Bug ID: 20898
           Summary: AS: Buffer Overflow when scrubing chars
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gas
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.

There is a global buffer overflow (write of size 1) in the assembler for the
following execution on Ubuntu 14.04 x86_64 for Binutils v2.26 and in trunk.
Interestingly, it does not seg-fault on my machine.

$ printf "/" > test
$ ./as test

ASAN says:
==141249==ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000143fdbf at pc 0x000000407db7 bp 0x7ffd85bdacb0 sp 0x7ffd85bdaca8
WRITE of size 1 at 0x00000143fdbf thread T0
    #0 0x407db6 in do_scrub_chars ../../gas/app.c:1193
    #1 0x44351b in input_file_give_next_buffer ../../gas/input-file.c:243
    #2 0x444a05 in input_scrub_next_buffer ../../gas/input-scrub.c:356
    #3 0x460204 in read_a_source_file ../../gas/read.c:835
    #4 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
    #5 0x40c86c in main ../../gas/as.c:1296
    #6 0x7fb7630e5f44 in __libc_start_main
    #7 0x403858 

0x00000143fdbf is located 55 bytes to the right of global variable
'saved_input_len' defined in '../../gas/app.c:218:15' (0x143fd80) of size 8
0x00000143fdbf is located 1 bytes to the left of global variable 'input_buffer'
defined in '../../gas/app.c:219:13' (0x143fdc0) of size 32768
SUMMARY: AddressSanitizer: global-buffer-overflow ../../gas/app.c:1193 in

Valgrind does not complain.

Best regards,
- Marcel

You are receiving this mail because:
You are on the CC list for the bug.
bug-binutils mailing list

Reply via email to