https://sourceware.org/bugzilla/show_bug.cgi?id=20949
Bug ID: 20949
Summary: GOLD: Reading beyond buffer during parsing
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gold
Assignee: ccoutant at gmail dot com
Reporter: boehme.marcel at gmail dot com
CC: ian at airs dot com
Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24-hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

Valgrind reports a read of size 1 in the lexer of the linker for the following executions on Binutils in trunk and pre-installed v2.24 on Ubuntu 14.04.

For this execution Valgrind points out two locations (script.cc:810, script.cc:825):

$ printf "\x0d" > test
$ gold/ld-new test

For this execution, there is only one location (script.cc:825):

$ printf "\x80" > test
$ gold/ld-new test

ASAN says:

==116723==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000434a at pc 0x0000016367e1 bp 0x7ffec7190920 sp 0x7ffec7190918
READ of size 1 at 0x60300000434a thread T0
    #0 0x16367e0 in gold::Lex::get_token(char const**) ../../gold/script.cc:825
    #1 0x1637151 in gold::Lex::next_token() ../../gold/script.cc:875
    #2 0x164ba27 in gold::Parser_closure::next_token() ../../gold/script.cc:1339
    #3 0x164224b in yylex ../../gold/script.cc:2574
    #4 0x17473e2 in yyparse /home/ubuntu/subjects/binutils-gdb_fixed/obj-gold-asan/gold/yyscript.c:1964
    #5 0x163b238 in gold::read_input_script(gold::Workqueue*, gold::Symbol_table*, gold::Layout*, gold::Dirsearch*, int, gold::Input_objects*, gold::Mapfile*, gold::Input_group*, gold::Input_argument const*, gold::Input_file*, gold::Task_token*, bool*) ../../gold/script.cc:1500
    #6 0x1542934 in gold::Read_script::run(gold::Workqueue*) ../../gold/readsyms.cc:913
    #7 0x1741207 in gold::Workqueue::find_and_run_task(int) ../../gold/workqueue.cc:319
    #8 0x1742951 in gold::Workqueue::process(int) ../../gold/workqueue.cc:495
    #9 0x405d95 in main ../../gold/main.cc:252
    #10 0x7fbb1bba9f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #11 0x405147 (/home/ubuntu/subjects/binutils-gdb_fixed/obj-gold-asan/gold/ld-new+0x405147)

0x60300000434a is located 0 bytes to the right of 26-byte region [0x603000004330,0x60300000434a)
allocated by thread T0 here:
    #0 0x7fbb1d02d270 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc3270)
    #1 0x1998df8 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&) (/home/ubuntu/subjects/binutils-gdb_fixed/obj-gold-asan/gold/ld-new+0x1998df8)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../gold/script.cc:825 in gold::Lex::get_token(char const**)

Best regards,
- Marcel
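An added illustration, not gold's code and not part of the bug report above: a small bounds-checked lexer in C++ for the failure mode the ASAN output points at. Both reproducers are one-byte files, and the read lands 0 bytes past the std::string allocation holding the script text, so the lexer stepped past the end of its buffer while looking at a lone CR or a byte >= 0x80. The class name BoundedLexer, the peek()/lex_exact() helpers and the token set are assumptions chosen for illustration; the technique shown is that every read of the input goes through one accessor that compares against an explicit end pointer and returns a sentinel instead of dereferencing, so a trailing NUL is never relied on.

```cpp
// Added example, not gold's code: a bounds-checked lexer for the failure mode
// in the report (a lexer reading one byte past the buffer holding the script
// while examining a lone '\r' or a byte >= 0x80). Names and the token set are
// assumptions for illustration.
#include <cstdio>
#include <string>
#include <vector>

enum TokenType { TOK_EOF, TOK_NEWLINE, TOK_WORD, TOK_PUNCT, TOK_INVALID };

struct Token {
    TokenType type;
    std::string text;
};

const int EOF_BYTE = -1;  // sentinel returned instead of reading past the end

class BoundedLexer {
public:
    BoundedLexer(const char* data, size_t len) : p_(data), end_(data + len) {}

    // Every look at the input goes through here. Reading `ahead` bytes past the
    // cursor is refused when that would reach or cross end_; a lexer that trusts
    // a trailing NUL instead has no such check and can step past it.
    int peek(size_t ahead = 0) const {
        if (static_cast<size_t>(end_ - p_) <= ahead) return EOF_BYTE;
        return static_cast<unsigned char>(p_[ahead]);
    }

    Token next_token() {
        // Skip blanks. A '\r' not followed by '\n' is whitespace; the look-ahead
        // for the '\n' is bounded, so a lone CR at end of input is consumed
        // without touching the byte after the buffer.
        for (;;) {
            int c = peek();
            if (c == ' ' || c == '\t') { ++p_; continue; }
            if (c == '\r' && peek(1) != '\n') { ++p_; continue; }
            break;
        }
        int c = peek();
        if (c == EOF_BYTE) return Token{TOK_EOF, ""};
        if (c == '\n' || c == '\r') {          // "\n" or "\r\n" -> one newline token
            if (c == '\r') ++p_;
            ++p_;
            return Token{TOK_NEWLINE, ""};
        }
        if (is_word_byte(c)) {
            const char* s = p_;
            while (is_word_byte(peek())) ++p_;  // peek() stops the loop at end_
            return Token{TOK_WORD, std::string(s, p_)};
        }
        if (is_punct_byte(c)) {
            ++p_;
            return Token{TOK_PUNCT, std::string(1, static_cast<char>(c))};
        }
        // Control bytes and anything >= 0x80: report one invalid byte and move
        // exactly one position, rather than scanning onward for a delimiter.
        ++p_;
        return Token{TOK_INVALID, std::string(1, static_cast<char>(c))};
    }

private:
    static bool is_word_byte(int c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '/' || c == '-';
    }
    static bool is_punct_byte(int c) {
        return c == '(' || c == ')' || c == '{' || c == '}' || c == '=' || c == ';' || c == ',';
    }
    const char* p_;
    const char* end_;
};

// Tokenize `input` from a heap buffer of exactly input.size() bytes with no
// trailing NUL. Built with -fsanitize=address, any read past the end would be
// reported as a heap-buffer-overflow, as in the original bug.
std::vector<TokenType> lex_exact(const std::string& input) {
    std::vector<char> buf(input.begin(), input.end());
    BoundedLexer lex(buf.data(), buf.size());
    std::vector<TokenType> types;
    for (;;) {
        Token t = lex.next_token();
        types.push_back(t.type);
        if (t.type == TOK_EOF) break;
    }
    return types;
}

int main() {
    // Constructed inputs: the two one-byte reproducers from the report plus a short script fragment.
    const std::string samples[] = {std::string("\r"), std::string("\x80"), std::string("INPUT(foo.o)\r\n")};
    const char* names[] = {"EOF", "NEWLINE", "WORD", "PUNCT", "INVALID"};
    for (const std::string& s : samples) {
        std::printf("%zu byte(s):", s.size());
        for (TokenType t : lex_exact(s)) std::printf(" %s", names[t]);
        std::printf("\n");
    }
    return 0;
}
```

Compile with -fsanitize=address and feed it the same "\x0d" and "\x80" bytes: because lex_exact() copies the input into an allocation of exactly its length, the sanitizer would flag any overread the way it did for gold, and the bounded peek() is the only thing standing between the lexer and that report.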