https://sourceware.org/bugzilla/show_bug.cgi?id=26166

            Bug ID: 26166
           Summary: Heap use after free in nm
           Product: binutils
           Version: 2.35 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: featherrain26 at gmail dot com
  Target Milestone: ---

Created attachment 12656
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12656&action=edit
POC input

Hi,

There is a heap UAF in nm, bfd module.

Here is my environment:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.6 LTS"

To reproduce, compile with CFLAGS=-fsanitize=address,
then run
nm input

This is the bug trace reported by ASAN:
=================================================================
==120174==ERROR: AddressSanitizer: heap-use-after-free on address
0x621000016d5c at pc 0x000000538f3b bp 0x7fffe339c6c0 sp 0x7fffe339c6b0
WRITE of size 4 at 0x621000016d5c thread T0
    #0 0x538f3a in bfd_section_from_shdr ../../bfd/elf.c:2604
    #1 0x6e9c8c in bfd_elf32_object_p ../../bfd/elfcode.h:815
    #2 0x450216 in bfd_check_format_matches ../../bfd/format.c:328
    #3 0x412978 in display_file ../../binutils/nm.c:1375
    #4 0x4081a7 in main ../../binutils/nm.c:1860
    #5 0x7efdc018982f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x40a248 in _start
(/mnt/data/playground/binutils-2.34-a/build/binutils/nm-new+0x40a248)

0x621000016d5c is located 1116 bytes inside of 4064-byte region
[0x621000016900,0x6210000178e0)
freed by thread T0 here:
    #0 0x7efdc07cf32a in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x93b4e1 in objalloc_free_block ../../libiberty/objalloc.c:248

previously allocated by thread T0 here:
    #0 0x7efdc07cf662 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x93ab49 in _objalloc_alloc ../../libiberty/objalloc.c:159

SUMMARY: AddressSanitizer: heap-use-after-free ../../bfd/elf.c:2604
bfd_section_from_shdr
==120174==ABORTING
