https://sourceware.org/bugzilla/show_bug.cgi?id=29876
Bug ID: 29876
Summary: Out of bound read at `case DST__K_LINE_NUM` handler in
function `parse_module`
Product: binutils
Version: 2.40 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: r3tr0spect2019 at gmail dot com
Target Milestone: ---
Created attachment 14497
--> https://sourceware.org/bugzilla/attachment.cgi?id=14497&action=edit
PoC
# Reproduce
```bash
cd binutils-gdb
git reset --hard f2f58a399cf3f946983398cdfe52d0eaa72bf877
mkdir build && cd build
../configure --disable-gdb --disable-gdbserver --disable-gdbsupport
--disable-libdecnumber --disable-readline --disable-sim --disable-libbacktrace
--disable-gas --disable-ld --disable-werror --enable-targets=all
CPPFLAGS=-DDEBUG CFLAGS="-g -O0 -fsanitize=address"
make all-binutils MAKEINFO=true
binutils/addr2line -e poc.bin 0
```
# Output
```
binutils/addr2line: DST__K_SET_PC not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_STMTNUM not implemented
binutils/addr2line: unknown line command 68
binutils/addr2line: unknown line command 83
binutils/addr2line: unknown line command 49
binutils/addr2line: DST__K_RESET_LINUM_INCR not implemented
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 87
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 32
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 45
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
binutils/addr2line: unknown line command 58
binutils/addr2line: DST__K_SET_LINUM_INCR not implemented
=================================================================
==174957==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x611000036868 at pc 0x55e028da0f5e bp 0x7ffe4823f1c0 sp 0x7ffe4823f1b0
READ of size 1 at 0x611000036868 thread T0
#0 0x55e028da0f5d in parse_module ../../bfd/vms-alpha.c:4580
#1 0x55e028da1fad in module_find_nearest_line ../../bfd/vms-alpha.c:4902
#2 0x55e028da2911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
#3 0x55e0287ceb1e in find_address_in_section ../../binutils/addr2line.c:197
#4 0x55e0287e9f43 in bfd_map_over_sections ../../bfd/section.c:1366
#5 0x55e0287cf8eb in translate_addresses ../../binutils/addr2line.c:337
#6 0x55e0287cffbc in process_file ../../binutils/addr2line.c:470
#7 0x55e0287d05b1 in main ../../binutils/addr2line.c:579
#8 0x7f127bbffd8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f127bbffe3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x55e0287ce244 in _start
(/binutils-gdb/build/binutils/addr2line+0x343244)
0x611000036868 is located 0 bytes to the right of 232-byte region
[0x611000036780,0x611000036868)
allocated by thread T0 here:
#0 0x7f127beb2867 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55e0287e08d5 in bfd_malloc ../../bfd/libbfd.c:289
#2 0x55e028d8b13a in _bfd_malloc_and_read ../../bfd/libbfd.h:970
#3 0x55e028da1f77 in module_find_nearest_line ../../bfd/vms-alpha.c:4896
#4 0x55e028da2911 in _bfd_vms_find_nearest_line ../../bfd/vms-alpha.c:4982
#5 0x55e0287ceb1e in find_address_in_section ../../binutils/addr2line.c:197
#6 0x55e0287e9f43 in bfd_map_over_sections ../../bfd/section.c:1366
#7 0x55e0287cf8eb in translate_addresses ../../binutils/addr2line.c:337
#8 0x55e0287cffbc in process_file ../../binutils/addr2line.c:470
#9 0x55e0287d05b1 in main ../../binutils/addr2line.c:579
#10 0x7f127bbffd8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../bfd/vms-alpha.c:4580 in
parse_module
Shadow bytes around the buggy address:
0x0c227fffecb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fffecc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fffecd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fffece0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c227fffecf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fffed00: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
0x0c227fffed10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fffed20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fffed30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fffed40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fffed50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==174957==ABORTING
Aborted (core dumped)
```
# Analysis
`((signed char *)pcl_ptr)[0]` is accessed[1], which is only ensured to be
smaller than `ptr + rec_length`. However, `rec_length` can be controlled by
file content[2] and can be larger than actual buffer size. Therefore,
out-of-bound read can occur.
[1]
https://github.com/bminor/binutils-gdb/blob/85f9067d3a47d51a46ba369c60fdec752da0f885/bfd/vms-alpha.c#L4580
[2]
https://github.com/bminor/binutils-gdb/blob/85f9067d3a47d51a46ba369c60fdec752da0f885/bfd/vms-alpha.c#L4372
--
You are receiving this mail because:
You are on the CC list for the bug.
