https://sourceware.org/bugzilla/show_bug.cgi?id=33457
Bug ID: 33457
Summary: [BUG] A heap-buffer-overflow in cache_bwrite at cache.c:435
Product: binutils
Version: 2.45
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: yfzhang23 at stu dot pku.edu.cn
Target Milestone: ---

Created attachment 16353
--> https://sourceware.org/bugzilla/attachment.cgi?id=16353&action=edit
POC

## Description

- Version: Binutils 2.45
- Environment: Ubuntu 20.04.6 LTS, Clang 12.0.0

## Steps to reproduce

export CC="clang"
export CFLAGS="-g -fsanitize=address"
./configure
make -j
./ld/ld-new --version-exports-section symbol --shared $POC

## Sanitizer output

==139074==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a0000005f4 at pc 0x00000043609e bp 0x7fff559183a0 sp 0x7fff55917b68
READ of size 1408 at 0x61a0000005f4 thread T0
    #0 0x43609d in fwrite /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143:16
    #1 0x92a7c6 in cache_bwrite /benchmark/bin/binutils-2.45/bfd/cache.c:435:12
    #2 0x5c4c2e in bfd_write /benchmark/bin/binutils-2.45/bfd/bfdio.c:412:12
    #3 0x5e14df in _bfd_generic_set_section_contents /benchmark/bin/binutils-2.45/bfd/libbfd.c:1351:10
    #4 0x6e9348 in _bfd_elf_set_section_contents /benchmark/bin/binutils-2.45/bfd/elf.c:10018:10
    #5 0x602d88 in bfd_set_section_contents /benchmark/bin/binutils-2.45/bfd/section.c:1527:7
    #6 0x76cce8 in elf_link_input_bfd /benchmark/bin/binutils-2.45/bfd/elflink.c:12286:14
    #7 0x75b599 in bfd_elf_final_link /benchmark/bin/binutils-2.45/bfd/elflink.c:13185:11
    #8 0x545133 in ldwrite /benchmark/bin/binutils-2.45/ld/ldwrite.c:548:8
    #9 0x53cc51 in main /benchmark/bin/binutils-2.45/ld/./ldmain.c:912:3
    #10 0x7f58bfd3d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #11 0x41d6ad in _start (/benchmark/bin/binutils-2.45/ld/ld-new+0x41d6ad)

0x61a0000005f4 is located 0 bytes to the right of 1396-byte region [0x61a000000080,0x61a0000005f4)
allocated by thread T0 here:
    #0 0x49917d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x5dcf72 in bfd_malloc /benchmark/bin/binutils-2.45/bfd/libbfd.c:291:9
    #2 0x5c9c41 in bfd_get_full_section_contents /benchmark/bin/binutils-2.45/bfd/compress.c:742:21
    #3 0x6f6d26 in elf_mmap_section_contents /benchmark/bin/binutils-2.45/bfd/elf.c:14328:14
    #4 0x6acf51 in _bfd_elf_mmap_section_contents /benchmark/bin/binutils-2.45/bfd/elf.c:14340:10
    #5 0x6498cc in elf_x86_64_scan_relocs /benchmark/bin/binutils-2.45/bfd/elf64-x86-64.c:2515:13
    #6 0x729d55 in _bfd_elf_link_iterate_on_relocs /benchmark/bin/binutils-2.45/bfd/elflink.c:4282:9
    #7 0x629244 in elf_x86_64_early_size_sections /benchmark/bin/binutils-2.45/bfd/elf64-x86-64.c:3106:6
    #8 0x73c762 in bfd_elf_size_dynamic_sections /benchmark/bin/binutils-2.45/bfd/elflink.c:6916:11
    #9 0x59afe4 in ldelf_before_allocation /benchmark/bin/binutils-2.45/ld/ldelf.c:1840:10
    #10 0x57acc0 in gldelf_x86_64_before_allocation /benchmark/bin/binutils-2.45/ld/eelf_x86_64.c:172:3
    #11 0x57111b in elf_x86_64_before_allocation /benchmark/bin/binutils-2.45/ld/eelf_x86_64.c:115:3
    #12 0x554af7 in ldemul_before_allocation /benchmark/bin/binutils-2.45/ld/ldemul.c:104:3
    #13 0x50cdcc in lang_process /benchmark/bin/binutils-2.45/ld/ldlang.c:8627:3
    #14 0x53ca89 in main /benchmark/bin/binutils-2.45/ld/./ldmain.c:882:3
    #15 0x7f58bfd3d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143:16 in fwrite
Shadow bytes around the buggy address:
  0x0c347fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa
  0x0c347fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==139074==ABORTING

## Credit

Reported by Yifan Zhang, [PLL](https://pl.cs.pku.edu.cn/en/)
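The report above carries the three numbers a triager checks first: the access size (1408), the allocation size (1396) and the distance of the bad address from the region end (0). The following helper, added here as an example and not part of the bug report or of binutils, parses those fields plus both stacks out of an ASan report, cross-checks the region arithmetic, and returns the first frame outside the sanitizer runtime in the faulting stack and in the allocation stack. The embedded sample is a trimmed copy of the sanitizer output quoted above; the "overrun" figure assumes the access began at the start of the region, which is how a whole-buffer write such as this one behaves, and that assumption is stated in the code.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports (added example)."""
import re
from dataclasses import dataclass, field

# Trimmed copy of the ASan output quoted in the bug report above.
SAMPLE_REPORT = """\
==139074==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a0000005f4 at pc 0x00000043609e bp 0x7fff559183a0 sp 0x7fff55917b68
READ of size 1408 at 0x61a0000005f4 thread T0
    #0 0x43609d in fwrite /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143:16
    #1 0x92a7c6 in cache_bwrite /benchmark/bin/binutils-2.45/bfd/cache.c:435:12
    #2 0x5c4c2e in bfd_write /benchmark/bin/binutils-2.45/bfd/bfdio.c:412:12
    #3 0x5e14df in _bfd_generic_set_section_contents /benchmark/bin/binutils-2.45/bfd/libbfd.c:1351:10
0x61a0000005f4 is located 0 bytes to the right of 1396-byte region [0x61a000000080,0x61a0000005f4)
allocated by thread T0 here:
    #0 0x49917d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x5dcf72 in bfd_malloc /benchmark/bin/binutils-2.45/bfd/libbfd.c:291:9
    #2 0x5c9c41 in bfd_get_full_section_contents /benchmark/bin/binutils-2.45/bfd/compress.c:742:21
SUMMARY: AddressSanitizer: heap-buffer-overflow sanitizer_common_interceptors.inc:1143:16 in fwrite
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
# ASan prints "N bytes to the right/left of" or "N bytes inside of".
REGION_RE = re.compile(
    r"is located (\d+) bytes (?:to the )?(right|left|inside) of (\d+)-byte region "
    r"\[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)"
)
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")


@dataclass
class AsanTriage:
    kind: str = ""
    access: str = ""
    access_size: int = 0
    bad_addr: int = 0
    distance: int = 0
    side: str = ""
    region_size: int = 0
    region_start: int = 0
    region_end: int = 0
    access_stack: list = field(default_factory=list)  # (function, location)
    alloc_stack: list = field(default_factory=list)


def parse_asan_report(text: str) -> AsanTriage:
    """Pull the header, access, region and both stacks out of an ASan report."""
    r = AsanTriage()
    current = None  # which stack the next frame lines belong to
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            r.kind, r.bad_addr = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.search(line):
            r.access, r.access_size = m.group(1), int(m.group(2))
            current = r.access_stack
        elif m := REGION_RE.search(line):
            r.distance, r.side, r.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            r.region_start, r.region_end = int(m.group(4), 16), int(m.group(5), 16)
            current = None
        elif "allocated by thread" in line:
            current = r.alloc_stack
        elif (m := FRAME_RE.search(line)) and current is not None:
            current.append((m.group(2), m.group(3)))
    return r


def region_consistent(r: AsanTriage) -> bool:
    """Check that the region bounds, size and reported distance agree."""
    size_ok = r.region_end - r.region_start == r.region_size
    if r.side == "right":
        dist_ok = r.bad_addr - r.region_end == r.distance
    elif r.side == "left":
        dist_ok = r.region_start - r.bad_addr == r.distance
    else:
        dist_ok = r.bad_addr - r.region_start == r.distance
    return size_ok and dist_ok


def overrun_bytes(r: AsanTriage):
    """Bytes by which the access exceeds the allocation, ASSUMING the access
    started at the region start (true for a whole-buffer read/write). ASan
    reports the first bad byte, so this is only inferable when that byte is
    exactly the region end; otherwise return None."""
    if r.bad_addr != r.region_end:
        return None
    return max(0, r.access_size - r.region_size)


def first_project_frame(stack):
    """First frame not inside the sanitizer runtime (interceptor/allocator)."""
    for func, loc in stack:
        if "compiler-rt/" not in loc:
            return func, loc
    return None


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(f"{rep.kind}: {rep.access} of {rep.access_size} bytes, region {rep.region_size} bytes")
    print("region arithmetic consistent:", region_consistent(rep))
    print("overrun (assuming access from region start):", overrun_bytes(rep))
    print("faulting frame:", first_project_frame(rep.access_stack))
    print("allocation frame:", first_project_frame(rep.alloc_stack))
```

On the sample, the helper reports a 12-byte overrun and pairs the faulting frame (cache_bwrite in cache.c) with the allocation site (bfd_malloc called from bfd_get_full_section_contents), which is the pairing a fix needs: the length passed to the write exceeds the buffer that was allocated for the section contents.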