https://sourceware.org/bugzilla/show_bug.cgi?id=27799
            Bug ID: 27799
           Summary: [size] heap-buffer-overflow on bfd/libbfd.c:548
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13411
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13411&action=edit
crash test case

Hello,

I report a double free detected by address sanitizer. I found this test input by fuzz testing. The stack trace is as follows:

==22808==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000000d5 at pc 0x0000004fab69 bp 0x7fffffffcd40 sp 0x7fffffffcd38
READ of size 1 at 0x6070000000d5 thread T0
    #0 0x4fab68 in bfd_getl16 .../subjects/binutils-gdb/bfd/libbfd.c:548:11
    #1 0x13b486a in elf_xtensa_grok_prstatus .../subjects/binutils-gdb/bfd/elf32-xtensa.c:3747:36
    #2 0x5fffa3 in elfcore_grok_note .../subjects/binutils-gdb/bfd/elf.c:10326:6
    #3 0x59bfd9 in elf_parse_notes .../subjects/binutils-gdb/bfd/elf.c:12205:13
    #4 0x5affba in elf_read_notes .../subjects/binutils-gdb/bfd/elf.c:12254:8
    #5 0x721d07 in _bfd_elf32_core_find_build_id .../subjects/binutils-gdb/bfd/./elfcore.h:411:4
    #6 0x5afe93 in _bfd_elf_core_find_build_id .../subjects/binutils-gdb/bfd/elf.c:3030:12
    #7 0x5af9a9 in bfd_section_from_phdr .../subjects/binutils-gdb/bfd/elf.c:3049:2
    #8 0x720ed1 in bfd_elf32_core_file_p .../subjects/binutils-gdb/bfd/./elfcore.h:285:11
    #9 0x4f402a in bfd_check_format_matches .../subjects/binutils-gdb/bfd/format.c:343:17
    #10 0x4c6ce6 in display_bfd .../subjects/binutils-gdb/binutils/size.c:345:7
    #11 0x4c6824 in display_file .../subjects/binutils-gdb/binutils/size.c:432:5
    #12 0x4c6412 in main .../subjects/binutils-gdb/binutils/size.c:258:7
    #13 0x7ffff6e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x41be59 in _start (.../subjects_asan/size/size.san+0x41be59)

You can reproduce the bug by executing ./size <test input>

I tested the subject on the latest version uploaded on git, built with --disable-shared --disable-gdb --disable-libdecnumber --disable-ld --enable-targets=all configure options.
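The trace above ends in bfd_getl16 performing a 1-byte read outside a heap buffer while elf_xtensa_grok_prstatus decodes a core prstatus note, the pattern of a fixed-offset field read without checking the note's declared descriptor size. As an added illustration (not binutils code and not the fix the project applied), the following bounds-checked reader rejects a note whose descsz cannot hold the field; the note structure, the field offsets 12 and 24, and the sample bytes are all assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative stand-in for a parsed ELF note (not BFD's own type): the
   descriptor bytes and the length the note header declares for them.  */
struct note_desc { const unsigned char *descdata; size_t descsz; };

/* Little-endian reads that first prove the bytes lie inside descsz.  The
   unchecked read is what the trace shows running past the buffer.  */
static bool checked_getl16 (const struct note_desc *n, size_t off, uint16_t *out)
{
  if (off > n->descsz || n->descsz - off < 2)
    return false;
  *out = (uint16_t) (n->descdata[off] | (n->descdata[off + 1] << 8));
  return true;
}

static bool checked_getl32 (const struct note_desc *n, size_t off, uint32_t *out)
{
  if (off > n->descsz || n->descsz - off < 4)
    return false;
  *out = (uint32_t) n->descdata[off] | ((uint32_t) n->descdata[off + 1] << 8)
       | ((uint32_t) n->descdata[off + 2] << 16) | ((uint32_t) n->descdata[off + 3] << 24);
  return true;
}

struct prstatus_min { uint16_t cursig; uint32_t pid; };

/* Extract pr_cursig and pr_pid from a prstatus descriptor.  Offsets 12 and
   24 are the assumed 32-bit elf_prstatus layout, not values from the report.
   A field that would cross descsz fails the whole note rather than being
   read from memory the note does not own.  */
static bool grok_prstatus_checked (const struct note_desc *n, struct prstatus_min *p)
{
  return checked_getl16 (n, 12, &p->cursig) && checked_getl32 (n, 24, &p->pid);
}

/* Constructed 28-byte descriptor (not the attached test case):
   pr_cursig = 11, pr_pid = 4242.  */
static const unsigned char sample_desc[28] = {
  [12] = 0x0b, [13] = 0x00, [24] = 0x92, [25] = 0x10 };

/* Parse sample_desc while pretending the header declared DESCSZ bytes; a
   short descsz models the fuzzed note.  Returns pr_pid, or 0 when rejected.  */
static uint32_t demo_parse (size_t descsz)
{
  struct note_desc n = { sample_desc, descsz };
  struct prstatus_min p = { 0, 0 };
  return grok_prstatus_checked (&n, &p) ? p.pid : 0;
}
```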