https://sourceware.org/bugzilla/show_bug.cgi?id=26929
Bug ID: 26929
Summary: [readelf] crash with ASAN in print_dynamic_symbol
Product: binutils
Version: 2.35.1
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: hao-wang20 at mails dot tsinghua.edu.cn
Target Milestone: ---

Created attachment 12991 --> https://sourceware.org/bugzilla/attachment.cgi?id=12991&action=edit
crash test case

Hello,

I found a crash in readelf when doing fuzzing experiments. I downloaded the source code from the ftp server, and I built it on Ubuntu 18.04 with gcc 7.5.0 with ASAN, using the following command to build readelf from the source:

    CFLAGS="-O1 -fsanitize=address -U_FORTIFY_SOURCE" ./configure; make clean all;

You can reproduce the crash with the following command:

    ./readelf --dyn-syms <attached file>

The AddressSanitizer message of the crash is:

    ==90332==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd502affe0 at pc 0x7f8ed10b98f9 bp 0x7ffd502afd00 sp 0x7ffd502af490
    WRITE of size 364 at 0x7ffd502affe0 thread T0
        #0 0x7f8ed10b98f8 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)
        #1 0x7f8ed10b9c86 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)
        #2 0x55d1d3eaeb01 in print_dynamic_symbol (/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xd3b01)
        #3 0x55d1d3eaf9c9 in process_symbol_table (/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xd49c9)
        #4 0x55d1d3ed59b3 in process_object (/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xfa9b3)
        #5 0x55d1d3ede499 in main (/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0x103499)
        #6 0x7f8ed0c4bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #7 0x55d1d3e83a59 in _start (/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xa8a59)

    Address 0x7ffd502affe0 is located in stack of thread T0 at offset 416 in frame
        #0 0x55d1d3eadd8d in print_dynamic_symbol (/home/vul337/rfuzz/psrc/binutils-2.35.1/binutils/readelf+0xd2d8d)

      This frame has 3 object(s):
        [32, 34) 'vna_other'
        [96, 100) 'sym_info'
        [160, 416) 'buffer' <== Memory access at offset 416 overflows this variable
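The trace above shows a 364-byte sprintf write landing in a 256-byte stack object ('buffer', [160, 416)), i.e. an unbounded format into a fixed buffer driven by data taken from the input file. The following C snippet is an added illustration of the defensive pattern for that class of defect, not readelf's code and not the fix that binutils applied: it formats a symbol line with snprintf, never writes past the caller's buffer, and reports the length the full line would have needed so the caller can detect truncation instead of silently corrupting the stack. The format string, field names and the 256-byte size are assumptions chosen to mirror the frame layout in the report; the long symbol name is constructed sample input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the hypothetical line buffer; matches the 256-byte 'buffer'
   object in the ASAN frame above, but is otherwise an assumption. */
#define LINE_BUF_SIZE 256

/* Format one symbol-table line into out[outsz]. Returns the number of
   bytes the complete line needs (excluding the NUL); a value >= outsz
   means the output was truncated, never overflowed. With out == NULL
   and outsz == 0 it only measures (C99 snprintf semantics). */
static size_t format_sym_line(char *out, size_t outsz,
                              unsigned long index, unsigned long value,
                              const char *name)
{
    int n = snprintf(out, outsz, "%6lu: %016lx %s", index, value, name);
    if (n < 0) {            /* encoding error: leave a valid empty string */
        if (out != NULL && outsz > 0)
            out[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

/* Check before writing: does the line for this symbol fit in a buffer
   of bufsz bytes including the terminator? */
static bool sym_line_fits(unsigned long index, unsigned long value,
                          const char *name, size_t bufsz)
{
    return format_sym_line(NULL, 0, index, value, name) < bufsz;
}

/* Constructed sample input: a symbol name far longer than the buffer,
   the shape of data a fuzzer finds in a crafted ELF. */
static const char *long_name(void)
{
    static char buf[401];
    memset(buf, 'A', sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

int main(void)
{
    char line[LINE_BUF_SIZE];
    size_t need;

    need = format_sym_line(line, sizeof(line), 1, 0x1000, "main");
    printf("short name: need=%zu fits=%d -> \"%s\"\n",
           need, sym_line_fits(1, 0x1000, "main", sizeof(line)), line);

    need = format_sym_line(line, sizeof(line), 2, 0x2000, long_name());
    printf("long name : need=%zu fits=%d stored=%zu bytes (truncated)\n",
           need, sym_line_fits(2, 0x2000, long_name(), sizeof(line)),
           strlen(line));
    return 0;
}
```

The measuring call (snprintf with a NULL buffer and size 0) is what lets a caller decide between truncating, skipping the entry, or allocating a larger buffer; any of those is a correct outcome, whereas the original sprintf had no outcome other than writing past 'buffer'. Under ASAN the bounded version produces no report for the same 400-byte name.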