https://sourceware.org/bugzilla/show_bug.cgi?id=24402
Bug ID: 24402
Summary: global-buffer-overflow in symtab_finalize function in symtab.c in Binutils 2.32
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---

Created attachment 11711
--> https://sourceware.org/bugzilla/attachment.cgi?id=11711&action=edit
POC

Hi, there.

A global-buffer-overflow problem was discovered in the symtab_finalize function in symtab.c in binutils 2.32, the latest code base. A crafted ELF input can cause segmentation faults, and I have confirmed them with AddressSanitizer too. Please use "./gprof $POC" to reproduce the bug.

The ASAN dump of the stack trace is as follows:

> =================================================================
> ==5541==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000022ca561 at pc 0x00000061a9b5 bp 0x7ffd282e0190 sp 0x7ffd282e0188
> READ of size 1 at 0x0000022ca561 thread T0
>     #0 0x61a9b4 in symtab_finalize /binutils-gdb/gprof/symtab.c:112:10
>     #1 0x5b638d in core_create_function_syms /binutils-gdb/gprof/corefile.c:749:3
>     #2 0x5e05d8 in main /binutils-gdb/gprof/gprof.c:534:5
>     #3 0x7fd6902e882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
>     #4 0x4193d8 in _start (/binutils-gdb/build/bin/gprof+0x4193d8)
>
> 0x0000022ca561 is located 0 bytes to the right of global variable '<string literal>' defined in 'elf.c:332:12' (0x22ca560) of size 1
>   '<string literal>' is ascii string ''
> SUMMARY: AddressSanitizer: global-buffer-overflow /binutils-gdb/gprof/symtab.c:112:10 in symtab_finalize
> Shadow bytes around the buggy address:
>   0x000080451450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080451460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080451470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080451480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080451490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0000804514a0: 00 00 00 00 00 00 00 00 00 00 00 00[01]f9 f9 f9
>   0x0000804514b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0000804514c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0000804514d0: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
>   0x0000804514e0: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
>   0x0000804514f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 f9
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==5541==ABORTING
Aborted

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
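What the trace pins down is narrow: a one-byte read landing immediately past a one-byte global string literal, i.e. past the NUL of an empty string "" that a BFD ELF routine handed back as a symbol name. The example below is an added illustration of that failure class, not gprof's or binutils' code, and it says nothing about what symtab.c:112 actually does or how the bug was fixed. It shows a symbol-table finalize pass that receives nameless entries (a crafted ELF can produce many, for instance via out-of-range string-table offsets) and the difference between a name check that reads name[1] unconditionally and one that stops at the first NUL. The struct layout, the dedup rule, all function names and the sample table are assumptions constructed for the demo.

```c
/* Added example (not gprof code): tolerate symbol names that are "".
   Layout, dedup rule and names are assumptions made for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uintptr_t   addr;
    const char *name;   /* NUL-terminated; may be "" for a nameless ELF symbol */
} sym_t;

/* Unsafe check: fetches name[1] unconditionally.  For name == "" that is
   one byte past the terminating NUL; with the literal in .rodata it is the
   same kind of 1-byte global-buffer-overflow READ ASan reports above.
   Kept only for contrast; nothing below calls it. */
int name_is_local_label_unsafe(const char *name)
{
    char c0 = name[0], c1 = name[1];   /* c1 is out of bounds when name is "" */
    return c0 == '.' && c1 == 'L';
}

/* Safe check: && short-circuits on the NUL at name[0], so name[1] is read
   only when the string is known to have at least two bytes. */
int name_is_local_label(const char *name)
{
    return name != NULL && name[0] == '.' && name[1] == 'L';
}

/* Collapse entries that share an address.  Among duplicates, prefer a
   non-empty name that is not a local label; otherwise keep the first one
   seen.  Input is assumed sorted by addr, as a finalize pass usually sees
   it.  Compacts in place and returns the number of entries kept. */
size_t finalize_symtab(sym_t *tab, size_t n)
{
    if (n == 0)
        return 0;
    size_t kept = 1;
    for (size_t i = 1; i < n; i++) {
        sym_t *dst = &tab[kept - 1];
        if (tab[i].addr != dst->addr) {
            tab[kept++] = tab[i];
            continue;
        }
        int dst_weak = dst->name[0] == '\0' || name_is_local_label(dst->name);
        int src_weak = tab[i].name[0] == '\0' || name_is_local_label(tab[i].name);
        if (dst_weak && !src_weak)
            *dst = tab[i];   /* upgrade to the better name at this address */
    }
    return kept;
}

/* How many nameless entries the ELF reader handed us.  A hostile input
   controls this count, so every later consumer must accept a "" name. */
size_t count_nameless(const sym_t *tab, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (tab[i].name[0] == '\0')
            c++;
    return c;
}

int main(void)
{
    /* Constructed sample standing in for what a crafted ELF could yield. */
    sym_t tab[] = {
        { 0x1000, "main"   },
        { 0x1000, ""       },
        { 0x2000, ""       },
        { 0x2000, ".L3"    },
        { 0x2000, "helper" },
        { 0x3000, ""       },
    };
    size_t n = sizeof tab / sizeof tab[0];
    printf("nameless before finalize: %zu\n", count_nameless(tab, n));
    n = finalize_symtab(tab, n);
    for (size_t i = 0; i < n; i++)
        printf("%#lx %s\n", (unsigned long)tab[i].addr,
               tab[i].name[0] ? tab[i].name : "<no name>");
    return 0;
}
```

Build it with -fsanitize=address and swap name_is_local_label for the unsafe variant in finalize_symtab to see ASan flag the read past the "" literal; the safe variant survives the same table because the NUL at index 0 ends every comparison before index 1 is touched.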