https://sourceware.org/bugzilla/show_bug.cgi?id=26805
Bug ID: 26805
Summary: objcopy : global-buffer-overflow in objcopy.c:1274
Product: binutils
Version: 2.36 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: zodf0055980 at gmail dot com
Target Milestone: ---

Created attachment 12926
--> https://sourceware.org/bugzilla/attachment.cgi?id=12926&action=edit
file that reproduces this problem

OS : ubuntu 18.04.3
kernel : gnu/linux 5.4.0-52-generic
CPU : Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
compiler : gcc version 7.5.0

Steps to Reproduce :
download the sample from attachment
~/binutils-ASAN/binutils/objcopy -I elf32-i386 --extract-dwo ./sample /dev/null

ASan trace:
=================================================================
==13087==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5606d020369c at pc 0x7f30d2c91a69 bp 0x7ffc6df9eba0 sp 0x7ffc6df9e348
READ of size 1 at 0x5606d020369c thread T0
    #0 0x7f30d2c91a68 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68)
    #1 0x5606cfb81813 in is_dwo_section /home/yuan/binutils-ASAN/binutils/objcopy.c:1274
    #2 0x5606cfb81813 in is_strip_section_1 /home/yuan/binutils-ASAN/binutils/objcopy.c:1371
    #3 0x5606cfb81813 in is_strip_section /home/yuan/binutils-ASAN/binutils/objcopy.c:1381
    #4 0x5606cfb86b5c in setup_section /home/yuan/binutils-ASAN/binutils/objcopy.c:3985
    #5 0x5606cfc8d1cb in bfd_map_over_sections /home/yuan/binutils-ASAN/bfd/section.c:1379
    #6 0x5606cfb8ae5d in copy_object /home/yuan/binutils-ASAN/binutils/objcopy.c:2826
    #7 0x5606cfb9b51b in copy_file /home/yuan/binutils-ASAN/binutils/objcopy.c:3838
    #8 0x5606cfb6fd84 in copy_main /home/yuan/binutils-ASAN/binutils/objcopy.c:5899
    #9 0x5606cfb6fd84 in main /home/yuan/binutils-ASAN/binutils/objcopy.c:6025
    #10 0x7f30d2663b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x5606cfb7b4d9 in _start (/home/yuan/binutils-ASAN/binutils/objcopy+0xc14d9)

0x5606d020369c is located 54 bytes to the right of global variable '*.LC24' defined in 'elf.c' (0x5606d0203660) of size 6
  '*.LC24' is ascii string '.rela'
0x5606d020369c is located 4 bytes to the left of global variable '*.LC26' defined in 'elf.c' (0x5606d02036a0) of size 1
  '*.LC26' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68)
Shadow bytes around the buggy address:
==13087==ABORTING

len in is_dwo_section() is 0, so name + len - 4 overflows.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
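The pattern the reporter describes, as an added C example reconstructed from that analysis rather than copied from binutils: a suffix check that forms `name + len - 4` before confirming that `len` is at least 4, beside a bounds-checked version. The section names are constructed inputs, and the function names are chosen here, not the project's.

```c
/* Added example, not binutils code: the suffix-check pattern behind the
   report, reconstructed from the reporter's analysis, and a hardened form. */
#include <stdio.h>
#include <string.h>

/* Unsafe: when strlen(name) < 4, name + len - 4 points before the string,
   so strncmp reads out of bounds.  With len == 0, as in the report, the
   read lands in the global redzone before the string literal. */
static int is_dwo_section_unsafe(const char *name)
{
    size_t len = strlen(name);
    return strncmp(name + len - 4, ".dwo", 4) == 0;
}

/* Hardened: reject NULL and names shorter than the suffix before doing any
   pointer arithmetic, so name + len - slen always stays inside the string. */
static int is_dwo_section_safe(const char *name)
{
    const char suffix[] = ".dwo";
    const size_t slen = sizeof suffix - 1;  /* 4 */
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len < slen)
        return 0;
    return memcmp(name + len - slen, suffix, slen) == 0;
}

/* Constructed section names; "" and ".dw" are the cases that make the
   unsafe version read before the start of the buffer. */
static const char *const sample_names[] = {
    ".debug_info.dwo", ".text", "", ".dw", ".dwo"
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof sample_names / sizeof sample_names[0]; i++)
        printf("\"%s\" -> dwo=%d\n", sample_names[i],
               is_dwo_section_safe(sample_names[i]));
    /* Only call the unsafe variant on a name long enough for it to be defined. */
    printf("unsafe(\".debug_info.dwo\") = %d\n",
           is_dwo_section_unsafe(".debug_info.dwo"));
    return 0;
}
```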