https://sourceware.org/bugzilla/show_bug.cgi?id=27879
Bug ID: 27879
Summary: stash-buffer-overflow on sysdump
Product: binutils
Version: 2.37 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: shaohua.li at inf dot ethz.ch
Target Milestone: ---

Created attachment 13456
--> https://sourceware.org/bugzilla/attachment.cgi?id=13456&action=edit
poc

Hi there,

I found a stack-buffer-overflow on sysdump with a fuzzer. I attached the poc file.

Compiler: clang12
Compile args: -fsanitize=address
Reproduce: `sysdump poc`

AddressSanitizer output:

==30955==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeaa74a95f at pc 0x000000496b07 bp 0x7ffeaa74a830 sp 0x7ffeaa749ff8
READ of size 255 at 0x7ffeaa74a95f thread T0
    #0 0x496b06 in __asan_memcpy (/data/clean/binutils-gdb-asan/binutils/sysdump+0x496b06)
    #1 0x4d9725 in getBARRAY /data/clean/binutils-gdb-asan/binutils/sysdump.c:146:17
    #2 0x4d9725 in sysroff_swap_ob_in /data/clean/binutils-gdb-asan/binutils/./sysroff.c:1296:15
    #3 0x4e4839 in getone /data/clean/binutils-gdb-asan/binutils/sysdump.c:419:2
    #4 0x4e4839 in module /data/clean/binutils-gdb-asan/binutils/sysdump.c:618:10
    #5 0x4e4839 in main /data/clean/binutils-gdb-asan/binutils/sysdump.c:709:3
    #6 0x7fd3cf0db0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41c4fd in _start (/data/clean/binutils-gdb-asan/binutils/sysdump+0x41c4fd)

Address 0x7ffeaa74a95f is located in stack of thread T0 at offset 287 in frame
    #0 0x4d935f in sysroff_swap_ob_in /data/clean/binutils-gdb-asan/binutils/./sysroff.c:1280

  This frame has 2 object(s):
    [32, 287) 'raw' (line 1281)
    [352, 356) 'idx' (line 1282) <== Memory access at offset 287 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/data/clean/binutils-gdb-asan/binutils/sysdump+0x496b06) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1000554e14d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000554e14e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000554e14f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000554e1500: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x1000554e1510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000554e1520: 00 00 00 00 00 00 00 00 00 00 00[07]f2 f2 f2 f2
  0x1000554e1530: f2 f2 f2 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00
  0x1000554e1540: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1000554e1550: f8 f2 f8 f2 f8 f2 f8 f2 f8 f2 f8 f8 f8 f8 f8 f8
  0x1000554e1560: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x1000554e1570: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30955==ABORTING
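The trace above shows a 255-byte memcpy in getBARRAY beginning at offset 287, which is exactly the end of the 255-byte 'raw' stack object in sysroff_swap_ob_in: the copy length came from the input record and was never compared against the bytes actually left in the buffer. The following is an added illustrative example, not binutils' getBARRAY or sysroff code, of how a parser for length-prefixed byte arrays bounds-checks each announced length against the remaining record before copying. The names read_barray, parse_record, barray_t, RAW_SIZE and the demo_* functions, and the sample records they build, are all constructed for this demonstration; only the 255-byte buffer size is taken from the report.

```c
/* Illustrative example (not binutils code): bounds-checked parsing of
   length-prefixed byte arrays from a fixed-size record buffer.  All names
   here are assumptions for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RAW_SIZE 255            /* size of the 'raw' stack object in the ASan report */

typedef struct {
    uint8_t len;                /* length byte taken from the record */
    uint8_t data[RAW_SIZE];     /* copied bytes; never more than RAW_SIZE */
} barray_t;

/* Read one length-prefixed byte array at byte offset *pos of a record that
   holds 'avail' valid bytes.  Returns 0 and advances *pos on success, -1 if
   the length byte itself or the bytes it announces lie outside the record.
   This comparison is what an unchecked memcpy of the announced length lacks. */
static int read_barray(const uint8_t *raw, size_t avail, size_t *pos, barray_t *out)
{
    if (*pos >= avail)
        return -1;                          /* no room for the length byte */
    uint8_t n = raw[*pos];
    if (n > avail - (*pos + 1))             /* *pos + 1 <= avail here, no underflow */
        return -1;                          /* announced length runs off the record */
    memcpy(out->data, raw + *pos + 1, n);
    out->len = n;
    *pos += 1 + (size_t)n;
    return 0;
}

/* Parse every array in a record.  Returns the number of arrays read; *bad is
   set to 1 when parsing stopped on a malformed length rather than at the
   clean end of the record. */
static int parse_record(const uint8_t *raw, size_t avail, int *bad)
{
    size_t pos = 0;
    int count = 0;
    barray_t cur;
    *bad = 0;
    while (pos < avail) {
        if (read_barray(raw, avail, &pos, &cur) != 0) {
            *bad = 1;
            break;
        }
        count++;
    }
    return count;
}

/* Constructed well-formed record: two arrays, "abc" and "xy".  Returns 2. */
static int demo_well_formed(void)
{
    static const uint8_t rec[] = { 3, 'a', 'b', 'c', 2, 'x', 'y' };
    int bad;
    int n = parse_record(rec, sizeof rec, &bad);
    return bad ? -1 : n;
}

/* Constructed record mirroring the report's shape: a 255-byte record whose
   final length byte claims 255 more bytes, so an unchecked copy would read
   255 bytes starting at the end of the buffer.  The checked parser reads the
   254 empty arrays before it and then stops.  Returns 254. */
static int demo_overlong_tail(void)
{
    uint8_t rec[RAW_SIZE];
    memset(rec, 0, sizeof rec);             /* 254 zero-length arrays */
    rec[RAW_SIZE - 1] = 0xff;               /* length byte with nothing after it */
    int bad;
    int n = parse_record(rec, sizeof rec, &bad);
    return bad ? n : -1;
}

/* A lone length byte with no payload is rejected and *pos is left untouched.
   Returns 1 when both hold. */
static int demo_reject_lone_length(void)
{
    static const uint8_t rec[] = { 0xff };
    size_t pos = 0;
    barray_t b;
    int rc = read_barray(rec, sizeof rec, &pos, &b);
    return (rc == -1 && pos == 0) ? 1 : 0;
}

int main(void)
{
    printf("well-formed record: %d arrays\n", demo_well_formed());
    printf("over-long tail: %d arrays before rejection\n", demo_overlong_tail());
    printf("lone length byte rejected: %d\n", demo_reject_lone_length());
    return 0;
}
```

The point of the check is that the consumer compares the announced length against the bytes remaining in the record it is reading from, not against the size of the destination alone; a record that is itself only partially filled must use the number of valid bytes, not the buffer's capacity, as `avail`.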