[Bug binutils/33049] New: Heap-buffer-overflow in objcopy when using --interleave and --byte options on a crafted binary input

Tue, 03 Jun 2025 00:29:43 -0700 

https://sourceware.org/bugzilla/show_bug.cgi?id=33049

            Bug ID: 33049
           Summary: Heap-buffer-overflow in objcopy when using
                    --interleave and --byte options on a crafted binary
                    input
           Product: binutils
           Version: 2.45 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dragonarthurx at outlook dot com
  Target Milestone: ---

Created attachment 16117
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16117&action=edit
the poc input file

Step to Reproduce:
git clone https://gitlab.com/gnutools/binutils-gdb.git
cd binutils-gdb
mkdir build
cd build
export CC=/root/go/bin/gclang 
export CXX=/root/go/bin/gclang++ 
export CFLAGS="-g -O0 -fno-discard-value-names -fsanitize=address"  
export CXXFLAGS="-g -O0 -fno-discard-value-names -fsanitize=address" 
../configure --disable-shared --disable-gdb --disable-gdbserver
--disable-gdbsupport --disable-gnulib --disable-libdecnumber --disable-gas
--disable-gdb --disable-ld --disable-gold --disable-sim --disable-gprof
--disable-gprofing --disable-gprofng
make -j

./binutils/objcopy -I binary -O elf64-x86-64 "--output-target=elf64-x86-64"
"--byte=0" "--interleave=4" "--interleave-width=2"
"--remove-section=.debug_info" -S /home/poc /tmp/output_file.o

ASan output:
=================================================================
==64150==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000000b1 at pc 0x00000043682e bp 0x7ffc172f68c0 sp 0x7ffc172f6088
READ of size 2 at 0x6020000000b1 thread T0
    #0 0x43682d in __interceptor_fwrite
(/home/binutils-gdb/build/binutils/objcopy+0x43682d)
    #1 0x89cd46 in cache_bwrite
/home/binutils-gdb/build/bfd/../../bfd/cache.c:435:12
    #2 0x55040e in bfd_write
/home/binutils-gdb/build/bfd/../../bfd/bfdio.c:412:12
    #3 0x56d8af in _bfd_generic_set_section_contents
/home/binutils-gdb/build/bfd/../../bfd/libbfd.c:1351:10
    #4 0x65d7e8 in _bfd_elf_set_section_contents
/home/binutils-gdb/build/bfd/../../bfd/elf.c:10008:10
    #5 0x577028 in bfd_set_section_contents
/home/binutils-gdb/build/bfd/../../bfd/section.c:1527:7
    #6 0x4e474f in copy_section
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:4677:12
    #7 0x4da989 in copy_object
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:3408:10
    #8 0x4d4540 in copy_file
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:4028:10
    #9 0x4cf4b0 in copy_main
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:6187:3
    #10 0x4cadef in main
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:6291:5
    #11 0x7f2149ab0082 in __libc_start_main
/build/glibc-FcRMwW/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41c58d in _start (/home/binutils-gdb/build/binutils/objcopy+0x41c58d)

0x6020000000b1 is located 0 bytes to the right of 1-byte region
[0x6020000000b0,0x6020000000b1)
allocated by thread T0 here:
    #0 0x498d3d in __interceptor_malloc
(/home/binutils-gdb/build/binutils/objcopy+0x498d3d)
    #1 0x569342 in bfd_malloc
/home/binutils-gdb/build/bfd/../../bfd/libbfd.c:291:9
    #2 0x5561e1 in bfd_get_full_section_contents
/home/binutils-gdb/build/bfd/../../bfd/compress.c:744:21
    #3 0x4e3eca in copy_section
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:4610:12
    #4 0x4da989 in copy_object
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:3408:10
    #5 0x4d4540 in copy_file
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:4028:10
    #6 0x4cf4b0 in copy_main
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:6187:3
    #7 0x4cadef in main
/home/binutils-gdb/build/binutils/../../binutils/objcopy.c:6291:5
    #8 0x7f2149ab0082 in __libc_start_main
/build/glibc-FcRMwW/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/binutils-gdb/build/binutils/objcopy+0x43682d) in __interceptor_fwrite
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8010: fa fa 00 01 fa fa[01]fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==64150==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to