https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120537

            Bug ID: 120537
           Summary: Heap Buffer Overflow in liblto_plugin.so triggered via
                    nm
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: lto
          Assignee: unassigned at gcc dot gnu.org
          Reporter: xdcao.cs at gmail dot com
  Target Milestone: ---

Summary

Hello GCC Security Team,
I would like to report a heap buffer overflow vulnerability in the GCC-provided
liblto_plugin.so, which is triggered when invoked by nm (from binutils) using
LTO plugin support.

A heap buffer overflow occurs in liblto_plugin.so during a strncmp() call,
leading to an out-of-bounds read past an allocated heap buffer. This issue can
be reliably reproduced with AddressSanitizer.
The bug appears to be in internal memory management or string handling logic
within the LTO plugin.

Environment
GNU Binutils version: 2.44.50 & master
OS: Ubuntu 22.04.5 LTS


Steps to reproduce
The file POC is a crafted input file (we can share it securely on request) that
triggers the crash.

# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# ./configure --disable-werror --enable-targets=all --enable-gold[=yes]
# make -j64 & make install

root@46b925a575de:# ./nm --plugin /usr/lib/bfd-plugins/liblto_plugin.so POC
=================================================================
==1983516==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6060000001d2 at pc 0x00000043268d bp 0x7ffd3f3fd1e0 sp 0x7ffd3f3fc980
READ of size 2 at 0x6060000001d2 thread T0
    #0 0x43268c in strncmp
(/workspace/new-test/fuzzdir/fz-binutils/fz-nm/nm+0x43268c)
    #1 0x7f89af140b21  (/usr/lib/bfd-plugins/liblto_plugin.so+0xeb21)
    #2 0x7f89af14087e  (/usr/lib/bfd-plugins/liblto_plugin.so+0xe87e)
    #3 0x7f89af13fe90  (/usr/lib/bfd-plugins/liblto_plugin.so+0xde90)
    #4 0x7ef82e in try_claim
/root/this-program/binutils-gdb/build/bfd/../../bfd/plugin.c:497:4
    #5 0x7ee72c in try_load_plugin
/root/this-program/binutils-gdb/build/bfd/../../bfd/plugin.c:608:8
    #6 0x7ede8a in load_plugin
/root/this-program/binutils-gdb/build/bfd/../../bfd/plugin.c:734:12
    #7 0x7ed067 in bfd_plugin_object_p
/root/this-program/binutils-gdb/build/bfd/../../bfd/plugin.c:761:53
    #8 0x5017e2 in bfd_check_format_matches
/root/this-program/binutils-gdb/build/bfd/../../bfd/format.c:497:17
    #9 0x4cd5e8 in display_file
/root/this-program/binutils-gdb/build/binutils/../../binutils/nm.c:1663:12
    #10 0x4cc5c1 in main
/root/this-program/binutils-gdb/build/binutils/../../binutils/nm.c:2181:12
    #11 0x7f89b1e3bd8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f89b1e3be3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x41f5b4 in _start
(/workspace/new-test/fuzzdir/fz-binutils/fz-nm/nm+0x41f5b4)

0x6060000001d2 is located 0 bytes to the right of 50-byte region
[0x6060000001a0,0x6060000001d2)
allocated by thread T0 here:
    #0 0x49a47d in malloc
(/workspace/new-test/fuzzdir/fz-binutils/fz-nm/nm+0x49a47d)
    #1 0x7f89af13c18c in xmalloc (/usr/lib/bfd-plugins/liblto_plugin.so+0xa18c)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/workspace/new-test/fuzzdir/fz-binutils/fz-nm/nm+0x43268c) in strncmp
Shadow bytes around the buggy address:
  0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 05 fa fa fa fa fa
  0x0c0c7fff8010: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8020: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 05
=>0x0c0c7fff8030: fa fa fa fa 00 00 00 00 00 00[02]fa fa fa fa fa
  0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1983516==ABORTING

POC
https://drive.google.com/file/d/1nWTkCqzxdajk451n0G-BYAluMMzqAP9m/view?usp=sharing


Credit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)
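The report above does not identify the plugin code behind the strncmp() over-read; the trace only shows a 50-byte malloc'd region read past its end by strncmp(). The following C program is an added illustration (not code from liblto_plugin.so, binutils, or the reporters) of the defect class that produces exactly this ASan signature: a heap buffer holding a fixed number of bytes with no NUL terminator is passed to a string function that keeps reading until it finds one. The assumption that this is the plugin's root cause is the example's, not the report's. Function names (copy_terminated, prefix_match_unsafe, prefix_match_safe) and the two-byte sample buffer are constructed for the demonstration; it contrasts the vulnerable pattern with two hardened forms, terminating at copy time and bounding the compare by the buffer's real length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (added here; not code from liblto_plugin.so or
 * binutils).  It models the defect class the ASan report shows: a heap
 * buffer that holds exactly `len` bytes and no NUL terminator is handed
 * to a C string function that reads until it finds one.  Whether that is
 * the plugin's actual root cause is an assumption. */

/* Copies `len` bytes of a non-terminated region (e.g. a name read straight
 * out of an object file) into a fresh heap buffer.  The "+ 1" and the
 * explicit terminator are what make the result safe to hand to
 * strncmp()/strcmp() later.  Caller frees. */
char *copy_terminated(const unsigned char *src, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, src, len);
    out[len] = '\0';
    return out;
}

/* Vulnerable pattern: strncmp() bounds the comparison by the *prefix*
 * length, not by the buffer length.  If `buf` is shorter than `prefix`,
 * matches it byte for byte, and has no terminator, strncmp() reads past
 * the end of the allocation.  With -fsanitize=address that is reported as
 * "heap-buffer-overflow ... READ ... in strncmp" with the region
 * "allocated by ... malloc", the same shape as the report in this bug. */
int prefix_match_unsafe(const char *buf, const char *prefix)
{
    return strncmp(buf, prefix, strlen(prefix)) == 0;
}

/* Hardened form: the caller passes the buffer's real length and the
 * comparison is bounded by it first.  No byte beyond buf[len - 1] is
 * ever read, terminator or not. */
int prefix_match_safe(const char *buf, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (len < plen)
        return 0;               /* too short to hold the prefix */
    return memcmp(buf, prefix, plen) == 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample: 2 bytes, no terminator, like a field copied out
     * of an input file without the "+ 1". */
    static const unsigned char raw[2] = { 'a', 'b' };
    char *unterminated = malloc(sizeof raw);     /* no room for a NUL */
    if (unterminated == NULL)
        return 1;
    memcpy(unterminated, raw, sizeof raw);

    printf("bounded compare: %d\n",
           prefix_match_safe(unterminated, sizeof raw, "abc"));

    /* Terminated copy: safe even with the naive comparison. */
    char *terminated = copy_terminated(raw, sizeof raw);
    if (terminated == NULL)
        return 1;
    printf("naive compare on terminated copy: %d\n",
           prefix_match_unsafe(terminated, "abc"));

    /* Only on request: build with -fsanitize=address and run with
     * --overflow to see the over-read reported as heap-buffer-overflow. */
    if (argc > 1 && strcmp(argv[1], "--overflow") == 0)
        printf("naive compare on unterminated buffer: %d\n",
               prefix_match_unsafe(unterminated, "abc"));

    free(terminated);
    free(unterminated);
    return 0;
}
```

Compiled with the same flags the report uses (`-g -O0 -fsanitize=address`), the default run prints two zeros and exits cleanly; `./a.out --overflow` reproduces the "READ ... in strncmp" report with a region "0 bytes to the right" of the malloc'd buffer, matching the signature in the trace. The fix in real code is whichever of the two hardened forms matches the data: terminate at allocation time when the buffer is meant to be a C string, or carry the length and use memcmp() when it is not.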
