29988 – AddressSanitizer: heap-buffer-overflow /binutils-gdb/bfd/libbfd.c:784 in bfd_getl64

Bug 29988 - AddressSanitizer: heap-buffer-overflow /binutils-gdb/bfd/libbfd.c:784 in bfd_getl64

Summary: AddressSanitizer: heap-buffer-overflow /binutils-gdb/bfd/libbfd.c:784 in bfd_...

Status:	RESOLVED FIXED

Alias:	None

Product:	binutils
Classification:	Unclassified
Component:	binutils (show other bugs)
Version:	2.40

Importance:	P2 normal
Target Milestone:	---
Assignee:	Nick Clifton

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-01-11 10:00 UTC by 曾思維
Modified:	2023-03-23 16:20 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:	2023-01-11 00:00:00

Attachments
Generated by my fuzzer and afl-tmin (598 bytes, application/octet-stream) 2023-01-11 10:00 UTC, 曾思維	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description 曾思維 2023-01-11 10:00:01 UTC

Created attachment 14574 [details]
Generated by my fuzzer and afl-tmin

# version

$ ./binutils-gdb_asan/binutils/objdump --version
GNU objdump (GNU Binutils) 2.40.50.20230110
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# git log

$ git log --oneline -1
aefebe82dc8 (HEAD -> master, origin/master, origin/HEAD) IBM zSystems: Fix offset relative to static TLS

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ mv binutils-gdb binutils-gdb_asan
$ cd binutils-gdb_asan
$ ./configure CFLAGS='-fsanitize=address -g3' CXXFALGS='-fsanitize=address -g3'
$ make

---------------------------------------------------------------------
# ASAN report

$ ./binutils-gdb_asan/binutils/objdump -S poc
BFD: warning: poc has a section extending past end of file

poc:     file format elf64-x86-64


Disassembly of section abbrev:

3030303030303030 <abbrev>:
BFD: DWARF error: can't find .debug_str section.
BFD: DWARF error: can't find .debug_str section.
BFD: DWARF error: can't find .debug_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: can't find .debug_line_str section.
BFD: DWARF error: mangled line number section (bad file number)
BFD: DWARF error: mangled line number section (bad file number)
=================================================================
==3970096==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000017f at pc 0x5573ee01c8cc bp 0x7fff9bcf2f50 sp 0x7fff9bcf2f40
READ of size 1 at 0x60300000017f thread T0
    #0 0x5573ee01c8cb in bfd_getl64 /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:784
    #1 0x5573ee16bef2 in read_indexed_address dwarf2.c:1431
    #2 0x5573ee16dc6a in read_attribute_value dwarf2.c:1669
    #3 0x5573ee16e004 in read_attribute dwarf2.c:1711
    #4 0x5573ee1783c7 in scan_unit_for_symbols dwarf2.c:3973
    #5 0x5573ee17c2c4 in comp_unit_maybe_decode_line_info dwarf2.c:4721
    #6 0x5573ee17bf03 in comp_unit_find_nearest_line dwarf2.c:4679
    #7 0x5573ee182273 in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5991
    #8 0x5573ee0d4de3 in _bfd_elf_find_nearest_line_with_alt /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338
    #9 0x5573ee0d4c72 in _bfd_elf_find_nearest_line /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315
    #10 0x5573edec9d8b in show_line objdump.c:2180
    #11 0x5573edecf759 in disassemble_bytes objdump.c:3339
    #12 0x5573eded37f3 in disassemble_section objdump.c:4050
    #13 0x5573ee024bbc in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
    #14 0x5573eded4767 in disassemble_data objdump.c:4194
    #15 0x5573ededc530 in dump_bfd objdump.c:5676
    #16 0x5573ededc807 in display_object_bfd objdump.c:5739
    #17 0x5573ededcb38 in display_any_bfd objdump.c:5825
    #18 0x5573ededcbb2 in display_file objdump.c:5846
    #19 0x5573edede4db in main objdump.c:6254
    #20 0x7f755d389082 in __libc_start_main ../csu/libc-start.c:308
    #21 0x5573edec23bd in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b3bd)

0x60300000017f is located 2 bytes to the right of 29-byte region [0x603000000160,0x60300000017d)
allocated by thread T0 here:
    #0 0x7f755d66a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5573ee01b6aa in bfd_malloc /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:289
    #2 0x5573ee168ad5 in read_section dwarf2.c:734
    #3 0x5573ee16bae7 in read_indexed_address dwarf2.c:1412
    #4 0x5573ee16dc6a in read_attribute_value dwarf2.c:1669
    #5 0x5573ee16e004 in read_attribute dwarf2.c:1711
    #6 0x5573ee1783c7 in scan_unit_for_symbols dwarf2.c:3973
    #7 0x5573ee17c2c4 in comp_unit_maybe_decode_line_info dwarf2.c:4721
    #8 0x5573ee17bf03 in comp_unit_find_nearest_line dwarf2.c:4679
    #9 0x5573ee182273 in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5991
    #10 0x5573ee0d4de3 in _bfd_elf_find_nearest_line_with_alt /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338
    #11 0x5573ee0d4c72 in _bfd_elf_find_nearest_line /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315
    #12 0x5573edec9d8b in show_line objdump.c:2180
    #13 0x5573edecf759 in disassemble_bytes objdump.c:3339
    #14 0x5573eded37f3 in disassemble_section objdump.c:4050
    #15 0x5573ee024bbc in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
    #16 0x5573eded4767 in disassemble_data objdump.c:4194
    #17 0x5573ededc530 in dump_bfd objdump.c:5676
    #18 0x5573ededc807 in display_object_bfd objdump.c:5739
    #19 0x5573ededcb38 in display_any_bfd objdump.c:5825
    #20 0x5573ededcbb2 in display_file objdump.c:5846
    #21 0x5573edede4db in main objdump.c:6254
    #22 0x7f755d389082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:784 in bfd_getl64
Shadow bytes around the buggy address:
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8010: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fff8020: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00[05]
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3970096==ABORTING

Comment 1 Sourceware Commits 2023-01-11 12:13:03 UTC

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11d171f1910b508a81d21faa087ad1af573407d8

commit 11d171f1910b508a81d21faa087ad1af573407d8
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 11 12:12:25 2023 +0000

    Fix a potential illegal memory access in the BFD library when parsing a corrupt DWARF file.
    
            PR 29988
            * dwarf2.c (read_indexed_address): Fix check for an out of range
            offset.

Comment 2 Sourceware Commits 2023-01-11 12:14:19 UTC

The binutils-2_40-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3e307d538c351aa9327cbad672c884059ecc20dd

commit 3e307d538c351aa9327cbad672c884059ecc20dd
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 11 12:13:46 2023 +0000

    Fix a potential illegal memory access in the BFD library when parsing a corrupt DWARF file.
    
            PR 29988
            * dwarf2.c (read_indexed_address): Fix check for an out of range
            offset.

Comment 3 Nick Clifton 2023-01-11 12:16:03 UTC

Hi,

  Thanks for reporting this bug.  There was a check in the read_indexed_address() function for a buffer overflow, but it was testing against the wrong size field.  I have checked in a small patch to fix this.

Cheers
  Nick

Comment 4 曾思維 2023-03-23 16:20:27 UTC

use CVE-2023-1579