Created attachment 12551 [details] crash test case Hello, I'm currently developing a new fuzzing feature, and I found a crash in size. I downloaded from git master, and I built it with Ubuntu 16.04 with gcc 5.4.0 with ASAN, and the following command to build size from the source: CFLAGS="-O1 -fsanitize=address -U_FORTIFY_SOURCE" ./configure; make clean all; You can reproduce the crash with the following command: ./size <attached file> The AddressSanitizer message of the crash is: ==7401==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014124 at pc 0x000000460d42 bp 0x7ffc2483b3d0 sp 0x7ffc2483b3c0 READ of size 4 at 0x621000014124 thread T0 #0 0x460d41 in bfd_section_from_shdr (/home/cheong/results/crashes/size_crash/size.master_asan+0x460d41) #1 0x4624a5 in bfd_section_from_shdr (/home/cheong/results/crashes/size_crash/size.master_asan+0x4624a5) #2 0x4624a5 in bfd_section_from_shdr (/home/cheong/results/crashes/size_crash/size.master_asan+0x4624a5) #3 0x4f8310 in bfd_elf32_object_p (/home/cheong/results/crashes/size_crash/size.master_asan+0x4f8310) #4 0x418a29 in bfd_check_format_matches (/home/cheong/results/crashes/size_crash/size.master_asan+0x418a29) #5 0x403989 in display_bfd (/home/cheong/results/crashes/size_crash/size.master_asan+0x403989) #6 0x403c11 in display_file (/home/cheong/results/crashes/size_crash/size.master_asan+0x403c11) #7 0x4040ed in main (/home/cheong/results/crashes/size_crash/size.master_asan+0x4040ed) #8 0x7fd86d9ff82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #9 0x402bc8 in _start (/home/cheong/results/crashes/size_crash/size.master_asan+0x402bc8) 0x621000014124 is located 36 bytes inside of 4064-byte region [0x621000014100,0x6210000150e0) freed by thread T0 here: #0 0x7fd86e0452ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca) #1 0x5ae662 in objalloc_free_block (/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae662) previously allocated by thread T0 here: #0 0x7fd86e045602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x5ae3d8 in _objalloc_alloc (/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae3d8) SUMMARY: AddressSanitizer: heap-use-after-free ??:0 bfd_section_from_shdr Shadow bytes around the buggy address: 0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c427fffa820: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffa830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffa840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffa850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffa860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffa870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==7401==ABORTING
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ed02cdb5b78d17429f7e873acc49d94a5a0223d8 commit ed02cdb5b78d17429f7e873acc49d94a5a0223d8 Author: Nick Clifton <nickc@redhat.com> Date: Mon May 18 15:52:03 2020 +0100 Fix a use-after-free bug in the BFD library when scanning a corrupt ELF file. PR 26005 * elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory for the sections_being_created array.
Hi Ahcheong, Thanks for reporting this bug. I have checked in a small patch to fix the problem. Cheers Nick
*** Bug 26008 has been marked as a duplicate of this bug. ***
*** Bug 26009 has been marked as a duplicate of this bug. ***
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6fd1d259e98354236fafd14ec05f3d6a377ede9f commit 6fd1d259e98354236fafd14ec05f3d6a377ede9f Author: Gunther Nikl <gnikl@justmail.de> Date: Tue May 19 17:32:26 2020 +0100 Fix thinko in recent update to bfd_section_from_shdr. PR 26005 * elf.c (bfd_section_from_shdr): Replace bfd_malloc + memset with bfd_zmalloc to allocate memory for the sections_being_created array.
*** Bug 26147 has been marked as a duplicate of this bug. ***
*** Bug 26166 has been marked as a duplicate of this bug. ***