Bug 26166 - Heap use after free in nm
Summary: Heap use after free in nm
Status: RESOLVED DUPLICATE of bug 26005
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.35
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-24 13:39 UTC by Heqing HUANG
Modified: 2020-06-25 04:44 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
POC input (2.40 KB, application/octet-stream)
2020-06-24 13:39 UTC, Heqing HUANG

Description Heqing HUANG 2020-06-24 13:39:43 UTC
Created attachment 12656 [details]
POC input

Hi,

There is a heap UAF in nm, in the bfd module.

Here is my environment:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.6 LTS"

To reproduce, compile with CFLAGS=-fsanitize=address,
then run:
nm input

This is the bug trace reported by ASAN:
=================================================================
==120174==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000016d5c at pc 0x000000538f3b bp 0x7fffe339c6c0 sp 0x7fffe339c6b0
WRITE of size 4 at 0x621000016d5c thread T0
    #0 0x538f3a in bfd_section_from_shdr ../../bfd/elf.c:2604
    #1 0x6e9c8c in bfd_elf32_object_p ../../bfd/elfcode.h:815
    #2 0x450216 in bfd_check_format_matches ../../bfd/format.c:328
    #3 0x412978 in display_file ../../binutils/nm.c:1375
    #4 0x4081a7 in main ../../binutils/nm.c:1860
    #5 0x7efdc018982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x40a248 in _start (/mnt/data/playground/binutils-2.34-a/build/binutils/nm-new+0x40a248)

0x621000016d5c is located 1116 bytes inside of 4064-byte region [0x621000016900,0x6210000178e0)
freed by thread T0 here:
    #0 0x7efdc07cf32a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x93b4e1 in objalloc_free_block ../../libiberty/objalloc.c:248

previously allocated by thread T0 here:
    #0 0x7efdc07cf662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x93ab49 in _objalloc_alloc ../../libiberty/objalloc.c:159

SUMMARY: AddressSanitizer: heap-use-after-free ../../bfd/elf.c:2604 bfd_section_from_shdr
==120174==ABORTING
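A small triage helper for ASAN reports like the one above, added here as an example (it is not part of this bug report or of binutils). It takes a trimmed copy of the trace as constructed sample input and extracts the bug kind, the faulting access, and the first project-code frame of the use, free and allocation stacks, skipping libasan/libc interceptor frames so the summary points straight at bfd/libiberty code:

```python
import re

# Trimmed excerpt of the ASAN trace from this bug report, used as constructed sample input.
SAMPLE_REPORT = """\
==120174==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000016d5c at pc 0x000000538f3b
WRITE of size 4 at 0x621000016d5c thread T0
    #0 0x538f3a in bfd_section_from_shdr ../../bfd/elf.c:2604
    #1 0x6e9c8c in bfd_elf32_object_p ../../bfd/elfcode.h:815
freed by thread T0 here:
    #0 0x7efdc07cf32a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x93b4e1 in objalloc_free_block ../../libiberty/objalloc.c:248
previously allocated by thread T0 here:
    #0 0x7efdc07cf662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x93ab49 in _objalloc_alloc ../../libiberty/objalloc.c:159
"""

HEADER = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)")
SECTION = re.compile(r"^(freed by|previously allocated by) thread")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_asan_report(text):
    """Split an ASAN report into its bug kind, faulting access and the three stacks."""
    info = {"kind": None, "address": None, "access": None, "size": 0,
            "stacks": {"use": [], "free": [], "alloc": []}}
    current = "use"  # frames before any 'freed by' / 'allocated by' header belong to the bad access
    for line in text.splitlines():
        if m := HEADER.match(line):
            info["kind"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
        elif m := SECTION.match(line):
            current = "free" if m.group(1).startswith("freed") else "alloc"
        elif m := FRAME.match(line):
            info["stacks"][current].append((m.group(1), m.group(2)))
    return info

def first_project_frame(frames):
    """Skip sanitizer and libc interceptor frames so triage points at the project's own code."""
    for func, loc in frames:
        if "libasan" not in loc and "libc.so" not in loc:
            return func, loc
    return None

def triage(text):
    """Summarise a use-after-free report as (function, file:line) for use, free and alloc."""
    info = parse_asan_report(text)
    summary = {"kind": info["kind"], "access": f"{info['access']} of {info['size']} bytes at {info['address']}"}
    summary.update({k: first_project_frame(v) for k, v in info["stacks"].items()})
    return summary
```

Running `triage(SAMPLE_REPORT)` on this report yields the write in bfd_section_from_shdr against memory released by objalloc_free_block and originally handed out by _objalloc_alloc, which is the use/free/alloc triple a maintainer needs when matching a new crash against an existing bug such as 26005.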
Comment 1 Alan Modra 2020-06-25 04:44:18 UTC
Already fixed.

*** This bug has been marked as a duplicate of bug 26005 ***