Heap-buffer-overflow in bfd_getl16

```
==1503783==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000df at pc 0x00000055afb2 bp 0x7fff5fce4bb0 sp 0x7fff5fce4ba8
READ of size 1 at 0x6020000000df thread T0
    #0 0x55afb1 in bfd_getl16 /src/binutils-gdb/bfd/libbfd.c:601:11
    #1 0x9c9830 in _bfd_vms_slurp_egsd /src/binutils-gdb/bfd/vms-alpha.c:1396:18
    #2 0x9c8bb2 in _bfd_vms_slurp_object_records /src/binutils-gdb/bfd/vms-alpha.c:2630:10
    #3 0x9c28ad in alpha_vms_object_p /src/binutils-gdb/bfd/vms-alpha.c:2836:9
    #4 0x5564fb in bfd_check_format_matches /src/binutils-gdb/bfd/format.c:328:14
    #5 0x555d22 in bfd_check_format /src/binutils-gdb/bfd/format.c:94:10
    #6 0x104541c in bfd_generic_archive_p /src/binutils-gdb/bfd/archive.c:920:8
    #7 0x5564fb in bfd_check_format_matches /src/binutils-gdb/bfd/format.c:328:14
    #8 0x555d22 in bfd_check_format /src/binutils-gdb/bfd/format.c:94:10
    #9 0x555ad8 in LLVMFuzzerTestOneInput /src/binutils-gdb/fuzz/fuzz_bfd.c:61:5
    #10 0x45bb83 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #11 0x4472f2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #12 0x44cf96 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #13 0x4764a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7f366a614b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
    #15 0x4231a9 in _start (/root/oss-fuzz/build/out/binutils/fuzz_bfd+0x4231a9)

DEDUP_TOKEN: bfd_getl16--_bfd_vms_slurp_egsd--_bfd_vms_slurp_object_records
0x6020000000df is located 0 bytes to the right of 15-byte region [0x6020000000d0,0x6020000000df)
allocated by thread T0 here:
    #0 0x522ba3 in realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x55aa76 in bfd_realloc /src/binutils-gdb/bfd/libbfd.c:317:9
    #2 0x9c8163 in vms_get_remaining_object_record /src/binutils-gdb/bfd/vms-alpha.c:869:22
    #3 0x9c2822 in alpha_vms_object_p /src/binutils-gdb/bfd/vms-alpha.c:2827:8
    #4 0x5564fb in bfd_check_format_matches /src/binutils-gdb/bfd/format.c:328:14
    #5 0x555d22 in bfd_check_format /src/binutils-gdb/bfd/format.c:94:10
    #6 0x104541c in bfd_generic_archive_p /src/binutils-gdb/bfd/archive.c:920:8
    #7 0x5564fb in bfd_check_format_matches /src/binutils-gdb/bfd/format.c:328:14
    #8 0x555d22 in bfd_check_format /src/binutils-gdb/bfd/format.c:94:10
    #9 0x555ad8 in LLVMFuzzerTestOneInput /src/binutils-gdb/fuzz/fuzz_bfd.c:61:5
    #10 0x45bb83 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #11 0x4472f2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #12 0x44cf96 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #13 0x4764a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7f366a614b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)

DEDUP_TOKEN: realloc--bfd_realloc--vms_get_remaining_object_record
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/binutils-gdb/bfd/libbfd.c:601:11 in bfd_getl16
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8010: fa fa 01 fa fa fa fd fd fa fa 00[07]fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1503783==ABORTING
```

src-openEuler/binutils
Closed

Content Risk Flag

Comments (3)

src-openEuler/binutilsClosed .gitee-modal { width: 500px !important; }

Content Risk Flag