Submission #769772: rui314 mold mold 2.40.4 and main-branch Heap-based Buffer Overflow

Title: rui314 mold mold 2.40.4 and main-branch Heap-based Buffer Overflow
Description:

### Description

The crash occurs within mold::ObjectFile<mold::X86_64>::initialize_sections at src/input-files.cc:496. The AddressSanitizer report indicates a READ of size 8 occurring significantly past the end of an allocated region (1376 bytes after a 112-byte region). This likely happens when processing a crafted object file.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Reproduce

1. Build mold with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0209/blob/main/mo1/repro):

```
./build/mold -r repro
```

<details>
<summary>ASAN report</summary>

```
==1931536==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50b000000820 at pc 0x6474de7c7289 bp 0x7fff8b310990 sp 0x7fff8b310988
READ of size 8 at 0x50b000000820 thread T0
    #0 0x6474de7c7288 in std::__uniq_ptr_impl<mold::InputSection<mold::X86_64>, std::default_delete<mold::InputSection<mold::X86_64>>>::_M_ptr() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:199:51
    #1 0x6474de7c7288 in std::unique_ptr<mold::InputSection<mold::X86_64>, std::default_delete<mold::InputSection<mold::X86_64>>>::get() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:470:21
    #2 0x6474de7c7288 in std::unique_ptr<mold::InputSection<mold::X86_64>, std::default_delete<mold::InputSection<mold::X86_64>>>::operator bool() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:487:16
    #3 0x6474de7c7288 in mold::ObjectFile<mold::X86_64>::initialize_sections(mold::Context<mold::X86_64>&) /home/cobot001/src/mold/src/input-files.cc:496:45
    #4 0x6474de7c2646 in mold::ObjectFile<mold::X86_64>::parse(mold::Context<mold::X86_64>&) /home/cobot001/src/mold/src/input-files.cc:897:3
    #5 0x6474df26b7f4 in mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()::operator()() const /home/cobot001/src/mold/src/main.cc:42:37
    #6 0x6474df26b7f4 in tbb::detail::d1::task* tbb::detail::d2::(anonymous namespace)::task_ptr_or_nullptr<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'() const&>(mold::X86_64&&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:131:9
    #7 0x6474df26b7f4 in tbb::detail::d2::function_task<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()>::execute(tbb::detail::d1::execution_data&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:89:21
    #8 0x6474e35777f5 in tbb::detail::d1::task* tbb::detail::r1::task_dispatcher::local_wait_for_all<false, tbb::detail::r1::external_waiter>(tbb::detail::d1::task*, tbb::detail::r1::external_waiter&) build-afl/third-party/tbb/src/tbb/third-party/tbb/src/tbb/task_dispatcher.h

0x50b000000820 is located 1376 bytes after 112-byte region [0x50b000000250,0x50b0000002c0)
allocated by thread T0 here:
    #0 0x6474dd08f4b1 in operator new(unsigned long) (/home/cobot001/src/mold/build-afl/mold+0x52b4b1) (BuildId: f4d038dc2023d54efeb40ed56fcfbdda57d599be)
    #1 0x6474de7f2fe9 in std::__new_allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:151:27
    #2 0x6474de7f2fe9 in std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>::allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/allocator.h:198:32
    #3 0x6474de7f2fe9 in std::allocator_traits<std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>>::allocate(std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:482:20
    #4 0x6474de7f2fe9 in std::_Vector_base<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>, std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>>::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_vector.h:381:20
    #5 0x6474de7f2fe9 in std::vector<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>, std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>>::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/vector.tcc:663:34
    #6 0x6474de7c2007 in mold::ObjectFile<mold::X86_64>::parse(mold::Context<mold::X86_64>&) /home/cobot001/src/mold/src/input-files.cc:882:22
    #7 0x6474df26b7f4 in mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()::operator()() const /home/cobot001/src/mold/src/main.cc:42:37
    #8 0x6474df26b7f4 in tbb::detail::d1::task* tbb::detail::d2::(anonymous namespace)::task_ptr_or_nullptr<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'() const&>(mold::X86_64&&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:131:9
    #9 0x6474df26b7f4 in tbb::detail::d2::function_task<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()>::execute(tbb::detail::d1::execution_data&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:89:21
    #10 0x6474e35777f5 in tbb::detail::d1::task* tbb::detail::r1::task_dispatcher::local_wait_for_all<false, tbb::detail::r1::external_waiter>(tbb::detail::d1::task*, tbb::detail::r1::external_waiter&) build-afl/third-party/tbb/src/tbb/third-party/tbb/src/tbb/task_dispatcher.h

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/cobot001/src/mold/src/input-files.cc:496:45 in mold::ObjectFile<mold::X86_64>::initialize_sections(mold::Context<mold::X86_64>&)
Shadow bytes around the buggy address:
  0x50b000000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000000600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000000680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000000700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000000780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x50b000000800: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x50b000000880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000000900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000000980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1931536==ABORTING
```

</details>
Source: https://github.com/rui314/mold/issues/1548
User: Oneafter (UID 92781)
Submitted: 2026-03-02 04:04 (2 months ago)
Moderated: 2026-03-11 17:55 (10 days later)
Status: Accepted
VulDB Entry: 350476 [rui314 mold up to 2.40.4 Object File src/input-files.cc initialize_sections buffer overflow]
Points: 20
