<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/55762>55762</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            heap-overflow in llvm::support::endian::read
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          sleicasper
      </td>
    </tr>
</table>

<pre>
    
## desc
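There is a heap-based buffer overflow in llvm::support::endian::read before version 14.0.4. Per the ASan report below, it is an out-of-bounds READ of size 4 that starts 2 bytes past the end of the 2985-byte heap buffer holding the input file. llvm-nm reaches it through ELFFile::getSectionName (ELF.h:1170) while resolving the section name for a symbol. The read helper takes only a raw pointer and no length, so the missing bounds validation is presumably in the ELF section-header handling of its callers rather than in Endian.h itself.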

## asan output
```
=================================================================
==2924118==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000c2b at pc 0x000000db2891 bp 0x7ffcb836f070 sp 0x7ffcb836f068
READ of size 4 at 0x61f000000c2b thread T0
    #0 0xdb2890 in unsigned int llvm::support::endian::read<unsigned int, 1ul>(void const*, llvm::support::endianness) /llvm/source/SRC/llvm/include/llvm/Support/Endian.h:66:3
    #1 0xdb2890 in unsigned int llvm::support::endian::read<unsigned int, (llvm::support::endianness)1, 1ul>(void const*) /llvm/source/SRC/llvm/include/llvm/Support/Endian.h:77:10
    #2 0xdb2890 in llvm::support::detail::packed_endian_specific_integral<unsigned int, (llvm::support::endianness)1, 1ul, 1ul>::operator unsigned int() const /llvm/source/SRC/llvm/include/llvm/Support/Endian.h:216:12
    #3 0xdb2890 in llvm::object::ELFFile<llvm::object::ELFType<(llvm::support::endianness)1, true> >::getSectionName(llvm::object::Elf_Shdr_Impl<llvm::object::ELFType<(llvm::support::endianness)1, true> > const&, llvm::StringRef) const /llvm/source/SRC/llvm/include/llvm/Object/ELF.h:1170:21
    #4 0xdb1374 in llvm::object::ELFFile<llvm::object::ELFType<(llvm::support::endianness)1, true> >::getSectionName(llvm::object::Elf_Shdr_Impl<llvm::object::ELFType<(llvm::support::endianness)1, true> > const&, llvm::function_ref<llvm::Error (llvm::Twine const&)>) const /llvm/source/SRC/llvm/include/llvm/Object/ELF.h:1164:10
    #5 0xd94476 in llvm::object::ELFObjectFile<llvm::object::ELFType<(llvm::support::endianness)1, true> >::getSectionName(llvm::object::DataRefImpl) const /llvm/source/SRC/llvm/include/llvm/Object/ELFObjectFile.h:828:13
    #6 0xd903f5 in llvm::object::SectionRef::getName() const /llvm/source/SRC/llvm/include/llvm/Object/ObjectFile.h:457:24
    #7 0xd903f5 in llvm::object::ELFObjectFile<llvm::object::ELFType<(llvm::support::endianness)1, true> >::getSymbolName(llvm::object::DataRefImpl) const /llvm/source/SRC/llvm/include/llvm/Object/ELFObjectFile.h:525:27
    #8 0xf55e2d in llvm::object::ObjectFile::printSymbolName(llvm::raw_ostream&, llvm::object::DataRefImpl) const /llvm/source/SRC/llvm/lib/Object/ObjectFile.cpp:70:30
    #9 0x53e818 in llvm::object::BasicSymbolRef::printName(llvm::raw_ostream&) const /llvm/source/SRC/llvm/include/llvm/Object/SymbolicFile.h:201:24
    #10 0x53e818 in getSymbolNamesFromObject(llvm::object::SymbolicFile&, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> >&) /llvm/source/SRC/llvm/tools/llvm-nm/llvm-nm.cpp:1839:25
    #11 0x53e818 in dumpSymbolNamesFromObject(llvm::object::SymbolicFile&, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> >&, bool, bool, llvm::StringRef, llvm::StringRef, llvm::StringRef, bool) /llvm/source/SRC/llvm/tools/llvm-nm/llvm-nm.cpp:1909:8
    #12 0x534903 in dumpSymbolicFile(llvm::object::SymbolicFile*, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> >&, llvm::StringRef) /llvm/source/SRC/llvm/tools/llvm-nm/llvm-nm.cpp:2246:3
    #13 0x50afea in dumpSymbolNamesFromFile(llvm::StringRef) /llvm/source/SRC/llvm/tools/llvm-nm/llvm-nm.cpp:2277:5
    #14 0x5047c8 in std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*std::for_each<__gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*)(llvm::StringRef)>(__gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, __gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*)(llvm::StringRef)))(llvm::StringRef) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_algo.h:3882:2
    #15 0x5047c8 in std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*llvm::for_each<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*)(llvm::StringRef)>(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*)(llvm::StringRef)))(llvm::StringRef) /llvm/source/SRC/llvm/include/llvm/ADT/STLExtras.h:1601:10
    #16 0x5047c8 in main /llvm/source/SRC/llvm/tools/llvm-nm/llvm-nm.cpp:2458:5
    #17 0x7fe3f857a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #18 0x42a9ad in _start (/llvm/source/BUILD/bin/llvm-nm+0x42a9ad)

0x61f000000c2b is located 2 bytes to the right of 2985-byte region [0x61f000000080,0x61f000000c29)
allocated by thread T0 here:
    #0 0x4fbf9f in operator new(unsigned long, std::nothrow_t const&) /fuzz/fuzzdeps/llvm-project-11.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:105:3
    #1 0x12063e4 in llvm::WritableMemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) /llvm/source/SRC/llvm/lib/Support/MemoryBuffer.cpp:294:34
    #2 0x1208456 in llvm::ErrorOr<std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer> > > getOpenFileImpl<llvm::MemoryBuffer>(int, llvm::Twine const&, unsigned long, unsigned long, long, bool, bool) /llvm/source/SRC/llvm/lib/Support/MemoryBuffer.cpp:472:14
    #3 0x1203d60 in llvm::ErrorOr<std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer> > > getFileAux<llvm::MemoryBuffer>(llvm::Twine const&, unsigned long, unsigned long, bool, bool, bool) /llvm/source/SRC/llvm/lib/Support/MemoryBuffer.cpp:260:14
    #4 0x1203273 in llvm::MemoryBuffer::getFile(llvm::Twine const&, bool, bool, bool) /llvm/source/SRC/llvm/lib/Support/MemoryBuffer.cpp:241:10
    #5 0x1203273 in llvm::MemoryBuffer::getFileOrSTDIN(llvm::Twine const&, bool, bool) /llvm/source/SRC/llvm/lib/Support/MemoryBuffer.cpp:153:10
    #6 0x509833 in dumpSymbolNamesFromFile(llvm::StringRef) /llvm/source/SRC/llvm/tools/llvm-nm/llvm-nm.cpp:2253:7
    #7 0x5047c8 in std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*std::for_each<__gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*)(llvm::StringRef)>(__gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, __gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*)(llvm::StringRef)))(llvm::StringRef) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_algo.h:3882:2
    #8 0x5047c8 in std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*llvm::for_each<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*)(llvm::StringRef)>(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::vector<(anonymous namespace)::NMSymbol, std::allocator<(anonymous namespace)::NMSymbol> > (*)(llvm::StringRef)))(llvm::StringRef) /llvm/source/SRC/llvm/include/llvm/ADT/STLExtras.h:1601:10
    #9 0x5047c8 in main /llvm/source/SRC/llvm/tools/llvm-nm/llvm-nm.cpp:2458:5
    #10 0x7fe3f857a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /llvm/source/SRC/llvm/include/llvm/Support/Endian.h:66:3 in unsigned int llvm::support::endian::read<unsigned int, 1ul>(void const*, llvm::support::endianness)
Shadow bytes around the buggy address:
  0x0c3e7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e7fff8180: 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2924118==ABORTING
```

## poc
[poc.zip](https://github.com/llvm/llvm-project/files/8793636/poc.zip)


## reproduce
* clone latest llvm source code from github
* build with address sanitizer
* run `./llvm-nm --debug-syms ./poc`
</pre>