https://sourceware.org/bugzilla/show_bug.cgi?id=22905
            Bug ID: 22905
           Summary: integer overflow in display_debug_ranges
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: luanjunchao at 163 dot com
  Target Milestone: ---

The command I test is "objdump -x -D -S -s -g -e -G --dwarf -t -T -r -R --special-syms --inlines --dwarf-check $POC". The binutils tools are compiled in 32-bit mode.

Part of gdb debugging output:

Program received signal SIGSEGV, Segmentation fault.
byte_get_little_endian (field=0x725e9e0 <error: Cannot access memory at address 0x725e9e0>, size=8) at /work/binutils-gdb/binutils/elfcomm.c:209
209       return ((elf_vma) (field[0]))
(gdb) bt
#0  byte_get_little_endian (field=0x725e9e0 <error: Cannot access memory at address 0x725e9e0>, size=8) at /work/binutils-gdb/binutils/elfcomm.c:209
#1  0x08054311 in display_debug_ranges_list (start=0x725e9e0 <error: Cannot access memory at address 0x725e9e0>, finish=0x825ebf0 "", pointer_size=8, offset=4278190080, base_address=0) at /work/binutils-gdb/binutils/dwarf.c:6541
#2  0x0805fa10 in display_debug_ranges (section=0x824b960 <debug_displays+1024>, file=0x8257058) at /work/binutils-gdb/binutils/dwarf.c:6831
#3  0x08052ce9 in dump_dwarf_section (abfd=0x8257058, section=0x825c820, arg=0x0) at /work/binutils-gdb/binutils/objdump.c:2671

It's clear that there is something wrong with display_debug_ranges. Here is a snippet of function display_debug_ranges.

6801:   offset = range_entry->ranges_offset;
6802:   next = section_begin + offset;
....
6828:   start = next;
6829:   last_start = next;
6830:
6831:   (is_rnglists ? display_debug_rnglists_list : display_debug_ranges_list)
6832:     (start, finish, pointer_size, offset, base_address);

(gdb) p/x *range_entry
$7 = {ranges_offset = 0xff000000, debug_info_p = 0x825e4b8}
(gdb) p/x section_begin
$4 = 0x825e9e0

We can see that range_entry->ranges_offset is 0xff000000, and section_begin is 0x825e9e0, thus when it executes line 6802 in dwarf.c, integer overflow occurs.

The poc file is https://github.com/skysider/FuzzVuln/blob/master/binutils_objdump_integer_overflow_display_debug_ranges.elf

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
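The arithmetic behind the report, as an added example that is not part of the bug report or of the binutils sources. It takes the addresses printed by gdb above (section_begin 0x825e9e0, finish 0x825ebf0, ranges_offset 0xff000000) and simulates the 32-bit pointer addition at line 6802 with uint32_t so the wrap is well defined rather than undefined behaviour. The function names (add_offset_32, post_add_upper_check_accepts, checked_ranges_offset) and the section-size value derived from finish - section_begin are the example's own assumptions, not binutils code; the checked variant shows the general pattern of validating a file-supplied offset as an integer against the section size before any pointer is formed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from the gdb output in the report (32-bit build of objdump). */
#define SECTION_BEGIN  0x0825e9e0u   /* section_begin */
#define SECTION_FINISH 0x0825ebf0u   /* finish pointer passed in frame #1 */
#define BAD_OFFSET     0xff000000u   /* range_entry->ranges_offset */

/* Simulate "next = section_begin + offset" with 32-bit pointer arithmetic.
 * The true sum 0x1_0725e9e0 does not fit in 32 bits, so the result wraps
 * to 0x0725e9e0, which is exactly the faulting address in the backtrace. */
static uint32_t add_offset_32(uint32_t section_begin, uint32_t offset)
{
    return section_begin + offset;   /* unsigned wrap-around, well defined for uint32_t */
}

/* A bounds check applied after the addition that only tests the upper end
 * ("next < finish") is fooled by the wrap: the wrapped pointer is numerically
 * below finish.  Returns 1 when such a check would (wrongly) accept the offset. */
static int post_add_upper_check_accepts(uint32_t section_begin, uint32_t finish,
                                        uint32_t offset)
{
    uint32_t next = add_offset_32(section_begin, offset);
    return next < finish;
}

/* Hardened form (assumed pattern, not the upstream fix): validate the offset as
 * an integer against the section size before any pointer arithmetic, so an
 * out-of-range pointer is never formed regardless of pointer width.
 * Returns the byte index of the list start, or -1 if the offset is invalid. */
static long checked_ranges_offset(size_t section_size, uint64_t offset)
{
    if (offset >= section_size)
        return -1;
    return (long)offset;
}

int main(void)
{
    size_t section_size = SECTION_FINISH - SECTION_BEGIN;   /* 0x210 bytes here */

    printf("wrapped next        = 0x%08x\n", add_offset_32(SECTION_BEGIN, BAD_OFFSET));
    printf("upper-only check ok = %d\n",
           post_add_upper_check_accepts(SECTION_BEGIN, SECTION_FINISH, BAD_OFFSET));
    printf("checked offset      = %ld\n", checked_ranges_offset(section_size, BAD_OFFSET));
    printf("checked offset 0x10 = %ld\n", checked_ranges_offset(section_size, 0x10));
    return 0;
}
```

The wrapped value reproduces the field=0x725e9e0 that gdb shows, which is why the 32-bit build faults while a 64-bit build would instead form a pointer far past the section. Checking the integer offset against the section size before the addition is the robust option: a check on the pointer after the addition only works if both ends are tested and, in real C rather than this uint32_t simulation, it relies on out-of-bounds pointer arithmetic that the standard leaves undefined.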