[Bug binutils/27289] New: Undefined negation/ Negation Overflow in _bfd_doprnt_scan() potentially crashing on some systems

Sat, 30 Jan 2021 19:39:32 -0800 

https://sourceware.org/bugzilla/show_bug.cgi?id=27289

            Bug ID: 27289
           Summary: Undefined negation/ Negation Overflow in
                    _bfd_doprnt_scan() potentially crashing on some
                    systems
           Product: binutils
           Version: 2.36
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dennis.r at columbia dot edu
  Target Milestone: ---

Created attachment 13180
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13180&action=edit
poc

= Attachment = 
./poc

= Reproduce =
Compile with ./configure -enable=avr
objdump --private=mem-usage poc

= Location =
../bfd/bfd.c:1169
../bfd/bfd.c:928

= Description =
Variable arg_no is statically assigned to an undefined value (-1u)      which
is undefined.

= UBSan =
../../bfd/bfd.c:1169:13: runtime error: negation of 1 cannot be represented in
type 'unsigned int'

./objdump: warning: ../../bfd/bfd.c:928:13: runtime error: negation of 1 cannot
be represented in type 'unsigned int'

= Stack Trace =
Breakpoint 1, error_handler_internal (fmt=<optimized out>, ap=<optimized out>)
at ../../bfd/bfd.c:1169
1169              arg_no = -1u;
(gdb) bt
#0  error_handler_internal (fmt=<optimized out>, ap=<optimized out>) at
../../bfd/bfd.c:1169
#1  0x0000000000b3da50 in _bfd_error_handler (fmt=<optimized out>) at
../../bfd/bfd.c:1411
#2  0x0000000000d65911 in bfd_elf32_object_p (abfd=<optimized out>) at
../../bfd/elfcode.h:819
#3  0x0000000000b56b8e in bfd_check_format_matches (abfd=<optimized out>,
format=<optimized out>, matching=<optimized out>) at ../../bfd/format.c:343
#4  0x000000000041b2a0 in display_object_bfd (abfd=0x37c5c90) at
../../binutils/objdump.c:5006
#5  display_any_bfd (file=0x37c5c90, level=0) at ../../binutils/objdump.c:5098
#6  0x000000000040757d in display_file (filename=<optimized out>,
target=<optimized out>, last_file=<optimized out>) at
../../binutils/objdump.c:5119
#7  main (argc=<optimized out>, argv=<optimized out>) at
../../binutils/objdump.c:5467
(gdb) c
Continuing.
../../bfd/bfd.c:1169:13: runtime error: negation of 1 cannot be represented in
type 'unsigned int'
./objdump: warning: ../../bfd/bfd.c:928:13: runtime error: negation of 1 cannot
be represented in type 'unsigned int'
out/master/crashes/id:000002,sig:11,src:000000,op:havoc,rep:16 has a program
header with invalid alignment

= Fix =
Cast to signed type

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to