https://sourceware.org/bugzilla/show_bug.cgi?id=29894
Bug ID: 29894
Summary: SEGV of objdump caused by heap-buffer-overflow at
elfcomm.c:149 in byte_get_little_endian()
Product: binutils
Version: 2.39
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 13579and24680 at gmail dot com
Target Milestone: ---
Created attachment 14515
--> https://sourceware.org/bugzilla/attachment.cgi?id=14515&action=edit
Generated by my fuzzer and AFL_TMIN_EXACT=1 afl-tmin
# version
$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.39.50.20221210
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
---------------------------------------------------------------------
# make
$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make
---------------------------------------------------------------------
# crash
$ ./binutils-gdb/binutils/objdump -W poc
./binutils-gdb/binutils/objdump:
pocpoc: file format elf64-x86-64
: invalid string offset
808464432 >= 3321 for section `ld-id'
Contents of the .eh_frame section:
00000000 0000000000000014 00000000 CIE
Version: 1
Augmentation: "zR"
Code alignment factor: 48
Data alignment factor: -8
Return address column: 16
Augmentation data: 1b
DW_CFA_def_cfa: r48 (mm7) ofs 48
DW_CFA_offset: r16 (rip) at cfa-384
DW_CFA_nop
DW_CFA_nop
00000018 0000000000000014 0000001c FDE cie=00000000
pc=000000003030aab0..000000006060dae0
DW_CFA_advance_loc: 192 to 000000003030ab70
DW_CFA_undefined: r16 (rip)
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
00000030 0000000000000024 00000034 FDE cie=00000000
pc=000000003030aac8..000000006060daf8
DW_CFA_def_cfa_offset: 48
DW_CFA_advance_loc: 288 to 000000003030abe8
DW_CFA_def_cfa_offset: 48
DW_CFA_advance_loc: 480 to 000000003030adc8
DW_CFA_def_cfa_expression (DW_OP_breg7 (rsp): 48; DW_OP_breg16 (rip): 48;
DW_OP_lit0; DW_OP_and; DW_OP_lit11; DW_OP_ge; DW_OP_lit3; DW_OP_shl;
DW_OP_lit0)
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
(... too long ignore)
51439: 0000000000000000
51440: 0000000000000000
51441: 0000000000000000
51442: 0000000000000000
51443: 0000000000000000
51444: 0000000000000000
51445: 0000000000000000
51446: 0000000000000000
51447: 0000000000000000
51448: 0000000000000000
51449: 0000000000000000
51450: 0000000000000000
51451: 0000000000000000
51452: 0000000000000000
51453: 0000000000000000
51454: 0000000000000000
51455: 0000000000000000
51456: 0000000000000000
51457: 0000000000000000
51458: 0000000000000000
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV
(Address boundary error)
---------------------------------------------------------------------
# ASAN report
$ ./binutils-gdb_asan_no_fuzz/binutils/objdump -W poc
./binutils-gdb_asan_no_fuzz/binutils/objdump: poc
: invalid string offset 808464432 >= 3321 for section `ld-id'poc: file
format elf64-x86-64
Contents of the .eh_frame section:
00000000 0000000000000014 00000000 CIE
Version: 1
Augmentation: "zR"
Code alignment factor: 48
Data alignment factor: -8
Return address column: 16
Augmentation data: 1b
DW_CFA_def_cfa: r48 (mm7) ofs 48
DW_CFA_offset: r16 (rip) at cfa-384
DW_CFA_nop
DW_CFA_nop
00000018 0000000000000014 0000001c FDE cie=00000000
pc=000000003030aab0..000000006060dae0
DW_CFA_advance_loc: 192 to 000000003030ab70
DW_CFA_undefined: r16 (rip)
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
00000030 0000000000000024 00000034 FDE cie=00000000
pc=000000003030aac8..000000006060daf8
DW_CFA_def_cfa_offset: 48
DW_CFA_advance_loc: 288 to 000000003030abe8
DW_CFA_def_cfa_offset: 48
DW_CFA_advance_loc: 480 to 000000003030adc8
DW_CFA_def_cfa_expression (DW_OP_breg7 (rsp): 48; DW_OP_breg16 (rip): 48;
DW_OP_lit0; DW_OP_and; DW_OP_lit11; DW_OP_ge; DW_OP_lit3; DW_OP_shl;
DW_OP_lit0)
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
00000058 0000000000000014 0000005c FDE cie=00000000
pc=000000003030aaf0..000000006060db20
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
(... too long ignore)
321: 3030303030303030
322: 3030303030303030
323: 3030303030303030
324: 3030303030303030
325: 3030303030303030
326: 3030303030303030
327: 3030303030303030
328: 3030303030303030
329: 3030303030303030
330: 3030303030303030
331: 3030303030303030
332: 3030303030303030
=================================================================
==1262566==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61e000000af1 at pc 0x55b9be28a630 bp 0x7fff76f83aa0 sp 0x7fff76f83a90
READ of size 1 at 0x61e000000af1 thread T0
#0 0x55b9be28a62f in byte_get_little_endian
/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/elfcomm.c:149
#1 0x55b9be22f5f8 in display_debug_addr dwarf.c:7740
#2 0x55b9be1f28c4 in dump_dwarf_section objdump.c:4396
#3 0x55b9be34115d in bfd_map_over_sections
/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/bfd/section.c:1366
#4 0x55b9be1f2af3 in dump_dwarf objdump.c:4434
#5 0x55b9be1f9110 in dump_bfd objdump.c:5636
#6 0x55b9be1f94e5 in display_object_bfd objdump.c:5715
#7 0x55b9be1f9816 in display_any_bfd objdump.c:5801
#8 0x55b9be1f9890 in display_file objdump.c:5822
#9 0x55b9be1fb1b9 in main objdump.c:6230
#10 0x7f5dbd2f2082 in __libc_start_main ../csu/libc-start.c:308
#11 0x55b9be1df39d in _start
(/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/objdump+0x13b39d)
0x61e000000af1 is located 0 bytes to the right of 2673-byte region
[0x61e000000080,0x61e000000af1)
allocated by thread T0 here:
#0 0x7f5dbd5d3808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55b9be5d5b00 in xmalloc xmalloc.c:149
#2 0x55b9be1f19c8 in load_specific_debug_section objdump.c:4216
#3 0x55b9be1f2148 in load_debug_section objdump.c:4317
#4 0x55b9be24e856 in load_separate_debug_files dwarf.c:11929
#5 0x55b9be1f87bd in dump_bfd objdump.c:5520
#6 0x55b9be1f94e5 in display_object_bfd objdump.c:5715
#7 0x55b9be1f9816 in display_any_bfd objdump.c:5801
#8 0x55b9be1f9890 in display_file objdump.c:5822
#9 0x55b9be1fb1b9 in main objdump.c:6230
#10 0x7f5dbd2f2082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/elfcomm.c:149
in byte_get_little_endian
Shadow bytes around the buggy address:
0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1262566==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
