https://sourceware.org/bugzilla/show_bug.cgi?id=23771
Bug ID: 23771
Summary: A memory exhaustion problem in program objdump via a crafted ELF file
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: wcventure at 126 dot com
Target Milestone: ---

Created attachment 11323
--> https://sourceware.org/bugzilla/attachment.cgi?id=11323&action=edit
POC_MEM_EXHAU

Hi, there.

We are doing research on fuzz testing. Our fuzzer caught a memory exhaustion problem in the program objdump of the latest binutils (v2.31.1) code base. A crafted ELF file can cause memory allocations corresponding to large length values. I have confirmed it with AddressSanitizer too.

Please use "./objdump -xg -W $POC" to reproduce the bug.

If you have any questions, please let me know.

ASAN dumps the stack trace as follows:

objdump: error message was: Memory exhausted
==14605==ERROR: AddressSanitizer failed to allocate 0x1000003000 (68719489024) bytes of LargeMmapAllocator (error code: 12)
==14605==Process memory map follows:
...
==14605==End of process memory map.
==14605==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c2bed in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (binutils_gdb/build/bin/objdump+0x4c2bed)
    #1 0x4c9813 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (binutils_gdb/build/bin/objdump+0x4c9813)
    #2 0x4c9a01 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (binutils_gdb/build/bin/objdump+0x4c9a01)
    #3 0x4d2972 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (binutils_gdb/build/bin/objdump+0x4d2972)
    #4 0x41f5ff in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (binutils_gdb/build/bin/objdump+0x41f5ff)
    #5 0x4b95c1 in malloc (binutils_gdb/build/bin/objdump+0x4b95c1)
    #6 0x26935ff in _objalloc_alloc binutils_gdb/libiberty/./objalloc.c:143:22
    #7 0xb1996e in bfd_alloc binutils_gdb/bfd/opncls.c:949:9
    #8 0xeb464a in bfd_elf64_slurp_reloc_table binutils_gdb/bfd/./elfcode.h:1556:25
    #9 0x10fb2f2 in _bfd_elf_canonicalize_reloc binutils_gdb/bfd/elf.c:8231:9
    #10 0xa2bce5 in bfd_canonicalize_reloc binutils_gdb/bfd/bfd.c:1359:10
    #11 0x21a7623 in bfd_generic_get_relocated_section_contents binutils_gdb/bfd/reloc.c:8297:17
    #12 0xa373c7 in bfd_get_relocated_section_contents binutils_gdb/bfd/bfd.c:1926:10
    #13 0xb45b58 in bfd_simple_get_relocated_section_contents binutils_gdb/bfd/simple.c:264:14
    #14 0x4ee41c in load_specific_debug_section binutils_gdb/binutils/./objdump.c:2529:13
    #15 0x520386 in dump_dwarf_section binutils_gdb/binutils/./objdump.c:2691:6
    #16 0xb3cfb7 in bfd_map_over_sections binutils_gdb/bfd/section.c:1374:5
    #17 0x513470 in dump_dwarf binutils_gdb/binutils/./objdump.c:2774:3
    #18 0x50155f in dump_bfd binutils_gdb/binutils/./objdump.c:3627:5
    #19 0x4fa7d3 in display_object_bfd binutils_gdb/binutils/./objdump.c:3714:7
    #20 0x4fa7d3 in display_any_bfd binutils_gdb/binutils/./objdump.c:3783
    #21 0x4f6c61 in display_file binutils_gdb/binutils/./objdump.c:3804:3
    #22 0x4f6c61 in main binutils_gdb/binutils/./objdump.c:4106
    #23 0x7f5a6cce582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #24 0x4194d8 in _start (binutils_gdb/build/bin/objdump+0x4194d8)
Aborted

--
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
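The trace above ends with bfd_alloc being asked for 0x1000003000 bytes inside bfd_elf64_slurp_reloc_table, a size derived from relocation-table length fields in the crafted file. As an added example (not code from binutils or from the reporter), the check below shows what a reader of an ELF64 RELA section header should verify before sizing its in-memory table: the section must lie within the file, and the entry count must not overflow the allocation size. RELA_ENTSIZE is the 24-byte on-disk entry; MEM_PER_RELOC and the sample header values are constructed stand-ins, not libbfd's real figures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed constants: Elf64_Rela is 24 bytes on disk; the per-entry
   in-memory cost is a hypothetical stand-in for libbfd's sizeof (arelent). */
#define RELA_ENTSIZE   24u
#define MEM_PER_RELOC  48u

/* Validate a RELA section header against the file it was read from.
   Returns the entry count and stores the bytes a reader may allocate;
   returns 0 and sets *err when the header cannot be backed by file bytes,
   so a fabricated length never reaches malloc. */
uint64_t checked_reloc_count(uint64_t sh_offset, uint64_t sh_size,
                             uint64_t sh_entsize, uint64_t file_size,
                             uint64_t *alloc_bytes, const char **err)
{
    *err = NULL;
    *alloc_bytes = 0;
    if (sh_entsize != RELA_ENTSIZE) {
        *err = "unexpected sh_entsize for a RELA section";
        return 0;
    }
    if (sh_size % sh_entsize != 0) {
        *err = "sh_size is not a multiple of sh_entsize";
        return 0;
    }
    /* The section body must fit inside the file; a sh_size of 0x1000003000
       in a few-KiB input fails here instead of sizing an allocation. */
    if (sh_offset > file_size || sh_size > file_size - sh_offset) {
        *err = "relocation section extends past end of file";
        return 0;
    }
    uint64_t count = sh_size / sh_entsize;
    if (count > UINT64_MAX / MEM_PER_RELOC) {
        *err = "in-memory relocation table size overflows";
        return 0;
    }
    *alloc_bytes = count * MEM_PER_RELOC;
    return count;
}

int main(void)
{
    const char *err;
    uint64_t bytes;
    /* Constructed headers: a sane section, then an oversized one, in a 4 KiB file. */
    uint64_t n = checked_reloc_count(64, 240, 24, 4096, &bytes, &err);
    printf("accepted: %llu relocs, %llu bytes\n", (unsigned long long)n, (unsigned long long)bytes);
    checked_reloc_count(64, 0x1000003000ULL, 24, 4096, &bytes, &err);
    printf("rejected: %s\n", err);
    return 0;
}
```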