https://sourceware.org/bugzilla/show_bug.cgi?id=22894

Bug ID: 22894
Summary: integer overflow in parse_die
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: luanjunchao at 163 dot com
Target Milestone: ---

The command I test is "nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC".

In function parse_die, I find a case which can lead to integer overflow of xptr. Below is part of function parse_die.

    case FORM_BLOCK4:
      if (xptr + 4 <= aDiePtrEnd)
        xptr += bfd_get_32 (abfd, xptr);
      xptr += 4;
      break;

The result of bfd_get_32 can be large and when it's added to xptr, xptr overflows.

Backtrace of gdb:

(gdb) bt
#0  0x08056486 in bfd_getl16 (p=0x206da1) at /work/binutils-gdb/bfd/libbfd.c:583
#1  0x080a0c55 in parse_die (aDieInfo=aDieInfo@entry=0xffffd45c, aDiePtr=<optimized out>, aDiePtrEnd=0x8188026 "\r", abfd=<optimized out>) at /work/binutils-gdb/bfd/dwarf1.c:221
#2  0x080a123c in _bfd_dwarf1_find_nearest_line (abfd=0x817e058, symbols=0x8184de0, section=0x817faa0, offset=160, filename_ptr=0xffffd568, functionname_ptr=0xffffd56c, linenumber_ptr=0xffffd570) at /work/binutils-gdb/bfd/dwarf1.c:541
#3  0x0807fda9 in _bfd_elf_find_nearest_line (abfd=0x817e058, symbols=0x8184de0, section=0x817faa0, offset=160, filename_ptr=0xffffd568, functionname_ptr=0xffffd56c, line_ptr=0xffffd570, discriminator_ptr=0x0) at /work/binutils-gdb/bfd/elf.c:8746
#4  0x0804b279 in print_symbol (abfd=abfd@entry=0x817e058, sym=<optimized out>, ssize=0, archive_bfd=0x0) at /work/binutils-gdb/binutils/nm.c:1009
#5  0x0804b55c in print_symbols (archive_bfd=<optimized out>, size=<optimized out>, symcount=<optimized out>, minisyms=<optimized out>, is_dynamic=<optimized out>, abfd=0x817e058) at /work/binutils-gdb/binutils/nm.c:1089
#6  display_rel_file (abfd=abfd@entry=0x817e058, archive_bfd=archive_bfd@entry=0x0) at /work/binutils-gdb/binutils/nm.c:1205
#7  0x0804c67b in display_file (filename=<optimized out>) at /work/binutils-gdb/binutils/nm.c:1325
#8  0x0804a505 in main (argc=11, argv=0xffffd744) at /work/binutils-gdb/binutils/nm.c:1799

The poc file is https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_integer_overflow_parse_die.elf

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
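The defect in the quoted FORM_BLOCK4 case is that the only bound checked is the 4-byte length field; the 32-bit length value read from the file is then added to xptr with no check that those bytes exist before aDiePtrEnd. The following C is an added illustration, not code from the report or from binutils: it redoes the same arithmetic on buffer offsets (so the out-of-range result can be inspected without undefined pointer arithmetic), and beside it puts the bounds check a parser needs. get_le32 is a stand-in for bfd_get_32, and the two byte arrays are constructed samples, not taken from the PoC file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit read; a stand-in for bfd_get_32 so the example needs no libbfd. */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed sample attribute data (not from the PoC file): two well-formed
   block4 values back to back, a 2-byte block followed by a 1-byte block. */
static const unsigned char good_die[] = {
    0x02, 0x00, 0x00, 0x00, 0x11, 0x22,
    0x01, 0x00, 0x00, 0x00, 0x33
};
#define GOOD_DIE_LEN (sizeof good_die)

/* Constructed malformed block: the 4-byte length field fits, but the length
   value (0xFFFFFFF0) is far larger than the 2 bytes that follow it. */
static const unsigned char bad_die[] = {
    0xF0, 0xFF, 0xFF, 0xFF, 0x00, 0x00
};
#define BAD_DIE_LEN (sizeof bad_die)

/* The arithmetic from the report, on offsets instead of raw pointers: the only
   check is that the length field itself fits; the length value is added unchecked,
   so the returned offset may lie far beyond end. */
size_t skip_block4_as_reported(const unsigned char *buf, size_t end, size_t off)
{
    if (off + 4 <= end)
        off += get_le32(buf + off);
    off += 4;
    return off;
}

/* Hardened variant: accept the block only if the length field and the bytes it
   describes both lie inside [off, end). Returns 1 and sets *next on success. */
int skip_block4_checked(const unsigned char *buf, size_t end, size_t off, size_t *next)
{
    if (off > end || end - off < 4)
        return 0;                       /* no room for the length field */
    uint32_t len = get_le32(buf + off);
    size_t remaining = end - (off + 4); /* bytes available after the length field */
    if (len > remaining)
        return 0;                       /* block would run past the end of the DIE */
    *next = off + 4 + len;
    return 1;
}

/* Walk consecutive block4 attributes with the checked skip. Returns the number
   of blocks consumed, or -1 as soon as one is malformed. */
int count_block4_attrs(const unsigned char *buf, size_t end)
{
    size_t off = 0;
    int n = 0;
    while (off < end) {
        if (!skip_block4_checked(buf, end, off, &off))
            return -1;
        n++;
    }
    return n;
}

int main(void)
{
    size_t next;
    printf("good: reported arithmetic -> %zu, checked -> %s, blocks -> %d\n",
           skip_block4_as_reported(good_die, GOOD_DIE_LEN, 0),
           skip_block4_checked(good_die, GOOD_DIE_LEN, 0, &next) ? "ok" : "rejected",
           count_block4_attrs(good_die, GOOD_DIE_LEN));
    printf("bad:  reported arithmetic -> %zu (buffer is only %zu bytes), checked -> %s\n",
           skip_block4_as_reported(bad_die, BAD_DIE_LEN, 0), BAD_DIE_LEN,
           skip_block4_checked(bad_die, BAD_DIE_LEN, 0, &next) ? "ok" : "rejected");
    return 0;
}
```

On the well-formed sample both variants agree. On the malformed sample the reported arithmetic yields an offset of 0xFFFFFFF4, far past a 6-byte buffer (with a real pointer on the 32-bit build in the backtrace that is a wrap-around, which is why the crash surfaces later in bfd_getl16 rather than at the addition), while the checked variant rejects the block because the length exceeds the bytes remaining after the length field.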