https://sourceware.org/bugzilla/show_bug.cgi?id=29894
Bug ID: 29894
Summary: SEGV of objdump caused by heap-buffer-overflow at elfcomm.c:149 in byte_get_little_endian()
Product: binutils
Version: 2.39
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 13579and24680 at gmail dot com
Target Milestone: ---

Created attachment 14515
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14515&action=edit
Generated by my fuzzer and AFL_TMIN_EXACT=1 afl-tmin

# version
$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.39.50.20221210
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
---------------------------------------------------------------------
# make
$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make
---------------------------------------------------------------------
# crash
$ ./binutils-gdb/binutils/objdump -W poc
./binutils-gdb/binutils/objdump: pocpoc: file format elf64-x86-64
: invalid string offset 808464432 >= 3321 for section `ld-id'

Contents of the .eh_frame section:

00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48
  Data alignment factor: -8
  Return address column: 16
  Augmentation data:     1b
  DW_CFA_def_cfa: r48 (mm7) ofs 48
  DW_CFA_offset: r16 (rip) at cfa-384
  DW_CFA_nop
  DW_CFA_nop

00000018 0000000000000014 0000001c FDE cie=00000000 pc=000000003030aab0..000000006060dae0
  DW_CFA_advance_loc: 192 to 000000003030ab70
  DW_CFA_undefined: r16 (rip)
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop

00000030 0000000000000024 00000034 FDE cie=00000000 pc=000000003030aac8..000000006060daf8
  DW_CFA_def_cfa_offset: 48
  DW_CFA_advance_loc: 288 to 000000003030abe8
  DW_CFA_def_cfa_offset: 48
  DW_CFA_advance_loc: 480 to 000000003030adc8
  DW_CFA_def_cfa_expression (DW_OP_breg7 (rsp): 48; DW_OP_breg16 (rip): 48; DW_OP_lit0; DW_OP_and; DW_OP_lit11; DW_OP_ge; DW_OP_lit3; DW_OP_shl; DW_OP_lit0)
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop

(... too long ignore)
    51439: 0000000000000000
    51440: 0000000000000000
    51441: 0000000000000000
    51442: 0000000000000000
    51443: 0000000000000000
    51444: 0000000000000000
    51445: 0000000000000000
    51446: 0000000000000000
    51447: 0000000000000000
    51448: 0000000000000000
    51449: 0000000000000000
    51450: 0000000000000000
    51451: 0000000000000000
    51452: 0000000000000000
    51453: 0000000000000000
    51454: 0000000000000000
    51455: 0000000000000000
    51456: 0000000000000000
    51457: 0000000000000000
    51458: 0000000000000000
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error)
---------------------------------------------------------------------
# ASAN report
$ ./binutils-gdb_asan_no_fuzz/binutils/objdump -W poc
./binutils-gdb_asan_no_fuzz/binutils/objdump: poc : invalid string offset 808464432 >= 3321 for section `ld-id'poc: file format elf64-x86-64

Contents of the .eh_frame section:

00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48
  Data alignment factor: -8
  Return address column: 16
  Augmentation data:     1b
  DW_CFA_def_cfa: r48 (mm7) ofs 48
  DW_CFA_offset: r16 (rip) at cfa-384
  DW_CFA_nop
  DW_CFA_nop

00000018 0000000000000014 0000001c FDE cie=00000000 pc=000000003030aab0..000000006060dae0
  DW_CFA_advance_loc: 192 to 000000003030ab70
  DW_CFA_undefined: r16 (rip)
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop

00000030 0000000000000024 00000034 FDE cie=00000000 pc=000000003030aac8..000000006060daf8
  DW_CFA_def_cfa_offset: 48
  DW_CFA_advance_loc: 288 to 000000003030abe8
  DW_CFA_def_cfa_offset: 48
  DW_CFA_advance_loc: 480 to 000000003030adc8
  DW_CFA_def_cfa_expression (DW_OP_breg7 (rsp): 48; DW_OP_breg16 (rip): 48; DW_OP_lit0; DW_OP_and; DW_OP_lit11; DW_OP_ge; DW_OP_lit3; DW_OP_shl; DW_OP_lit0)
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop

00000058 0000000000000014 0000005c FDE cie=00000000 pc=000000003030aaf0..000000006060db20
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop

(... too long ignore)
    321: 3030303030303030
    322: 3030303030303030
    323: 3030303030303030
    324: 3030303030303030
    325: 3030303030303030
    326: 3030303030303030
    327: 3030303030303030
    328: 3030303030303030
    329: 3030303030303030
    330: 3030303030303030
    331: 3030303030303030
    332: 3030303030303030
=================================================================
==1262566==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000af1 at pc 0x55b9be28a630 bp 0x7fff76f83aa0 sp 0x7fff76f83a90
READ of size 1 at 0x61e000000af1 thread T0
    #0 0x55b9be28a62f in byte_get_little_endian /home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/elfcomm.c:149
    #1 0x55b9be22f5f8 in display_debug_addr dwarf.c:7740
    #2 0x55b9be1f28c4 in dump_dwarf_section objdump.c:4396
    #3 0x55b9be34115d in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/bfd/section.c:1366
    #4 0x55b9be1f2af3 in dump_dwarf objdump.c:4434
    #5 0x55b9be1f9110 in dump_bfd objdump.c:5636
    #6 0x55b9be1f94e5 in display_object_bfd objdump.c:5715
    #7 0x55b9be1f9816 in display_any_bfd objdump.c:5801
    #8 0x55b9be1f9890 in display_file objdump.c:5822
    #9 0x55b9be1fb1b9 in main objdump.c:6230
    #10 0x7f5dbd2f2082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55b9be1df39d in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/objdump+0x13b39d)

0x61e000000af1 is located 0 bytes to the right of 2673-byte region [0x61e000000080,0x61e000000af1)
allocated by thread T0 here:
    #0 0x7f5dbd5d3808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55b9be5d5b00 in xmalloc xmalloc.c:149
    #2 0x55b9be1f19c8 in load_specific_debug_section objdump.c:4216
    #3 0x55b9be1f2148 in load_debug_section objdump.c:4317
    #4 0x55b9be24e856 in load_separate_debug_files dwarf.c:11929
    #5 0x55b9be1f87bd in dump_bfd objdump.c:5520
    #6 0x55b9be1f94e5 in display_object_bfd objdump.c:5715
    #7 0x55b9be1f9816 in display_any_bfd objdump.c:5801
    #8 0x55b9be1f9890 in display_file objdump.c:5822
    #9 0x55b9be1fb1b9 in main objdump.c:6230
    #10 0x7f5dbd2f2082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/elfcomm.c:149 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
  0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1262566==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
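The ASAN report above pins the fault to a 1-byte read at exactly the end of the 2673-byte buffer that load_specific_debug_section malloc'd for the section, reached from display_debug_addr through byte_get_little_endian. The reader in elfcomm.c trusts its caller to have checked that the requested field fits inside the section; when a malformed file makes the table walker step up to or past the end, the read lands in the redzone. The block below is an added example, not code from binutils or from the reporter, showing the general pattern that stops this class of read: a bounds-checked little-endian reader that refuses a field which does not fit in [start, end), and a fixed-width entry walker of the kind that prints the `321: 3030303030303030` lines seen above. The type `section_t`, the functions `get_le`, `get_le_checked`, `dump_entries` and `demo`, and the 13-byte `sample` buffer (one complete 8-byte entry followed by 5 stray bytes, standing in for a truncated table) are all constructed for this example and are not binutils identifiers.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A loaded section as the half-open range [start, end); end is one past the
   last valid byte. Hypothetical type for this example, not binutils' own. */
typedef struct {
    const unsigned char *start;
    const unsigned char *end;
} section_t;

/* Plain little-endian reader. Like any such helper it has no way to know
   where the buffer ends: it trusts the caller that field[0..size) is valid. */
static uint64_t get_le(const unsigned char *field, unsigned int size)
{
    uint64_t v = 0;
    for (unsigned int i = 0; i < size; i++)
        v |= (uint64_t) field[i] << (8 * i);
    return v;
}

/* Bounds-checked wrapper. Returns false and reads nothing when the field
   would not fit, so a malformed size or offset cannot reach past end.
   The comparison is done on sizes, not pointers, so offset + size cannot
   wrap and "succeed" by accident. */
static bool get_le_checked(const section_t *sec, size_t offset,
                           unsigned int size, uint64_t *out)
{
    size_t avail = (size_t) (sec->end - sec->start);
    if (size == 0 || size > sizeof *out)
        return false;                       /* reject absurd field widths */
    if (offset > avail || size > avail - offset)
        return false;                       /* field does not fit in section */
    *out = get_le(sec->start + offset, size);
    return true;
}

/* Walks fixed-width entries from offset to the end of the section, the way
   a .debug_addr-style address table is dumped. Returns the number of complete
   entries read; *trailing receives the number of leftover bytes that did not
   form a full entry. A well-formed table leaves zero; a truncated one does not. */
static size_t dump_entries(const section_t *sec, size_t offset,
                           unsigned int entry_size, size_t *trailing)
{
    size_t n = 0;
    uint64_t val;
    while (get_le_checked(sec, offset, entry_size, &val)) {
        printf("%5zu: %016" PRIx64 "\n", n, val);
        offset += entry_size;
        n++;
    }
    size_t avail = (size_t) (sec->end - sec->start);
    *trailing = offset <= avail ? avail - offset : 0;
    return n;
}

/* Constructed sample, not taken from the poc: one full 8-byte entry of
   0x30 bytes (the same fill the reporter's dump shows) plus 5 stray bytes. */
static const unsigned char sample[13] = {
    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
    0x41, 0x42, 0x43, 0x44, 0x45
};

/* Runs the walker over the sample as 8-byte entries. */
static size_t demo(size_t *trailing)
{
    section_t sec = { sample, sample + sizeof sample };
    return dump_entries(&sec, 0, 8, trailing);
}

int main(void)
{
    size_t trailing;
    size_t n = demo(&trailing);
    printf("%zu complete entries, %zu trailing bytes%s\n", n, trailing,
           trailing ? " (malformed table)" : "");
    return 0;
}
```

The unchecked `get_le` would, for a second 8-byte entry at offset 8, read 3 bytes past the end of `sample`, which is the same shape of defect the sanitizer trace records; `get_le_checked` makes the walker stop at the last complete entry and report the leftover bytes instead. In a real dumper the leftover count is worth an explicit warning, since a non-zero remainder means the section header or entry size in the file is lying.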