*** This bug is a security vulnerability ***

Public security bug reported:

SIGSEGV and out-of-bounds write during processing file via objdump

# Description
During processing of the attached ELF file via
```
objdump -S testcase
```
an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV).
This allows an attacker to perform a denial of service and possibly opens up
other attack vectors if files from untrusted sources are processed.

For reproduction of the crash, I attached the following script(s):
  - reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04

Since I was unable to reproduce the bug upstream, I report it here.

If you need further assistance, please do not hesitate to ask.

# Ubuntu version
# apt show binutils
Package: binutils
Version: 2.34-6ubuntu1.3
Priority: optional
Build-Essential: yes
Section: devel
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
Original-Maintainer: Matthias Klose <d...@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 110 kB
Provides: binutils-gold, elf-binutils
Depends: binutils-common (= 2.34-6ubuntu1.3), libbinutils (= 2.34-6ubuntu1.3), binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3)
Suggests: binutils-doc (>= 2.34-6ubuntu1.3)
Conflicts: binutils-mingw-w64-i686 (<< 2.23.52.20130612-1+3), binutils-mingw-w64-x86-64 (<< 2.23.52.20130612-1+3), binutils-multiarch (<< 2.27-8), modutils (<< 2.4.19-1)
Homepage: https://www.gnu.org/software/binutils/
Task: ubuntustudio-video, ubuntu-mate-core, ubuntu-mate-desktop
Download-Size: 3380 B
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
Description: GNU assembler, linker and binary utilities

# Ubuntu valgrind
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: objdump -S /testcase
==1==
objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
objdump: /testcase: warning: loop in section dependencies detected
objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
==1== Invalid write of size 4
==1==    at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid write of size 4
==1==    at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid read of size 4
==1==    at 0x4A3FFA4: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid write of size 4
==1==    at 0x4A3FFAE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid read of size 4
==1==    at 0x4A3FFA4: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid write of size 4
==1==    at 0x4A3FFAE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid write of size 4
==1==    at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
objdump: /testcase: warning: loop in section dependencies detected
==1== Invalid write of size 4
==1==    at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x4B360B2: (below main) (libc-start.c:308)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
objdump: /testcase: file format not recognized
==1==
==1== HEAP SUMMARY:
==1==     in use at exit: 0 bytes in 0 blocks
==1==   total heap usage: 29 allocs, 29 frees, 178,276 bytes allocated
==1==
==1== All heap blocks were freed -- no leaks are possible
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 29 errors from 8 contexts (suppressed: 0 from 0)
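
A triage sketch for the Memcheck output above, added here as an example and not part of the original report or of binutils or Valgrind: it rejoins the mail-wrapped frames, then groups each error by access kind, faulting frame and the block state Memcheck prints. The function names (`unwrap`, `parse_memcheck`, `classify`, `summarise`) and the shortened `SAMPLE_LOG` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: two records shortened from the Memcheck output in this
# report (deeper frames dropped), keeping the mail line wrapping after "(in".
SAMPLE_LOG = """\
objdump: /testcase: warning: loop in section dependencies detected
==1== Invalid write of size 4
==1==    at 0x4A40248: bfd_section_from_shdr (in
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A3BD4F: bfd_elf64_object_p (in
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==  Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==    by 0x4A1AABF: bfd_check_format_matches (in
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==  Block was alloc'd at
==1==    at 0x483B7F3: malloc (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC65B: _objalloc_alloc (in
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==
==1== Invalid read of size 4
==1==    at 0x4A3FFA4: bfd_section_from_shdr (in
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==  Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
==1==    at 0x483CA3F: free (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x4ABC85B: objalloc_free_block (in
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1==
"""

HEADER = re.compile(r"^==\d+== (Invalid (?:read|write)) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) (0x[0-9A-Fa-f]+): (.+?)(?: \(in .*\))?$")
ADDRESS = re.compile(
    r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is ([\d,]+) bytes "
    r"(inside|before|after) a block of size ([\d,]+) (free'd|alloc'd)$")


def unwrap(text):
    """Rejoin frames that were wrapped after '(in' (unbalanced parenthesis)."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if (lines and not line.startswith("==")
                and lines[-1].count("(") > lines[-1].count(")")):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' record with its three stacks."""
    records, cur, stack = [], None, None
    for line in unwrap(text):
        if (m := HEADER.match(line)):
            cur = {"access": m.group(1), "size": int(m.group(2)), "block": None,
                   "stacks": {"access": [], "free": [], "alloc": []}}
            records.append(cur)
            stack = cur["stacks"]["access"]
        elif cur is None:
            continue  # program output (objdump warnings) between records
        elif (m := ADDRESS.match(line)):
            offset, size = (int(g.replace(",", "")) for g in m.group(2, 4))
            cur["block"] = {"addr": m.group(1), "offset": offset, "size": size,
                            "where": m.group(3), "state": m.group(5)}
            stack = cur["stacks"]["free" if m.group(5) == "free'd" else "alloc"]
        elif line.endswith("Block was alloc'd at"):
            stack = cur["stacks"]["alloc"]
        elif (m := FRAME.match(line)):
            stack.append((m.group(1), m.group(2)))
        elif re.fullmatch(r"==\d+==", line):
            cur = None  # an empty Memcheck line closes the record
    return records


def classify(rec):
    """Map Memcheck's own description of the address to a bug class."""
    block = rec["block"]
    if block is None:
        return "unclassified"
    if block["state"] == "free'd":
        return "use-after-free"
    return "out-of-bounds" if block["where"] in ("before", "after") else "unclassified"


def summarise(records):
    """Count records per (class, access, faulting function, freeing function)."""
    counts = Counter()
    for rec in records:
        stacks = rec["stacks"]
        fault = stacks["access"][0][1] if stacks["access"] else None
        # First frame of the free stack that is not the libc wrapper itself.
        freer = next((fn for _, fn in stacks["free"] if fn != "free"), None)
        counts[(classify(rec), rec["access"], fault, freer)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarise(parse_memcheck(SAMPLE_LOG)).items():
        print(n, *key)
```
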

** Affects: binutils (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

** Package changed: poppler (Ubuntu) => binutils (Ubuntu)

** Description changed:

  SIGSEGV and out-of-bounds write during processing file via objdump
  
  # Description
  During processing of the attached elf file via
  ```
- objdump -a testcase
+ objdump -S testcase
  ```
  an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV)
  This allows an attacker to perform a denial of service and possibly opens up
  other attack vectors if files from untrusted sources are processed.
  
  For reproduction of the crash, I attached the following script(s):
-   - reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04
+   - reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04
  
  Since I was unable to reproduce the bug upstream, I report it here.
  
  If you need further assistance, please do not hesitate to ask.
  
  # Ubuntu version
  # apt show binutils
  Package: binutils
  Version: 2.34-6ubuntu1.3
  Priority: optional
  Build-Essential: yes
  Section: devel
  Origin: Ubuntu
  Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
  Original-Maintainer: Matthias Klose <d...@debian.org>
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 110 kB
  Provides: binutils-gold, elf-binutils
  Depends: binutils-common (= 2.34-6ubuntu1.3), libbinutils (= 
2.34-6ubuntu1.3), binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3)
  Suggests: binutils-doc (>= 2.34-6ubuntu1.3)
  Conflicts: binutils-mingw-w64-i686 (<< 2.23.52.20130612-1+3), 
binutils-mingw-w64-x86-64 (<< 2.23.52.20130612-1+3), binutils-multiarch (<< 
2.27-8), modutils (<< 2.4.19-1)
  Homepage: https://www.gnu.org/software/binutils/
  Task: ubuntustudio-video, ubuntu-mate-core, ubuntu-mate-desktop
  Download-Size: 3380 B
  APT-Manual-Installed: yes
  APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/main amd64 
Packages
  Description: GNU assembler, linker and binary utilities
  
  # Ubuntu valgrind
  ==1== Memcheck, a memory error detector
  ==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
  ==1== Command: objdump -S /testcase
- ==1== 
+ ==1==
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  objdump: /testcase: warning: loop in section dependencies detected
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  ==1== Invalid write of size 4
  ==1==    at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
  ==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
- ==1== 
+ ==1==
  ==1== Invalid write of size 4
  ==1==    at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
  ==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
- ==1== 
+ ==1==
  ==1== Invalid read of size 4
  ==1==    at 0x4A3FFA4: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
  ==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
- ==1== 
+ ==1==
  ==1== Invalid write of size 4
  ==1==    at 0x4A3FFAE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
  ==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
- ==1== 
+ ==1==
  ==1== Invalid read of size 4
  ==1==    at 0x4A3FFA4: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
  ==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
- ==1== 
+ ==1==
  ==1== Invalid write of size 4
  ==1==    at 0x4A3FFAE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
  ==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
- ==1== 
+ ==1==
  ==1== Invalid write of size 4
  ==1==    at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
  ==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
- ==1== 
+ ==1==
  objdump: /testcase: warning: loop in section dependencies detected
  ==1== Invalid write of size 4
  ==1==    at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A4036B: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
  ==1==    at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==    at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==    by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==    by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==    by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
- ==1== 
+ ==1==
  objdump: /testcase: file format not recognized
- ==1== 
+ ==1==
  ==1== HEAP SUMMARY:
  ==1==     in use at exit: 0 bytes in 0 blocks
  ==1==   total heap usage: 29 allocs, 29 frees, 178,276 bytes allocated
- ==1== 
+ ==1==
  ==1== All heap blocks were freed -- no leaks are possible
- ==1== 
+ ==1==
  ==1== For lists of detected and suppressed errors, rerun with: -s
  ==1== ERROR SUMMARY: 29 errors from 8 contexts (suppressed: 0 from 0)

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to poppler in Ubuntu.
https://bugs.launchpad.net/bugs/1967082

Title:
  SIGSEGV and out-of-bounds write during processing file via objdump

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1967082/+subscriptions


-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
