https://sourceware.org/bugzilla/show_bug.cgi?id=19379
Bug ID: 19379
Summary: "Augmentation Data:" Overflow in objdump
Product: binutils
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: hanafie.nurud...@f13-labs.net
Target Milestone: ---

Created attachment 8855
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8855&action=edit
proof of concept to trigger crash

The crash triggers upon using objdump to parse a binary (by reading the
"Augmentation Data:").

Code trigger crashed
====================
; parsed strings (input) for "Augmentation Data:"
.text:08064227 mov     dword ptr [esp+4], offset aAugmentationDa ; " Augmentation data: "
.text:0806422F xor     ebx, ebx
.text:08064231 mov     dword ptr [esp], 1
.text:08064238 call    ___printf_chk
.text:0806423D mov     eax, [ebp+var_20] ; var_20 = strings (input) from binary that is being parsed, then copied to eax
.text:08064240 test    eax, eax          ; if input is zero, jump out from here
.text:08064242 jz      short loc_806426F ;
.text:08064244 lea     esi, [esi+0]      ; ; overflow at "Augmentation Data:"
.text:08064248 mov     eax, [ebp+var_24] ;
.text:0806424B movzx   eax, byte ptr [eax+ebx] ; overflow here due to long strings here
.text:0806424F add     ebx, 1
.text:08064252 mov     dword ptr [esp+4], offset unk_808A20E
.text:0806425A mov     dword ptr [esp], 1
.text:08064261 mov     [esp+8], eax
.text:08064265 call    ___printf_chk
.text:0806426A cmp     [ebp+var_20], ebx
.text:0806426D ja      short loc_8064248

Crashed Info (from GDB)
=======================
[----------------------------------registers-----------------------------------]
EAX: 0x80a459c --> 0x0
EBX: 0x19a64
ECX: 0xb7dde898 --> 0x0
EDX: 0x3
ESI: 0x809c708 ("0000009c")
EDI: 0x98
EBP: 0xbfffed68 --> 0x809f82c --> 0x809e808 (".eh_frame")
ESP: 0xbfffecc0 --> 0x1
EIP: 0x806424b (movzx eax,BYTE PTR [eax+ebx*1])
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8064242: je     0x806426f
   0x8064244: lea    esi,[esi+eiz*1+0x0]
   0x8064248: mov    eax,DWORD PTR [ebp-0x24]
=> 0x806424b: movzx  eax,BYTE PTR [eax+ebx*1]
   0x806424f: add    ebx,0x1
   0x8064252: mov    DWORD PTR [esp+0x4],0x808a20e
   0x806425a: mov    DWORD PTR [esp],0x1
   0x8064261: mov    DWORD PTR [esp+0x8],eax
[------------------------------------stack-------------------------------------]
0000| 0xbfffecc0 --> 0x1
0004| 0xbfffecc4 --> 0x808a20e (" %02x")
0008| 0xbfffecc8 --> 0x0
0012| 0xbfffeccc --> 0x809c388 ("feffffa6")
0016| 0xbfffecd0 --> 0x809c708 ("0000009c")
0020| 0xbfffecd4 --> 0x0
0024| 0xbfffecd8 --> 0xbfffecf4 --> 0x0
0028| 0xbfffecdc --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0806424b in ?? ()

--
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
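The print loop in the disassembly above walks var_20 bytes starting at var_24 without comparing that count against the end of the .eh_frame section, so an oversized length field in the input turns the loop into an out-of-bounds read. The following is an added illustration of the missing check, not code from binutils or from the reporter: a 'z' augmentation data block is a ULEB128 length followed by that many bytes, and the reader below refuses to print when the declared length is not backed by bytes before the section end. The function names, the sample buffers and the use of 0x19a64 (the EBX counter value at the crash) as the bogus length in the malformed sample are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example code, not part of binutils. Decodes a ULEB128 value from the
   bytes in [p, end). Returns 1 and sets *value/*consumed on success, or 0
   if the encoding runs past 'end' or would not fit in 64 bits. */
static int read_uleb128(const unsigned char *p, const unsigned char *end,
                        uint64_t *value, size_t *consumed)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t n = 0;

    while (p + n < end) {
        unsigned char byte = p[n++];
        if (shift >= 64)
            return 0;                       /* too many continuation bytes */
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0) {           /* last byte of the encoding */
            *value = result;
            *consumed = n;
            return 1;
        }
    }
    return 0;                               /* truncated mid-encoding */
}

/* Hypothetical checked equivalent of the crashing print loop. Returns the
   number of data bytes (printed when verbose != 0), or -1 when the length
   field is unreadable or larger than the bytes remaining before 'end'. */
long print_augmentation_data(const unsigned char *p, const unsigned char *end,
                             int verbose)
{
    uint64_t len;
    size_t consumed;

    if (!read_uleb128(p, end, &len, &consumed))
        return -1;
    p += consumed;

    /* The check absent from the loop at 0x8064248: the declared length
       must not exceed the bytes that actually remain in the section. */
    if (len > (uint64_t)(end - p))
        return -1;

    if (verbose) {
        printf("  Augmentation data:    ");
        for (uint64_t i = 0; i < len; i++)
            printf(" %02x", p[i]);
        printf("\n");
    }
    return (long)len;
}

/* Constructed sample inputs (not taken from the attached PoC). */
/* length 1, one data byte 0x1b: a well-formed block */
const unsigned char aug_ok[]    = { 0x01, 0x1b };
/* length 0x19a64 (ULEB128 e4 b4 06) but only one data byte follows */
const unsigned char aug_bad[]   = { 0xe4, 0xb4, 0x06, 0x1b };
/* ULEB128 length cut off before its terminating byte */
const unsigned char aug_trunc[] = { 0xe4, 0xb4 };

int main(void)
{
    long n;

    n = print_augmentation_data(aug_ok, aug_ok + sizeof aug_ok, 1);
    printf("well-formed block: %ld data byte(s)\n", n);

    n = print_augmentation_data(aug_bad, aug_bad + sizeof aug_bad, 1);
    printf("oversized length rejected: %ld\n", n);

    n = print_augmentation_data(aug_trunc, aug_trunc + sizeof aug_trunc, 1);
    printf("truncated length rejected: %ld\n", n);
    return 0;
}
```

The same shape of check applies to every length-prefixed field in a CIE or FDE: decode the length, compare it with the bytes left in the section, and only then index into the data. Compiling with sanitizers (for example -fsanitize=address) while running objdump over fuzzed or untrusted inputs makes a read past the section buffer fail loudly instead of depending on an unmapped page, as it did here.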