https://sourceware.org/bugzilla/show_bug.cgi?id=20063
            Bug ID: 20063
           Summary: Segmentation fault on objdump -D (with invalid SHT_GROUP entry)
           Product: binutils
           Version: 2.27 (HEAD)
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: paulwebsec at gmail dot com
  Target Milestone: ---

Created attachment 9243
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9243&action=edit
Executable sample to crash (segfault) binutils's objdump (latest version)

Hi there,

I crashed objdump (with flag -D) by specifying a specifically crafted executable using afl-fuzz, and this happens because of an invalid SHT_GROUP entry.

The crash looks like:

gdb-peda$ r -D ../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609
Starting program: /root/binutils-2.26/binutils/objdump -D ../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609
/root/binutils-2.26/binutils/objdump: ../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609: invalid SHT_GROUP entry

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xff00
RBX: 0x7fffffffe140 --> 0x1
RCX: 0xa77fc0 --> 0xa7436d ("elf64-x86-64")
RDX: 0xcd8dd0 --> 0xcda510 --> 0x200000000
RSI: 0xcd8188 --> 0x0
RDI: 0xcdb030 --> 0x1200000013
RBP: 0xcd7ff0 --> 0xcda350 ("../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609")
RSP: 0x7fffffffe050 --> 0x7fffffffe160 --> 0xfe
RIP: 0x63f84c (<bfd_elf_get_elf_syms+316>: cmp QWORD PTR [rdx+rax*8],rsi)
R8 : 0xcd8120 --> 0x10102464c457f
R9 : 0x7fffffffe170 --> 0xcdad80 --> 0x300000001
R10: 0x1
R11: 0x1
R12: 0xcd7ff0 --> 0xcda350 ("../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609")
R13: 0x0
R14: 0xcdb030 --> 0x1200000013
R15: 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x63f840 <bfd_elf_get_elf_syms+304>: mov r14,rdi
   0x63f843 <bfd_elf_get_elf_syms+307>: nop DWORD PTR [rax+rax*1+0x0]
   0x63f848 <bfd_elf_get_elf_syms+312>: mov eax,DWORD PTR [r14+0x28]
=> 0x63f84c <bfd_elf_get_elf_syms+316>: cmp QWORD PTR [rdx+rax*8],rsi
   0x63f850 <bfd_elf_get_elf_syms+320>: je 0x63f8df <bfd_elf_get_elf_syms+463>
   0x63f856 <bfd_elf_get_elf_syms+326>: xchg ax,ax
   0x63f858 <bfd_elf_get_elf_syms+328>: lea rsp,[rsp-0x98]
   0x63f860 <bfd_elf_get_elf_syms+336>: mov QWORD PTR [rsp],rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe050 --> 0x7fffffffe160 --> 0xfe
0008| 0x7fffffffe058 --> 0x1
0016| 0x7fffffffe060 --> 0xa7035c --> 0x32312d2500646662 ('bfd')
0024| 0x7fffffffe068 --> 0x7fff00000005
0032| 0x7fffffffe070 --> 0x7fffffffdfc0 --> 0xa77fc0 --> 0xa7436d ("elf64-x86-64")
0040| 0x7fffffffe078 --> 0xcdb1e8 --> 0xcda510 --> 0x200000000
0048| 0x7fffffffe080 --> 0x0
0056| 0x7fffffffe088 --> 0x7ffff7df0515 (<_dl_runtime_resolve+53>: mov r11,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000063f84c in bfd_elf_get_elf_syms (ibfd=0xcd7ff0, symtab_hdr=0xcd8188, symcount=0x1, symoffset=0x0, intsym_buf=0x7fffffffe140, extsym_buf=0x7fffffffe170, extshndx_buf=0x7fffffffe160) at elf.c:410
410	  if (sections[entry->hdr.sh_link] == symtab_hdr)
gdb-peda$
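The faulting line, `sections[entry->hdr.sh_link] == symtab_hdr`, indexes the section array with the group section's sh_link (the `mov eax,[r14+0x28]` in the dump loads sh_link, here 0xff00) before that index has been range-checked. The following added example, which is not binutils code and only mirrors the two header fields it needs, shows the class of check a parser wants before such a lookup; the section table is constructed for the demonstration.

```c
/* Added illustration, not code from binutils: bounds-check an SHT_GROUP
   section's sh_link before it is used as an index into the section table.
   Only the two Elf64_Shdr fields the check needs are mirrored here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHT_SYMTAB 2    /* standard ELF section type values */
#define SHT_GROUP  17

struct shdr { uint32_t sh_type; uint32_t sh_link; };

/* Constructed section table (not a real file):
   [0] NULL, [1] SHT_SYMTAB, [2] SHT_GROUP linking to the symtab,
   [3] SHT_GROUP whose sh_link (0xff00, the rax value in the report) is
       far beyond the number of sections. */
#define NSECT 4
static struct shdr shdrs[NSECT];

static void build_sample(void) {
    memset(shdrs, 0, sizeof shdrs);
    shdrs[1].sh_type = SHT_SYMTAB;
    shdrs[2].sh_type = SHT_GROUP; shdrs[2].sh_link = 1;
    shdrs[3].sh_type = SHT_GROUP; shdrs[3].sh_link = 0xff00; /* invalid */
}

/* Return the symtab section index that group section `idx` links to, or -1
   if idx is out of range, the entry is not SHT_GROUP, sh_link is out of
   range, or the linked section is not a symbol table. Every index is
   validated against shnum before the table is dereferenced with it. */
static int group_symtab_index(const struct shdr *s, uint32_t shnum, uint32_t idx) {
    if (idx >= shnum || s[idx].sh_type != SHT_GROUP)
        return -1;
    uint32_t link = s[idx].sh_link;
    if (link == 0 || link >= shnum)       /* the check elf.c:410 lacked */
        return -1;
    if (s[link].sh_type != SHT_SYMTAB)
        return -1;
    return (int)link;
}

int main(void) {
    build_sample();
    for (uint32_t i = 0; i < NSECT; i++) {
        if (shdrs[i].sh_type != SHT_GROUP) continue;
        int r = group_symtab_index(shdrs, NSECT, i);
        if (r < 0) printf("section %u: invalid SHT_GROUP entry (rejected)\n", i);
        else       printf("section %u: group symtab is section %d\n", i, r);
    }
    return 0;
}
```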