https://sourceware.org/bugzilla/show_bug.cgi?id=22509
Bug ID: 22509
Summary: Null pointer dereference on coff_slurp_reloc_table
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mgcho.minic at gmail dot com
Target Milestone: ---
Created attachment 10645
--> https://sourceware.org/bugzilla/attachment.cgi?id=10645&action=edit
poc of the crash
Triggered by "./objdump -W $POC"
Tested on Ubuntu 16.04 (x86)
Null pointer dereference occurred when processing malformed PE file.
The GDB debugging information is as follows:
Program received signal SIGSEGV, Segmentation fault.
0x08153c96 in coff_slurp_reloc_table (abfd=0x825ca08, asect=0x825db9c,
symbols=0x0) at ./coffcode.h:5353
5353 ptr = *(cache_ptr->sym_ptr_ptr);
(gdb) bt
#0 0x08153c96 in coff_slurp_reloc_table (abfd=0x825ca08, asect=0x825db9c,
symbols=0x0) at ./coffcode.h:5353
#1 0x0815026a in coff_canonicalize_reloc (abfd=0x825ca08, section=0x825db9c,
relptr=0x8260e28, symbols=0x0)
at ./coffcode.h:5452
#2 0x080c105b in bfd_canonicalize_reloc (abfd=0x825ca08, asect=0x825db9c,
location=0x8260e28, symbols=0x0)
at bfd.c:1372
#3 0x08049fcd in load_specific_debug_section (debug=eh_frame, sec=0x825db9c,
file=0x825ca08) at ./objdump.c:2524
#4 0x0804de0b in dump_dwarf_section (abfd=0x825ca08, section=0x825db9c,
arg=0x0) at ./objdump.c:2665
#5 0x080cd36c in bfd_map_over_sections (abfd=0x825ca08, operation=0x804dcb0
<dump_dwarf_section>,
user_storage=0x0) at section.c:1395
#6 0x0804ca8d in dump_dwarf (abfd=0x825ca08) at ./objdump.c:2738
#7 0x0804baeb in dump_bfd (abfd=0x825ca08) at ./objdump.c:3582
#8 0x0804b742 in display_object_bfd (abfd=0x825ca08) at ./objdump.c:3649
#9 0x0804b6f7 in display_any_bfd (file=0x825ca08, level=0) at ./objdump.c:3738
#10 0x0804b421 in display_file (filename=0xbffff2af
"/home/min/Downloads/null_coff_slurp_reloc_table",
target=0x0, last_file=1) at ./objdump.c:3759
#11 0x0804aff0 in main (argc=3, argv=0xbffff094) at ./objdump.c:4061
(gdb) p *cache_ptr->sym_ptr_ptr
Cannot access memory at address 0x0
ASAN output:
==7926==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc
0x085014b4 bp 0xb6100650 sp 0xbffd7690 T0)
#0 0x85014b3 in coff_slurp_reloc_table
/home/min/fuzzing/src/binutils-2.29.1/bfd/./coffcode.h:5336:14
#1 0x85014b3 in coff_canonicalize_reloc
/home/min/fuzzing/src/binutils-2.29.1/bfd/./coffcode.h:5435
#2 0x82e9f82 in bfd_canonicalize_reloc
/home/min/fuzzing/src/binutils-2.29.1/bfd/bfd.c:1074:10
#3 0x81404bd in load_specific_debug_section
/home/min/fuzzing/src/binutils-2.29.1/binutils/./objdump.c:2511:18
#4 0x814a5a2 in dump_dwarf_section
/home/min/fuzzing/src/binutils-2.29.1/binutils/./objdump.c:2626:6
#5 0x830c34b in bfd_map_over_sections
/home/min/fuzzing/src/binutils-2.29.1/bfd/section.c:1395:5
#6 0x8148a07 in dump_dwarf
/home/min/fuzzing/src/binutils-2.29.1/binutils/./objdump.c:2695:3
#7 0x8145058 in dump_bfd
/home/min/fuzzing/src/binutils-2.29.1/binutils/./objdump.c:3536:5
#8 0x8143726 in display_object_bfd
/home/min/fuzzing/src/binutils-2.29.1/binutils/./objdump.c:3603:7
#9 0x8143726 in display_any_bfd
/home/min/fuzzing/src/binutils-2.29.1/binutils/./objdump.c:3692
#10 0x814267d in display_file
/home/min/fuzzing/src/binutils-2.29.1/binutils/./objdump.c:3713:3
#11 0x814267d in main
/home/min/fuzzing/src/binutils-2.29.1/binutils/./objdump.c:4015
#12 0xb74be636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
#13 0x806c367 in _start
(/home/min/fuzzing/program/binutils-2.29.1-fast/bin/objdump+0x806c367)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/min/fuzzing/src/binutils-2.29.1/bfd/./coffcode.h:5336:14 in
coff_slurp_reloc_table
Credits:
Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
