[Bug binutils/28168] New: objdump -S: stack-buffer-overflow

shaohua.li at inf dot ethz.ch Mon, 02 Aug 2021 07:18:22 -0700

https://sourceware.org/bugzilla/show_bug.cgi?id=28168


            Bug ID: 28168
           Summary: objdump -S: stack-buffer-overflow
           Product: binutils
           Version: 2.38 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: shaohua.li at inf dot ethz.ch
  Target Milestone: ---

Created attachment 13579
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13579&action=edit
poc

Hi there,

I found a stack-buffer-overflow in `objdump -S` with a fuzzer.

- binutils version: 2.38(Head), commit af51804103a08cd1e12edc4f4a30eec2c5c4f9e8
- Compiler: clang12
- Platform: Ubuntu 18.04.5 LTS, x86_64
- Reproduce: run `objdump -S poc`

AddressSanitizer report:

==389==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6d3f12c0
at pc 0x00000043ab44 bp 0x7fff6d3f1100 sp 0x7fff6d3f0898
WRITE of size 159 at 0x7fff6d3f12c0 thread T0
    #0 0x43ab43 in vsprintf (/out_bin/objdump+0x43ab43)
    #1 0x43bac3 in sprintf (/out_bin/objdump+0x43bac3)
    #2 0x6d3bb6 in csky_output_operand
/binutils_latest/repo/opcodes/csky-dis.c:568:6
    #3 0x6d1e82 in csky_print_operand
/binutils_latest/repo/opcodes/csky-dis.c:978:10
    #4 0x6d18e6 in csky_print_operands
/binutils_latest/repo/opcodes/csky-dis.c:1001:8
    #5 0x6d0995 in print_insn_csky
/binutils_latest/repo/opcodes/csky-dis.c:1206:11
    #6 0x4e1829 in disassemble_bytes
/binutils_latest/repo/binutils/./objdump.c:2873:20
    #7 0x4dae9a in disassemble_section
/binutils_latest/repo/binutils/./objdump.c:3455:4
    #8 0xb0e04a in bfd_map_over_sections
/binutils_latest/repo/bfd/section.c:1383:5
    #9 0x4d1ae0 in disassemble_data
/binutils_latest/repo/binutils/./objdump.c:3599:3
    #10 0x4cda84 in dump_bfd /binutils_latest/repo/binutils/./objdump.c:5006:5
    #11 0x4ccb9f in display_object_bfd
/binutils_latest/repo/binutils/./objdump.c:5068:7
    #12 0x4ccaa9 in display_any_bfd
/binutils_latest/repo/binutils/./objdump.c:5158:5
    #13 0x4cc65c in display_file
/binutils_latest/repo/binutils/./objdump.c:5179:3
    #14 0x4cb063 in main /binutils_latest/repo/binutils/./objdump.c:5529:6
    #15 0x7f92c662e0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #16 0x41c61d in _start (/out_bin/objdump+0x41c61d)

Address 0x7fff6d3f12c0 is located in stack of thread T0 at offset 192 in frame
    #0 0x6d1eaf in csky_output_operand
/binutils_latest/repo/opcodes/csky-dis.c:303

  This frame has 12 object(s):
    [32, 40) 'value' (line 307)
    [64, 192) 'buf' (line 310)
    [224, 352) 'num' (line 420) <== Memory access at offset 192 partially
underflows this variable
    [384, 388) 'ibytes' (line 460)
    [400, 408) 'ibytes259' (line 522)
    [432, 440) 'f' (line 555)
    [464, 468) 'ibytes336' (line 582)
    [480, 488) 'valbytes' (line 622)
    [512, 520) 'fvalue' (line 623)
    [544, 548) 'f464' (line 674)
    [560, 568) 'dvalue' (line 686)
    [592, 600) 'd' (line 703)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/out_bin/objdump+0x43ab43) in
vsprintf
Shadow bytes around the buggy address:
  0x10006da76200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006da76210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006da76220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006da76230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006da76240: f1 f1 f1 f1 00 f2 f2 f2 00 00 00 00 00 00 00 00
=>0x10006da76250: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f8 f8 f8 f8
  0x10006da76260: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
  0x10006da76270: f8 f2 00 f2 f2 f2 00 f2 f2 f2 f8 f2 f8 f2 f2 f2
  0x10006da76280: f8 f2 f2 f2 f8 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3
  0x10006da76290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006da762a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==389==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug binutils/28168] New: objdump -S: stack-buffer-overflow

Reply via email to