[Bug binutils/29908] New: SEGV of objdump caused by heap-buffer-overflow at dwarf.c:7756 in display_debug_addr()

Fri, 16 Dec 2022 01:02:44 -0800 

https://sourceware.org/bugzilla/show_bug.cgi?id=29908

            Bug ID: 29908
           Summary: SEGV of objdump caused by heap-buffer-overflow at
                    dwarf.c:7756 in display_debug_addr()
           Product: binutils
           Version: 2.39
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 13579and24680 at gmail dot com
  Target Milestone: ---

Created attachment 14520
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14520&action=edit
Generated by my fuzzer and afl-tmin

# version

$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.39.50.20221213
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# git log

$ git log --oneline -1
d0d41b77c0c (HEAD -> master, origin/master, origin/HEAD) Replace
gdbpy_should_stop with gdbpy_breakpoint_cond_says_stop

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make

---------------------------------------------------------------------
# crash

$ ./binutils-gdb/binutils/objdump -W poc
./binutils-gdb/binutils/objdump: Warning: Corrupt attribute block length:
0x30303030

poc:     file format elf64-x86-64

Contents of the .eh_frame section:


00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48

(... too long ignore)

        49894:  0000000000000000
        49895:  0000000000000000
        49896:  0000000000000000
        49897:  0000000000000000
        49898:  0000000000000000
        49899:  0000000000000000
        49900:  0000000000000000
        49901:  0000000000000000
        49902:  0000000000000000
        49903:  0000000000000000
        49904:  0000000000000000
        49905:  0000000000000000
        49906:  0000000000000000
        49907:  0000000000000000
        49908:  0000000000000000
        49909:  0000000000000000
        49910:  0000000000000000
        49911:  0000000000000000
        49912:  0000000000000000
        49913:  0000000000000000
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV
(Address boundary error)

---------------------------------------------------------------------
# ASAN report

$ ./binutils-gdb_asan/binutils/objdump -W poc
./binutils-gdb_asan/binutils/objdump: Warning: Corrupt attribute block length:
0x30303030

poc:     file format elf64-x86-64

Contents of the .eh_frame section:


00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48

(... too long ignore)

        300:    3030303030303030
        301:    3030303030303030
        302:    3030303030303030
        303:    3030303030303030
        304:    3030303030303030
        305:    3030303030303030
        306:    3030303030303030
        307:    3030303030303030
        308:    3030303030303030
        309:    3030303030303030
        310:    3030303030303030
        311:    3030303030303030
        312:    3030303030303030
        313:    3030303030303030
        314:    3030303030303030
        315:    3030303030303030
=================================================================
==2848799==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61e000000ab1 at pc 0x55f9366f07ac bp 0x7ffc73f785f0 sp 0x7ffc73f785e0
READ of size 1 at 0x61e000000ab1 thread T0
    #0 0x55f9366f07ab in byte_get_little_endian
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149
    #1 0x55f936695768 in display_debug_addr dwarf.c:7756
    #2 0x55f9366588c4 in dump_dwarf_section objdump.c:4396
    #3 0x55f9367a72d9 in bfd_map_over_sections
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
    #4 0x55f936658af3 in dump_dwarf objdump.c:4434
    #5 0x55f93665f110 in dump_bfd objdump.c:5636
    #6 0x55f93665f4e5 in display_object_bfd objdump.c:5715
    #7 0x55f93665f816 in display_any_bfd objdump.c:5801
    #8 0x55f93665f890 in display_file objdump.c:5822
    #9 0x55f9366611b9 in main objdump.c:6230
    #10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55f93664539d in _start
(/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b39d)

0x61e000000ab1 is located 0 bytes to the right of 2609-byte region
[0x61e000000080,0x61e000000ab1)
allocated by thread T0 here:
    #0 0x7fae0f435808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55f936a3bc7c in xmalloc xmalloc.c:149
    #2 0x55f9366579c8 in load_specific_debug_section objdump.c:4216
    #3 0x55f936658148 in load_debug_section objdump.c:4317
    #4 0x55f9366b49d2 in load_separate_debug_files dwarf.c:11945
    #5 0x55f93665e7bd in dump_bfd objdump.c:5520
    #6 0x55f93665f4e5 in display_object_bfd objdump.c:5715
    #7 0x55f93665f816 in display_any_bfd objdump.c:5801
    #8 0x55f93665f890 in display_file objdump.c:5822
    #9 0x55f9366611b9 in main objdump.c:6230
    #10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149
in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2848799==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to