https://sourceware.org/bugzilla/show_bug.cgi?id=29936
Bug ID: 29936
Summary: objdump SEGV in concat_filename() at dwarf2.c:2060
Product: binutils
Version: 2.39
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 13579and24680 at gmail dot com
Target Milestone: ---

Created attachment 14536
--> https://sourceware.org/bugzilla/attachment.cgi?id=14536&action=edit

found by my fuzzer, trimmed with afl-tmin

# version
$ ./binutils-gdb/binutils/objdump -v
GNU objdump (GNU Binutils) 2.39.50.20221223
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
---------------------------------------------------------------------
# git log
$ git log --oneline -1
110028744cd (HEAD -> master, origin/master, origin/HEAD) sim: lm32/m32r: drop redundant opcode/cgen.h include
---------------------------------------------------------------------
# make
$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make
---------------------------------------------------------------------
# crash
$ ./binutils-gdb/binutils/objdump -S poc
./binutils-gdb/binutils/objdump: warning: poc has a section extending past end of file

poc:     file format elf64-x86-64

Disassembly of section 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.debug_info:

3030303030303030 <000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.debug_info>:
./binutils-gdb/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error)
---------------------------------------------------------------------
# ASAN report
$ ./binutils-gdb_asan/binutils/objdump -S poc
./binutils-gdb_asan/binutils/objdump: warning: poc has a section extending past end of file

poc:     file format elf64-x86-64

Disassembly of section 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.debug_info:

3030303030303030 <000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.debug_info>:
./binutils-gdb_asan/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb_asan/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb_asan/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2466233==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55f76c40748c bp 0x7ffcf161a580 sp 0x7ffcf161a530 T0)
==2466233==The signal is caused by a READ memory access.
==2466233==Hint: address points to the zero page.
    #0 0x55f76c40748b in concat_filename dwarf2.c:2060
    #1 0x55f76c40b28a in decode_line_info dwarf2.c:2891
    #2 0x55f76c414771 in comp_unit_maybe_decode_line_info dwarf2.c:4706
    #3 0x55f76c4144a7 in comp_unit_find_nearest_line dwarf2.c:4673
    #4 0x55f76c41a8ce in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5986
    #5 0x55f76c36c26d in _bfd_elf_find_nearest_line_with_alt /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338
    #6 0x55f76c36c0fc in _bfd_elf_find_nearest_line /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315
    #7 0x55f76c15ee2b in show_line objdump.c:2180
    #8 0x55f76c164871 in disassemble_bytes objdump.c:3339
    #9 0x55f76c16892d in disassemble_section objdump.c:4050
    #10 0x55f76c2bb721 in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
    #11 0x55f76c1698bc in disassemble_data objdump.c:4194
    #12 0x55f76c1716d0 in dump_bfd objdump.c:5676
    #13 0x55f76c1719ab in display_object_bfd objdump.c:5739
    #14 0x55f76c171cdc in display_any_bfd objdump.c:5825
    #15 0x55f76c171d56 in display_file objdump.c:5846
    #16 0x55f76c173690 in main objdump.c:6254
    #17 0x7fd90c174082 in __libc_start_main ../csu/libc-start.c:308
    #18 0x55f76c1573bd in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b3bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dwarf2.c:2060 in concat_filename
==2466233==ABORTING

--
You are receiving this mail because:
You are on the CC list for the bug.
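The report shows two things a reader can take from the output alone: the string-offset check in the DWARF line reader rejected an offset (808464432) that lies past the end of .debug_line_str (12336 bytes), and shortly afterwards concat_filename read address 0 (ASAN: "address points to the zero page"). The following is an added example written for this page, not binutils' own code and not the actual dwarf2.c fix; it assumes (as an illustration, not as a diagnosis of the real bug) the generic pattern behind that symptom, a bounds-checked string lookup that returns NULL and a path-concatenation caller that must treat NULL as a failure instead of dereferencing it. All names (str_section, str_section_lookup, concat_path, resolve_line_file, SAMPLE_STR, UNTERMINATED_STR) and the sample section contents are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a DWARF string section such as .debug_line_str:
   a byte buffer holding NUL-terminated strings referenced by byte offset. */
struct str_section {
    const unsigned char *data;
    size_t size;
};

/* Sample section for the demo (constructed): "src" at offset 0, "main.c" at offset 4,
   11 bytes in total. The string literal's own terminating NUL is part of the data. */
static const unsigned char SAMPLE_STR_DATA[] = "src\0main.c";
const struct str_section SAMPLE_STR = { SAMPLE_STR_DATA, sizeof SAMPLE_STR_DATA };

/* Sample section whose only string runs off the end without a NUL (constructed). */
static const unsigned char UNTERMINATED_STR_DATA[2] = { 'a', 'b' };
const struct str_section UNTERMINATED_STR = { UNTERMINATED_STR_DATA, sizeof UNTERMINATED_STR_DATA };

/* Bounds-checked lookup. Returns NULL when the offset is at or past the end of the
   section (the case the objdump messages above report) or when no NUL terminator lies
   inside the section, so that no caller can read past the mapped bytes. */
const char *str_section_lookup(const struct str_section *sec, size_t offset)
{
    if (sec == NULL || sec->data == NULL)
        return NULL;
    if (offset >= sec->size)
        return NULL;
    if (memchr(sec->data + offset, '\0', sec->size - offset) == NULL)
        return NULL;
    return (const char *)sec->data + offset;
}

/* Join "dir/file" into a freshly malloc'ed string the caller frees.
   A NULL file is a failed lookup and yields NULL; a NULL or empty dir yields the bare
   file name. Neither component is ever passed to strlen() unchecked. */
char *concat_path(const char *dir, const char *file)
{
    if (file == NULL)
        return NULL;
    size_t dlen = (dir == NULL) ? 0 : strlen(dir);
    size_t flen = strlen(file);
    char *out = malloc(dlen + (dlen ? 1 : 0) + flen + 1);
    if (out == NULL)
        return NULL;
    size_t pos = 0;
    if (dlen) {
        memcpy(out, dir, dlen);
        out[dlen] = '/';
        pos = dlen + 1;
    }
    memcpy(out + pos, file, flen + 1);
    return out;
}

/* Resolve a line-table file entry given directory and file-name string offsets.
   Returns NULL (after reporting) instead of crashing when the file offset is bad;
   a bad directory offset degrades to the bare file name. */
char *resolve_line_file(const struct str_section *sec, size_t dir_off, size_t file_off)
{
    const char *file = str_section_lookup(sec, file_off);
    if (file == NULL) {
        fprintf(stderr, "string lookup failed: offset (%zu) not usable in section of size (%zu)\n",
                file_off, sec ? sec->size : (size_t)0);
        return NULL;
    }
    const char *dir = str_section_lookup(sec, dir_off);
    return concat_path(dir, file);
}

int main(void)
{
    /* Well-formed entry: dir at 0, file at 4. */
    char *ok = resolve_line_file(&SAMPLE_STR, 0, 4);
    printf("resolved: %s\n", ok ? ok : "(null)");
    free(ok);

    /* Hostile entry: file offset far beyond the section, as in the report. */
    char *bad = resolve_line_file(&SAMPLE_STR, 0, (size_t)808464432);
    printf("hostile offset handled: %s\n", bad == NULL ? "yes" : "no");
    free(bad);
    return 0;
}
```

The useful property to check when reviewing a DWARF consumer is the second half of this pattern: every call site of a lookup that can return NULL must have a NULL branch, because a correct bounds check upstream only moves the failure to whichever caller forgets it.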