[Bug binutils/30230] New: objdump: heap-buffer-overflow in get_sym_code_type

Tue, 14 Mar 2023 00:20:06 -0700 

https://sourceware.org/bugzilla/show_bug.cgi?id=30230

            Bug ID: 30230
           Summary: objdump: heap-buffer-overflow in get_sym_code_type
           Product: binutils
           Version: 2.40
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: youngseok.main at gmail dot com
  Target Milestone: ---

Created attachment 14749
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14749&action=edit
poc_file used in command input

We found a heap overflow bug in objdump by fuzzing.

Command to reproduce:
objdump poc_file --archit=arm -S

poc_file is attached.

Sanitizer dump:
==11829==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60f000000688 at pc 0x5555564399e4 bp 0x7fffffffd2d0 sp 0x7fffffffd2c0
READ of size 1 at 0x60f000000688 thread T0
    #0 0x5555564399e3 in get_sym_code_type
/home/youngseok/latest-subjects/binutils-gdb/opcodes/arm-dis.c:12452
    #1 0x55555643a3db in mapping_symbol_for_insn
/home/youngseok/latest-subjects/binutils-gdb/opcodes/arm-dis.c:12582
    #2 0x55555643b8f6 in print_insn
/home/youngseok/latest-subjects/binutils-gdb/opcodes/arm-dis.c:12771
    #3 0x55555643ced5 in print_insn_little_arm
/home/youngseok/latest-subjects/binutils-gdb/opcodes/arm-dis.c:12969
    #4 0x5555563567df in disassemble_bytes objdump.c:3433
    #5 0x55555635a02e in disassemble_section objdump.c:4050
    #6 0x5555568468f1 in bfd_map_over_sections
/home/youngseok/latest-subjects/binutils-gdb/bfd/section.c:1366
    #7 0x55555635afff in disassemble_data objdump.c:4199
    #8 0x555556362a74 in dump_bfd objdump.c:5683
    #9 0x555556362d40 in display_object_bfd objdump.c:5746
    #10 0x555556363089 in display_any_bfd objdump.c:5833
    #11 0x5555563630ff in display_file objdump.c:5854
    #12 0x555556364a8b in main objdump.c:6265
    #13 0x7ffff6844c86 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #14 0x555556348ad9 in _start
(/home/youngseok/latest-subjects/binutils-gdb/binutils/objdump+0xdf4ad9)

0x60f000000688 is located 4 bytes to the right of 164-byte region
[0x60f0000005e0,0x60f000000684)
allocated by thread T0 here:
    #0 0x7ffff6ef6b40 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x55555683d539 in bfd_malloc
/home/youngseok/latest-subjects/binutils-gdb/bfd/libbfd.c:289
    #2 0x55555683d653 in bfd_zmalloc
/home/youngseok/latest-subjects/binutils-gdb/bfd/libbfd.c:411
    #3 0x55555689b480 in _bfd_x86_elf_get_synthetic_symtab
/home/youngseok/latest-subjects/binutils-gdb/bfd/elfxx-x86.c:3577
    #4 0x5555569be6cf in elf_i386_get_synthetic_symtab
/home/youngseok/latest-subjects/binutils-gdb/bfd/elf32-i386.c:4404
    #5 0x5555563628fa in dump_bfd objdump.c:5654
    #6 0x555556362d40 in display_object_bfd objdump.c:5746
    #7 0x555556363089 in display_any_bfd objdump.c:5833
    #8 0x5555563630ff in display_file objdump.c:5854
    #9 0x555556364a8b in main objdump.c:6265
    #10 0x7ffff6844c86 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

*Environment*
- OS: Ubuntu 18.04
- gcc: 7.5.0
- binutils: 2.40.50.20230314

binutils is built it address sanitizer. Here is the build script:
CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" \
./configure --enable-targets=all

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to