https://sourceware.org/bugzilla/show_bug.cgi?id=32136
Bug ID: 32136
Summary: Use-of-uninitialized-memory bug in function evax_bfd_print_image()
Product: binutils
Version: 2.44 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: sabatini.1794627 at studenti dot uniroma1.it
Target Milestone: ---

We found a "conditional jump or move depends on uninitialized value" bug in function `evax_bfd_print_image()`, which in turn invokes function `fprintf()`, after testing one of the harnesses provided on the OSS-Fuzz repository (fuzz_objdump_safe).

In the attached archive you will find:
- the executable on which we performed our tests
- the input file that caused the bug
- the output of Valgrind confirming our finding

To reproduce the error, a memory safety tool is required to expose the bug. Run the given binary with the testcase file inside Valgrind with a command like `valgrind ./fuzz_objdump_safe /path_to_testcases/input`.

Valgrind output

==235== Conditional jump or move depends on uninitialized value(s)
==235==    at 0x483EEFD: strnlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==235==    by 0x4A5A089: __vfprintf_internal (vfprintf-internal.c:1688)
==235==    by 0x4A44C69: fprintf (fprintf.c:32)
==235==    by 0xE0C0F4: evax_bfd_print_image (in /out/fuzz_objdump_safe)
==235==    by 0xDFF4C5: vms_bfd_print_private_bfd_data (in /out/fuzz_objdump_safe)
==235==    by 0x7FB7A0: dump_bfd (in /out/fuzz_objdump_safe)
==235==    by 0x7FABB4: display_any_bfd (in /out/fuzz_objdump_safe)
==235==    by 0x7FA9FC: LLVMFuzzerTestOneInput (in /out/fuzz_objdump_safe)
==235==    by 0x7F71D9: ExecuteFilesOnyByOne (in /out/fuzz_objdump_safe)
==235==    by 0x7F6FD5: LLVMFuzzerRunDriver (in /out/fuzz_objdump_safe)
==235==    by 0x7F6B8D: main (in /out/fuzz_objdump_safe)

Environment info

The program has been tested on the standard Docker image provided on OSS-Fuzz using Ubuntu 20.04 (x86_64), providing AFL++ as fuzzing engine and build flag `--sanitizer=none`. Also, we manually added the flag `-ldl` to the environment variables $CFLAGS and $CXXFLAGS. The commit hash used to perform the tests is `a6ecb18`.
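The Valgrind frames above (strnlen under __vfprintf_internal under fprintf) are the signature of a "%s" conversion handed a buffer whose tail was never written: printf has to scan for a NUL terminator, and the scan runs into bytes the parser did not fill in. The following is an added illustration of that bug class in C, written for this page; it is not code from binutils, does not reproduce evax_bfd_print_image(), and does not claim which field of the VMS image is involved. The record layout (a 4-byte tag followed by an 8-byte, not necessarily NUL-terminated name field) and the function names are assumptions made for the example. Because reading genuinely uninitialised stack would make the program non-deterministic, the "stale" bytes are simulated with a pre-filled buffer so the overread is visible and repeatable.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical fixed-width record used only for this example:
 *   bytes 0..3  : tag (ignored here)
 *   bytes 4..11 : name, 8 bytes, padded but NOT guaranteed NUL-terminated */
#define NAME_OFF 4
#define NAME_LEN 8
#define REC_LEN  (NAME_OFF + NAME_LEN)

/* Vulnerable pattern: copy however many bytes the (possibly truncated)
 * input actually contains into a stack buffer and hand it to "%s".
 * On a short input the rest of `name` is never written, so printf's
 * strnlen walks into whatever was already on the stack.  The memset with
 * '#' stands in for those stale bytes so the result is deterministic;
 * a real build would read uninitialised memory here, which is exactly
 * what Valgrind flags as "conditional jump depends on uninitialised value". */
size_t print_name_unsafe(const uint8_t *rec, size_t len, char *out, size_t outsz)
{
    char name[NAME_LEN + 8];
    memset(name, '#', sizeof name - 1);     /* stand-in for stale stack bytes */
    name[sizeof name - 1] = '\0';           /* keep the example itself in bounds */

    size_t avail = len > NAME_OFF ? len - NAME_OFF : 0;
    if (avail > NAME_LEN)
        avail = NAME_LEN;
    memcpy(name, rec + NAME_OFF, avail);    /* partial copy on truncated input */

    /* BUG: no terminator within NAME_LEN, so "%s" prints past the field. */
    return (size_t)snprintf(out, outsz, "name: %s", name);
}

/* Hardened version: (1) refuse records shorter than the layout requires,
 * (2) never rely on a terminator; bound the scan with strnlen(name, NAME_LEN)
 * and the conversion with "%.*s", so printf touches only the field itself. */
int print_name_safe(const uint8_t *rec, size_t len, char *out, size_t outsz)
{
    if (len < REC_LEN) {
        snprintf(out, outsz, "<truncated record: %zu of %d bytes>", len, REC_LEN);
        return -1;
    }
    const char *name = (const char *)rec + NAME_OFF;
    int n = (int)strnlen(name, NAME_LEN);   /* stops at NUL or at the field end */
    snprintf(out, outsz, "name: %.*s", n, name);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not real objdump test cases. */
    const uint8_t full[REC_LEN]  = {1, 0, 0, 0, 'O', 'B', 'J', 'D', 'U', 'M', 'P', 'X'};
    const uint8_t shortrec[6]    = {1, 0, 0, 0, 'O', 'B'};
    char out[64];

    print_name_unsafe(shortrec, sizeof shortrec, out, sizeof out);
    printf("unsafe, truncated input : %s\n", out);     /* runs into '#' bytes */

    print_name_safe(full, sizeof full, out, sizeof out);
    printf("safe,   full input      : %s\n", out);

    print_name_safe(shortrec, sizeof shortrec, out, sizeof out);
    printf("safe,   truncated input : %s\n", out);
    return 0;
}
```

Running the unsafe variant under Valgrind or MemorySanitizer on the truncated record produces the same strnlen/vfprintf frames as the report; the bounded "%.*s" form is clean because the scan length is fixed by the format, not by the data. Note that `--sanitizer=none` plus Valgrind, as the reporter used, is what catches this: ASan does not track initialisation, so the same input passes an ASan build silently.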