[Bug binutils/29924] New: Huge memoy allocation in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=29924

            Bug ID: 29924
           Summary: Huge memoy allocation in objdump
           Product: binutils
           Version: 2.39
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: pdeng21 at m dot fudan.edu.cn
  Target Milestone: ---

Created attachment 14533
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14533&action=edit
PoC to replay the vulnerability

#Summary
There is a huge memory allocation vulnerability in objdump, which can be triggered by a crafted ELF file.

#Verification
git clone git://sourceware.org/git/binutils-gdb.git
CC="clang -fsanitize=address" CXX="clang++ -fsanitize=address" ./configure --disable-shared && make -j$(nproc)
./binutils/objdump -S poc

#ASAN
=================================================================
==23722==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x31 bytes
    #0 0x4942ed in malloc (/binutils-gdb/binutils/objdump+0x4942ed)
    #1 0x8410c8 in xmalloc /binutils-gdb/libiberty/./xmalloc.c:149:12
    #2 0x4dbb9d in load_separate_debug_files /binutils-gdb/binutils/./dwarf.c:11965:7
    #3 0x4c6e60 in display_object_bfd /binutils-gdb/binutils/./objdump.c
    #4 0x4c6e60 in display_any_bfd /binutils-gdb/binutils/./objdump.c:5823:5
    #5 0x4c5604 in display_file /binutils-gdb/binutils/./objdump.c:5844:3
    #6 0x4c5604 in main /binutils-gdb/binutils/./objdump.c:6252:6
    #7 0x7f08291dec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

==23722==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/binutils-gdb/binutils/objdump+0x4942ed) in malloc
==23722==ABORTING

#Environment
Ubuntu 18.04
clang 10.0.0

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug binutils/29925] New: Memroy leak in nm-new
https://sourceware.org/bugzilla/show_bug.cgi?id=29925

            Bug ID: 29925
           Summary: Memroy leak in nm-new
           Product: binutils
           Version: 2.39
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: pdeng21 at m dot fudan.edu.cn
  Target Milestone: ---

Created attachment 14534
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14534&action=edit
PoC to replay the vulnerability

#Summary
There is a memory leak vulnerability in nm-new, which can be triggered by a crafted ELF file.

#Verification
git clone git://sourceware.org/git/binutils-gdb.git
CC="clang -fsanitize=address" CXX="clang++ -fsanitize=address" ./configure --disable-shared && make -j$(nproc)
./binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc

#ASAN
poc:1948 t
./binutils/nm-new: BFD (GNU Binutils) 2.39.50.20221221 assertion fail ./dwarf2.c:5044
poc: 0064 d __afl_area_ptr
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (25115) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (1612316672) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (472973653) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (8192596) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (72417564) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (4278190080) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (16973824) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: offset (355469056) greater than or equal to .debug_str size (1224)
./binutils/nm-new: DWARF error: could not find abbrev number 126975
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x113
./binutils/nm-new: DWARF error: could not find abbrev number 991
./binutils/nm-new: DWARF error: could not find variable specification at offset 0x114
[Bug binutils/29923] Renaming symbols with objcopy does not affect the drectve Section
https://sourceware.org/bugzilla/show_bug.cgi?id=29923

Nick Clifton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2022-12-21
             Status|UNCONFIRMED                 |NEW
                 CC|                            |nickc at redhat dot com

--- Comment #3 from Nick Clifton ---
Hi Denys,

  Yeah - I think that this might be a case of a scenario which is just not supported by the binutils. Renaming symbols is a slightly dodgy thing to do at the best of times, and if extra information about them is held outside of the symbol table then I do not see objcopy as being able to do much about that.

Basically what I am saying is that the BFD library has enough knowledge about .drectve sections to be able to process them when performing a final link, but it does not have the ability to update their contents when performing other kinds of tasks.

I am assuming that you would argue that the BFD library *ought* to have this ability, along with the ability to display the directives inside the .drectve section when running objdump or the like. Not a simple task.

I am happy to leave this PR open in the hopes that someone will take an interest in it and have a go at adding the necessary code. But I doubt that that will be me. At least not in the short term. Sorry.

Cheers
  Nick
[Bug ld/29900] Partial Linking removes alignment from linker directives
https://sourceware.org/bugzilla/show_bug.cgi?id=29900

--- Comment #8 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a7a32d588f29466221f5b4d421d0fc0a652dae48

commit a7a32d588f29466221f5b4d421d0fc0a652dae48
Author: Nick Clifton
Date:   Wed Dec 21 10:23:08 2022 +

    Keep the .drectve section when performing a relocateable link.

            PR 29900
            * scripttempl/pe.sc: Keep the .drectve section when performing a
            relocateable link.
            * scripttempl/pep.sc: Likewise.
[Bug ld/29900] Partial Linking removes alignment from linker directives
https://sourceware.org/bugzilla/show_bug.cgi?id=29900

Nick Clifton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Nick Clifton ---
Ok, I am going to close this PR, since the specific problem has been solved. At least probably. It may still turn out that concatenating together .drectve sections is the wrong thing to do.
[Bug binutils/29925] Memroy leak in nm-new
https://sourceware.org/bugzilla/show_bug.cgi?id=29925

Alan Modra changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2022-12-21
           Assignee|unassigned at sourceware dot org |amodra at gmail dot com
             Status|UNCONFIRMED                 |ASSIGNED
     Ever confirmed|0                           |1
[Bug binutils/29925] Memroy leak in find_abstract_instance
https://sourceware.org/bugzilla/show_bug.cgi?id=29925

Alan Modra changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Memroy leak in nm-new       |Memroy leak in
                   |                            |find_abstract_instance
[Bug binutils/29925] Memory leak in find_abstract_instance
https://sourceware.org/bugzilla/show_bug.cgi?id=29925

Alan Modra changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Memroy leak in              |Memory leak in
                   |find_abstract_instance      |find_abstract_instance
[Bug binutils/29924] Huge memoy allocation in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=29924

Nick Clifton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
                 CC|                            |nickc at redhat dot com
     Ever confirmed|0                           |1
           Assignee|unassigned at sourceware dot org |nickc at redhat dot com
   Last reconfirmed|                            |2022-12-21
[Bug binutils/29924] Huge memoy allocation in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=29924

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd

commit 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd
Author: Nick Clifton
Date:   Wed Dec 21 11:51:23 2022 +

    Fix an attempt to allocate an unreasonably large amount of memory when parsing a corrupt ELF file.

            PR 29924
            * objdump.c (load_specific_debug_section): Check for excessively
            large sections.
[Bug binutils/29924] Huge memoy allocation in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=29924

Nick Clifton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Nick Clifton ---
Thanks for reporting this problem. I have checked in a small patch to add a check for an excessively large DWARF information section.
[Bug binutils/29925] Memory leak in find_abstract_instance
https://sourceware.org/bugzilla/show_bug.cgi?id=29925

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Alan Modra :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a

commit d28fbc7197ba0e021a43f873eff90b05dcdcff6a
Author: Alan Modra
Date:   Wed Dec 21 21:40:12 2022 +1030

    PR29925, Memory leak in find_abstract_instance

    The testcase in the PR had a variable with both DW_AT_decl_file and
    DW_AT_specification, where the DW_AT_specification also specified
    DW_AT_decl_file. This leads to a memory leak as the file name is
    malloced and duplicates are not expected. I've also changed
    find_abstract_instance to not use a temp for "name", because that can
    result in a change in behaviour from the usual last of duplicate
    attributes wins.

            PR 29925
            * dwarf2.c (find_abstract_instance): Delete "name" variable.
            Free *filename_ptr before assigning new file name.
            (scan_unit_for_symbols): Similarly free func->file and var->file
            before assigning.
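As an added illustration of the leak the commit above describes (this is a constructed C model, not binutils code): a variable DIE and its DW_AT_specification target both carry DW_AT_decl_file, so the attribute scan assigns a freshly malloced file name twice. The pre-fix overwrite sits beside the fixed free-before-assign; `dies`, `scan_leaky`, `scan_fixed` and `leaked_after` are assumed names, and the live-allocation counter stands in for what ASAN's leak checker would report.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model (not binutils code, names assumed) of the PR's test case:
   a variable DIE with DW_AT_decl_file whose DW_AT_specification target DIE
   also carries DW_AT_decl_file, so the attribute scan sees it twice. */
enum { DW_AT_decl_file = 0x3a, DW_AT_specification = 0x47 };
struct attr { int name; const char *file; };
static const struct attr dies[] = {
  { DW_AT_decl_file, "var.c" },   /* the variable's own decl_file */
  { DW_AT_specification, NULL },  /* followed into the spec DIE ... */
  { DW_AT_decl_file, "spec.h" },  /* ... which repeats decl_file */
};
static int live_allocs;  /* outstanding allocations: a leak shows up here */
static char *dup_filename(const char *s)
{
  char *p = malloc(strlen(s) + 1);
  if (p) { strcpy(p, s); live_allocs++; }
  return p;
}
static void free_filename(char *p) { if (p) { free(p); live_allocs--; } }

/* Before the fix: every DW_AT_decl_file overwrites *filename_ptr, so the
   first malloced name is lost when the duplicate is assigned. */
static void scan_leaky(const struct attr *a, int n, char **filename_ptr)
{
  for (int i = 0; i < n; i++)
    if (a[i].name == DW_AT_decl_file)
      *filename_ptr = dup_filename(a[i].file);
}

/* After the fix: free the previous name first; the last duplicate wins. */
static void scan_fixed(const struct attr *a, int n, char **filename_ptr)
{
  for (int i = 0; i < n; i++)
    if (a[i].name == DW_AT_decl_file) {
      free_filename(*filename_ptr);
      *filename_ptr = dup_filename(a[i].file);
    }
}

/* Runs one scan, releases the surviving name and returns the allocations still
   outstanding (0 = no leak), or -1 if that name was not the last one seen. */
static int leaked_after(void (*scan)(const struct attr *, int, char **), const char *expect)
{
  char *filename = NULL;
  live_allocs = 0;
  scan(dies, sizeof dies / sizeof dies[0], &filename);
  int ok = filename != NULL && strcmp(filename, expect) == 0;
  free_filename(filename);
  return ok ? live_allocs : -1;
}
```

Both scans keep the last DW_AT_decl_file seen ("spec.h"), which is the behaviour the commit preserves; only the fixed scan ends with every allocation released.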
[Bug ld/16744] '-z noexecstack' does not add .note.GNU-stack for relocatables
https://sourceware.org/bugzilla/show_bug.cgi?id=16744

Nick Desaulniers changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ndesaulniers at google dot com
[Bug binutils/29925] Memory leak in find_abstract_instance
https://sourceware.org/bugzilla/show_bug.cgi?id=29925

Alan Modra changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.40

--- Comment #2 from Alan Modra ---
Fixed