[Bug binutils/21781] New: Internal error in handle_COMDAT

2017-07-17 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21781

Bug ID: 21781
   Summary: Internal error in handle_COMDAT
   Product: binutils
   Version: 2.30 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: ned at forallsecure dot com
  Target Milestone: ---

Created attachment 10268
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10268&action=edit
internal_error_coffcode

The attached file produces the following output when run with `./objdump -x internal_error_coffcode`:

```
./objdump: ./internal_error_coffcode (): Section flag IMAGE_SCN_LNK_OTHER
(0x100) ignored
./objdump: BFD (GNU Binutils) 2.29.51.20170714 internal error, aborting at
./coffcode.h:1000 in flagword handle_COMDAT(bfd *, flagword, void *, const char
*, asection *)

./objdump: Please report this bug.
```

It's not clear that we want to handle this case for a malformed input, but the
message indicates that this is a real bug. Perhaps we want to cleanly return
when it is encountered. When I replaced the abort with a `break;`, I got a
memory leak.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/21786] New: Stack-buffer-overflow in {coff,coff64}-rs6000.c

2017-07-18 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21786

Bug ID: 21786
   Summary: Stack-buffer-overflow in {coff,coff64}-rs6000.c
   Product: binutils
   Version: 2.30 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: ned at forallsecure dot com
  Target Milestone: ---

Created attachment 10269
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10269&action=edit
testcase

`_bfd_xcoff_read_ar_hdr` and similar functions can call strtol on a string that
is not null-terminated, leading to an out of bounds read on the stack. See the
attached testcase.

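Added example (not code from the report or from binutils): the pattern behind this report in constructed C, a fixed-width archive header field parsed with an unbounded `strtol` next to a length-bounded parse of the same field. The struct is an assumed, reduced version of the big-format XCOFF member header layout, and the sample values are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (reduced): big-format XCOFF archive member header with
   fixed-width ASCII decimal fields and no NUL terminators. */
struct ar_hdr_big {
    char size[20];
    char nextoff[20];
    char namlen[4];
};

/* Constructed sample: size and nextoff are entirely digits, no padding. */
const struct ar_hdr_big *sample_header(void)
{
    static const struct ar_hdr_big h = {
        "00000000000000000012", "00000000000000000100", "4   "
    };
    return &h;
}

/* Unsafe form of the reported bug: strtol has no length bound, so a field
   filled entirely with digits is scanned on into the next field, and for
   the last field of a header on the stack, past the end of the buffer. */
long naive_field_to_long(const char *field)
{
    return strtol(field, NULL, 10);
}

/* Safe form: copy at most len bytes into a NUL-terminated scratch buffer,
   parse there, and require the rest of the field to be blank padding.
   Returns the value, or -1 if the field is malformed or out of range. */
long parse_field(const char *field, size_t len)
{
    char buf[24], *end;
    long v;
    if (len >= sizeof buf)
        return -1;
    memcpy(buf, field, len);
    buf[len] = '\0';
    errno = 0;
    v = strtol(buf, &end, 10);
    if (end == buf || errno == ERANGE || v < 0)
        return -1;
    for (; *end != '\0'; end++)
        if (*end != ' ')
            return -1;
    return v;
}
```

On the sample header the unbounded parse runs through 44 consecutive digits and saturates at `LONG_MAX`, while the bounded parse returns 12 for the same field.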


[Bug binutils/21786] Stack-buffer-overflow in {coff,coff64}-rs6000.c

2017-07-18 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21786

--- Comment #1 from Ned Williamson  ---
Created attachment 10270
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10270&action=edit
suggested patch

Here, I attach my suggested patch, fixing all places where I was able to
trigger the bug using a variant of the original testcase.



[Bug binutils/21786] Stack-buffer-overflow in {coff,coff64}-rs6000.c

2017-07-18 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21786

--- Comment #2 from Ned Williamson  ---
Created attachment 10271
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10271&action=edit
crash state

Here is the crashing state when inspecting the crash using ASAN.



[Bug binutils/21787] Heap-use-after-free in bfd_cache_close

2017-07-18 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21787

--- Comment #1 from Ned Williamson  ---
Created attachment 10273
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10273&action=edit
crash state

ASAN output for crashing state.



[Bug binutils/21787] New: Heap-use-after-free in bfd_cache_close

2017-07-18 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21787

Bug ID: 21787
   Summary: Heap-use-after-free in bfd_cache_close
   Product: binutils
   Version: 2.30 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: ned at forallsecure dot com
  Target Milestone: ---

Created attachment 10272
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10272&action=edit
testcase

A heap-use-after-free is triggered when the provided file is scanned using
`./objdump -x use-after-free`. All targets must be enabled; I believe the bug
is in the XCOFF archive format.

I used ASAN to detect the crash. If you have trouble reproducing this (valgrind
may work as well, but I haven't checked), let me know.



[Bug binutils/21786] Stack-buffer-overflow in {coff,coff64}-rs6000.c

2017-07-19 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21786

--- Comment #5 from Ned Williamson  ---
Hi Nick, thanks for the great patch! It's much better than the suggested one.
Thank you for pointing out the specification.

I did see a crash in coff64-rs6000 as well, so that may need to use the new
safe functions.



[Bug binutils/21813] New: Additional undefined behavior and crashes

2017-07-21 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21813

Bug ID: 21813
   Summary: Additional undefined behavior and crashes
   Product: binutils
   Version: 2.30 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: ned at forallsecure dot com
  Target Milestone: ---

Created attachment 10281
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10281&action=edit
5 testcases with asan output

I've found 5 more bugs in the objdump master branch.

These bugs repro for me when building for all targets with a recent version of
clang and AddressSanitizer and running them with `./objdump -xg testcase` (one
crash requires debug output).

If any don't reproduce, let me know and I can try to identify another testcase
or help identify the root cause. I've included `asan_output` with my stacktrace
for each test.

I have investigated alpha-heap-overflow, and there the fix is to check that
`PRIV (recrd.rec_size) > test_len` before reading the remaining record.

Cheers,
Ned



[Bug binutils/21840] New: Undefined behavior round 3

2017-07-26 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21840

Bug ID: 21840
   Summary: Undefined behavior round 3
   Product: binutils
   Version: 2.30 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: ned at forallsecure dot com
  Target Milestone: ---

Created attachment 10285
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10285&action=edit
Testcases and ASAN output

I have found 5 more testcases revealing crashes or undefined behavior in the
current objdump. These can be detected with a recent ASAN running under
`objdump -x`.

See the attached file for the testcases and ASAN output.

Thanks so much for addressing previous reports with high quality patches.



[Bug binutils/21916] New: Null-Deref and OOB Read in ELF Parsing

2017-08-07 Thread ned at forallsecure dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=21916

Bug ID: 21916
   Summary: Null-Deref and OOB Read in ELF Parsing
   Product: binutils
   Version: 2.30 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: ned at forallsecure dot com
  Target Milestone: ---

Created attachment 10324
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10324&action=edit
3 testcases with ASAN output

Hi there, I have a few more testcases to report. One triggers a
null-dereference, and the other two trigger two out of bounds reads which I
think are caused by distinct issues.

I've attached the cases here. Building with a recent version of clang+ASAN should show the bugs when running `for fn in bugs4/*; do echo $fn; ./objdump -d $fn; done`.
