[Bug binutils/29169] New: Invalid read during processing of program input via objdump

https://sourceware.org/bugzilla/show_bug.cgi?id=29169

            Bug ID: 29169
           Summary: Invalid read during processing of program input via objdump
           Product: binutils
           Version: 2.38
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: nils_b...@t-online.de
  Target Milestone: ---

Created attachment 14111
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14111&action=edit
Reproduction scripts and bug triggering input.

Invalid read during processing of program input

# Description

During processing of the attached input file via

```
objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
```

an out-of-bounds read is triggered. This possibly opens up other attack vectors to an attacker if files from untrusted sources are processed.

For reproduction of the crash, I attach a Docker container. Run ./build_upstream.sh to build the Docker image and ./reproduce-upstream.sh to reproduce the crash.

If you need further details, please do not hesitate to ask.

# Version

The input was tested on branch binutils-2_38 of git://sourceware.org/git/binutils-gdb.git commit 20756b0fbe065a84710aa38f2457563b57546440.

# Valgrind

```
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: /binutils-gdb/binutils/objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
==1==
/binutils-gdb/binutils/objdump: warning: /testcase has a section extending past end of file

/testcase:     file format elf32-little
/testcase
architecture: UNKNOWN!, flags 0x0010:
HAS_SYMS
start address 0x020210ff

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .gdb_index    0100      0034      2**0
                  CONTENTS, READONLY, DEBUGGING, EXCLUDE
SYMBOL TABLE:
no symbols

DYNAMIC SYMBOL TABLE:
0100 D *ABS* ff00 0xff (null) 00e7 lD *ABS* b400 0x16 (null) lD *ABS* 00bc0060 (null) ff00 D *UND* 00f4 0x80 (null) 000b D *UND* f742c000 0x7f 0080 lD *UND* 00bb4330 (null) lD *UND* 0005 (null) 74727473 D *ABS* 2e006261 0x64 (null) 0078 gD *ABS* ffe40019 (null) 04ff lD .gdb_index 0x60 (null) 7fff lD *UND* 00fa (null) 000b lD *UND* de00 (null) 0100 lD *UND* (null) 0010 ld *UND* 0001 (null) 0100 D *UND* 00b4 (null)

Contents of section .gdb_index:  (Starting at file offset: 0x34)
 0400 8f00 0001
 0010 0001 0001 00ff f600
 0020 0080 e700 00b4 0016faff
 0030 0400 6000bc00 1600 `...
 0040 26000100 00ff f400 ff80 &...
 0050 0b00 00c042f7 ff7f ..B.
 0060 00d0 8000 3043bb00 0C..
 0070 0500 0500
 0080 002e7368 73747274 6162002e 6764625f ..shstrtab..gdb_
 0090 696e6465 7800 1900e4ff 10e3 index...
 00a0 16fa ff04 00600100 .`..
 00b0 2200 ff7f fa00 "...
 00c0 0b00 0b00 00de
 00d0 3400 0001 0800 4...
 00e0 0100 1000 0100 0300
 00f0 8000 0001 b400 1600
/binutils-gdb/binutils/objdump: can't disassemble for architecture UNKNOWN!

Contents of the .gdb_index section (loaded from /testcase):

Version 4
/binutils-gdb/binutils/objdump: Warning: Version 4 does not support case insensitive lookups.
/binutils-gdb/binutils/objdump: Warning: Version 5 does not include inlined functions.
/binutils-gdb/binutils/objdump: Warning: Version 6 does not include symbol attributes.
==1== Invalid read of size 8
==1==    at 0x1B2AC8: byte_get_little_endian (elfcomm.c:162)
==1==    by 0x177BB1: display_gdb_index (dwarf.c:10157)
==1==    by 0x173EE3: dump_dwarf_section (objdump.c:3982)
==1==    by 0x1F10D6: bfd_map_over_sections (section.c:1383)
==1==    by 0x16CB53: dump_dwarf (objdump.c:4020)
==1==    by 0x16FAC8: dump_bfd (objdump.c:5184)
==1==    by 0x16FCEC: display_object_bfd (objdump.c:5221)
==1==    by 0x16FCEC: display_any_bfd (objdump.c:5311)
==1==    by 0x169C57: display_file (objdump.c:5332)
==1==    by 0x169C57: display_file (objdump.c:5315)
==1==    by 0x169C57: main (objdump.c:5700)
==1==  Address 0x4a6ae9f is 255 bytes inside a block of size 257 alloc'd
==1==    at 0x483B7F3: malloc (in /us
```
[Bug binutils/29170] New: Integer divide by zero, which results in SIGFPE during the processing of program input

https://sourceware.org/bugzilla/show_bug.cgi?id=29170

            Bug ID: 29170
           Summary: Integer divide by zero, which results in SIGFPE during the processing of program input
           Product: binutils
           Version: 2.38
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: nils_b...@t-online.de
  Target Milestone: ---

Created attachment 14112
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14112&action=edit
Reproduction scripts and bug triggering input.

Integer divide by zero, which results in SIGFPE during the processing of program input

# Description

During processing of the attached input file via

```
/binutils-gdb/binutils/objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
```

a SIGFPE is triggered.

For reproduction of the crash, I attach a Docker container. Run ./build_upstream.sh to build the Docker image and ./reproduce-upstream.sh to reproduce the crash.

If you need further details, please feel free to ask.

# Version

The input was tested on branch binutils-2_38 of git://sourceware.org/git/binutils-gdb.git commit 20756b0fbe065a84710aa38f2457563b57546440.

# Valgrind

```
[+] Running valgrind /binutils-gdb/binutils/objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: /binutils-gdb/binutils/objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
==1==
/binutils-gdb/binutils/objdump: warning: /testcase has a section extending past end of file

/testcase:     file format elf32-little
/testcase
architecture: UNKNOWN!, flags 0x:
start address 0xedff04f0

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .debug_names  0100      1d00      1d00      0034      2**0
                  CONTENTS, READONLY, DEBUGGING, OCTETS
/binutils-gdb/binutils/objdump: /testcase: not a dynamic object
/binutils-gdb/binutils/objdump: can't disassemble for architecture UNKNOWN!
SYMBOL TABLE:
no symbols

DYNAMIC SYMBOL TABLE:
no symbols

Contents of section .debug_names:  (Starting at file offset: 0x34)
 1d00 7d00 0500 0100 }...
 1d10 0200 1500
 1d20 0500
 1d30 00ff00b4
 1d40 f6ff 0400
 1d50 0200 0f00fffa
 1d60 6c00fdff deff0008 4808 d9ec l...H...
 1d70 01de0800 0fe7
 1d80 002e7355 92747274 ff62002e 64656275 ..sU.trt.b..debu
 1d90 675f6e61 6d657300 0076 0040 g_namesv...@
 1da0 1500 002a ...*
 1db0 64d0 d...
 1dc0 0b00 0b07
 1dd0 001d 3400 0001 4...
 1de0 0100 1000 0100
 1df0 0300 0200 b400

Contents of the .debug_names section (loaded from /testcase):

Version 5
/binutils-gdb/binutils/objdump: Warning: Compilation unit count must be >= 1 in .debug_names
==1==
==1== Process terminating with default action of signal 8 (SIGFPE): dumping core
==1==  Integer divide by zero at address 0x1009667D6C
==1==    at 0x188FEC: display_debug_names (dwarf.c:9787)
==1==    by 0x173EE3: dump_dwarf_section (objdump.c:3982)
==1==    by 0x1F10D6: bfd_map_over_sections (section.c:1383)
==1==    by 0x16CB53: dump_dwarf (objdump.c:4020)
==1==    by 0x16FAC8: dump_bfd (objdump.c:5184)
==1==    by 0x16FCEC: display_object_bfd (objdump.c:5221)
==1==    by 0x16FCEC: display_any_bfd (objdump.c:5311)
==1==    by 0x169C57: display_file (objdump.c:5332)
==1==    by 0x169C57: display_file (objdump.c:5315)
==1==    by 0x169C57: main (objdump.c:5700)
Augmentation string: ("")

CU table:

TU table:
[  0] 0x5

Foreign TU table:

Used 0 of 0 buckets.
==1==
==1== HEAP SUMMARY:
==1==     in use at exit: 45,698 bytes in 10 blocks
==1==   total heap usage: 26 allocs, 16 frees, 131,756 bytes allocated
==1==
==1== LEAK SUMMARY:
==1==    definitely lost: 0 bytes in 0 blocks
==1==    indirectly lost: 0 bytes in 0 blocks
==1==      possibly lost: 0 bytes in 0 blocks
==1==    still reachable: 45,698 bytes in 10 blocks
==1==         suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 0 errors from 0 contexts (s
```
[Bug binutils/29171] New: Invalid read during processing of program input causing SIGSEGV

https://sourceware.org/bugzilla/show_bug.cgi?id=29171

            Bug ID: 29171
           Summary: Invalid read during processing of program input causing SIGSEGV
           Product: binutils
           Version: 2.38
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: nils_b...@t-online.de
  Target Milestone: ---

Created attachment 14113
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14113&action=edit
Reproduction scripts and bug triggering input.

Invalid read during processing of program input causing SIGSEGV

# Description

During processing of the attached input file via

```
/binutils-gdb/binutils/objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
```

an out-of-bounds read is triggered. This possibly opens up other attack vectors to an attacker if files from untrusted sources are processed.

For reproduction of the crash, I attach a Docker image. Run ./build_upstream.sh to build the Docker image and ./reproduce-upstream.sh to reproduce the crash.

If you need further assistance, please do not hesitate to ask.

# Version

The input was tested on branch binutils-2_38 of git://sourceware.org/git/binutils-gdb.git commit 20756b0fbe065a84710aa38f2457563b57546440.

# Valgrind

```
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: /binutils-gdb/binutils/objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
==1==
/binutils-gdb/binutils/objdump: warning: /testcase has a section extending past end of file

/testcase:     file format elf32-little
/testcase
architecture: UNKNOWN!, flags 0x0010:
HAS_SYMS
start address 0xedff04f0

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .debug_names  0100      1d00      1d00      0034      2**0
                  CONTENTS, READONLY, DEBUGGING, OCTETS
SYMBOL TABLE:
no symbols

DYNAMIC SYMBOL TABLE:
0006 DO *UND* 0002 0005 lD *UND* lD *UND* ff00 fff6 lD *UND* 0010 3e00 D *ABS* 823e3e3e 0x3e (null) a8a8a8a8 uD *ABS* a8a8a8a8 0xa8 (null) 3e3e3e3e D *ABS* 3e3e3e3e 0x3e (null) 3e3e3e3e df *ABS* 2e3e3e3e 0x65 (null) 0073656d lD *UND* 7600 (null) lD *ABS* (null) lD *UND* d064 000b lD *UND* 000b (null) 0034 lD *UND* 0100 (null) 0001 lDO *UND* 0010 df *UND* 00020600 (null)

Contents of section .debug_names:  (Starting at file offset: 0x34)
 1d00 7d00 0500 0100 }...
 1d10 0600 0200 1500
 1d20 0500
 1d30 00ff
 1d40 f6ff 1000 0600
 1d50 0d00 003e 3e3e3e82 3e3e3e3e ...>>>>.>>>>
 1d60 a8a8a8a8 a8a8a8a8 a8a8a8a8 a8a8a8a8
 1d70 3e3e3e3e 3e3e3e3e 3e3e3e3e 3e3e3e3e >>>>>>>>>>>>>>>>
 1d80 3e3e3e3e 3e3e3e3e 3e3e3e2e 64656275 >>>>>>>>>>>.debu
 1d90 675f6e61 6d657300 0076 g_namesv
 1da0 15f0 002a ...*
 1db0 64d0 d...
 1dc0 0f00 0b00 0b00
 1dd0 001d 3400 0001 4...
 1de0 0100 1000 0100
 1df0 0300 00060200 b400
/binutils-gdb/binutils/objdump: can't disassemble for architecture UNKNOWN!

Contents of the .debug_names section (loaded from /testcase):

Version 5
/binutils-gdb/binutils/objdump: Warning: Compilation unit count must be >= 1 in .debug_names
/binutils-gdb/binutils/objdump: Error: Augmentation string: ("")

CU table:

TU table:
[  0] 0x5

Foreign TU table:

Used 1 of 6 buckets.
Out of 2 items there are 1 bucket clashes (longest of 1 entries).
end of data encountered whilst reading LEB
/binutils-gdb/binutils/objdump: Error: end of data encountered whilst reading LEB
/binutils-gdb/binutils/objdump: Error: end of data encountered whilst reading LEB
/binutils-gdb/binutils/objdump: Error: end of data encountered whilst reading LEB

Symbol table:
[  0] # :/binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x3e
/binutils-gdb/binutils/objdump: Error: end of data encountered whilst reading LEB
/binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x2850a142850a1428
/binutils-gdb/binutils/objdump: Error: end of data encountere
```
[Bug binutils/28763] New: SIGSEGV during processing of program headers

https://sourceware.org/bugzilla/show_bug.cgi?id=28763

            Bug ID: 28763
           Summary: SIGSEGV during processing of program headers
           Product: binutils
           Version: 2.37
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: nils_b...@t-online.de
  Target Milestone: ---

Created attachment 13899
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13899&action=edit
The crashing input alongside a script to automatically reproduce the bug.

SIGSEGV during processing of program headers

# Description

During processing of the attached elf file via

```
readelf -a $PWD/02f5bec64cda36a9941f7752571e5a41328f683542fa5b125bf03a8dd3c10fb0
```

an out-of-bounds read is triggered, which causes a SIGSEGV. The bug appears to be located in the code responsible for parsing the program headers. This allows an attacker to perform a denial of service and possibly opens up other attack vectors if files from untrusted sources are processed.

For reproduction of the crash, I attach a script called ./reproduce.sh alongside the crashing input.

If you need further details, please do not hesitate to ask.

# Version

The input was tested on branch binutils-2_37 of git://sourceware.org/git/binutils-gdb.git commit 116a737f438d03a1bd6aa706b6ea0b4022f3b7e2.

# Valgrind

```
readelf: Warning: Section 27 has an out of range sh_info value of 131072
readelf: Warning: Section 28 has an out of range sh_link value of 1096552196
readelf: Warning: Section 28 has an out of range sh_info value of 2370617481
readelf: Warning: Section 29 has an out of range sh_link value of 134344835
readelf: Warning: Section 29 has an out of range sh_info value of 3901310160
readelf: Error: Reading 1163130152494825472 bytes extends past end of file for string table

Section Headers:
  [Nr] Name  Type  Address  Offset  Size  EntSize  Flags  Link  Info  Align
readelf: Warning: Size of section 0 is larger than the entire file!
  [ 0] 841f: LOOS+0x3244cb6 0179850f0020247c ba005cbd 00801f0f005c 0063247c80c031ed XLTCxxolxxx 2147483648 1057916 3550243881428485391
readelf: Warning: [ 2]: Expected link to another section in info field
  [ 2] LOUSER+0x78e9ff 80c0940f02fa8341 31452d750063247c 72bdfb7be9ed fb24840fd0890063 WAxMSILOGTColp 1157627904 2202135857 2629117855673549562
readelf: Warning: [ 3]: Unexpected value (2232352867) in info field.
readelf: Warning: Size of section 3 is larger than the entire file!
  [ 3] 841f: LOUSER+0x40fd02 8d49272704c64305 676ce394901244c 8d4924012744c643 870fce394903244c WAXxGTxx 1224877132 108449337 10180711322849953347
readelf: Warning: [ 5]: Expected link to another section in info field
readelf: Warning: Size of section 5 is larger than the entire file!
  [ 5] 04c48349: LOUSER+0x7ffb15 91046348d5b60f40 1f0fe0ff3ec80148 0f02fa834144 8341fd78e9c0 WAXxMSILCoxxx 826654868 4253936109 10668749317231214591
  [ 7] LOUSER+0x7e 4401c38348fd 5cbded3145c089 841f0f66 448d49272704c643 LTCop 2214592512 1082396608 393755151237644282
readelf: Warning: [ 8]: Expected link to another section in info field
readelf: Warning: Size of section 8 is larger than the entire file!
  [ 8] 430676c6: 0f02fa83: LOUSER+0x348fff 72ba000d bbda8eb00 fdc1e90076ba 0061ba00 WAILOxxolp 180223999 3120562176 557757969320640622
readelf: Warning: [11]: Expected link to another section in info field
readelf: Warning: Size of section 11 is larger than the entire file!
  [11] 1f0f66ff: LOUSER+0x4d8945 20bdc031 1f0ff87de900 4502fa834144 2444b60ffc16 WIOCxxolp 2484061577 3833941442 9587991139382987381
  [13] LOUSER+0x40fc22 0696840f f0008247c80 f6854d073385 24548b48070f ASLGTxx 1220580367 1478786179 9516053376779226880
  [14] LOUSER+0x464158 49e9582454894800 63247c80fa 854dfbb5850f 74894c03c485 WAXOGTxxoE 3531870198 822083587 1080960824299964626
readelf: Warning: [15]: Expected link to another section in info field
  [15] LOUSER+0x403103 27bdd6894900 f7e9e900 0063247c80001f0f 1f0f66f7cce9 WXIOxxop 4218258703 826671103 273766429165
  [16] LOUSER+0x202484 4800 fffb834938244489 4418247c8b482d75 4824548b44e2 op 1210340489 608471108 4677041145485214784
readelf: Warning: [17]: Unexpected value (2267319432) in info field.
readelf: Warning: Size of section 17 is larger than the entire file!
  [17] 0f444024: 3824648b: LOOS+0x
```
[Bug binutils/28763] SIGSEGV during processing of program headers
https://sourceware.org/bugzilla/show_bug.cgi?id=28763

Nils Bars changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #13899  |The crashing input          |please ignore
description        |alongside a script to       |
                   |automatically reproduce the |
                   |bug.                        |
Attachment #13899  |0                           |1
is obsolete        |                            |

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug binutils/28763] SIGSEGV during processing of program headers
https://sourceware.org/bugzilla/show_bug.cgi?id=28763

--- Comment #3 from Nils Bars ---
Yes, sorry, I updated the attachment. Thanks for looking into the issue.
[Bug binutils/28763] SIGSEGV during processing of program headers
https://sourceware.org/bugzilla/show_bug.cgi?id=28763

--- Comment #2 from Nils Bars ---
Created attachment 13918
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13918&action=edit
The crashing input alongside a script to automatically reproduce the bug.
[Bug binutils/28763] SIGSEGV during processing of program headers via readelf
https://sourceware.org/bugzilla/show_bug.cgi?id=28763

Nils Bars changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Summary            |SIGSEGV during processing   |SIGSEGV during processing
                   |of program headers          |of program headers via
                   |                            |readelf