[Bug binutils/18570] New: Crash in objdump (elf-attrs.c)

2015-06-22 Thread paulwebsec at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18570

Bug ID: 18570
   Summary: Crash in objdump (elf-attrs.c)
   Product: binutils
   Version: 2.25
Status: NEW
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: paulwebsec at gmail dot com
  Target Milestone: ---

Created attachment 8381
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8381&action=edit
file to reproduce the segfault

Segfault produced by the command: `objdump -r `

(gdb) r -r "/home/user/binutils-gdb/afl_out_objdump/crashes/id:07,sig:11,src:002710,op:flip1,pos:26769"
Starting program: /home/user/binutils-gdb/binutils/objdump -r "/home/user/binutils-gdb/afl_out_objdump/crashes/id:07,sig:11,src:002710,op:flip1,pos:26769"

Program received signal SIGSEGV, Segmentation fault.
0x006eba4c in bfd_elf_add_obj_attr_int (abfd=abfd@entry=0xc9b1c0,
vendor=vendor@entry=1, tag=tag@entry=-157895616, i=401923) at elf-attrs.c:300
300   attr->i = i;
(gdb) info registers
rax            0x1                 1
rbx            0x0                 0
rcx            0x62203             401923
rdx            0xf696b440          4137071680
rsi            0x1                 1
rdi            0xc9b1c0            13218240
rbp            0x6a34ff10          0x6a34ff10
rsp            0x7fffe100          0x7fffe100
r8             0xc9f201            13234689
r9             0xf696b440          -157895616
r10            0x9                 9
r11            0x3                 3
r12            0x1                 1
r13            0xc9b1c0            13218240
r14            0x62203             401923
r15            0xc9f29c            13234844
rip            0x6eba4c            0x6eba4c
eflags         0x10213             [ CF AF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) bt
#0  0x006eba4c in bfd_elf_add_obj_attr_int (abfd=abfd@entry=0xc9b1c0,
vendor=vendor@entry=1, tag=tag@entry=-157895616, i=401923) at elf-attrs.c:300
#1  0x006ee1c7 in _bfd_elf_parse_attributes (abfd=abfd@entry=0xc9b1c0,
hdr=hdr@entry=0xc9d8a0) at elf-attrs.c:539
#2  0x006335d5 in bfd_section_from_shdr (abfd=abfd@entry=0xc9b1c0,
shindex=shindex@entry=5) at elf.c:2119
#3  0x0061b4d0 in bfd_elf64_object_p (abfd=0xc9b1c0) at elfcode.h:800
#4  0x005af7c0 in bfd_check_format_matches (abfd=abfd@entry=0xc9b1c0,
format=format@entry=bfd_object, matching=matching@entry=0x7fffe490) at
format.c:305
#5  0x0041fdb0 in display_object_bfd (abfd=0xc9b1c0) at
./objdump.c:3407
#6  display_any_bfd (file=file@entry=0xc9b1c0, level=level@entry=0) at
./objdump.c:3498
#7  0x0040d1f6 in display_file (target=0x0, 
filename=0x7fffe861
"/home/user/binutils-gdb/afl_out_objdump/crashes/id:07,sig:11,src:002710,op:flip1,pos:26769")
at ./objdump.c:3519
#8  display_file (target=, 
filename=0x7fffe861
"/home/user/binutils-gdb/afl_out_objdump/crashes/id:07,sig:11,src:002710,op:flip1,pos:26769")
at ./objdump.c:3525
#9  main (argc=3, argv=0x7fffe618) at ./objdump.c:3802
(gdb)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/18570] Crash in objdump (elf-attrs.c)

2015-06-22 Thread paulwebsec at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=18570

--- Comment #1 from PaulSec  ---
Tested on a Debian GNU/Linux 7 (wheezy) x86_64 GNU/Linux


[Bug binutils/20063] New: Segmentation fault on objdump -D (with invalid SHT_GROUP entry)

2016-05-09 Thread paulwebsec at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=20063

Bug ID: 20063
   Summary: Segmentation fault on objdump -D (with invalid
SHT_GROUP entry)
   Product: binutils
   Version: 2.27 (HEAD)
Status: NEW
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: paulwebsec at gmail dot com
  Target Milestone: ---

Created attachment 9243
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9243&action=edit
Executable sample to crash (segfault) binutils's objdump (latest version)

Hi there,

I crashed objdump (with the -D flag) by supplying a specially crafted
executable generated with afl-fuzz; this happens because of an invalid SHT_GROUP
entry.

The crash looks like: 

gdb-peda$ r -D ../afl_out/crashes/id:00,sig:11,src:002668,op:flip8,pos:91609
Starting program: /root/binutils-2.26/binutils/objdump -D ../afl_out/crashes/id:00,sig:11,src:002668,op:flip8,pos:91609
/root/binutils-2.26/binutils/objdump: ../afl_out/crashes/id:00,sig:11,src:002668,op:flip8,pos:91609: invalid SHT_GROUP entry

Program received signal SIGSEGV, Segmentation fault.
[--registers---]
RAX: 0xff00
RBX: 0x7fffe140 --> 0x1
RCX: 0xa77fc0 --> 0xa7436d ("elf64-x86-64")
RDX: 0xcd8dd0 --> 0xcda510 --> 0x2
RSI: 0xcd8188 --> 0x0
RDI: 0xcdb030 --> 0x120013
RBP: 0xcd7ff0 --> 0xcda350 ("../afl_out/crashes/id:00,sig:11,src:002668,op:flip8,pos:91609")
RSP: 0x7fffe050 --> 0x7fffe160 --> 0xfe
RIP: 0x63f84c (:  cmp    QWORD PTR [rdx+rax*8],rsi)
R8 : 0xcd8120 --> 0x10102464c457f
R9 : 0x7fffe170 --> 0xcdad80 --> 0x30001
R10: 0x1
R11: 0x1
R12: 0xcd7ff0 --> 0xcda350 ("../afl_out/crashes/id:00,sig:11,src:002668,op:flip8,pos:91609")
R13: 0x0
R14: 0xcdb030 --> 0x120013
R15: 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-code-]
   0x63f840 : mov    r14,rdi
   0x63f843 : nop    DWORD PTR [rax+rax*1+0x0]
   0x63f848 : mov    eax,DWORD PTR [r14+0x28]
=> 0x63f84c : cmp    QWORD PTR [rdx+rax*8],rsi
   0x63f850 : je     0x63f8df

   0x63f856 : xchg   ax,ax
   0x63f858 : lea    rsp,[rsp-0x98]
   0x63f860 : mov    QWORD PTR [rsp],rdx
[stack-]
0000| 0x7fffe050 --> 0x7fffe160 --> 0xfe
0008| 0x7fffe058 --> 0x1
0016| 0x7fffe060 --> 0xa7035c --> 0x32312d2500646662 ('bfd')
0024| 0x7fffe068 --> 0x7fff0005
0032| 0x7fffe070 --> 0x7fffdfc0 --> 0xa77fc0 --> 0xa7436d ("elf64-x86-64")
0040| 0x7fffe078 --> 0xcdb1e8 --> 0xcda510 --> 0x2
0048| 0x7fffe080 --> 0x0
0056| 0x7fffe088 --> 0x77df0515 (<_dl_runtime_resolve+53>:  mov    r11,rax)
[--]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0063f84c in bfd_elf_get_elf_syms (ibfd=0xcd7ff0, symtab_hdr=0xcd8188,
symcount=0x1, symoffset=0x0, intsym_buf=0x7fffe140, extsym_buf=0x7fffe170,
extshndx_buf=0x7fffe160) at elf.c:410
410         if (sections[entry->hdr.sh_link] == symtab_hdr)
gdb-peda$

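The faulting line in the report above indexes the section table with a value read straight from the file (`sections[entry->hdr.sh_link]`). That is the pattern behind this kind of fuzzer-found crash: a section header's sh_link is an index into the section header table, and nothing in the file format guarantees it is in range, so a parser that trusts it reads (or writes) outside the table. The following is an added example, not BFD/binutils code and not the patch referred to later in this thread. It walks the section header table of a little-endian ELF64 image and rejects any sh_link that is not below e_shnum; for SHT_GROUP and SHT_SYMTAB_SHNDX sections it additionally requires the linked section to be an SHT_SYMTAB, which goes beyond what the report shows. `check_section_links`, `build_sample` and `check_sample` are names chosen here, and the three-section image is constructed inline with only the fields the check reads filled in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section types from the ELF specification. */
#define SHT_SYMTAB       2
#define SHT_GROUP        17
#define SHT_SYMTAB_SHNDX 18

/* Little-endian field readers; the image is treated as untrusted bytes. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Walk the section header table of a little-endian ELF64 image and make sure
   every sh_link can safely be used as an index into that table.
   Returns 0 on success or a negative code; err receives a description. */
int check_section_links(const uint8_t *img, size_t len, char *err, size_t errlen)
{
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1) {
        snprintf(err, errlen, "not a little-endian ELF64 image");
        return -1;
    }
    uint64_t shoff = rd64(img + 40);      /* e_shoff */
    uint16_t shentsize = rd16(img + 58);  /* e_shentsize */
    uint16_t shnum = rd16(img + 60);      /* e_shnum */
    /* The table itself must lie inside the image before any entry is read. */
    if (shentsize != 64 || shoff > len || (uint64_t)shnum * 64 > len - shoff) {
        snprintf(err, errlen, "section header table (offset %llu, %u entries) exceeds %zu-byte image",
                 (unsigned long long)shoff, (unsigned)shnum, len);
        return -2;
    }
    for (uint16_t i = 0; i < shnum; i++) {
        const uint8_t *sh = img + shoff + (size_t)i * 64;
        uint32_t type = rd32(sh + 4);   /* sh_type */
        uint32_t link = rd32(sh + 40);  /* sh_link */
        /* The core check: sh_link comes from the file and must be below e_shnum
           before anything evaluates sections[sh_link]. */
        if (link >= shnum) {
            snprintf(err, errlen, "section %u: sh_link %u >= e_shnum %u", (unsigned)i, link, (unsigned)shnum);
            return -3;
        }
        /* Group and symtab-index sections must link to a symbol table. */
        if (type == SHT_GROUP || type == SHT_SYMTAB_SHNDX) {
            uint32_t ltype = rd32(img + shoff + (size_t)link * 64 + 4);
            if (ltype != SHT_SYMTAB) {
                snprintf(err, errlen, "section %u: sh_link %u has type %u, not SHT_SYMTAB", (unsigned)i, link, ltype);
                return -4;
            }
        }
    }
    return 0;
}

/* Constructed sample (not a real binary): ELF64 header plus three section
   headers: 0 = SHT_NULL, 1 = SHT_SYMTAB, 2 = SHT_GROUP linking to group_link.
   Only the fields the check reads are filled in. */
#define SAMPLE_LEN (64 + 3 * 64)
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int k = 0; k < 4; k++) p[k] = (uint8_t)((v >> (8 * k)) & 0xff); }
static void wr64(uint8_t *p, uint64_t v) { for (int k = 0; k < 8; k++) p[k] = (uint8_t)((v >> (8 * k)) & 0xff); }

size_t build_sample(uint8_t *buf, uint32_t group_link)
{
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2;                               /* ELFCLASS64 */
    buf[5] = 1;                               /* ELFDATA2LSB */
    wr64(buf + 40, 64);                       /* e_shoff: table right after the header */
    wr16(buf + 58, 64);                       /* e_shentsize */
    wr16(buf + 60, 3);                        /* e_shnum */
    wr32(buf + 64 + 64 + 4, SHT_SYMTAB);      /* section 1 sh_type */
    wr32(buf + 64 + 128 + 4, SHT_GROUP);      /* section 2 sh_type */
    wr32(buf + 64 + 128 + 40, group_link);    /* section 2 sh_link */
    return SAMPLE_LEN;
}

/* Build a sample with the given group sh_link and run the check on it. */
int check_sample(uint32_t group_link)
{
    uint8_t buf[SAMPLE_LEN];
    char err[160];
    int rc = check_section_links(buf, build_sample(buf, group_link), err, sizeof err);
    printf("sh_link=%u -> %s\n", group_link, rc == 0 ? "ok" : err);
    return rc;
}

int main(void)
{
    check_sample(1);     /* valid: links to the symbol table */
    check_sample(1000);  /* out of range: would index past the table */
    check_sample(0);     /* in range, but section 0 is not a symbol table */
    return 0;
}
```

The table-bounds test before the loop matters as much as the per-entry one: e_shoff and e_shnum are file-controlled too, so an image that passes sh_link validation can still place the table itself outside the mapped bytes. Rejecting the file up front, with a message naming the offending section, is also what makes such inputs easy to triage when a fuzzer produces hundreds of near-identical crashes.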

[Bug binutils/20063] Segmentation fault on objdump -D (with invalid SHT_GROUP entry)

2016-05-10 Thread paulwebsec at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=20063

--- Comment #3 from PaulSec  ---
Thanks for the patch.

Would it be possible to get notified when this is going to be pushed to a
release or anything, so I can try it with a couple of other crashes I have (with
the invalid SHT_GROUP entry again)?

Best,
