bug-binutils
From: paulwebsec at gmail dot com
Subject: [Bug binutils/20063] New: Segmentation fault on objdump -D (with invalid SHT_GROUP entry)
Date: Mon, 09 May 2016 12:27:30 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20063

            Bug ID: 20063
           Summary: Segmentation fault on objdump -D (with invalid
                    SHT_GROUP entry)
           Product: binutils
           Version: 2.27 (HEAD)
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: paulwebsec at gmail dot com
  Target Milestone: ---

Created attachment 9243
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9243&action=edit
Executable sample to crash (segfault) binutils's objdump (latest version)

Hi there,

I crashed objdump (with the -D flag) by giving it a specially crafted executable produced with afl-fuzz, and this happens because of an invalid SHT_GROUP entry.

The crash looks like:

gdb-peda$ r -D ../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609
Starting program: /root/binutils-2.26/binutils/objdump -D ../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609
/root/binutils-2.26/binutils/objdump: ../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609: invalid SHT_GROUP entry

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xff00
RBX: 0x7fffffffe140 --> 0x1
RCX: 0xa77fc0 --> 0xa7436d ("elf64-x86-64")
RDX: 0xcd8dd0 --> 0xcda510 --> 0x200000000
RSI: 0xcd8188 --> 0x0
RDI: 0xcdb030 --> 0x1200000013
RBP: 0xcd7ff0 --> 0xcda350 ("../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609")
RSP: 0x7fffffffe050 --> 0x7fffffffe160 --> 0xfe
RIP: 0x63f84c (<bfd_elf_get_elf_syms+316>:      cmp    QWORD PTR [rdx+rax*8],rsi)
R8 : 0xcd8120 --> 0x10102464c457f
R9 : 0x7fffffffe170 --> 0xcdad80 --> 0x300000001
R10: 0x1
R11: 0x1
R12: 0xcd7ff0 --> 0xcda350 ("../afl_out/crashes/id:000000,sig:11,src:002668,op:flip8,pos:91609")
R13: 0x0
R14: 0xcdb030 --> 0x1200000013
R15: 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x63f840 <bfd_elf_get_elf_syms+304>: mov    r14,rdi
   0x63f843 <bfd_elf_get_elf_syms+307>: nop    DWORD PTR [rax+rax*1+0x0]
   0x63f848 <bfd_elf_get_elf_syms+312>: mov    eax,DWORD PTR [r14+0x28]
=> 0x63f84c <bfd_elf_get_elf_syms+316>: cmp    QWORD PTR [rdx+rax*8],rsi
   0x63f850 <bfd_elf_get_elf_syms+320>: je     0x63f8df <bfd_elf_get_elf_syms+463>
   0x63f856 <bfd_elf_get_elf_syms+326>: xchg   ax,ax
   0x63f858 <bfd_elf_get_elf_syms+328>: lea    rsp,[rsp-0x98]
   0x63f860 <bfd_elf_get_elf_syms+336>: mov    QWORD PTR [rsp],rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe050 --> 0x7fffffffe160 --> 0xfe
0008| 0x7fffffffe058 --> 0x1
0016| 0x7fffffffe060 --> 0xa7035c --> 0x32312d2500646662 ('bfd')
0024| 0x7fffffffe068 --> 0x7fff00000005
0032| 0x7fffffffe070 --> 0x7fffffffdfc0 --> 0xa77fc0 --> 0xa7436d ("elf64-x86-64")
0040| 0x7fffffffe078 --> 0xcdb1e8 --> 0xcda510 --> 0x200000000
0048| 0x7fffffffe080 --> 0x0
0056| 0x7fffffffe088 --> 0x7ffff7df0515 (<_dl_runtime_resolve+53>:      mov    r11,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000063f84c in bfd_elf_get_elf_syms (ibfd=0xcd7ff0, symtab_hdr=0xcd8188, symcount=0x1, symoffset=0x0, intsym_buf=0x7fffffffe140, extsym_buf=0x7fffffffe170, extshndx_buf=0x7fffffffe160) at elf.c:410
410             if (sections[entry->hdr.sh_link] == symtab_hdr)
gdb-peda$

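The faulting line in the report, `if (sections[entry->hdr.sh_link] == symtab_hdr)`, subscripts the section array with an sh_link value taken from the file (the `mov eax,DWORD PTR [r14+0x28]` just before the crash loads it, and RAX holds 0xff00 at the fault) without first comparing it with the number of section headers. What follows is an added example, not binutils code and not part of the report: a small ELF64 section-table reader that checks the header table against the image size, rejects an out-of-range sh_link before using it as an index, and applies the same index validation to an SHT_GROUP section's link and member words. The struct layouts are the public ELF64 ones; the function names (get_shdr, resolve_link, check_group, build_image, scenario) and the three-header image that build_image() constructs are mine, and the code assumes a little-endian host because builder and parser both use host byte order.

```c
/* Bounds-checked ELF64 section-header handling, added as an example for this
 * report. It is not binutils code: the struct layouts are the public ELF64 ones
 * and the image comes from build_image() below (assumes a little-endian host). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHT_SYMTAB 2
#define SHT_GROUP  17

typedef struct {                            /* Elf64_Ehdr: 64 bytes, no padding */
    unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;
typedef struct {                            /* Elf64_Shdr: 64 bytes, no padding */
    uint32_t sh_name, sh_type; uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info; uint64_t sh_addralign, sh_entsize;
} Shdr64;

enum { RC_OK = 0, RC_IMAGE = -1, RC_INDEX = -2, RC_LINK = -3, RC_MEMBER = -4, RC_TYPE = -5 };

/* Copy section header idx out of the image. The table must fit in the image and
 * idx is compared with e_shnum before it becomes a subscript: the comparison the
 * faulting line in the report does not make for entry->hdr.sh_link. */
static int get_shdr(const uint8_t *img, size_t len, uint32_t idx, Shdr64 *out)
{
    Ehdr64 eh;
    if (len < sizeof eh) return RC_IMAGE;
    memcpy(&eh, img, sizeof eh);            /* memcpy: img need not be aligned */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */
        || eh.e_shentsize != sizeof *out || eh.e_shoff > len
        || (size_t)eh.e_shnum * sizeof *out > len - eh.e_shoff) return RC_IMAGE;
    if (idx >= eh.e_shnum) return RC_INDEX;
    memcpy(out, img + eh.e_shoff + (size_t)idx * sizeof *out, sizeof *out);
    return RC_OK;
}

/* Resolve section idx's sh_link. An sh_link of 0xff00 in a three-header file
 * yields RC_LINK here instead of a read from sections[0xff00]. */
int resolve_link(const uint8_t *img, size_t len, uint32_t idx, Shdr64 *linked)
{
    Shdr64 sh; int rc = get_shdr(img, len, idx, &sh);
    if (rc != RC_OK) return rc;
    rc = get_shdr(img, len, sh.sh_link, linked);
    return rc == RC_INDEX ? RC_LINK : rc;
}

/* Validate an SHT_GROUP section: sh_link must name a SHT_SYMTAB, the contents must
 * lie inside the image, and every member word after the leading flags word must
 * be a non-zero, in-range section index. */
int check_group(const uint8_t *img, size_t len, uint32_t idx)
{
    Shdr64 grp, symtab, member; int rc = get_shdr(img, len, idx, &grp);
    if (rc != RC_OK) return rc;
    if (grp.sh_type != SHT_GROUP) return RC_TYPE;
    if ((rc = resolve_link(img, len, idx, &symtab)) != RC_OK) return rc;
    if (symtab.sh_type != SHT_SYMTAB) return RC_LINK;
    if (grp.sh_offset > len || grp.sh_size > len - grp.sh_offset
        || grp.sh_size < 4 || grp.sh_size % 4 != 0) return RC_IMAGE;
    for (uint64_t pos = 4; pos < grp.sh_size; pos += 4) {
        uint32_t m; memcpy(&m, img + grp.sh_offset + pos, sizeof m);
        if (m == 0 || get_shdr(img, len, m, &member) != RC_OK) return RC_MEMBER;
    }
    return RC_OK;
}

/* Constructed sample image: headers [0] null, [1] SHT_SYMTAB, [2] SHT_GROUP with
 * sh_link = group_link and one member word = member. Returns the image size. */
size_t build_image(uint8_t *buf, size_t cap, uint32_t group_link, uint32_t member)
{
    enum { GRP_OFF = 64, SHT_OFF = 128, NSEC = 3 };
    Ehdr64 eh = {{0}}; Shdr64 sh[NSEC] = {{0}};
    uint32_t words[2] = { 1 /* GRP_COMDAT */, member };
    if (cap < SHT_OFF + sizeof sh) return 0;
    memset(buf, 0, SHT_OFF + sizeof sh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1;   /* ELFCLASS64, ELFDATA2LSB */
    eh.e_shoff = SHT_OFF; eh.e_shentsize = sizeof(Shdr64); eh.e_shnum = NSEC;
    sh[1].sh_type = SHT_SYMTAB;
    sh[2].sh_type = SHT_GROUP; sh[2].sh_link = group_link; sh[2].sh_entsize = 4;
    sh[2].sh_offset = GRP_OFF; sh[2].sh_size = sizeof words;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + GRP_OFF, words, sizeof words);
    memcpy(buf + SHT_OFF, sh, sizeof sh);
    return SHT_OFF + sizeof sh;
}

/* Build an image, drop cut bytes from its end, and run both checks on section 2
 * (the group). Returns the first failing code, RC_OK if both pass. */
int scenario(uint32_t group_link, uint32_t member, size_t cut)
{
    uint8_t buf[512]; Shdr64 linked;
    size_t n = build_image(buf, sizeof buf, group_link, member) - cut;
    int rc = resolve_link(buf, n, 2, &linked);
    return rc != RC_OK ? rc : check_group(buf, n, 2);
}
```

scenario(1, 1, 0) runs both checks on the well-formed image and returns RC_OK. The same image with the group's sh_link set to 0xff00 returns RC_LINK from resolve_link() instead of reading past the three-entry table; a member word of 0xff00 (or 0) returns RC_MEMBER from check_group(); and truncating the image so the table no longer fits returns RC_IMAGE before any index is examined. The point of routing every file-supplied index through get_shdr() is that the bounds comparison happens in one place, so a new consumer of sh_link or sh_info cannot forget it.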