bug-binutils

From: scottgriffy at gmail dot com
Subject: [Bug binutils/20605] New: SEGFAULT in objdump.c on fuzzed PE32 executable
Date: Tue, 13 Sep 2016 22:44:59 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20605

            Bug ID: 20605
           Summary: SEGFAULT in objdump.c on fuzzed PE32 executable
           Product: binutils
           Version: 2.27
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: scottgriffy at gmail dot com
  Target Milestone: ---

Created attachment 9511
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9511&action=edit
The problem file

I fuzzed a file and came up with 'crash.exe' which segfaults when passed to
'objdump -x' using the latest build I could find: GNU objdump (GNU Binutils)
2.27.51.20160913

Here's a log of running gdb with it:
$ gdb ~/checkout/binutils-gdb/binutils/objdump
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
...
Reading symbols from /home/grifball/checkout/binutils-gdb/binutils/objdump...done.
(gdb) set args -x crash.exe
(gdb) r
Starting program: /home/grifball/checkout/binutils-gdb/binutils/objdump -x crash.exe

Program received signal SIGSEGV, Segmentation fault.
bfd_getl32 (p=0x85a000) at libbfd.c:552
552       return v;
(gdb) where
#0  bfd_getl32 (p=0x85a000) at libbfd.c:552
#1  0x00000000004acaea in _bfd_pei_swap_debugdir_in (address@hidden, ext1=0x85a000, address@hidden) at peigen.c:1116
#2  0x00000000004a89dc in pe_bfd_read_buildid (abfd=0x83a1c0) at peicode.h:1342
#3  pe_bfd_object_p (abfd=0x83a1c0) at peicode.h:1486
#4  0x000000000044913d in bfd_check_format_matches (address@hidden, address@hidden, address@hidden) at format.c:308
#5  0x0000000000408888 in display_object_bfd (abfd=0x83a1c0) at ./objdump.c:3461
#6  display_any_bfd (address@hidden, address@hidden) at ./objdump.c:3552
#7  0x000000000040a9a3 in display_file (filename=0x7fffffffe2f0 "crash.exe", target=<optimized out>) at ./objdump.c:3573
#8  0x0000000000404cca in main (argc=3, argv=0x7fffffffe078) at ./objdump.c:3856
(gdb)

I built objdump from the git repo here:
git://sourceware.org/git/binutils-gdb.git
by cd'ing into "./binutils/" then running "./configure" and "make objdump"

I created the offending exe following a tutorial:
https://fuzzing-project.org/tutorial1.html
and found that this will create the exe (after you've downloaded the win9x.exe
from the site):
zzuf -r 0.004 -s 16915 < win9x.exe > crash.exe

Let me know if you have any questions or want me to run any tests. I used zzuf
version 0.15 to fuzz it.

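The backtrace above stops in bfd_getl32 while _bfd_pei_swap_debugdir_in is unpacking a debug-directory entry for pe_bfd_read_buildid, which is consistent with the reader following the PE data-directory pointer (or the entry count derived from its size) into memory that is not backed by file data. What follows is an added example, not part of this bug report and not BFD's code: a minimal PE32 debug-directory walker in C that bounds-checks every header read and the RVA-to-file-offset mapping before dereferencing anything, plus a constructed sample image (not a real executable, and not the attached crash.exe) whose debug-directory size is inflated the way a bit-flipping fuzzer might do it, so the checked walker rejects the file instead of reading past the buffer. The function names (pe32_count_debug_entries, build_sample_pe, rd32, rva_to_off) and the sample layout are my own; the field offsets follow the public PE/COFF format, not anything in peigen.c.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DEBUG_DIR_INDEX   6      /* IMAGE_DIRECTORY_ENTRY_DEBUG */
#define DEBUG_ENTRY_SIZE  28u    /* sizeof(IMAGE_DEBUG_DIRECTORY) */
#define SAMPLE_LEN        0x400  /* size of the constructed sample image */

/* Bounds-checked little-endian readers. Every read is validated against the
   buffer length first; the crash above came from bfd_getl32 being handed a
   pointer derived from header fields without such a check. */
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)b[off] | (uint32_t)b[off + 1] << 8 |
           (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
    return 1;
}
static int rd16(const uint8_t *b, size_t len, size_t off, uint16_t *out) {
    if (off > len || len - off < 2) return 0;
    *out = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}

/* Map an RVA to a file offset through the section table, requiring that
   `need` bytes starting at the RVA are backed by raw data actually present
   in the file. Returns 0 if no section satisfies that. */
static int rva_to_off(const uint8_t *b, size_t len, size_t sect_tab,
                      uint16_t nsect, uint32_t rva, uint32_t need, size_t *off) {
    for (uint16_t i = 0; i < nsect; i++) {
        size_t s = sect_tab + (size_t)i * 40;       /* section headers are 40 bytes */
        uint32_t va, rawsz, rawptr;
        if (!rd32(b, len, s + 12, &va) || !rd32(b, len, s + 16, &rawsz) ||
            !rd32(b, len, s + 20, &rawptr))
            return 0;                                /* section header itself truncated */
        if (rva < va || rva - va >= rawsz || rawsz - (rva - va) < need)
            continue;
        uint64_t o = (uint64_t)rawptr + (rva - va);
        if (o + need > len) return 0;                /* section promises bytes the file lacks */
        *off = (size_t)o;
        return 1;
    }
    return 0;
}

/* Walk the PE32 debug directory. Returns the number of entries, or -1 if any
   header field points outside the file. Hypothetical helper, not BFD's API. */
int pe32_count_debug_entries(const uint8_t *b, size_t len) {
    uint32_t pe_off, sig, ndirs, dbg_rva, dbg_size;
    uint16_t nsect, opt_size, magic;
    if (len < 2 || b[0] != 'M' || b[1] != 'Z') return -1;
    if (!rd32(b, len, 0x3c, &pe_off) || pe_off > len) return -1;        /* e_lfanew */
    if (!rd32(b, len, pe_off, &sig) || sig != 0x00004550u) return -1;   /* "PE\0\0" */
    if (!rd16(b, len, pe_off + 6, &nsect)) return -1;
    if (!rd16(b, len, pe_off + 20, &opt_size)) return -1;
    size_t opt = (size_t)pe_off + 24;                                    /* optional header */
    if (!rd16(b, len, opt, &magic) || magic != 0x10b) return -1;         /* PE32 only */
    if (opt_size < 96 + 8 * (DEBUG_DIR_INDEX + 1)) return -1;            /* no debug slot */
    if (!rd32(b, len, opt + 92, &ndirs) || ndirs <= DEBUG_DIR_INDEX) return -1;
    if (!rd32(b, len, opt + 96 + 8 * DEBUG_DIR_INDEX, &dbg_rva)) return -1;
    if (!rd32(b, len, opt + 96 + 8 * DEBUG_DIR_INDEX + 4, &dbg_size)) return -1;
    if (dbg_rva == 0 || dbg_size == 0) return 0;                         /* no debug info */
    size_t off;
    if (!rva_to_off(b, len, opt + opt_size, nsect, dbg_rva, dbg_size, &off)) return -1;
    int n = (int)(dbg_size / DEBUG_ENTRY_SIZE), i;
    for (i = 0; i < n; i++) {
        uint32_t type, size, ptr;
        size_t e = off + (size_t)i * DEBUG_ENTRY_SIZE;
        if (!rd32(b, len, e + 12, &type) || !rd32(b, len, e + 16, &size) ||
            !rd32(b, len, e + 24, &ptr))
            return -1;
        printf("debug entry %d: type=%u size=%u file_offset=%u\n", i, type, size, ptr);
    }
    return n;
}

static void wr32(uint8_t *b, size_t off, uint32_t v) {
    b[off] = (uint8_t)v;             b[off + 1] = (uint8_t)(v >> 8);
    b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *b, size_t off, uint16_t v) {
    b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8);
}

/* Constructed sample (not a real executable): a minimal PE32 image with one
   section and two debug-directory entries. corrupt != 0 inflates the debug
   directory size, the kind of single-field damage a bit-flipping fuzzer does. */
size_t build_sample_pe(uint8_t *b, int corrupt) {
    memset(b, 0, SAMPLE_LEN);
    b[0] = 'M'; b[1] = 'Z';
    wr32(b, 0x3c, 0x40);                               /* e_lfanew */
    memcpy(b + 0x40, "PE\0\0", 4);
    wr16(b, 0x44, 0x14c);                              /* Machine: i386 */
    wr16(b, 0x46, 1);                                  /* NumberOfSections */
    wr16(b, 0x54, 224);                                /* SizeOfOptionalHeader (PE32) */
    wr16(b, 0x58, 0x10b);                              /* Magic: PE32 */
    wr32(b, 0x58 + 92, 16);                            /* NumberOfRvaAndSizes */
    wr32(b, 0x58 + 96 + 8 * DEBUG_DIR_INDEX, 0x1000);  /* debug dir RVA */
    wr32(b, 0x58 + 96 + 8 * DEBUG_DIR_INDEX + 4,
         corrupt ? 0x7ffffff0u : 2 * DEBUG_ENTRY_SIZE); /* debug dir size */
    size_t sect = 0x58 + 224;                          /* first section header */
    wr32(b, sect + 8, 0x200);  wr32(b, sect + 12, 0x1000); /* VirtualSize, VirtualAddress */
    wr32(b, sect + 16, 0x200); wr32(b, sect + 20, 0x200);  /* SizeOfRawData, PointerToRawData */
    wr32(b, 0x200 + 12, 2);                            /* entry 0: IMAGE_DEBUG_TYPE_CODEVIEW */
    wr32(b, 0x200 + DEBUG_ENTRY_SIZE + 12, 2);         /* entry 1: same type */
    return SAMPLE_LEN;
}

int main(void) {
    uint8_t img[SAMPLE_LEN];
    size_t n = build_sample_pe(img, 0);
    printf("intact image: %d entries\n", pe32_count_debug_entries(img, n));
    n = build_sample_pe(img, 1);
    printf("inflated debug dir: %d\n", pe32_count_debug_entries(img, n));
    return 0;
}
```

The design point is that the walker never trusts a size or RVA on its own: the debug directory is only read after rva_to_off has confirmed the whole range is inside a section's raw data and inside the file, so an inflated size, a truncated file, or a section header whose PointerToRawData points past the end all produce -1 rather than a read at an unmapped address. To check a real file with this, read it into memory and call pe32_count_debug_entries on the buffer; it reports only PE32 (0x10b) images and treats PE32+ as unsupported.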

