bug-binutils

[Bug binutils/20892] New: Segfault in objdump


From: thuanpv at comp dot nus.edu.sg
Subject: [Bug binutils/20892] New: Segfault in objdump
Date: Thu, 01 Dec 2016 10:03:05 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20892

            Bug ID: 20892
           Summary: Segfault in objdump
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Dear all,
Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, we found an
input causing objdump to crash. Valgrind says that it is an invalid write.

The bug was found on Ubuntu 14.04 & binutils was checked out from
https://github.com/bminor/binutils-gdb repository. Its commit is 
268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016)

To reproduce:

printf "\x07\x01\x00\x30\x04\x00\x00\x00\x1a\x00\x00\x00\x30\x30\x30\x30\x0d\x00\x00\x00\x30\x30\x30\x30\x04\x00\x00\x00\x40\x00\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x24\x30\x30\x30\x30\x30\x30\x30\x30\x04\x00\x00\x00" > fd

objdump -x -l fd

ASAN says:
../../bfd/aoutx.h:2832:11: runtime error: store to null pointer of type 'char'


Valgrind says:
==52909== Invalid write of size 1
==52909==    at 0x7F8349: aout_32_find_nearest_line (aoutx.h:2832)
==52909==    by 0x41C8A9: dump_reloc_set (objdump.c:3162)
==52909==    by 0x41E502: dump_relocs_in_section (objdump.c:3328)
==52909==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==52909==    by 0x422A9E: dump_relocs (objdump.c:3337)
==52909==    by 0x422A9E: dump_bfd (objdump.c:3463)
==52909==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==52909==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==52909==    by 0x40CFC9: display_file (objdump.c:3636)
==52909==    by 0x40CFC9: main (objdump.c:3919)
==52909==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==52909== 
==52909== 
==52909== Process terminating with default action of signal 11 (SIGSEGV)
==52909==  Access not within mapped region at address 0x0
==52909==    at 0x7F8349: aout_32_find_nearest_line (aoutx.h:2832)
==52909==    by 0x41C8A9: dump_reloc_set (objdump.c:3162)
==52909==    by 0x41E502: dump_relocs_in_section (objdump.c:3328)
==52909==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==52909==    by 0x422A9E: dump_relocs (objdump.c:3337)
==52909==    by 0x422A9E: dump_bfd (objdump.c:3463)
==52909==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==52909==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==52909==    by 0x40CFC9: display_file (objdump.c:3636)
==52909==    by 0x40CFC9: main (objdump.c:3919)

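The reproducer above is a hand-sized a.out image: the first four bytes decode to the OMAGIC value, which is why BFD routes the file through bfd/aoutx.h, and the -x flag makes objdump walk every section's relocations (the dump_relocs frames in the trace) while -l asks for a source line for each one (the aout_32_find_nearest_line frame). The script below is an added example, not code from the report or from binutils: it decodes the 32-byte exec header of that exact input and runs the plausibility checks a parser would want before trusting the declared sizes. It assumes the classic BSD a.out layout that aoutx.h implements (eight little-endian uint32 header fields; for OMAGIC, text, data, text relocations, data relocations and symbols packed straight after the header), an 8-byte relocation_info entry and a 12-byte nlist entry; the field and macro names follow the a.out headers, and the entry sizes are assumptions stated in the code.

```python
"""Decode the a.out exec header of the objdump crash input.

Added example (not code from the bug report or from binutils).  Assumes the
classic BSD a.out layout that bfd/aoutx.h implements: a 32-byte little-endian
header of eight uint32 fields and, for OMAGIC files, the text, data, text
relocations, data relocations and symbol table packed directly after it.
Entry sizes are assumptions: struct relocation_info = 8 bytes,
struct nlist = 12 bytes (32-bit target).
"""
import struct

# The input from the report's printf command, copied byte for byte.
CRASH_INPUT = b"\x07\x01\x00\x30\x04\x00\x00\x00\x1a\x00\x00\x00\x30\x30\x30\x30\x0d\x00\x00\x00\x30\x30\x30\x30\x04\x00\x00\x00\x40\x00\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x24\x30\x30\x30\x30\x30\x30\x30\x30\x04\x00\x00\x00"

HEADER = struct.Struct("<8I")
FIELDS = ("a_info", "a_text", "a_data", "a_bss",
          "a_syms", "a_entry", "a_trsize", "a_drsize")
MAGICS = {0o407: "OMAGIC", 0o410: "NMAGIC", 0o413: "ZMAGIC", 0o314: "QMAGIC"}
RELOC_SIZE = 8    # assumed sizeof(struct relocation_info)
NLIST_SIZE = 12   # assumed sizeof(struct nlist) on a 32-bit target


def parse_exec_header(data):
    """Return the eight header fields plus the parts of a_info
    (N_MAGIC, N_MACHTYPE, N_FLAGS) as a dict."""
    if len(data) < HEADER.size:
        raise ValueError("input shorter than a 32-byte a.out exec header")
    hdr = dict(zip(FIELDS, HEADER.unpack_from(data)))
    hdr["magic"] = hdr["a_info"] & 0xFFFF           # N_MAGIC
    hdr["magic_name"] = MAGICS.get(hdr["magic"], "unknown")
    hdr["machtype"] = (hdr["a_info"] >> 16) & 0xFF  # N_MACHTYPE
    hdr["flags"] = (hdr["a_info"] >> 24) & 0xFF     # N_FLAGS
    return hdr


def omagic_layout(hdr):
    """File offsets the header implies for an OMAGIC image: each piece
    follows the previous one, starting right after the header.  Returns
    (pieces, declared_end) where declared_end is the end of the symbols."""
    offset = HEADER.size
    pieces = []
    for name in ("a_text", "a_data", "a_trsize", "a_drsize", "a_syms"):
        pieces.append((name, offset, hdr[name]))
        offset += hdr[name]
    return pieces, offset


def entry_counts(hdr):
    """How many whole relocation and symbol entries the sizes describe."""
    return {"text_relocs": hdr["a_trsize"] // RELOC_SIZE,
            "data_relocs": hdr["a_drsize"] // RELOC_SIZE,
            "symbols": hdr["a_syms"] // NLIST_SIZE}


def check_header(hdr, file_len):
    """Plausibility checks a loader should apply before trusting the sizes.
    Returns a list of human-readable findings (empty means nothing odd)."""
    findings = []
    if hdr["magic_name"] == "unknown":
        findings.append("unknown magic 0x%x" % hdr["magic"])
    for name, unit in (("a_trsize", RELOC_SIZE), ("a_drsize", RELOC_SIZE),
                       ("a_syms", NLIST_SIZE)):
        if hdr[name] % unit:
            findings.append("%s=0x%x is not a multiple of the %d-byte entry size"
                            % (name, hdr[name], unit))
    _, declared_end = omagic_layout(hdr)
    if declared_end > file_len:
        findings.append("declared contents end at byte %d but the file is %d bytes"
                        % (declared_end, file_len))
    return findings


if __name__ == "__main__":
    h = parse_exec_header(CRASH_INPUT)
    for name in FIELDS:
        print("%-9s 0x%08x" % (name, h[name]))
    print("magic %s, machtype %d, flags 0x%x"
          % (h["magic_name"], h["machtype"], h["flags"]))
    print("entries:", entry_counts(h))
    for finding in check_header(h, len(CRASH_INPUT)):
        print("warning:", finding)
```

Run as a script it prints the decoded fields: a_text is 4 bytes, a_data 26, a_bss and a_entry are the ASCII "0000" filler the fuzzer left behind, and the two relocation sizes (4 and 64) plus the symbol size (13) are what -x and -l then act on. The checks flag that a_trsize and a_syms are not whole multiples of their entry sizes, which is the kind of fuzzer-shaped header a parser should reject up front instead of discovering mid-walk.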