bug-binutils

[Bug binutils/20893] New: Sigabrt in objdump


From: thuanpv at comp dot nus.edu.sg
Subject: [Bug binutils/20893] New: Sigabrt in objdump
Date: Thu, 01 Dec 2016 10:07:16 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20893

            Bug ID: 20893
           Summary: Sigabrt in objdump
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Dear all,
Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, we found an
input causing objdump to crash. 

The bug was found on Ubuntu 14.04 & binutils was checked out from
https://github.com/bminor/binutils-gdb repository. Its commit is 
268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016)

To reproduce:

printf "\x0b\x01\x00\x30\x30\x30\x30\x00\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x62\xe3\x65\x30\x20" > fd

objdump -D fd

OR

objdump -d fd


ASAN says:
../../binutils/objdump.c:2274:3: runtime error: null pointer passed as argument
2, which is declared to never be null
Signal 1

Valgrind says:
==53754== Conditional jump or move depends on uninitialised value(s)
==53754==    at 0x5A97AD: get_valid_dis386 (i386-dis.c:12916)
==53754==    by 0x5A97AD: print_insn (i386-dis.c:13239)
==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==53754==    by 0x418307: disassemble_data (objdump.c:2375)
==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==53754==    by 0x40CFC9: display_file (objdump.c:3636)
==53754==    by 0x40CFC9: main (objdump.c:3919)
==53754== 
==53754== Conditional jump or move depends on uninitialised value(s)
==53754==    at 0x58E4AF: get_sib (i386-dis.c:12957)
==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==53754==    by 0x418307: disassemble_data (objdump.c:2375)
==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==53754==    by 0x40CFC9: display_file (objdump.c:3636)
==53754==    by 0x40CFC9: main (objdump.c:3919)
==53754== 
==53754== Conditional jump or move depends on uninitialised value(s)
==53754==    at 0x58E4F7: get_sib (i386-dis.c:12958)
==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==53754==    by 0x418307: disassemble_data (objdump.c:2375)
==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==53754==    by 0x40CFC9: display_file (objdump.c:3636)
==53754==    by 0x40CFC9: main (objdump.c:3919)
==53754== 
==53754== Use of uninitialised value of size 8
==53754==    at 0x5858E6: stpcpy (string3.h:111)
==53754==    by 0x5858E6: oappend (i386-dis.c:14387)
==53754==    by 0x5858E6: OP_XMM (i386-dis.c:16241)
==53754==    by 0x5A8A90: print_insn (i386-dis.c:13248)
==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==53754==    by 0x418307: disassemble_data (objdump.c:2375)
==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==53754==    by 0x40CFC9: display_file (objdump.c:3636)
==53754==    by 0x40CFC9: main (objdump.c:3919)
