bug-binutils

From: lrk700 at gmail dot com
Subject: [Bug binutils/22746] New: crash when running 32-bit objdump on corrupted file
Date: Thu, 25 Jan 2018 06:11:55 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22746

            Bug ID: 22746
           Summary: crash when running 32-bit objdump on corrupted file
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: lrk700 at gmail dot com
  Target Milestone: ---

Created attachment 10760
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10760&action=edit
POC file

Hi,

We fuzzed 32-bit objdump and found a heap corruption when running `objdump -x`
with the attached file.

Here's the output of a clean build on HEAD code (commit
3e53a58e1f557f9b799506b62ac1cbf456b34647):

address@hidden:~# src/binutils-32/binutils/objdump -x ~/fuzzing/objdump-c/c2
src/binutils-32/binutils/objdump: /root/fuzzing/objdump-c/c2: File truncated
*** Error in `src/binutils-32/binutils/objdump': free(): invalid pointer:
0x572ffaa0 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf764737a]
/lib/i386-linux-gnu/libc.so.6(+0x6dfb7)[0xf764dfb7]
/lib/i386-linux-gnu/libc.so.6(+0x6e7f6)[0xf764e7f6]
src/binutils-32/binutils/objdump(+0x1805b0)[0x5677d5b0]
src/binutils-32/binutils/objdump(+0x8ac0a)[0x56687c0a]
src/binutils-32/binutils/objdump(+0x8d52f)[0x5668a52f]
src/binutils-32/binutils/objdump(+0x8df16)[0x5668af16]
src/binutils-32/binutils/objdump(+0x291d9)[0x566261d9]
src/binutils-32/binutils/objdump(main+0x9f6)[0x56626bd7]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf75f8276]
src/binutils-32/binutils/objdump(+0x20cf1)[0x5661dcf1]
Aborted

And 64-bit objdump is not affected.
