bug-binutils

[Bug binutils/22905] New: integer overflow in display_debug_ranges


From: luanjunchao at 163 dot com
Subject: [Bug binutils/22905] New: integer overflow in display_debug_ranges
Date: Thu, 01 Mar 2018 03:08:52 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22905

            Bug ID: 22905
           Summary: integer overflow in display_debug_ranges
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: luanjunchao at 163 dot com
  Target Milestone: ---

The command I tested is "objdump -x -D -S -s -g -e -G --dwarf -t -T -r -R
--special-syms --inlines --dwarf-check $POC". The binutils tools are compiled in
32-bit mode.

Part of gdb debugging output:
Program received signal SIGSEGV, Segmentation fault.
byte_get_little_endian (field=0x725e9e0 <error: Cannot access memory at address
0x725e9e0>, size=8) at /work/binutils-gdb/binutils/elfcomm.c:209
209             return  ((elf_vma) (field[0]))
(gdb) bt
#0  byte_get_little_endian (field=0x725e9e0 <error: Cannot access memory at
address 0x725e9e0>, size=8) at /work/binutils-gdb/binutils/elfcomm.c:209
#1  0x08054311 in display_debug_ranges_list (start=0x725e9e0 <error: Cannot
access memory at address 0x725e9e0>, finish=0x825ebf0 "", pointer_size=8,
offset=4278190080, base_address=0) at /work/binutils-gdb/binutils/dwarf.c:6541
#2  0x0805fa10 in display_debug_ranges (section=0x824b960
<debug_displays+1024>, file=0x8257058) at
/work/binutils-gdb/binutils/dwarf.c:6831
#3  0x08052ce9 in dump_dwarf_section (abfd=0x8257058, section=0x825c820,
arg=0x0) at /work/binutils-gdb/binutils/objdump.c:2671

It's clear that there is something wrong with display_debug_ranges. Here is a
snippet of the function display_debug_ranges.

6801: offset = range_entry->ranges_offset;
6802: next = section_begin + offset;
....
6828: start = next;
6829: last_start = next;
6830: 
6831: (is_rnglists ? display_debug_rnglists_list : display_debug_ranges_list)
6832:   (start, finish, pointer_size, offset, base_address);

(gdb) p/x *range_entry
$7 = {ranges_offset = 0xff000000, debug_info_p = 0x825e4b8}
(gdb) p/x section_begin
$4 = 0x825e9e0

We can see that range_entry->ranges_offset is 0xff000000 and section_begin is
0x825e9e0, so when line 6802 in dwarf.c executes, an integer overflow occurs.

The PoC file is
https://github.com/skysider/FuzzVuln/blob/master/binutils_objdump_integer_overflow_display_debug_ranges.elf

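The defensive pattern that prevents the wrap described above: validate the
section-relative offset as an integer against the section length before doing
any pointer arithmetic, rather than computing `section_begin + offset` first
and comparing pointers afterwards. This is an added illustration, not binutils
code or its actual fix; `offset_is_valid`, `locate_range_list` and the 64-byte
`fake_section` are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a tiny .debug_ranges section (not real DWARF data). */
static const unsigned char fake_section[64] = { 0 };

/* Integer-only check: a range list offset is usable only if it lies strictly
   inside the section. Done on unsigned integers, so a value such as
   0xff000000 can neither wrap a 32-bit pointer nor point past the end on
   64-bit hosts. ranges_offset is a 64-bit DWARF value; section_size may be
   a 32-bit size_t, so widen the size rather than narrow the offset. */
static int
offset_is_valid (size_t section_size, uint64_t ranges_offset)
{
  return ranges_offset < (uint64_t) section_size;
}

/* Length-checked replacement for the unchecked "next = section_begin + offset"
   step from the report. Returns 1 and stores the address in *next on success,
   0 (with *next = NULL) on a corrupt offset. */
static int
locate_range_list (const unsigned char *section_begin, size_t section_size,
                   uint64_t ranges_offset, const unsigned char **next)
{
  *next = NULL;
  if (!offset_is_valid (section_size, ranges_offset))
    {
      fprintf (stderr, "Corrupt offset (%#llx) in range entry\n",
               (unsigned long long) ranges_offset);
      return 0;
    }
  /* The cast is safe: ranges_offset < section_size, which fits in size_t. */
  *next = section_begin + (size_t) ranges_offset;
  return 1;
}

/* Runs the good and the bad offset from the report against the fake section.
   Returns 1 when the valid offset is accepted and 0xff000000 is rejected. */
static int
demo (void)
{
  const unsigned char *next;
  int ok_good = locate_range_list (fake_section, sizeof fake_section, 16, &next);
  int ok_bad  = locate_range_list (fake_section, sizeof fake_section,
                                   0xff000000ULL, &next);
  return ok_good && next == NULL && !ok_bad;
}

int
main (void)
{
  return demo () ? 0 : 1;
}
```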

