[Bug binutils/27289] New: Undefined negation/ Negation Overflow in _bfd

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/27289] New: Undefined negation/ Negation Overflow in _bfd_

From:	dennis.r at columbia dot edu
Subject:	[Bug binutils/27289] New: Undefined negation/ Negation Overflow in _bfd_doprnt_scan() potentially crashing on some systems
Date:	Sun, 31 Jan 2021 03:39:11 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27289

            Bug ID: 27289
           Summary: Undefined negation/ Negation Overflow in
                    _bfd_doprnt_scan() potentially crashing on some
                    systems
           Product: binutils
           Version: 2.36
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dennis.r at columbia dot edu
  Target Milestone: ---

Created attachment 13180
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13180&action=edit
poc

= Attachment = 
./poc

= Reproduce =
Compile with ./configure -enable=avr
objdump --private=mem-usage poc

= Location =
../bfd/bfd.c:1169
../bfd/bfd.c:928

= Description =
Variable arg_no is statically assigned to an undefined value (-1u)      which
is undefined.

= UBSan =
../../bfd/bfd.c:1169:13: runtime error: negation of 1 cannot be represented in
type 'unsigned int'

./objdump: warning: ../../bfd/bfd.c:928:13: runtime error: negation of 1 cannot
be represented in type 'unsigned int'

= Stack Trace =
Breakpoint 1, error_handler_internal (fmt=<optimized out>, ap=<optimized out>)
at ../../bfd/bfd.c:1169
1169              arg_no = -1u;
(gdb) bt
#0  error_handler_internal (fmt=<optimized out>, ap=<optimized out>) at
../../bfd/bfd.c:1169
#1  0x0000000000b3da50 in _bfd_error_handler (fmt=<optimized out>) at
../../bfd/bfd.c:1411
#2  0x0000000000d65911 in bfd_elf32_object_p (abfd=<optimized out>) at
../../bfd/elfcode.h:819
#3  0x0000000000b56b8e in bfd_check_format_matches (abfd=<optimized out>,
format=<optimized out>, matching=<optimized out>) at ../../bfd/format.c:343
#4  0x000000000041b2a0 in display_object_bfd (abfd=0x37c5c90) at
../../binutils/objdump.c:5006
#5  display_any_bfd (file=0x37c5c90, level=0) at ../../binutils/objdump.c:5098
#6  0x000000000040757d in display_file (filename=<optimized out>,
target=<optimized out>, last_file=<optimized out>) at
../../binutils/objdump.c:5119
#7  main (argc=<optimized out>, argv=<optimized out>) at
../../binutils/objdump.c:5467
(gdb) c
Continuing.
../../bfd/bfd.c:1169:13: runtime error: negation of 1 cannot be represented in
type 'unsigned int'
./objdump: warning: ../../bfd/bfd.c:928:13: runtime error: negation of 1 cannot
be represented in type 'unsigned int'
out/master/crashes/id:000002,sig:11,src:000000,op:havoc,rep:16 has a program
header with invalid alignment

= Fix =
Cast to signed type

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/27289] New: Undefined negation/ Negation Overflow in _bfd_doprnt_scan() potentially crashing on some systems, dennis.r at columbia dot edu <=

Prev by Date: [Bug binutils/27288] New: Undefined negations and integer overflows in elf_object_p() potentially crashing on some systems
Next by Date: [Bug binutils/27290] New: Out-of-memory (OOM) Denial of Service via unprotected memory allocation in elf32_avr_get_note_section_contents()
Previous by thread: [Bug binutils/27288] New: Undefined negations and integer overflows in elf_object_p() potentially crashing on some systems
Next by thread: [Bug binutils/27290] New: Out-of-memory (OOM) Denial of Service via unprotected memory allocation in elf32_avr_get_note_section_contents()
Index(es):
- Date
- Thread