bug-binutils

[Bug binutils/27839] New: Segmentation fault on objdump -D


From: shaohua.li at inf dot ethz.ch
Subject: [Bug binutils/27839] New: Segmentation fault on objdump -D
Date: Mon, 10 May 2021 12:22:59 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27839

            Bug ID: 27839
           Summary: Segmentation fault on objdump -D
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: shaohua.li at inf dot ethz.ch
  Target Milestone: ---

Created attachment 13430
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13430&action=edit
poc for `objdump -D`

Hi there,

I crashed objdump (with flag -D) with a crafted executable using a fuzzer.

The crash looks like:

(gdb) r -D poc
Starting program:
/data/afl_compiler/programs/binutils/src/binutils-gdb-clean-gcc11/binutils/objdump
-D poc
warning: Error disabling address space randomization: Operation not permitted
/data/afl_compiler/programs/binutils/src/binutils-gdb-clean-gcc11/binutils/objdump:
poc: attempt to load strings from a non-string section (number 20)
/data/afl_compiler/programs/binutils/src/binutils-gdb-clean-gcc11/binutils/objdump:
poc: attempt to load strings from a non-string section (number 20)
/data/afl_compiler/programs/binutils/src/binutils-gdb-clean-gcc11/binutils/objdump:
poc: attempt to load strings from a non-string section (number 20)
/data/afl_compiler/programs/binutils/src/binutils-gdb-clean-gcc11/binutils/objdump:
poc: attempt to load strings from a non-string section (number 20)
/data/afl_compiler/programs/binutils/src/binutils-gdb-clean-gcc11/binutils/objdump:
poc: attempt to load strings from a non-string section (number 20)
/data/afl_compiler/programs/binutils/src/binutils-gdb-clean-gcc11/binutils/objdump:
poc: attempt to load strings from a non-string section (number 20)

Program received signal SIGSEGV, Segmentation fault.

(gdb) bt
#0  0x000055cfb7177650 in ?? ()
#1  0x000055cfb5814349 in _bfd_generic_link_add_one_symbol
(info=info@entry=0x7fff2f7142f0, abfd=abfd@entry=0x55cfb7176310, 
    name=0x55cfb5a3586d "(null)", flags=<optimized out>, section=0x55cfb65ac6c0
<_bfd_std_section>, value=8, 
    string=0x55cfb5a3586d "(null)", copy=false, collect=false,
hashp=0x7fff2f7141a0) at linker.c:1667
#2  0x000055cfb5814a4f in generic_link_add_symbol_list (symbols=<optimized
out>, symbol_count=<optimized out>, 
    info=0x7fff2f7142f0, abfd=0x55cfb7176310) at linker.c:1192
#3  generic_link_add_object_symbols (info=0x7fff2f7142f0, abfd=0x55cfb7176310)
at linker.c:886
#4  _bfd_generic_link_add_symbols (abfd=abfd@entry=0x55cfb7176310,
info=info@entry=0x7fff2f7142f0) at linker.c:859
#5  0x000055cfb54f75bb in bfd_simple_get_relocated_section_contents
(abfd=abfd@entry=0x55cfb7176310, 
    sec=sec@entry=0x55cfb7179bb8, outbuf=0x55cfb7177730 "\340\061\003O{\177",
symbol_table=0x0) at simple.c:254
#6  0x000055cfb5396595 in load_specific_debug_section (file=0x55cfb7176310,
sec=0x55cfb7179bb8, debug=<optimized out>)
    at ./objdump.c:3591
#7  load_specific_debug_section (debug=<optimized out>, sec=0x55cfb7179bb8,
file=0x55cfb7176310) at ./objdump.c:3549
#8  0x000055cfb53bf24b in load_separate_debug_files
(file=file@entry=0x55cfb7176310, filename=0x55cfb7176470 "poc")
    at dwarf.c:11474
#9  0x000055cfb539700a in dump_bfd (abfd=abfd@entry=0x55cfb7176310,
is_mainfile=is_mainfile@entry=true) at ./objdump.c:4815
#10 0x000055cfb5397e25 in display_object_bfd (abfd=0x55cfb7176310) at
./objdump.c:5001
#11 display_any_bfd (file=0x55cfb7176310, level=0) at ./objdump.c:5091
#12 0x000055cfb5397fb3 in display_file (last_file=true, target=<optimized out>,
filename=0x7fff2f71587c "poc")
    at ./objdump.c:5112
#13 display_file (filename=0x7fff2f71587c "poc", target=<optimized out>,
last_file=<optimized out>) at ./objdump.c:5095
#14 0x000055cfb5392bf0 in main (argc=<optimized out>, argv=<optimized out>) at
./objdump.c:5462

-- 
You are receiving this mail because:
You are on the CC list for the bug.
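Reports like this one arrive by the hundred from a fuzzing campaign, and the first job on the receiving side is grouping duplicates and deciding which crash to look at first. The Python script below is an added example, not code from the bug report or from binutils: it parses the gdb backtrace quoted above (an excerpt, frames 0-6 and 14, kept with the line wrapping the mail client applied), re-joins the wrapped frames, skips the address-only `??` top frame, and derives a signature from the first frames that carry a source location. The frame-line grammar and the choice of three frames for the signature are my assumptions, not anything the report states.

```python
"""Triage helper for gdb backtraces from fuzzer-found crashes (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the backtrace quoted in the report above (frames 0-6 and 14),
# kept with the line wrapping the mail client applied.
BACKTRACE = r"""
(gdb) bt
#0  0x000055cfb7177650 in ?? ()
#1  0x000055cfb5814349 in _bfd_generic_link_add_one_symbol
(info=info@entry=0x7fff2f7142f0, abfd=abfd@entry=0x55cfb7176310,
    name=0x55cfb5a3586d "(null)", flags=<optimized out>, section=0x55cfb65ac6c0
<_bfd_std_section>, value=8,
    string=0x55cfb5a3586d "(null)", copy=false, collect=false,
hashp=0x7fff2f7141a0) at linker.c:1667
#2  0x000055cfb5814a4f in generic_link_add_symbol_list (symbols=<optimized
out>, symbol_count=<optimized out>,
    info=0x7fff2f7142f0, abfd=0x55cfb7176310) at linker.c:1192
#3  generic_link_add_object_symbols (info=0x7fff2f7142f0, abfd=0x55cfb7176310)
at linker.c:886
#4  _bfd_generic_link_add_symbols (abfd=abfd@entry=0x55cfb7176310,
info=info@entry=0x7fff2f7142f0) at linker.c:859
#5  0x000055cfb54f75bb in bfd_simple_get_relocated_section_contents
(abfd=abfd@entry=0x55cfb7176310,
    sec=sec@entry=0x55cfb7179bb8, outbuf=0x55cfb7177730 "\340\061\003O{\177",
symbol_table=0x0) at simple.c:254
#6  0x000055cfb5396595 in load_specific_debug_section (file=0x55cfb7176310,
sec=0x55cfb7179bb8, debug=<optimized out>)
    at ./objdump.c:3591
#14 0x000055cfb5392bf0 in main (argc=<optimized out>, argv=<optimized out>) at
./objdump.c:5462
"""

# Assumed frame grammar: "#n  [0xADDR in] func (args) [at file:line]".
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>\S+)\s*\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>[^\s:]+):(?P<line>\d+))?\s*$"
)


@dataclass
class Frame:
    number: int
    function: str
    file: Optional[str]
    line: Optional[int]

    @property
    def unresolved(self) -> bool:
        """gdb prints '??' when the PC is not inside any known function."""
        return self.function == "??"


def join_wrapped(text: str) -> List[str]:
    """Re-join wrapped backtrace lines; every frame starts with '#<n>'."""
    frames: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^#\d+\s", line):
            frames.append(line)
        elif frames:  # continuation of the previous frame
            frames[-1] += " " + line
    return frames


def parse_backtrace(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for line in join_wrapped(text):
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["no"]), m["func"], m["file"],
                                int(m["line"]) if m["line"] else None))
    return frames


def signature_key(frames: List[Frame], depth: int = 3) -> str:
    """Join the first `depth` frames that have a source location.

    Frames without one (the '??' frame here) are skipped, so the key does
    not change with ASLR or with the exact address that was jumped to."""
    located = [f for f in frames if f.file is not None][:depth]
    return "|".join(f"{f.function}@{f.file}:{f.line}" for f in located)


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Short, stable hash of the signature key for bucketing crashes."""
    return hashlib.sha256(signature_key(frames, depth).encode()).hexdigest()[:16]


def triage(text: str) -> Dict[str, object]:
    frames = parse_backtrace(text)
    site = next((f for f in frames if f.file is not None), None)
    return {
        # A '??' top frame means execution left known code entirely, which
        # is a stronger signal than a plain bad read and deserves priority.
        "unresolved_pc": bool(frames) and frames[0].unresolved,
        "crash_site": f"{site.function} ({site.file}:{site.line})" if site else None,
        "signature": crash_signature(frames),
        "frames": len(frames),
    }


if __name__ == "__main__":
    for key, value in triage(BACKTRACE).items():
        print(f"{key}: {value}")
```

Run it on a directory of saved `bt` outputs and bucket by `signature`; for this report the crash site it picks is `_bfd_generic_link_add_one_symbol (linker.c:1667)`, and `unresolved_pc` is set because frame 0 has no symbol at all, which is what you would expect from a call through a pointer that a malformed input has corrupted rather than from an ordinary out-of-bounds read.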

