bug-binutils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/28165] New: objdump: global-buffer-overflow on rx_info_to

From: shaohua.li at inf dot ethz.ch
Subject: [Bug binutils/28165] New: objdump: global-buffer-overflow on rx_info_to_howto_rela in elf32-rx.c
Date: Mon, 02 Aug 2021 13:55:22 +0000 
https://sourceware.org/bugzilla/show_bug.cgi?id=28165

            Bug ID: 28165
           Summary: objdump:  global-buffer-overflow on
                    rx_info_to_howto_rela in elf32-rx.c
           Product: binutils
           Version: 2.38 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: shaohua.li at inf dot ethz.ch
  Target Milestone: ---

Created attachment 13576
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13576&action=edit
poc

Hi there,

I crashed `objdump -S` with a fuzzer. It's global-buffer-overflow as reported
by AddressSanitize.

- binutils version: 2.38(Head), commit af51804103a08cd1e12edc4f4a30eec2c5c4f9e8
- Compiler: clang12
- Platform: Ubuntu 18.04.5 LTS, x86_64
- Reproduce: run `objdump -S poc`


AddressSanitizer report:

==330==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000002fe4450 at pc 0x000001726735 bp 0x7ffc3d23fb30 sp 0x7ffc3d23fb28
READ of size 8 at 0x000002fe4450 thread T0
    #0 0x1726734 in rx_info_to_howto_rela
/binutils_latest/repo/bfd/elf32-rx.c:319:25
    #1 0xcf89b0 in elf_slurp_reloc_table_from_section
/binutils_latest/repo/bfd/./elfcode.h:1523:8
    #2 0xcf7eee in bfd_elf32_slurp_reloc_table
/binutils_latest/repo/bfd/./elfcode.h:1609:11
    #3 0xbcf73e in _bfd_elf_canonicalize_reloc
/binutils_latest/repo/bfd/elf.c:8577:9
    #4 0xae51ab in bfd_canonicalize_reloc
/binutils_latest/repo/bfd/bfd.c:1579:10
    #5 0x1b4d1ba in bfd_generic_get_relocated_section_contents
/binutils_latest/repo/bfd/reloc.c:8406:17
    #6 0xae653f in bfd_get_relocated_section_contents
/binutils_latest/repo/bfd/bfd.c:2166:10
    #7 0xb0fe68 in bfd_simple_get_relocated_section_contents
/binutils_latest/repo/bfd/simple.c:298:14
    #8 0xcab59c in read_section /binutils_latest/repo/bfd/./dwarf2.c:582:7
    #9 0xca8237 in _bfd_dwarf2_slurp_debug_info
/binutils_latest/repo/bfd/./dwarf2.c:4737:13
    #10 0xcac7c1 in _bfd_dwarf2_find_nearest_line
/binutils_latest/repo/bfd/./dwarf2.c:4985:9
    #11 0xbd1379 in _bfd_elf_find_nearest_line
/binutils_latest/repo/bfd/elf.c:9199:7
    #12 0x4e496a in show_line /binutils_latest/repo/binutils/./objdump.c:1784:9
    #13 0x4e0b1f in disassemble_bytes
/binutils_latest/repo/binutils/./objdump.c:2770:6
    #14 0x4dae9a in disassemble_section
/binutils_latest/repo/binutils/./objdump.c:3455:4
    #15 0xb0e04a in bfd_map_over_sections
/binutils_latest/repo/bfd/section.c:1383:5
    #16 0x4d1ae0 in disassemble_data
/binutils_latest/repo/binutils/./objdump.c:3599:3
    #17 0x4cda84 in dump_bfd /binutils_latest/repo/binutils/./objdump.c:5006:5
    #18 0x4ccb9f in display_object_bfd
/binutils_latest/repo/binutils/./objdump.c:5068:7
    #19 0x4ccaa9 in display_any_bfd
/binutils_latest/repo/binutils/./objdump.c:5158:5
    #20 0x4cc65c in display_file
/binutils_latest/repo/binutils/./objdump.c:5179:3
    #21 0x4cb063 in main /binutils_latest/repo/binutils/./objdump.c:5529:6
    #22 0x7f39a0aad0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #23 0x41c61d in _start (/out_bin/objdump+0x41c61d)

0x000002fe4450 is located 72 bytes to the right of global variable
'rx_elf_howto_table' defined in 'elf32-rx.c:50:25' (0x2fe2d60) of size 5800
SUMMARY: AddressSanitizer: global-buffer-overflow
/binutils_latest/repo/bfd/elf32-rx.c:319:25 in rx_info_to_howto_rela
Shadow bytes around the buggy address:
  0x0000805f4830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000805f4840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000805f4850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000805f4860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000805f4870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000805f4880: 00 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9
  0x0000805f4890: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000805f48a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000805f48b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000805f48c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000805f48d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==330==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]