bug-binutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/29893] New: SEGV of objdump caused by heap-buffer-overflow


From: 13579and24680 at gmail dot com
Subject: [Bug binutils/29893] New: SEGV of objdump caused by heap-buffer-overflow at elfcomm.c:124 in byte_get_little_endian()
Date: Mon, 12 Dec 2022 12:07:55 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29893

            Bug ID: 29893
           Summary: SEGV of objdump caused by heap-buffer-overflow at
                    elfcomm.c:124 in byte_get_little_endian()
           Product: binutils
           Version: 2.39
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 13579and24680 at gmail dot com
  Target Milestone: ---

Created attachment 14514
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14514&action=edit
Generated by my fuzzer and AFL_TMIN_EXACT=1 afl-tmin

# version

$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.39.50.20221210
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make

---------------------------------------------------------------------
# crash

$ ./binutils-gdb/binutils/objdump -W poc
poc:     file format elf64-x86-64

Contents of the .eh_frame section:


00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48
  Data alignment factor: -8
  Return address column: 16
  Augmentation data:     1b
  DW_CFA_def_cfa: r48 (mm7) ofs 48
  DW_CFA_offset: r16 (rip) at cfa-384
  DW_CFA_nop
  DW_CFA_nop

00000018 0000000000000014 0000001c FDE cie=00000000
pc=000000003030aab0..000000006060dae0
  DW_CFA_advance_loc: 192 to 000000003030ab70
  DW_CFA_undefined: r16 (rip)
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop

(... to long ignore)

        79052:  0000000000
        79053:  0000000000
        79054:  0000000000
        79055:  0000000000
        79056:  0000000000
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV
(Address boundary error)

---------------------------------------------------------------------
# ASAN report

$ ./binutils-gdb_asan_no_fuzz/binutils/objdump -W poc

poc:     file format elf64-x86-64

Contents of the .eh_frame section:


00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48
  Data alignment factor: -8
  Return address column: 16
  Augmentation data:     1b
  DW_CFA_def_cfa: r48 (mm7) ofs 48
  DW_CFA_offset: r16 (rip) at cfa-384
  DW_CFA_nop
  DW_CFA_nop

00000018 0000000000000014 0000001c FDE cie=00000000
pc=000000003030aab0..000000006060dae0
  DW_CFA_advance_loc: 192 to 000000003030ab70
  DW_CFA_undefined: r16 (rip)
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop

(... to long ignore)

        526:    3030303030
        527:    3030303030
        528:    3030303030
        529:    3030303030
        530:    3030303030
        531:    3030303030
        532:    0030303030
=================================================================
==328005==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61e000000af1 at pc 0x55c0c650c0ca bp 0x7fff74880ac0 sp 0x7fff74880ab0
READ of size 1 at 0x61e000000af1 thread T0
    #0 0x55c0c650c0c9 in byte_get_little_endian
/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/elfcomm.c:124
    #1 0x55c0c64b15f8 in display_debug_addr dwarf.c:7740
    #2 0x55c0c64748c4 in dump_dwarf_section objdump.c:4396
    #3 0x55c0c65c315d in bfd_map_over_sections
/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/bfd/section.c:1366
    #4 0x55c0c6474af3 in dump_dwarf objdump.c:4434
    #5 0x55c0c647b110 in dump_bfd objdump.c:5636
    #6 0x55c0c647b4e5 in display_object_bfd objdump.c:5715
    #7 0x55c0c647b816 in display_any_bfd objdump.c:5801
    #8 0x55c0c647b890 in display_file objdump.c:5822
    #9 0x55c0c647d1b9 in main objdump.c:6230
    #10 0x7ff561d5d082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55c0c646139d in _start
(/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/objdump+0x13b39d)

0x61e000000af1 is located 0 bytes to the right of 2673-byte region
[0x61e000000080,0x61e000000af1)
allocated by thread T0 here:
    #0 0x7ff56203e808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55c0c6857b00 in xmalloc xmalloc.c:149
    #2 0x55c0c64739c8 in load_specific_debug_section objdump.c:4216
    #3 0x55c0c6474148 in load_debug_section objdump.c:4317
    #4 0x55c0c64d0856 in load_separate_debug_files dwarf.c:11929
    #5 0x55c0c647a7bd in dump_bfd objdump.c:5520
    #6 0x55c0c647b4e5 in display_object_bfd objdump.c:5715
    #7 0x55c0c647b816 in display_any_bfd objdump.c:5801
    #8 0x55c0c647b890 in display_file objdump.c:5822
    #9 0x55c0c647d1b9 in main objdump.c:6230
    #10 0x7ff561d5d082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/elfcomm.c:124
in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
  0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==328005==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]