[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/29908] New: SEGV of objdump caused by heap-buffer-overflow
From: |
13579and24680 at gmail dot com |
Subject: |
[Bug binutils/29908] New: SEGV of objdump caused by heap-buffer-overflow at dwarf.c:7756 in display_debug_addr() |
Date: |
Fri, 16 Dec 2022 09:02:06 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=29908
Bug ID: 29908
Summary: SEGV of objdump caused by heap-buffer-overflow at
dwarf.c:7756 in display_debug_addr()
Product: binutils
Version: 2.39
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 13579and24680 at gmail dot com
Target Milestone: ---
Created attachment 14520
--> https://sourceware.org/bugzilla/attachment.cgi?id=14520&action=edit
Generated by my fuzzer and afl-tmin
# version
$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.39.50.20221213
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
---------------------------------------------------------------------
# git log
$ git log --oneline -1
d0d41b77c0c (HEAD -> master, origin/master, origin/HEAD) Replace
gdbpy_should_stop with gdbpy_breakpoint_cond_says_stop
---------------------------------------------------------------------
# make
$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make
---------------------------------------------------------------------
# crash
$ ./binutils-gdb/binutils/objdump -W poc
./binutils-gdb/binutils/objdump: Warning: Corrupt attribute block length:
0x30303030
poc: file format elf64-x86-64
Contents of the .eh_frame section:
00000000 0000000000000014 00000000 CIE
Version: 1
Augmentation: "zR"
Code alignment factor: 48
(... too long ignore)
49894: 0000000000000000
49895: 0000000000000000
49896: 0000000000000000
49897: 0000000000000000
49898: 0000000000000000
49899: 0000000000000000
49900: 0000000000000000
49901: 0000000000000000
49902: 0000000000000000
49903: 0000000000000000
49904: 0000000000000000
49905: 0000000000000000
49906: 0000000000000000
49907: 0000000000000000
49908: 0000000000000000
49909: 0000000000000000
49910: 0000000000000000
49911: 0000000000000000
49912: 0000000000000000
49913: 0000000000000000
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV
(Address boundary error)
---------------------------------------------------------------------
# ASAN report
$ ./binutils-gdb_asan/binutils/objdump -W poc
./binutils-gdb_asan/binutils/objdump: Warning: Corrupt attribute block length:
0x30303030
poc: file format elf64-x86-64
Contents of the .eh_frame section:
00000000 0000000000000014 00000000 CIE
Version: 1
Augmentation: "zR"
Code alignment factor: 48
(... too long ignore)
300: 3030303030303030
301: 3030303030303030
302: 3030303030303030
303: 3030303030303030
304: 3030303030303030
305: 3030303030303030
306: 3030303030303030
307: 3030303030303030
308: 3030303030303030
309: 3030303030303030
310: 3030303030303030
311: 3030303030303030
312: 3030303030303030
313: 3030303030303030
314: 3030303030303030
315: 3030303030303030
=================================================================
==2848799==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61e000000ab1 at pc 0x55f9366f07ac bp 0x7ffc73f785f0 sp 0x7ffc73f785e0
READ of size 1 at 0x61e000000ab1 thread T0
#0 0x55f9366f07ab in byte_get_little_endian
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149
#1 0x55f936695768 in display_debug_addr dwarf.c:7756
#2 0x55f9366588c4 in dump_dwarf_section objdump.c:4396
#3 0x55f9367a72d9 in bfd_map_over_sections
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
#4 0x55f936658af3 in dump_dwarf objdump.c:4434
#5 0x55f93665f110 in dump_bfd objdump.c:5636
#6 0x55f93665f4e5 in display_object_bfd objdump.c:5715
#7 0x55f93665f816 in display_any_bfd objdump.c:5801
#8 0x55f93665f890 in display_file objdump.c:5822
#9 0x55f9366611b9 in main objdump.c:6230
#10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308
#11 0x55f93664539d in _start
(/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b39d)
0x61e000000ab1 is located 0 bytes to the right of 2609-byte region
[0x61e000000080,0x61e000000ab1)
allocated by thread T0 here:
#0 0x7fae0f435808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55f936a3bc7c in xmalloc xmalloc.c:149
#2 0x55f9366579c8 in load_specific_debug_section objdump.c:4216
#3 0x55f936658148 in load_debug_section objdump.c:4317
#4 0x55f9366b49d2 in load_separate_debug_files dwarf.c:11945
#5 0x55f93665e7bd in dump_bfd objdump.c:5520
#6 0x55f93665f4e5 in display_object_bfd objdump.c:5715
#7 0x55f93665f816 in display_any_bfd objdump.c:5801
#8 0x55f93665f890 in display_file objdump.c:5822
#9 0x55f9366611b9 in main objdump.c:6230
#10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149
in byte_get_little_endian
Shadow bytes around the buggy address:
0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2848799==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/29908] New: SEGV of objdump caused by heap-buffer-overflow at dwarf.c:7756 in display_debug_addr(),
13579and24680 at gmail dot com <=