bug-binutils

[Bug binutils/23771] New: A memory exhaustion problem in program objdump


From: wcventure at 126 dot com
Subject: [Bug binutils/23771] New: A memory exhaustion problem in program objdump via a crafted ELF file
Date: Sat, 13 Oct 2018 08:52:25 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23771

            Bug ID: 23771
           Summary: A memory exhaustion problem in program objdump via a
                    crafted ELF file
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: wcventure at 126 dot com
  Target Milestone: ---

Created attachment 11323
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11323&action=edit
POC_MEM_EXHAU

Hi, there.

We are doing research on fuzz testing. Our fuzzer caught a memory exhaustion
problem in the objdump program of the latest binutils (v2.31.1) code base. A crafted
ELF file can cause the memory allocations corresponding to large length values

I have confirmed it with AddressSanitizer too. Please use "./objdump -xg
-W $POC" to reproduce the bug. If you have any questions, please let me know.


The ASAN dumps the stack trace as follows:
objdump: error message was: Memory exhausted
==14605==ERROR: AddressSanitizer failed to allocate 0x1000003000 (68719489024)
bytes of LargeMmapAllocator (error code: 12)
==14605==Process memory map follows:
...
==14605==End of process memory map.
==14605==AddressSanitizer CHECK failed:
/build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
"((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c2bed in __asan::AsanCheckFailed(char const*, int, char const*,
unsigned long long, unsigned long long)
(binutils_gdb/build/bin/objdump+0x4c2bed)
    #1 0x4c9813 in __sanitizer::CheckFailed(char const*, int, char const*,
unsigned long long, unsigned long long)
(binutils_gdb/build/bin/objdump+0x4c9813)
    #2 0x4c9a01 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char
const*, char const*, int, bool) (binutils_gdb/build/bin/objdump+0x4c9a01)
    #3 0x4d2972 in __sanitizer::MmapOrDie(unsigned long, char const*, bool)
(binutils_gdb/build/bin/objdump+0x4d2972)
    #4 0x41f5ff in __asan::asan_malloc(unsigned long,
__sanitizer::BufferedStackTrace*) (binutils_gdb/build/bin/objdump+0x41f5ff)
    #5 0x4b95c1 in malloc (binutils_gdb/build/bin/objdump+0x4b95c1)
    #6 0x26935ff in _objalloc_alloc binutils_gdb/libiberty/./objalloc.c:143:22
    #7 0xb1996e in bfd_alloc binutils_gdb/bfd/opncls.c:949:9
    #8 0xeb464a in bfd_elf64_slurp_reloc_table
binutils_gdb/bfd/./elfcode.h:1556:25
    #9 0x10fb2f2 in _bfd_elf_canonicalize_reloc binutils_gdb/bfd/elf.c:8231:9
    #10 0xa2bce5 in bfd_canonicalize_reloc binutils_gdb/bfd/bfd.c:1359:10
    #11 0x21a7623 in bfd_generic_get_relocated_section_contents
binutils_gdb/bfd/reloc.c:8297:17
    #12 0xa373c7 in bfd_get_relocated_section_contents
binutils_gdb/bfd/bfd.c:1926:10
    #13 0xb45b58 in bfd_simple_get_relocated_section_contents
binutils_gdb/bfd/simple.c:264:14
    #14 0x4ee41c in load_specific_debug_section
binutils_gdb/binutils/./objdump.c:2529:13
    #15 0x520386 in dump_dwarf_section binutils_gdb/binutils/./objdump.c:2691:6
    #16 0xb3cfb7 in bfd_map_over_sections binutils_gdb/bfd/section.c:1374:5
    #17 0x513470 in dump_dwarf binutils_gdb/binutils/./objdump.c:2774:3
    #18 0x50155f in dump_bfd binutils_gdb/binutils/./objdump.c:3627:5
    #19 0x4fa7d3 in display_object_bfd binutils_gdb/binutils/./objdump.c:3714:7
    #20 0x4fa7d3 in display_any_bfd binutils_gdb/binutils/./objdump.c:3783
    #21 0x4f6c61 in display_file binutils_gdb/binutils/./objdump.c:3804:3
    #22 0x4f6c61 in main binutils_gdb/binutils/./objdump.c:4106
    #23 0x7f5a6cce582f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #24 0x4194d8 in _start (binutils_gdb/build/bin/objdump+0x4194d8)

Aborted

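The trace above ends in bfd_alloc being handed a size computed from a relocation section's length fields, so the allocation is as large as the file claims rather than as large as the file is. The following is an added example, not code from the report or from binutils, of the bound a loader should apply before allocating a relocation table: the section's sh_offset and sh_size (taken from a hypothetical shdr_fields struct, not binutils' Elf64_External_Shdr) must fit inside the input file, sh_entsize must be sane, and the derived entry count must not overflow the per-entry record size (INTERNAL_RELOC_SIZE here is a constructed placeholder). The sample headers and the 64 KiB file size are constructed for the demonstration and are not taken from the attached PoC.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an ELF64 section header carrying only the
   fields the check needs (not binutils' own Elf64_External_Shdr). */
struct shdr_fields {
    uint64_t sh_offset;   /* file offset of the section's contents */
    uint64_t sh_size;     /* byte size of the contents, attacker-controlled */
    uint64_t sh_entsize;  /* size of one on-disk relocation entry */
};

/* Constructed placeholder for the per-entry size of the in-memory record a
   consumer would allocate (binutils' arelent is in this range). */
#define INTERNAL_RELOC_SIZE 32u

/* Smallest legitimate on-disk ELF64 relocation entry: Elf64_Rel is 16 bytes. */
#define MIN_REL_ENTSIZE 16u

enum reloc_check {
    RELOC_OK = 0,
    RELOC_BAD_ENTSIZE,   /* entsize zero/too small, or sh_size not a multiple */
    RELOC_BEYOND_FILE,   /* sh_offset + sh_size does not fit in the file */
    RELOC_TOO_MANY       /* count * INTERNAL_RELOC_SIZE would overflow */
};

/* Decide how many bytes to allocate for the internal reloc table, or refuse.
   On success writes the byte count to *alloc_bytes and returns RELOC_OK. */
enum reloc_check checked_reloc_alloc(const struct shdr_fields *sh,
                                     uint64_t file_size,
                                     uint64_t *alloc_bytes)
{
    if (sh->sh_entsize < MIN_REL_ENTSIZE || sh->sh_size % sh->sh_entsize != 0)
        return RELOC_BAD_ENTSIZE;

    /* Overflow-safe form of "sh_offset + sh_size <= file_size". A section
       cannot hold more relocations than the file has bytes, so this single
       test caps the later allocation by the length of the input. */
    if (sh->sh_offset > file_size || sh->sh_size > file_size - sh->sh_offset)
        return RELOC_BEYOND_FILE;

    uint64_t count = sh->sh_size / sh->sh_entsize;

    /* Defense in depth: only reachable if file_size itself is near UINT64_MAX,
       but the multiplication must never silently wrap. */
    if (count > UINT64_MAX / INTERNAL_RELOC_SIZE)
        return RELOC_TOO_MANY;

    *alloc_bytes = count * INTERNAL_RELOC_SIZE;
    return RELOC_OK;
}

/* Constructed 64 KiB input for the two sample headers below. */
#define SAMPLE_FILE_SIZE 0x10000ull

/* Ten Elf64_Rela entries (24 bytes each) at offset 0x200: accepted.
   Returns the allocation size, or 0 if the check refused it. */
uint64_t sane_section_alloc_bytes(void)
{
    struct shdr_fields sh = { 0x200, 10 * 24, 24 };
    uint64_t n = 0;
    if (checked_reloc_alloc(&sh, SAMPLE_FILE_SIZE, &n) != RELOC_OK)
        return 0;
    return n;
}

/* sh_size claims 64 GiB of 16-byte Elf64_Rel entries inside a 64 KiB file,
   a request of the same order as the 0x1000003000 bytes in the ASAN report. */
enum reloc_check oversized_section_verdict(void)
{
    struct shdr_fields sh = { 0x200, 0x1000000000ull, 16 };
    uint64_t n = 0;
    return checked_reloc_alloc(&sh, SAMPLE_FILE_SIZE, &n);
}

int main(void)
{
    printf("sane section: allocate %llu bytes\n",
           (unsigned long long) sane_section_alloc_bytes());
    printf("oversized section: verdict %d (expected %d, RELOC_BEYOND_FILE)\n",
           (int) oversized_section_verdict(), (int) RELOC_BEYOND_FILE);
    return 0;
}
```

The file-size bound is the important one: a count taken from the header can be anything the file says, but a section whose contents would extend past the end of the input is malformed regardless of how much memory is available, so rejecting it there avoids relying on malloc failure (or on a sanitizer's mmap check) as the last line of defense.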

