From: u6759601 at anu dot edu.au
Subject: [Bug binutils/24278] New: pdata section wrong filepos - segmentation fault
Date: Wed, 27 Feb 2019 17:38:07 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24278
Bug ID: 24278
Summary: pdata section wrong filepos - segmentation fault
Product: binutils
Version: 2.32
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: u6759601 at anu dot edu.au
Target Milestone: ---
Created attachment 11655
--> https://sourceware.org/bugzilla/attachment.cgi?id=11655&action=edit
Example of binary file that triggers the crash, simply run it as objdump -x c01
Hello.
I was doing some testing with fuzzing when I realised that the fuzzer was
finding some segmentation faults with some entries.
I attach one example.
I have run it on objdump 2.32. To reproduce it, just run objdump -x c01
Doing a little bit of backtracing I found all of the problems arise when
trying to read the pdata section.
The backtrace is as follows:
#0 0x0000555555738348 in bfd_getl32 (p=0x555582ee3b7c) at libbfd.c:699
#1 0x00005555559761f6 in pex64_get_runtime_function (abfd=0x555555bca630,
data=0x555582ee3b7c, rf=<synthetic pointer>) at pei-x86_64.c:94
#2 pex64_bfd_print_pdata_section (abfd=0x555555bca630, vfile=0x7ffff7f76760
<_IO_2_1_stdout_>, pdata_section=0x555555bcbba0) at pei-x86_64.c:730
#3 0x0000555555991a34 in _bfd_pex64_print_private_bfd_data_common
(abfd=0x555555bca630, vfile=0x7ffff7f76760 <_IO_2_1_stdout_>) at
pex64igen.c:2911
#4 0x000055555596a081 in pe_print_private_bfd_data (abfd=<optimized out>,
vfile=<optimized out>) at peicode.h:336
#5 0x00005555555c67d5 in dump_bfd_private_header (abfd=0x555555bca630) at
./objdump.c:3782
#6 dump_bfd (abfd=0x555555bca630) at ./objdump.c:3782
#7 0x00005555555c8688 in display_object_bfd (abfd=0x555555bca630) at
./objdump.c:3883
#8 display_any_bfd (file=0x555555bca630, level=0x0) at ./objdump.c:3973
#9 0x00005555555b5ad9 in display_file (last_file=0x1, target=0x0,
filename=0x7fffffffe299 "crashes/c01") at ./objdump.c:3994
#10 display_file (last_file=0x1, target=<optimized out>,
filename=0x7fffffffe299 "crashes/c01") at ./objdump.c:3977
#11 main (argc=<optimized out>, address@hidden, argv=<optimized out>,
address@hidden) at ./objdump.c:4304
#12 0x00007ffff7dde09b in __libc_start_main (main=0x5555555b49e0 <main>,
argc=0x3, argv=0x7fffffffdef8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffdee8) at ../csu/libc-start.c:308
#13 0x00005555555b63aa in _start () at ./objdump.c:4083
Taking a closer look at the code it seems like the pdata section is not well
mapped, as the filepos field of the pdata_section struct doesn't match the
beginning byte of the section. Therefore the variables altent and pdata_vma
don't make sense, so when performing, at line 731 of bfd/pei-x86_64.c:
pex64_get_runtime_function (abfd, &arf, &pdata[altent - pdata_vma]);
it produces a segmentation fault. I am pretty positive it is because it goes out of
bounds or the value of altent - pdata_vma doesn't make sense.
Please keep in mind that the input is wrongly formatted, as it is the result of
fuzzing.
I am pretty new to all of this, so please feel totally free to correct me if I
am wrong. I will try to dig deeper trying to find the source of the bug; if
anyone could help I would greatly appreciate it.
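The crash above turns on whether `altent - pdata_vma` is a valid index into the buffer that holds the .pdata section. The following is an added example, not binutils code and not part of the bug report: it reads x86-64 PE RUNTIME_FUNCTION entries (three little-endian 32-bit RVAs, 12 bytes each) from a constructed .pdata buffer, and converts a candidate "altent" RVA into a byte offset only after checking it against the section's VMA and size. The section bytes, the VMA of 0x3000 and the candidate RVAs are constructed for this example; `pdata_rva_to_offset`, `read_runtime_function` and the other names are this example's own, not bfd's.

```c
/* Added example (not binutils code): bounds-checked reading of x86-64 PE
 * .pdata RUNTIME_FUNCTION entries from a section buffer, including the
 * translation of a chained-entry RVA ("altent" in the report) to an offset. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Each .pdata entry is three little-endian 32-bit RVAs: begin, end, unwind. */
#define RF_SIZE 12u

struct runtime_function {
    uint32_t begin_rva;
    uint32_t end_rva;
    uint32_t unwind_rva;
};

/* Little-endian 32-bit read on a pointer the caller has already checked. */
static uint32_t getl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Translate an RVA that is supposed to point into .pdata into a byte offset.
 * Comparing before subtracting avoids the wrap-around that an unchecked
 * "rva - pdata_vma" produces when rva < pdata_vma; the second test keeps a
 * whole 12-byte entry inside the buffer. Returns 0 on success, -1 on a bad RVA. */
static int pdata_rva_to_offset(uint32_t rva, uint32_t pdata_vma,
                               size_t pdata_size, size_t *offset)
{
    if (rva < pdata_vma)
        return -1;
    uint32_t rel = rva - pdata_vma;
    if (pdata_size < RF_SIZE || rel > pdata_size - RF_SIZE)
        return -1;
    *offset = rel;
    return 0;
}

/* Read the entry at a checked RVA. Returns 0 on success, -1 on a bad RVA. */
static int read_runtime_function(const uint8_t *pdata, size_t pdata_size,
                                 uint32_t pdata_vma, uint32_t rva,
                                 struct runtime_function *rf)
{
    size_t off;
    if (pdata_rva_to_offset(rva, pdata_vma, pdata_size, &off) != 0)
        return -1;
    rf->begin_rva  = getl32(pdata + off);
    rf->end_rva    = getl32(pdata + off + 4);
    rf->unwind_rva = getl32(pdata + off + 8);
    return 0;
}

/* Constructed sample .pdata with two entries, assumed mapped at RVA 0x3000
 * (a hypothetical layout chosen for this example). */
static const uint8_t sample_pdata[2 * RF_SIZE] = {
    0x00, 0x10, 0x00, 0x00,  0x40, 0x10, 0x00, 0x00,  0x00, 0x20, 0x00, 0x00,
    0x40, 0x10, 0x00, 0x00,  0x80, 0x10, 0x00, 0x00,  0x10, 0x20, 0x00, 0x00,
};
#define SAMPLE_VMA 0x3000u

/* Unwind RVA of the sample entry at `rva`, or 0 (never valid here) if the RVA
 * does not resolve to a complete entry inside the sample section. */
static uint32_t sample_unwind_rva_at(uint32_t rva)
{
    struct runtime_function rf;
    if (read_runtime_function(sample_pdata, sizeof sample_pdata,
                              SAMPLE_VMA, rva, &rf) != 0)
        return 0;
    return rf.unwind_rva;
}

/* Constructed candidate "altent" RVAs: one valid, one below the section VMA
 * (the subtraction would wrap to a huge index), one just past the last entry. */
static const uint32_t sample_candidates[3] = {
    SAMPLE_VMA + RF_SIZE, 0x2ff4u, SAMPLE_VMA + 2 * RF_SIZE
};

/* Count how many candidate RVAs resolve to an entry inside the sample section. */
static int count_valid_altents(const uint32_t *rvas, size_t n)
{
    int ok = 0;
    for (size_t i = 0; i < n; i++)
        if (sample_unwind_rva_at(rvas[i]) != 0)
            ok++;
    return ok;
}

int main(void)
{
    printf("%d of 3 candidate altent RVAs are in bounds\n",
           count_valid_altents(sample_candidates, 3));
    return 0;
}
```

The second candidate is the shape the report describes: an RVA below the section's VMA, so the naive `altent - pdata_vma` index is not "slightly off" but wraps to a value far beyond the buffer. Rejecting it before the subtraction, rather than after, is the check that matters.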