| Summary: | objdump - off-by-one global-buffer-overflow | ||
|---|---|---|---|
| Product: | binutils | Reporter: | Thuan Pham <thuanpv> |
| Component: | binutils | Assignee: | Not yet assigned to anyone <unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | nickc |
| Priority: | P2 | ||
| Version: | 2.29 | ||
| Target Milestone: | --- | ||
| Host: | Target: | ||
| Build: | Last reconfirmed: | ||
| Attachments: | Bug triggering input | ||
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=92134dc19b4bf6407a88a306b771c9c6c88658d6 commit 92134dc19b4bf6407a88a306b771c9c6c88658d6 Author: Nick Clifton <nickc@redhat.com> Date: Tue Feb 14 14:17:09 2017 +0000 Fix an illegal memory access parsing corrupt STABD debug information. PR binutils/21158 * rddbg.c (read_symbol_stabs_debugging_info): Check for a null or empty symbol name. Hi Thuan, Thanks for reporting this bug. I have checked in a patch to fix the problem. This was a simple case of the code assuming that a symbol always has a name. The patch fixes this specific problem, although I suspect that there will be more like it to come. Cheers Nick |
Created attachment 9825 [details] Bug triggering input Dear all, This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 61697d017e114d7667fbb340fb73f8184d48ee5a (Tue Feb 14 00:00:30 2017) binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was: CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim To reproduce: Download the attached file - objdump_bug_2 objdump -g objdump_bug_2 ASAN says: ==34445==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001d1cc3f at pc 0x621346 bp 0x7ffe1e819070 sp 0x7ffe1e819068 READ of size 1 at 0x000001d1cc3f thread T0 #0 0x621345 in read_symbol_stabs_debugging_info /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/rddbg.c:303 #1 0x61aecd in read_debugging_info /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/rddbg.c:62 #2 0x498f7b in dump_bfd /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3513 #3 0x4978fb in display_object_bfd /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3564 #4 0x497698 in display_any_bfd /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3653 #5 0x495ebe in display_file /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3674 #6 0x493edd in main /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3969 #7 0x7fdc72255f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) #8 0x48c95c in _start (/home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/objdump+0x48c95c)