Bug 21158

Summary: objdump - off-by-one global-buffer-overflow
Product: binutils Reporter: Thuan Pham <thuanpv>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Severity: normal CC: nickc
Priority: P2    
Version: 2.29   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: Bug triggering input

Description Thuan Pham 2017-02-14 10:15:20 UTC
Created attachment 9825 [details]
Bug triggering input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 61697d017e114d7667fbb340fb73f8184d48ee5a (Tue Feb 14 00:00:30 2017) 

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - objdump_bug_2
objdump -g objdump_bug_2

ASAN says:
==34445==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001d1cc3f at pc 0x621346 bp 0x7ffe1e819070 sp 0x7ffe1e819068
READ of size 1 at 0x000001d1cc3f thread T0
    #0 0x621345 in read_symbol_stabs_debugging_info /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/rddbg.c:303
    #1 0x61aecd in read_debugging_info /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/rddbg.c:62
    #2 0x498f7b in dump_bfd /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3513
    #3 0x4978fb in display_object_bfd /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3564
    #4 0x497698 in display_any_bfd /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3653
    #5 0x495ebe in display_file /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3674
    #6 0x493edd in main /home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/../../binutils/objdump.c:3969
    #7 0x7fdc72255f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #8 0x48c95c in _start (/home/ubuntu/thesis/subjects/binutils-gdb-nick/build-asan/binutils/objdump+0x48c95c)
Comment 1 cvs-commit@gcc.gnu.org 2017-02-14 14:18:15 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit 92134dc19b4bf6407a88a306b771c9c6c88658d6
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 14 14:17:09 2017 +0000

    Fix an illegal memory access parsing corrupt STABD debug information.
    	PR binutils/21158
    	* rddbg.c (read_symbol_stabs_debugging_info): Check for a null or
    	empty symbol name.
Comment 2 Nick Clifton 2017-02-14 14:21:21 UTC
Hi Thuan,

  Thanks for reporting this bug.  I have checked in a patch to fix the problem.

  This was a simple case of the code assuming that a symbol always has a name.
  The patch fixes this specific problem, although I suspect that there will
  be more like it to come.