Bug 21576

Summary: global-buffer-overflow in print_insn_score16
Product: binutils Reporter: Alexandre Adamski <aadamski>
Component: binutilsAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED    
Severity: normal CC: nickc
Priority: P2    
Version: 2.29   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: testcase
report

Description Alexandre Adamski 2017-06-13 17:38:21 UTC 
Hello there,

I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.

Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.

The command I used was `objdump -D <file>`.

Let me know if there is any additional information I can provide.

--

Input: 2a13a720199253614962e0bb4402d98c.9149a6478708ae7cb458345e7cbc9354.min
Output: 2a13a720199253614962e0bb4402d98c.9149a6478708ae7cb458345e7cbc9354.txt

Error in "print_insn_score16": global-buffer-overflow
  in print_insn_score16 at opcodes/score7-dis.c:723
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/score7-dis.c#L723)
  in s7_print_insn at opcodes/score7-dis.c:954
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/score7-dis.c#L954)
  in disassemble_bytes at binutils/objdump.c:1864
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
  in disassemble_section at binutils/objdump.c:2309
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
  in bfd_map_over_sections at bfd/section.c:1395
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
  in disassemble_data at binutils/objdump.c:2445
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
  in dump_bfd at binutils/objdump.c:3547
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Comment 1 Alexandre Adamski 2017-06-13 17:38:55 UTC 
Created attachment 10098 [details]
testcase
Comment 2 Alexandre Adamski 2017-06-13 17:39:13 UTC 
Created attachment 10099 [details]
report
Comment 3 Alexandre Adamski 2017-06-13 22:37:40 UTC 
Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
Comment 4 cvs-commit@gcc.gnu.org 2017-06-14 16:11:47 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e64519d1ed7fd8f990f05a5562d5b5c0c44b7d7e

commit e64519d1ed7fd8f990f05a5562d5b5c0c44b7d7e
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jun 14 17:10:28 2017 +0100

    Fix seg-fault when trying to disassemble a corrupt score binary.
    
    	PR binutils/21576
    	* score7-dis.c (score_opcodes): Add sentinel.
Comment 5 Nick Clifton 2017-06-14 16:13:22 UTC 
Hi Aadamski,

  Thanks for reporting this bug.  This time it was a good old fashioned bug.
  The disassembler was expecting its opcode table to end with a NULL sentinel
  but it had been omitted from the table.  I have checked in a patch to fix
  this.

Cheers