Bug 23057

Summary: Multiple memory corruptions in objdump (binutils-2.30-15ubuntu1)
Product: binutils
Reporter: Sergej Schumilo <sergej>
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED MOVED
Severity: normal
CC: nickc
Priority: P2
Version: 2.30
Target Milestone: ---
Attachments: objdump ASAN executable, ASAN reports and crashing inputs

Description Sergej Schumilo 2018-04-13 13:26:45 UTC
Created attachment 10945
objdump ASAN executable, ASAN reports and crashing inputs

Dear all,
after reporting the following bugs to the Ubuntu security team (https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102), we were asked to report them directly to the binutils developers:

----------------------------------------------------

Dear all,
The following binutils objdump memory corruptions were found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL). I have attached the crashing inputs and each ASAN report.

Steps to reproduce:

Build current version of binutils:
```
pull-lp-source binutils
cd binutils-2.30
# configure and build with AddressSanitizer (non-fatal reports) and debug info
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" ./configure
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" CXXFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb" LDFLAGS="-fsanitize=address" make
```

Run inputs under ASAN:

```
ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true ./objdump --dwarf-check -C -g -f -dwarf -x $file
```

We can verify those issues for objdump binutils-2.30-15ubuntu1 (Ubuntu 16.04.4 LTS / sources from "pull-lp-source binutils").

Credits: Sergej Schumilo, Cornelius Aschermann (both of Ruhr-Universität Bochum)

Best regards,
Sergej Schumilo
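Because the reproduction command above runs with `halt_on_error=false`, one objdump run can emit several AddressSanitizer reports, and the attached inputs can hit the same crash site repeatedly. The following harness is an added example (not part of the report or of binutils) that reruns every crashing input through the ASAN-instrumented objdump and reduces the reports to distinct (error kind, top frame) pairs for triage; `OBJDUMP`, `INPUT_DIR` and `OUT_DIR` are assumed names.

```shell
#!/bin/sh
# Assumptions (not from the report): OBJDUMP is the ASAN-instrumented objdump
# built with the configure/make lines above, INPUT_DIR holds the crashing
# inputs, and one stderr capture per input is written under OUT_DIR.
OBJDUMP=${OBJDUMP:-./binutils/objdump}
INPUT_DIR=${INPUT_DIR:-./crashes}
OUT_DIR=${OUT_DIR:-./asan-reports}

# asan_summary <report-file>...
# Prints one "<error-kind> <top-frame-function>" line per AddressSanitizer
# report.  Each "ERROR: AddressSanitizer:" header is paired with the first
# "#0" stack frame that follows it, so several reports per file are handled.
asan_summary() {
    awk '
        /ERROR: AddressSanitizer:/ {
            # e.g. ==PID==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x...
            sub(/.*ERROR: AddressSanitizer: /, "")
            kind = $1
            want_frame = 1
            next
        }
        want_frame && /^[ \t]*#0 / {
            # e.g.     #0 0xADDR in function_name /path/file.c:LINE:COL
            for (i = 1; i <= NF; i++) if ($i == "in") { print kind, $(i + 1); break }
            want_frame = 0
        }
    ' "$@"
}

# run_inputs: replay every crashing input with the exact command line from the
# report, keep the ASAN output of each run, then list distinct crash sites with
# their hit counts (most frequent first).
run_inputs() {
    mkdir -p "$OUT_DIR"
    for f in "$INPUT_DIR"/*; do
        [ -f "$f" ] || continue
        ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true \
            "$OBJDUMP" --dwarf-check -C -g -f -dwarf -x "$f" \
            >/dev/null 2>"$OUT_DIR/$(basename "$f").asan"
    done
    asan_summary "$OUT_DIR"/*.asan | sort | uniq -c | sort -rn
}
```

Call `run_inputs` after sourcing the script; the per-input `.asan` files keep the full reports for the sites the summary lists.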
Comment 1 Nick Clifton 2018-04-17 13:08:57 UTC
Hi Sergej,

Thanks for reporting these bugs.  The problem however is in the C++ name demangler, which is part of the libiberty library.  This library is maintained by the gcc project, not the binutils project.  (It is used by the binutils, but now owned by them).  Therefore, please could you refile this bug report on the gcc bugzilla system:

https://gcc.gnu.org/bugzilla/enter_bug.cgi?product=gcc

Thanks very much.

Cheers
Nick