Bug 26337

Summary: Malloc size error in objdump
Product: binutils
Reporter: zhouan <seviezhou>
Component: binutils
Assignee: Alan Modra <amodra>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 2.36
Target Milestone: 2.36
Host:
Target:
Build:
Last reconfirmed: 2020-08-05 00:00:00
Attachments: malloc-size-error-load_specific_debug_section-objdump-3567

Description zhouan 2020-08-04 17:18:37 UTC
Created attachment 12746
malloc-size-error-load_specific_debug_section-objdump-3567

## System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), binutils (master 8c4c18181ea382adf407df235c7991feb0647bab)

## Configure

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

## Command line

./objdump -a -f -p -P -h -x -D -S -s -g -t -T -r -R @@

## AddressSanitizer output

```
==79091==WARNING: AddressSanitizer failed to allocate 0x8000000000fd bytes
==79091==AddressSanitizer's allocator is terminating the process instead of returning 0
==79091==If you don't like this behavior set allocator_may_return_null=1
==79091==AddressSanitizer CHECK failed: /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225 "((0)) != (0)" (0x0, 0x0)
    #0 0x4e865f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_rtl.cc:69
    #1 0x5055d5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x4ee486 in __sanitizer::ReportAllocatorCannotReturnNull() /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225
    #3 0x4ee4c3 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:241
    #4 0x41f596 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_allocator.cc:856
    #5 0x4df144 in malloc /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:89
    #6 0x517059 in load_specific_debug_section /home/seviezhou/AlphaFuzz/targets/binutils/binutils/./objdump.c:3567:31
    #7 0x51e77d in dump_dwarf_section /home/seviezhou/AlphaFuzz/targets/binutils/binutils/./objdump.c:3776:6
    #8 0x63cd8c in bfd_map_over_sections /home/seviezhou/AlphaFuzz/targets/binutils/bfd/section.c:1379:5
    #9 0x51d552 in dump_dwarf /home/seviezhou/AlphaFuzz/targets/binutils/binutils/./objdump.c:3817:3
    #10 0x51c728 in dump_bfd /home/seviezhou/AlphaFuzz/targets/binutils/binutils/./objdump.c:4954:4
    #11 0x519983 in display_any_bfd /home/seviezhou/AlphaFuzz/targets/binutils/binutils/./objdump.c
    #12 0x5196fe in display_file /home/seviezhou/AlphaFuzz/targets/binutils/binutils/./objdump.c:5102:3
    #13 0x518b14 in main /home/seviezhou/AlphaFuzz/targets/binutils/binutils/./objdump.c:5450:6
    #14 0x7faa5d96883f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x41af58 in _start (/home/seviezhou/experiment-5/AlphaFuzz-objdump/test/objdump+0x41af58)
```
Comment 1 Sourceware Commits 2020-08-05 05:51:24 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0b97e818464a42305c8243a980a5c13967554fd9

commit 0b97e818464a42305c8243a980a5c13967554fd9
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Aug 5 10:03:00 2020 +0930

    PR26337, Malloc size error in objdump
    
    A malloc failure triggered by a fuzzed object file isn't a real
    problem unless objdump doesn't exit cleanly after the failure, which
    it does.  However we have bfd_malloc_and_get_section to sanity check
    size of uncompressed sections before allocating memory.  Use it.
    
            PR 26337
            * objdump.c (load_specific_debug_section): Don't malloc space for
            section contents, use bfd_malloc_and_get_section.
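The defensive pattern the commit message describes, as an added illustration that is not binutils code: a section size read from the file is bounded by the bytes actually present before any allocation, so a header claiming the 0x8000000000fd-byte section from the ASan report is rejected instead of reaching malloc. The 16-byte toy header format and the function names are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy object format (not ELF/BFD): a 16-byte header holding a
   little-endian section offset and section size, then the file body. */
#define HDR_LEN 16

static uint64_t rd_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void wr_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t) (v >> (8 * i));
}

/* Hardened loader: the size claimed by the file is bounded by the bytes that
   actually exist before any allocation happens (the kind of sanity check the
   commit message relies on bfd_malloc_and_get_section for; this is an
   independent illustration, not the BFD code).  Returns 0 and fills
   *out/*out_len on success, -1 when the header is inconsistent with the file. */
int load_section_checked(const uint8_t *file, size_t file_len,
                         uint8_t **out, size_t *out_len) {
    if (file_len < HDR_LEN) return -1;
    uint64_t off = rd_le64(file), size = rd_le64(file + 8);
    /* Never compute off + size: with a fuzzed size it can wrap around. */
    if (off > file_len || size > file_len - off) return -1;
    uint8_t *buf = malloc(size ? (size_t) size : 1);
    if (buf == NULL) return -1;
    memcpy(buf, file + off, (size_t) size);
    *out = buf; *out_len = (size_t) size;
    return 0;
}

/* Constructed inputs: a well-formed file, one whose header claims the huge
   section size from the ASan report, and one whose offset would wrap. */
static int try_load(uint64_t off, uint64_t size) {
    uint8_t file[HDR_LEN + 8] = {0};
    memcpy(file + HDR_LEN, ".debug_x", 8);   /* 8 bytes of section data */
    wr_le64(file, off);
    wr_le64(file + 8, size);
    uint8_t *sec = NULL; size_t len = 0;
    int rc = load_section_checked(file, sizeof file, &sec, &len);
    if (rc == 0 && (len != size || memcmp(sec, file + off, len) != 0)) rc = -2;
    free(sec);
    return rc;
}
int case_genuine(void)    { return try_load(HDR_LEN, 8); }                 /* 0 */
int case_fuzzed(void)     { return try_load(HDR_LEN, 0x8000000000fdULL); } /* -1 */
int case_wraparound(void) { return try_load(UINT64_MAX - 3, 8); }          /* -1 */
```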
Comment 2 Alan Modra 2020-08-05 06:05:14 UTC
fixed