Bug 28046

Summary: Segment fault on objdump -S
Product: binutils Reporter: Shaohua Li <shaohua.li>
Component: binutilsAssignee: Nick Clifton <nickc>
Status: RESOLVED FIXED    
Severity: normal CC: nickc
Priority: P2    
Version: 2.37   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed: 2021-07-02 00:00:00
Attachments: poc

Description Shaohua Li 2021-07-02 08:03:11 UTC
Created attachment 13524 [details]
poc

Hi there,

I crashed `objdump -S` with a fuzzer.

- Compiler: clang12
- Platform: Ubuntu 18.04.5 LTS, x86_64
- Reproduce: run `objdump -S poc`

AddressSanitizer output:

=================================================================
==56007==ERROR: AddressSanitizer: SEGV on unknown address 0x604000f8010f (pc 0x00000093caef bp 0x7ffef046fe90 sp 0x7ffef046fd30 T0)
==56007==The signal is caused by a READ memory access.
    #0 0x93caef in bfd_getl32 /objdump/repo/bfd/libbfd.c:727:23
    #1 0xa8e42d in read_ranges /objdump/repo/bfd/./dwarf2.c:3110:16
    #2 0xa8e42d in read_rangelist /objdump/repo/bfd/./dwarf2.c:3213:12
    #3 0xa851c7 in parse_comp_unit /objdump/repo/bfd/./dwarf2.c:3802:9
    #4 0xa851c7 in stash_comp_unit /objdump/repo/bfd/./dwarf2.c:4832:32
    #5 0xa80186 in _bfd_dwarf2_find_nearest_line /objdump/repo/bfd/./dwarf2.c:5139:18
    #6 0x9df408 in _bfd_elf_find_nearest_line /objdump/repo/bfd/elf.c:9199:7
    #7 0x4dabf7 in show_line /objdump/repo/binutils/./objdump.c:1784:9
    #8 0x4dabf7 in disassemble_bytes /objdump/repo/binutils/./objdump.c:2770:6
    #9 0x4dabf7 in disassemble_section /objdump/repo/binutils/./objdump.c:3455:4
    #10 0x9465eb in bfd_map_over_sections /objdump/repo/bfd/section.c:1383:5
    #11 0x4ce8a3 in disassemble_data /objdump/repo/binutils/./objdump.c:3599:3
    #12 0x4ce8a3 in dump_bfd /objdump/repo/binutils/./objdump.c:4998:5
    #13 0x4cb567 in display_object_bfd /objdump/repo/binutils/./objdump.c
    #14 0x4cb567 in display_any_bfd /objdump/repo/binutils/./objdump.c:5150:5
    #15 0x4ca1c6 in display_file /objdump/repo/binutils/./objdump.c:5171:3
    #16 0x4ca1c6 in main /objdump/repo/binutils/./objdump.c:5521:6
    #17 0x7f41b5ad2bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #18 0x41c4d9 in _start (/out_bin/objdump+0x41c4d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /objdump/repo/bfd/libbfd.c:727:23 in bfd_getl32
==56007==ABORTING
Comment 1 Nick Clifton 2021-07-02 13:44:07 UTC
under investigation....
Comment 2 Sourceware Commits 2021-07-02 13:57:10 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8

commit 49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Jul 2 14:56:36 2021 +0100

    Fix an illegal memory access triggered by an attempt to parse a corrupt input file.
    
            PR 28046
            * dwarf2.c (read_ranges): Check that range_ptr does not exceed
            range_end.
Comment 3 Nick Clifton 2021-07-02 13:58:02 UTC
Hi Shaohua,

  Thanks for reporting this bug.  I have checked in a small patch to fix it.

Cheers
  Nick