Bug 29870

Summary: objdump SEGV in display_debug_lines_decoded dwarf.c:5524
Product: binutils
Reporter: 曾思維 <13579and24680>
Component: binutils
Assignee: Alan Modra <amodra>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 2.39
Target Milestone: 2.40
Host:
Target:
Build:
Last reconfirmed: 2022-12-11 00:00:00
Attachments: Generated by my fuzzer and afl-tmin

Description 曾思維 2022-12-10 15:53:17 UTC
Created attachment 14490: Generated by my fuzzer and afl-tmin

# version

$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.39.50.20221210
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make

---------------------------------------------------------------------
# crash

$ ./binutils-gdb/binutils/objdump -WL poc
./binutils-gdb/binutils/objdump: warning: poc has a section extending past end of file

poc:     file format elf64-little

Contents of the .debug_line section:

./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30
(null):
File name                            Line number    Starting address    View    Stmt
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error)

---------------------------------------------------------------------
# ASAN report

$ ./binutils-gdb_asan_no_fuzz/binutils/objdump  -WL poc
./binutils-gdb_asan_no_fuzz/binutils/objdump: warning: poc has a section extending past end of file

poc:     file format elf64-little

Contents of the .debug_line section:

./binutils-gdb_asan_no_fuzz/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb_asan_no_fuzz/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb_asan_no_fuzz/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb_asan_no_fuzz/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb_asan_no_fuzz/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb_asan_no_fuzz/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb_asan_no_fuzz/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb_asan_no_fuzz/binutils/objdump: Warning: Unrecognized form: 0x30
./binutils-gdb_asan_no_fuzz/binutils/objdump: Warning: Unrecognized form: 0x30
(null):
File name                            Line number    Starting address    View    Stmt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2950647==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe9cffcc6e5 bp 0x7fffa374a870 sp 0x7fffa3749fe8 T0)
==2950647==The signal is caused by a READ memory access.
==2950647==Hint: address points to the zero page.
    #0 0x7fe9cffcc6e4  (/lib/x86_64-linux-gnu/libc.so.6+0x1886e4)
    #1 0x7fe9d00a390b in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:352
    #2 0x555ec916594d in display_debug_lines_decoded dwarf.c:5524
    #3 0x555ec9166061 in display_debug_lines dwarf.c:5655
    #4 0x555ec913b8c4 in dump_dwarf_section objdump.c:4396
    #5 0x555ec928a15d in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/bfd/section.c:1366
    #6 0x555ec913baf3 in dump_dwarf objdump.c:4434
    #7 0x555ec9142110 in dump_bfd objdump.c:5636
    #8 0x555ec91424e5 in display_object_bfd objdump.c:5715
    #9 0x555ec9142816 in display_any_bfd objdump.c:5801
    #10 0x555ec9142890 in display_file objdump.c:5822
    #11 0x555ec91441b9 in main objdump.c:6230
    #12 0x7fe9cfe68082 in __libc_start_main ../csu/libc-start.c:308
    #13 0x555ec912839d in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdb_asan_no_fuzz/binutils/objdump+0x13b39d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x1886e4) 
==2950647==ABORTING
Comment 1 Sourceware Commits 2022-12-11 13:22:07 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2f58a399cf3f946983398cdfe52d0eaa72bf877

commit f2f58a399cf3f946983398cdfe52d0eaa72bf877
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Dec 11 14:47:57 2022 +1030

    PR29870, objdump SEGV in display_debug_lines_decoded dwarf.c:5524
    
    DWARF5 directory and file table allow more opportunity for fuzzers
    to break things.  There are likely other places in dwarf.c that should
    be fixed too.
    
            PR 29870
            * dwarf.c (display_debug_lines_decoded): Handle NULL file_table
            name entry.
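A constructed C model of the failure mode and of the guard the fix adds (an added example, not code from binutils or from this commit): a DWARF5 file-name table whose path entries use a form the parser does not recognize (0x30, as in the report's warnings) leaves every entry's name NULL, so the decoded-lines printer must substitute a placeholder instead of handing the pointer to strlen(). The functions `parse_file_table` and `safe_file_name` and the two byte tables are assumptions of this example, not names from dwarf.c; the DW_LNCT/DW_FORM constants are from the DWARF 5 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DW_LNCT_path   0x01   /* DWARF5 content-type and form codes (DWARF 5 spec) */
#define DW_FORM_string 0x08
#define DW_FORM_udata  0x0f
#define MAX_FORMATS    4

struct file_entry { const char *name; };

static uint64_t read_uleb(const uint8_t **p, const uint8_t *end)
{
  uint64_t v = 0; unsigned shift = 0; uint8_t b;
  do { if (*p >= end) return v; b = *(*p)++;
       v |= (uint64_t)(b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return v;
}

/* Model of a DWARF5 file-name table (hypothetical, not dwarf.c): ULEB format
   count, (content type, form) pairs, ULEB entry count, then the entries.  A form
   the parser does not know cannot be sized, so that entry's name stays NULL. */
static size_t parse_file_table(const uint8_t *p, const uint8_t *end,
                               struct file_entry *out, size_t max, int *unknown)
{
  uint64_t ct[MAX_FORMATS], fm[MAX_FORMATS], nfmt = read_uleb(&p, end);
  if (nfmt > MAX_FORMATS) return 0;
  for (uint64_t i = 0; i < nfmt; i++) { ct[i] = read_uleb(&p, end); fm[i] = read_uleb(&p, end); }
  uint64_t n = read_uleb(&p, end);
  if (n > max) return 0;
  for (uint64_t e = 0; e < n; e++) {
    out[e].name = NULL;
    for (uint64_t i = 0; i < nfmt; i++) {
      if (fm[i] == DW_FORM_string) {
        const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
        if (!nul) return e;                 /* unterminated string: stop here */
        if (ct[i] == DW_LNCT_path) out[e].name = (const char *)p;
        p = nul + 1;
      } else if (fm[i] == DW_FORM_udata) {
        read_uleb(&p, end);                 /* value not needed, just skip it */
      } else { (*unknown)++; break; }       /* "Unrecognized form": cannot size */
    }
  }
  return (size_t)n;
}

/* The shape of the fix: never pass a possibly-NULL table name to strlen(). */
static const char *safe_file_name(const struct file_entry *e)
{ return e->name ? e->name : "<unknown>"; }

/* Constructed inputs: a well-formed table, and one whose path form is the
   unknown 0x30 from the report (two entries, so two warnings and two NULLs). */
static const uint8_t good_table[] = { 1, DW_LNCT_path, DW_FORM_string, 1, 'a', '.', 'c', 0 };
static const uint8_t bad_table[]  = { 1, DW_LNCT_path, 0x30, 2 };
```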
Comment 2 Alan Modra 2022-12-11 13:22:51 UTC
Fixed for 2.40