Bug 29908

Summary: SEGV of objdump caused by heap-buffer-overflow at dwarf.c:7756 in display_debug_addr()
Product: binutils Reporter: 曾思維 <13579and24680>
Component: binutilsAssignee: Nick Clifton <nickc>
Status: RESOLVED FIXED    
Severity: normal CC: nickc
Priority: P2    
Version: 2.39   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed: 2022-12-16 00:00:00
Attachments: Generated by my fuzzer and afl-tmin

Description 曾思維 2022-12-16 09:02:06 UTC
Created attachment 14520 [details]
Generated by my fuzzer and afl-tmin

# version

$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.39.50.20221213
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# git log

$ git log --oneline -1
d0d41b77c0c (HEAD -> master, origin/master, origin/HEAD) Replace gdbpy_should_stop with gdbpy_breakpoint_cond_says_stop

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make

---------------------------------------------------------------------
# crash

$ ./binutils-gdb/binutils/objdump -W poc
./binutils-gdb/binutils/objdump: Warning: Corrupt attribute block length: 0x30303030

poc:     file format elf64-x86-64

Contents of the .eh_frame section:


00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48

(... too long ignore)

	49894:	0000000000000000
	49895:	0000000000000000
	49896:	0000000000000000
	49897:	0000000000000000
	49898:	0000000000000000
	49899:	0000000000000000
	49900:	0000000000000000
	49901:	0000000000000000
	49902:	0000000000000000
	49903:	0000000000000000
	49904:	0000000000000000
	49905:	0000000000000000
	49906:	0000000000000000
	49907:	0000000000000000
	49908:	0000000000000000
	49909:	0000000000000000
	49910:	0000000000000000
	49911:	0000000000000000
	49912:	0000000000000000
	49913:	0000000000000000
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error)

---------------------------------------------------------------------
# ASAN report

$ ./binutils-gdb_asan/binutils/objdump -W poc
./binutils-gdb_asan/binutils/objdump: Warning: Corrupt attribute block length: 0x30303030

poc:     file format elf64-x86-64

Contents of the .eh_frame section:


00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48

(... too long ignore)

	300:	3030303030303030
	301:	3030303030303030
	302:	3030303030303030
	303:	3030303030303030
	304:	3030303030303030
	305:	3030303030303030
	306:	3030303030303030
	307:	3030303030303030
	308:	3030303030303030
	309:	3030303030303030
	310:	3030303030303030
	311:	3030303030303030
	312:	3030303030303030
	313:	3030303030303030
	314:	3030303030303030
	315:	3030303030303030
=================================================================
==2848799==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000ab1 at pc 0x55f9366f07ac bp 0x7ffc73f785f0 sp 0x7ffc73f785e0
READ of size 1 at 0x61e000000ab1 thread T0
    #0 0x55f9366f07ab in byte_get_little_endian /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149
    #1 0x55f936695768 in display_debug_addr dwarf.c:7756
    #2 0x55f9366588c4 in dump_dwarf_section objdump.c:4396
    #3 0x55f9367a72d9 in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
    #4 0x55f936658af3 in dump_dwarf objdump.c:4434
    #5 0x55f93665f110 in dump_bfd objdump.c:5636
    #6 0x55f93665f4e5 in display_object_bfd objdump.c:5715
    #7 0x55f93665f816 in display_any_bfd objdump.c:5801
    #8 0x55f93665f890 in display_file objdump.c:5822
    #9 0x55f9366611b9 in main objdump.c:6230
    #10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55f93664539d in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b39d)

0x61e000000ab1 is located 0 bytes to the right of 2609-byte region [0x61e000000080,0x61e000000ab1)
allocated by thread T0 here:
    #0 0x7fae0f435808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55f936a3bc7c in xmalloc xmalloc.c:149
    #2 0x55f9366579c8 in load_specific_debug_section objdump.c:4216
    #3 0x55f936658148 in load_debug_section objdump.c:4317
    #4 0x55f9366b49d2 in load_separate_debug_files dwarf.c:11945
    #5 0x55f93665e7bd in dump_bfd objdump.c:5520
    #6 0x55f93665f4e5 in display_object_bfd objdump.c:5715
    #7 0x55f93665f816 in display_any_bfd objdump.c:5801
    #8 0x55f93665f890 in display_file objdump.c:5822
    #9 0x55f9366611b9 in main objdump.c:6230
    #10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2848799==ABORTING
Comment 1 Sourceware Commits 2022-12-16 12:07:27 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fa501b69309ccb03ec957101f24109ed7f737733

commit fa501b69309ccb03ec957101f24109ed7f737733
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Dec 16 12:06:43 2022 +0000

    Fix a potential illegal memory access when parsing corrupt DWARF information.
    
            PR 29908
            * dwarf.c (display_debug_addr): Check for corrupt header lengths.
Comment 2 Nick Clifton 2022-12-16 12:08:38 UTC
Hi,

  Thanks for reporting this bug.  I have applied a small patch to add a check
  for an undersized length field in the address range header.

Cheers
  Nick
Comment 3 Sourceware Commits 2022-12-19 13:27:52 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=956bc7a29fd952d709db29667b38f98cdd3db4c9

commit 956bc7a29fd952d709db29667b38f98cdd3db4c9
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Dec 18 13:07:51 2022 +1030

    Tidy PR29893 and PR29908 fix
    
            PR 29893
            PR 29908
            * dwarf.c (display_debug_addr): Combine dwarf5 unit_length checks.
            Delete dead code.