Summary: | SEGV of objdump caused by heap-buffer-overflow at dwarf.c:7756 in display_debug_addr() | ||
---|---|---|---|
Product: | binutils | Reporter: | 曾思維 <13579and24680> |
Component: | binutils | Assignee: | Nick Clifton <nickc> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | nickc |
Priority: | P2 | ||
Version: | 2.39 | ||
Target Milestone: | --- | ||
Host: | Target: | ||
Build: | Last reconfirmed: | 2022-12-16 00:00:00 | |
Attachments: | Generated by my fuzzer and afl-tmin |
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fa501b69309ccb03ec957101f24109ed7f737733 commit fa501b69309ccb03ec957101f24109ed7f737733 Author: Nick Clifton <nickc@redhat.com> Date: Fri Dec 16 12:06:43 2022 +0000 Fix a potential illegal memory access when parsing corrupt DWARF information. PR 29908 * dwarf.c (display_debug_addr): Check for corrupt header lengths. Hi, Thanks for reporting this bug. I have applied a small patch to add a check for an undersized length field in the address range header. Cheers Nick The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=956bc7a29fd952d709db29667b38f98cdd3db4c9 commit 956bc7a29fd952d709db29667b38f98cdd3db4c9 Author: Alan Modra <amodra@gmail.com> Date: Sun Dec 18 13:07:51 2022 +1030 Tidy PR29893 and PR29908 fix PR 29893 PR 29908 * dwarf.c (display_debug_addr): Combine dwarf5 unit_length checks. Delete dead code. |
Created attachment 14520 [details] Generated by my fuzzer and afl-tmin # version $ ./binutils-gdb/binutils/objdump --version GNU objdump (GNU Binutils) 2.39.50.20221213 Copyright (C) 2022 Free Software Foundation, Inc. This program is free software; you may redistribute it under the terms of the GNU General Public License version 3 or (at your option) any later version. This program has absolutely no warranty. --------------------------------------------------------------------- # git log $ git log --oneline -1 d0d41b77c0c (HEAD -> master, origin/master, origin/HEAD) Replace gdbpy_should_stop with gdbpy_breakpoint_cond_says_stop --------------------------------------------------------------------- # make $ git clone git://sourceware.org/git/binutils-gdb.git $ cd binutils-gdb $ ./configure $ make --------------------------------------------------------------------- # crash $ ./binutils-gdb/binutils/objdump -W poc ./binutils-gdb/binutils/objdump: Warning: Corrupt attribute block length: 0x30303030 poc: file format elf64-x86-64 Contents of the .eh_frame section: 00000000 0000000000000014 00000000 CIE Version: 1 Augmentation: "zR" Code alignment factor: 48 (... too long ignore) 49894: 0000000000000000 49895: 0000000000000000 49896: 0000000000000000 49897: 0000000000000000 49898: 0000000000000000 49899: 0000000000000000 49900: 0000000000000000 49901: 0000000000000000 49902: 0000000000000000 49903: 0000000000000000 49904: 0000000000000000 49905: 0000000000000000 49906: 0000000000000000 49907: 0000000000000000 49908: 0000000000000000 49909: 0000000000000000 49910: 0000000000000000 49911: 0000000000000000 49912: 0000000000000000 49913: 0000000000000000 fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error) --------------------------------------------------------------------- # ASAN report $ ./binutils-gdb_asan/binutils/objdump -W poc ./binutils-gdb_asan/binutils/objdump: Warning: Corrupt attribute block length: 0x30303030 poc: file format elf64-x86-64 Contents of the .eh_frame section: 00000000 0000000000000014 00000000 CIE Version: 1 Augmentation: "zR" Code alignment factor: 48 (... too long ignore) 300: 3030303030303030 301: 3030303030303030 302: 3030303030303030 303: 3030303030303030 304: 3030303030303030 305: 3030303030303030 306: 3030303030303030 307: 3030303030303030 308: 3030303030303030 309: 3030303030303030 310: 3030303030303030 311: 3030303030303030 312: 3030303030303030 313: 3030303030303030 314: 3030303030303030 315: 3030303030303030 ================================================================= ==2848799==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000ab1 at pc 0x55f9366f07ac bp 0x7ffc73f785f0 sp 0x7ffc73f785e0 READ of size 1 at 0x61e000000ab1 thread T0 #0 0x55f9366f07ab in byte_get_little_endian /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149 #1 0x55f936695768 in display_debug_addr dwarf.c:7756 #2 0x55f9366588c4 in dump_dwarf_section objdump.c:4396 #3 0x55f9367a72d9 in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366 #4 0x55f936658af3 in dump_dwarf objdump.c:4434 #5 0x55f93665f110 in dump_bfd objdump.c:5636 #6 0x55f93665f4e5 in display_object_bfd objdump.c:5715 #7 0x55f93665f816 in display_any_bfd objdump.c:5801 #8 0x55f93665f890 in display_file objdump.c:5822 #9 0x55f9366611b9 in main objdump.c:6230 #10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308 #11 0x55f93664539d in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b39d) 0x61e000000ab1 is located 0 bytes to the right of 2609-byte region [0x61e000000080,0x61e000000ab1) allocated by thread T0 here: #0 0x7fae0f435808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x55f936a3bc7c in xmalloc xmalloc.c:149 #2 0x55f9366579c8 in load_specific_debug_section objdump.c:4216 #3 0x55f936658148 in load_debug_section objdump.c:4317 #4 0x55f9366b49d2 in load_separate_debug_files dwarf.c:11945 #5 0x55f93665e7bd in dump_bfd objdump.c:5520 #6 0x55f93665f4e5 in display_object_bfd objdump.c:5715 #7 0x55f93665f816 in display_any_bfd objdump.c:5801 #8 0x55f93665f890 in display_file objdump.c:5822 #9 0x55f9366611b9 in main objdump.c:6230 #10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149 in byte_get_little_endian Shadow bytes around the buggy address: 0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3c7fff8150: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa 0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2848799==ABORTING