Bug 29914

Summary: Asan reported heap-buffer-overflow of objdump at dwarf.c:744 in fetch_indexed_value()
Product: binutils Reporter: 曾思維 <13579and24680>
Component: binutilsAssignee: Nick Clifton <nickc>
Status: RESOLVED FIXED    
Severity: normal CC: nickc
Priority: P2    
Version: 2.39   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed: 2022-12-19 00:00:00
Attachments: Generated by my fuzzer and afl-tmin

Description 曾思維 2022-12-17 10:52:25 UTC 
Created attachment 14522 [details]
Generated by my fuzzer and afl-tmin

I found a heap-buffer-overflow with my fuzzer on objdump compiled with Asan.

It didn't crash objdump compiled without Asan this time.

---------------------------------------------------------------------
# version

$ ./binutils-gdb_asan/binutils/objdump --version
GNU objdump (GNU Binutils) 2.39.50.20221216
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# git log

$ git log --oneline -1
fa501b69309 (HEAD -> master, origin/master, origin/HEAD) Fix a potential illegal memory access when parsing corrupt DWARF information.

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure CFLAGS='-fsanitize=address -g3' CXXFALGS='-fsanitize=address -g3'
$ make

---------------------------------------------------------------------
# ASAN report

$ ./binutils-gdb_asan/binutils/objdump -W poc
./binutils-gdb_asan/binutils/objdump: warning: poc has a section extending past end of file
=================================================================
==2765629==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b1 at pc 0x55a51efcd89b bp 0x7ffdbdd5d8e0 sp 0x7ffdbdd5d8d0
READ of size 1 at 0x6020000000b1 thread T0
    #0 0x55a51efcd89a in byte_get_little_endian /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:119
    #1 0x55a51ef40ca3 in fetch_indexed_value dwarf.c:744
    #2 0x55a51ef4e156 in read_and_display_attr_value dwarf.c:2879
    #3 0x55a51ef50363 in read_and_display_attr dwarf.c:3443
    #4 0x55a51ef53f4d in process_debug_info dwarf.c:4044
    #5 0x55a51ef91ad9 in load_separate_debug_files dwarf.c:11982
    #6 0x55a51ef3b95b in dump_bfd objdump.c:5520
    #7 0x55a51ef3c688 in display_object_bfd objdump.c:5715
    #8 0x55a51ef3c9b9 in display_any_bfd objdump.c:5801
    #9 0x55a51ef3ca33 in display_file objdump.c:5822
    #10 0x55a51ef3e36d in main objdump.c:6230
    #11 0x7f123ccf7082 in __libc_start_main ../csu/libc-start.c:308
    #12 0x55a51ef2239d in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b39d)

0x6020000000b1 is located 0 bytes to the right of 1-byte region [0x6020000000b0,0x6020000000b1)
allocated by thread T0 here:
    #0 0x7f123cfd8808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55a51f31d620 in xmalloc xmalloc.c:149
    #2 0x55a51ef34b25 in load_specific_debug_section objdump.c:4216
    #3 0x55a51ef352a6 in load_debug_section objdump.c:4317
    #4 0x55a51ef91aa0 in load_separate_debug_files dwarf.c:11976
    #5 0x55a51ef3b95b in dump_bfd objdump.c:5520
    #6 0x55a51ef3c688 in display_object_bfd objdump.c:5715
    #7 0x55a51ef3c9b9 in display_any_bfd objdump.c:5801
    #8 0x55a51ef3ca33 in display_file objdump.c:5822
    #9 0x55a51ef3e36d in main objdump.c:6230
    #10 0x7f123ccf7082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:119 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 04
=>0x0c047fff8010: fa fa 00 01 fa fa[01]fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2765629==ABORTING
Comment 1 Sourceware Commits 2022-12-19 11:14:30 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=42f39fdedcf3321cab9964945d3f5bca58967b80

commit 42f39fdedcf3321cab9964945d3f5bca58967b80
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 19 11:13:46 2022 +0000

    Fix potential illegal memory accesses when parsing corrupt DWARF data.
    
            PR 29914
            * dwarf.c (fetch_indexed_value): Fail if the section is not big
            enough to contain a header size field.
            (display_debug_addr): Fail if the computed address size is too big
            or too small.
Comment 2 Nick Clifton 2022-12-19 11:14:47 UTC 
Fixed