| Summary: | objdump SEGV in concat_filename() at dwarf2.c:2060 | | |
|---|---|---|---|
| Product: | binutils | Reporter: | 曾思維 <13579and24680> |
| Component: | binutils | Assignee: | Nick Clifton <nickc> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | nickc |
| Priority: | P2 | | |
| Version: | 2.39 | | |
| Target Milestone: | --- | | |
| Host: | | Target: | |
| Build: | | Last reconfirmed: | 2022-12-23 00:00:00 |
| Attachments: | found by my fuzzer, trimmed with afl-tmin | | |
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09

```
commit 8af23b30edbaedf009bc9b243cd4dfa10ae1ac09
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Dec 23 13:02:04 2022 +0000

    Fix illegal memory access parsing corrupt DWARF information.

    PR 29936
    * dwarf2.c (concat_filename): Fix check for a directory index off
      the end of the directory table.
```

Hi,

Thanks for reporting this bug. I have applied a small patch to add a check for a directory index that extends off the end of the directory table.

Cheers
Nick
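The defect class behind this report is a table index taken from the object file (the directory index of a DWARF line-table file entry) being used to index the directory table without an adequate range check, so a fuzzed value sends the lookup off the end of the table and objdump dereferences garbage. The following is an added illustration and is not the binutils `concat_filename` code: the struct layout, the function names and the sample table are hypothetical, and it shows the check done wrong (an off-by-one that still accepts an index equal to the entry count) beside the check done right, with an out-of-range index handled by falling back to the bare file name instead of dereferencing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a DWARF line-table lookup (added
   illustration, not the binutils code). The directory index in a file
   entry comes straight from the input file and is untrusted. */

struct line_table {
    const char **dirs;   /* directory table parsed from the line program header */
    size_t       ndirs;  /* number of valid entries: indices 0 .. ndirs-1 */
};

struct file_entry {
    const char *name;       /* file name from the file table */
    uint64_t    dir_index;  /* directory index from the file table (untrusted) */
};

/* Off-by-one check: accepts dir_index == ndirs, which would read one entry
   past the end of the table. Shown only as a predicate, never used to index. */
int dir_index_ok_offbyone(uint64_t dir_index, size_t ndirs)
{
    return dir_index <= ndirs;
}

/* Correct check: only indices strictly below the entry count are in range. */
int dir_index_ok(uint64_t dir_index, size_t ndirs)
{
    return dir_index < ndirs;
}

/* Build "dir/name" for a file entry. On an out-of-range directory index the
   entry is treated as having no directory, *bad_index is set, and only the
   bare file name is returned. Returns a malloc'd string (caller frees) or
   NULL on allocation failure. */
char *concat_filename_checked(const struct line_table *tab,
                              const struct file_entry *fe, int *bad_index)
{
    const char *dir = NULL;

    *bad_index = 0;
    if (dir_index_ok(fe->dir_index, tab->ndirs))
        dir = tab->dirs[fe->dir_index];
    else
        *bad_index = 1;   /* corrupt or fuzzed index: flag it, never dereference */

    if (dir == NULL || dir[0] == '\0') {
        size_t n = strlen(fe->name) + 1;
        char *copy = malloc(n);
        if (copy != NULL)
            memcpy(copy, fe->name, n);
        return copy;
    }

    size_t len = strlen(dir) + 1 + strlen(fe->name) + 1;
    char *out = malloc(len);
    if (out == NULL)
        return NULL;
    snprintf(out, len, "%s/%s", dir, fe->name);
    return out;
}

/* Runs the checked lookup on a constructed two-entry directory table and
   reports whether the result and the bad-index flag match expectations. */
int lookup_matches(uint64_t dir_index, const char *expected, int expect_bad)
{
    const char *dirs[] = { "/src", "include" };   /* constructed sample table */
    struct line_table tab = { dirs, 2 };
    struct file_entry fe = { "x.c", dir_index };
    int flag = -1;
    char *p = concat_filename_checked(&tab, &fe, &flag);
    int ok = p != NULL && strcmp(p, expected) == 0 && flag == expect_bad;
    free(p);
    return ok;
}

int main(void)
{
    /* 808464432 is 0x30303030, the "0000" fill pattern visible in the
       report's DWARF error messages; here it is just a constructed bad index. */
    printf("index 1        -> include/x.c : %d\n", lookup_matches(1, "include/x.c", 0));
    printf("index 2 (== n) -> x.c, bad    : %d\n", lookup_matches(2, "x.c", 1));
    printf("index 0x30303030 -> x.c, bad  : %d\n", lookup_matches(808464432ULL, "x.c", 1));
    printf("off-by-one check accepts index == ndirs: %d\n", dir_index_ok_offbyone(2, 2));
    return 0;
}
```

The point of keeping `dir_index_ok_offbyone` next to `dir_index_ok` is that both look like bounds checks at a glance; only the strict `<` keeps every accepted index inside `dirs[0 .. ndirs-1]`. Treating a bad index as "no directory" and flagging it lets the caller keep going on a corrupt file, which is the behaviour a consumer of untrusted debug info wants.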
Created attachment 14536 [details]
found by my fuzzer, trimmed with afl-tmin

```
# version
$ ./binutils-gdb/binutils/objdump -v
GNU objdump (GNU Binutils) 2.39.50.20221223
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
---------------------------------------------------------------------
# git log
$ git log --oneline -1
110028744cd (HEAD -> master, origin/master, origin/HEAD) sim: lm32/m32r: drop redundant opcode/cgen.h include
---------------------------------------------------------------------
# make
$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make
---------------------------------------------------------------------
# crash
$ ./binutils-gdb/binutils/objdump -S poc
./binutils-gdb/binutils/objdump: warning: poc has a section extending past end of file

poc:     file format elf64-x86-64

Disassembly of section 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.debug_info:

3030303030303030 <000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.debug_info>:
./binutils-gdb/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error)
---------------------------------------------------------------------
# ASAN report
$ ./binutils-gdb_asan/binutils/objdump -S poc
./binutils-gdb_asan/binutils/objdump: warning: poc has a section extending past end of file

poc:     file format elf64-x86-64

Disassembly of section 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.debug_info:

3030303030303030 <000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.debug_info>:
./binutils-gdb_asan/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb_asan/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb_asan/binutils/objdump: DWARF error: can't find .debug_str section.
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
./binutils-gdb_asan/binutils/objdump: DWARF error: offset (808464432) greater than or equal to .debug_line_str size (12336)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2466233==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55f76c40748c bp 0x7ffcf161a580 sp 0x7ffcf161a530 T0)
==2466233==The signal is caused by a READ memory access.
==2466233==Hint: address points to the zero page.
    #0 0x55f76c40748b in concat_filename dwarf2.c:2060
    #1 0x55f76c40b28a in decode_line_info dwarf2.c:2891
    #2 0x55f76c414771 in comp_unit_maybe_decode_line_info dwarf2.c:4706
    #3 0x55f76c4144a7 in comp_unit_find_nearest_line dwarf2.c:4673
    #4 0x55f76c41a8ce in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5986
    #5 0x55f76c36c26d in _bfd_elf_find_nearest_line_with_alt /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338
    #6 0x55f76c36c0fc in _bfd_elf_find_nearest_line /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315
    #7 0x55f76c15ee2b in show_line objdump.c:2180
    #8 0x55f76c164871 in disassemble_bytes objdump.c:3339
    #9 0x55f76c16892d in disassemble_section objdump.c:4050
    #10 0x55f76c2bb721 in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
    #11 0x55f76c1698bc in disassemble_data objdump.c:4194
    #12 0x55f76c1716d0 in dump_bfd objdump.c:5676
    #13 0x55f76c1719ab in display_object_bfd objdump.c:5739
    #14 0x55f76c171cdc in display_any_bfd objdump.c:5825
    #15 0x55f76c171d56 in display_file objdump.c:5846
    #16 0x55f76c173690 in main objdump.c:6254
    #17 0x7fd90c174082 in __libc_start_main ../csu/libc-start.c:308
    #18 0x55f76c1573bd in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b3bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dwarf2.c:2060 in concat_filename
==2466233==ABORTING
```