Bug 20605 - SEGFAULT in objdump.c on fuzzed PE32 executable
Summary: SEGFAULT in objdump.c on fuzzed PE32 executable
Status: VERIFIED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.27
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-13 22:44 UTC by scottgriffy
Modified: 2016-09-14 18:22 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
The problem file (12.46 KB, application/x-ms-dos-executable)
2016-09-13 22:44 UTC, scottgriffy
Details

Note You need to log in before you can comment on or make changes to this bug.
Description scottgriffy 2016-09-13 22:44:59 UTC
Created attachment 9511 [details]
The problem file

I fuzzed a file and came up with 'crash.exe' which segfaults when passed to 'objdump -x' using the latest build I could find: GNU objdump (GNU Binutils) 2.27.51.20160913

Here's a log of running gdb with it:
$ gdb ~/checkout/binutils-gdb/binutils/objdump
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
...
Reading symbols from /home/grifball/checkout/binutils-gdb/binutils/objdump...done.
(gdb) set args -x crash.exe
(gdb) r
Starting program: /home/grifball/checkout/binutils-gdb/binutils/objdump -x crash.exe

Program received signal SIGSEGV, Segmentation fault.
bfd_getl32 (p=0x85a000) at libbfd.c:552
552       return v;
(gdb) where
#0  bfd_getl32 (p=0x85a000) at libbfd.c:552
#1  0x00000000004acaea in _bfd_pei_swap_debugdir_in (abfd=abfd@entry=0x83a1c0, ext1=0x85a000, in1=in1@entry=0x7fffffffcfa0) at peigen.c:1116
#2  0x00000000004a89dc in pe_bfd_read_buildid (abfd=0x83a1c0) at peicode.h:1342
#3  pe_bfd_object_p (abfd=0x83a1c0) at peicode.h:1486
#4  0x000000000044913d in bfd_check_format_matches (abfd=abfd@entry=0x83a1c0, format=format@entry=bfd_object, matching=matching@entry=0x7fffffffded0) at format.c:308
#5  0x0000000000408888 in display_object_bfd (abfd=0x83a1c0) at ./objdump.c:3461
#6  display_any_bfd (file=file@entry=0x83a1c0, level=level@entry=0) at ./objdump.c:3552
#7  0x000000000040a9a3 in display_file (filename=0x7fffffffe2f0 "crash.exe", target=<optimized out>) at ./objdump.c:3573
#8  0x0000000000404cca in main (argc=3, argv=0x7fffffffe078) at ./objdump.c:3856
(gdb)

I built objdump from the git repo here:
git://sourceware.org/git/binutils-gdb.git
by cd'ing into "./binutils/" then running "./configure" and "make objdump"

I created the offending exe following a tutorial:
https://fuzzing-project.org/tutorial1.html
and found that this will create the exe (after you've downloaded the win9x.exe from the site):
zzuf -r 0.004 -s 16915 < win9x.exe > crash.exe

Let me know if you have any question or want me to run any tests. I used zzuf version 0.15 to fuzz it.
Comment 1 cvs-commit@gcc.gnu.org 2016-09-14 14:33:07 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6d042fe27102cb789407ccb2ec1663aa9c65129

commit e6d042fe27102cb789407ccb2ec1663aa9c65129
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Sep 14 15:32:01 2016 +0100

    Fix seg-fault in objdump when run on a fuzzed PE binary.
    
    	PR binutils/20605
    	* peicode.h (pe_bfd_read_buildid): Check that the Data Directory
    	contains a valid size for the Debug directory.
Comment 2 Nick Clifton 2016-09-14 14:36:23 UTC
Hi Scott,

  Thanks for reporting this bug.

  I have checked in a patch to fix the problem.  If you find any more bugs,
  please feel free to open a new PR.  Or, if you find problems with my
  solution to this problem, please feel free to reopen this PR.

Cheers
  Nick
Comment 3 scottgriffy 2016-09-14 18:22:59 UTC
Hi Nick,

I double checked your solution to make sure that it fixed the problem.
Looks like it's working.
It's putting the error you added into stderr when I run the same test that segfaulted before.

Thanks,
-Scott