Bug 20605 - SEGFAULT in objdump.c on fuzzed PE32 executable
Summary: SEGFAULT in objdump.c on fuzzed PE32 executable
Status: VERIFIED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.27
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-13 22:44 UTC by scottgriffy
Modified: 2016-09-14 18:22 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
The problem file (12.46 KB, application/x-ms-dos-executable)
2016-09-13 22:44 UTC, scottgriffy 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description scottgriffy 2016-09-13 22:44:59 UTC 
Created attachment 9511 [details]
The problem file

I fuzzed a file and came up with 'crash.exe' which segfaults when passed to 'objdump -x' using the latest build I could find: GNU objdump (GNU Binutils) 2.27.51.20160913

Here's a log of running gdb with it:
$ gdb ~/checkout/binutils-gdb/binutils/objdump
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
...
Reading symbols from /home/grifball/checkout/binutils-gdb/binutils/objdump...done.
(gdb) set args -x crash.exe
(gdb) r
Starting program: /home/grifball/checkout/binutils-gdb/binutils/objdump -x crash.exe

Program received signal SIGSEGV, Segmentation fault.
bfd_getl32 (p=0x85a000) at libbfd.c:552
552       return v;
(gdb) where
#0  bfd_getl32 (p=0x85a000) at libbfd.c:552
#1  0x00000000004acaea in _bfd_pei_swap_debugdir_in (abfd=abfd@entry=0x83a1c0, ext1=0x85a000, in1=in1@entry=0x7fffffffcfa0) at peigen.c:1116
#2  0x00000000004a89dc in pe_bfd_read_buildid (abfd=0x83a1c0) at peicode.h:1342
#3  pe_bfd_object_p (abfd=0x83a1c0) at peicode.h:1486
#4  0x000000000044913d in bfd_check_format_matches (abfd=abfd@entry=0x83a1c0, format=format@entry=bfd_object, matching=matching@entry=0x7fffffffded0) at format.c:308
#5  0x0000000000408888 in display_object_bfd (abfd=0x83a1c0) at ./objdump.c:3461
#6  display_any_bfd (file=file@entry=0x83a1c0, level=level@entry=0) at ./objdump.c:3552
#7  0x000000000040a9a3 in display_file (filename=0x7fffffffe2f0 "crash.exe", target=<optimized out>) at ./objdump.c:3573
#8  0x0000000000404cca in main (argc=3, argv=0x7fffffffe078) at ./objdump.c:3856
(gdb)

I built objdump from the git repo here:
git://sourceware.org/git/binutils-gdb.git
by cd'ing into "./binutils/" then running "./configure" and "make objdump"

I created the offending exe following a tutorial:
https://fuzzing-project.org/tutorial1.html
and found that this will create the exe (after you've downloaded the win9x.exe from the site):
zzuf -r 0.004 -s 16915 < win9x.exe > crash.exe

Let me know if you have any question or want me to run any tests. I used zzuf version 0.15 to fuzz it.
Comment 1 Sourceware Commits 2016-09-14 14:33:07 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6d042fe27102cb789407ccb2ec1663aa9c65129

commit e6d042fe27102cb789407ccb2ec1663aa9c65129
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Sep 14 15:32:01 2016 +0100

    Fix seg-fault in objdump when run on a fuzzed PE binary.
    
    	PR binutils/20605
    	* peicode.h (pe_bfd_read_buildid): Check that the Data Directory
    	contains a valid size for the Debug directory.
Comment 2 Nick Clifton 2016-09-14 14:36:23 UTC 
Hi Scott,

  Thanks for reporting this bug.

  I have checked in a patch to fix the problem.  If you find any more bugs,
  please feel free to open a new PR.  Or, if you find problems with my
  solution to this problem, please feel free to reopen this PR.

Cheers
  Nick
Comment 3 scottgriffy 2016-09-14 18:22:59 UTC 
Hi Nick,

I double checked your solution to make sure that it fixed the problem.
Looks like it's working.
It's putting the error you added into stderr when I run the same test that segfaulted before.

Thanks,
-Scott