Bug 20893 - Sigabrt in objdump
Summary: Sigabrt in objdump
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.28
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-01 10:07 UTC by Thuan Pham
Modified: 2016-12-07 04:10 UTC
CC List: 1 user

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments

Description Thuan Pham 2016-12-01 10:07:16 UTC
Dear all,
Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, we found an input causing objdump to crash. 

The bug was found on Ubuntu 14.04, and binutils was checked out from the https://github.com/bminor/binutils-gdb repository at commit 268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016).

To reproduce:

printf "\x0b\x01\x00\x30\x30\x30\x30\x00\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x62\xe3\x65\x30\x20" > fd

objdump -D fd 

OR

objdump -d fd


ASAN says:
../../binutils/objdump.c:2274:3: runtime error: null pointer passed as argument 2, which is declared to never be null
Signal 1

Valgrind says:
==53754== Conditional jump or move depends on uninitialised value(s)
==53754==    at 0x5A97AD: get_valid_dis386 (i386-dis.c:12916)
==53754==    by 0x5A97AD: print_insn (i386-dis.c:13239)
==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==53754==    by 0x418307: disassemble_data (objdump.c:2375)
==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==53754==    by 0x40CFC9: display_file (objdump.c:3636)
==53754==    by 0x40CFC9: main (objdump.c:3919)
==53754== 
==53754== Conditional jump or move depends on uninitialised value(s)
==53754==    at 0x58E4AF: get_sib (i386-dis.c:12957)
==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==53754==    by 0x418307: disassemble_data (objdump.c:2375)
==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==53754==    by 0x40CFC9: display_file (objdump.c:3636)
==53754==    by 0x40CFC9: main (objdump.c:3919)
==53754== 
==53754== Conditional jump or move depends on uninitialised value(s)
==53754==    at 0x58E4F7: get_sib (i386-dis.c:12958)
==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==53754==    by 0x418307: disassemble_data (objdump.c:2375)
==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==53754==    by 0x40CFC9: display_file (objdump.c:3636)
==53754==    by 0x40CFC9: main (objdump.c:3919)
==53754== 
==53754== Use of uninitialised value of size 8
==53754==    at 0x5858E6: stpcpy (string3.h:111)
==53754==    by 0x5858E6: oappend (i386-dis.c:14387)
==53754==    by 0x5858E6: OP_XMM (i386-dis.c:16241)
==53754==    by 0x5A8A90: print_insn (i386-dis.c:13248)
==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
==53754==    by 0x418307: disassemble_data (objdump.c:2375)
==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
==53754==    by 0x40CFC9: display_file (objdump.c:3636)
==53754==    by 0x40CFC9: main (objdump.c:3919)
Comment 1 Sourceware Commits 2016-12-01 10:27:36 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a37a2806e3289294ed214aed3c8a45db46026b39

commit a37a2806e3289294ed214aed3c8a45db46026b39
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Dec 1 10:26:32 2016 +0000

    Fix abort in x86 disassembler.
    
    	PR binutils/20893
    	* i386-dis.c (OP_VEX): Replace call to abort with a append of bad
    	opcode designator.
Comment 2 Nick Clifton 2016-12-01 10:31:40 UTC
Hi Thuan,

I am unable to reproduce this problem as you reported it. :-(

> binutils was checked out from

How were the binutils configured ?

> Its commit is  268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e 
> (Fri Nov 18 14:15:12 2016

Would you mind trying a more recent version ?  It is possible that this bug has already been fixed.

> To reproduce:

For me the reproducer triggers an abort() in the x86 disassembler,
but it does not incite any reports from the address sanitizer.

I have checked in a patch to replace the call to abort with an
error return so, for me at least, your test program disassembles 
without triggering any faults.

Cheers
  Nick
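The fix Nick describes is the standard hardening for any decoder that is fed untrusted bytes: an internal "this cannot happen" abort() becomes a bad-operand result, so one malformed instruction no longer takes down the whole objdump run (an abort on fuzzer input is a denial of service against anyone who disassembles untrusted binaries in an automated pipeline). The following toy EVEX-prefix decoder is an added illustration of that pattern; it is not binutils code and not the OP_VEX change itself. It assumes the EVEX field layout from the Intel SDM, assumes "(bad)" as the designator the commit message calls the bad opcode designator, and uses the last five bytes of the reporter's reproducer as a constructed sample input, read as an EVEX-prefixed instruction purely for illustration. The report does not say which field tripped the real abort, and this example does not claim to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded EVEX prefix fields (layout per the Intel SDM; illustrative
   decoder, not the one in binutils' i386-dis.c). */
struct evex_fields {
    unsigned map;    /* opcode map: 1 = 0F, 2 = 0F38, 3 = 0F3A */
    unsigned w;      /* EVEX.W */
    unsigned vvvv;   /* extra source register, already un-inverted */
    unsigned pp;     /* implied prefix: 0 none, 1 = 66, 2 = F3, 3 = F2 */
    unsigned z;      /* zeroing (1) or merging (0) masking */
    unsigned ll;     /* vector length: 0 = 128, 1 = 256, 2 = 512, 3 reserved */
    unsigned b;      /* broadcast / embedded rounding */
    unsigned aaa;    /* opmask register k0..k7 */
    unsigned opcode; /* opcode byte following the prefix */
};

enum decode_status { DECODE_OK = 0, DECODE_BAD = 1 };

/* Decode "62 P0 P1 P2 opcode".  Every malformed input, truncated input
   included, yields DECODE_BAD; nothing in here can abort(). */
static enum decode_status
decode_evex(const uint8_t *p, size_t n, struct evex_fields *f)
{
    if (n < 5 || p[0] != 0x62)
        return DECODE_BAD;              /* too short, or not an EVEX prefix */

    uint8_t p0 = p[1], p1 = p[2], p2 = p[3];

    /* Reserved bits: P0[3:2] must be 00 and P1[2] must be 1. */
    if ((p0 & 0x0c) != 0 || (p1 & 0x04) == 0)
        return DECODE_BAD;

    f->map = p0 & 0x03;
    if (f->map == 0)
        return DECODE_BAD;              /* map 00 is reserved */

    f->w      = (p1 >> 7) & 1;
    f->vvvv   = ((p1 >> 3) & 0x0f) ^ 0x0f;   /* stored inverted */
    f->pp     = p1 & 0x03;
    f->z      = (p2 >> 7) & 1;
    f->ll     = (p2 >> 5) & 0x03;
    f->b      = (p2 >> 4) & 1;
    f->aaa    = p2 & 0x07;
    f->opcode = p[4];

    /* Where a decoder that trusts its own length bookkeeping would put
       an abort(): report the reserved length as bad and carry on. */
    if (f->ll == 3)
        return DECODE_BAD;
    return DECODE_OK;
}

/* Render one decode attempt the way a disassembler line would read;
   "(bad)" is the designator this example assumes for a bad operand. */
static const char *
describe_evex(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    static const char *const maps[] = { "?", "0F", "0F38", "0F3A" };
    static const char *const pps[]  = { "", "66 ", "F3 ", "F2 " };
    struct evex_fields f;

    if (decode_evex(p, n, &f) != DECODE_OK) {
        snprintf(out, outsz, "(bad)");
        return out;
    }
    snprintf(out, outsz, "evex %s%s %02x vl=%u vvvv=%u w=%u z=%u b=%u k%u",
             pps[f.pp], maps[f.map], f.opcode, 128u << f.ll,
             f.vvvv, f.w, f.z, f.b, f.aaa);
    return out;
}

/* One-byte mutation sweep, the smallest fuzz loop that matters here: try
   all 256 values at position pos and count clean decodes.  The function
   only returns at all because the decoder never aborts. */
static unsigned
sweep_byte(const uint8_t *seed, size_t n, size_t pos)
{
    uint8_t buf[16];
    struct evex_fields f;
    unsigned ok = 0;

    if (n > sizeof buf || pos >= n)
        return 0;
    memcpy(buf, seed, n);
    for (unsigned v = 0; v < 256; v++) {
        buf[pos] = (uint8_t) v;
        if (decode_evex(buf, n, &f) == DECODE_OK)
            ok++;
    }
    return ok;
}

/* Constructed sample: the last five bytes of the reporter's reproducer. */
static const uint8_t sample[] = { 0x62, 0xe3, 0x65, 0x30, 0x20 };

int main(void)
{
    char line[96];
    printf("%s\n", describe_evex(sample, sizeof sample, line, sizeof line));
    printf("P2 sweep: %u/256 decode cleanly\n",
           sweep_byte(sample, sizeof sample, 3));
    return 0;
}
```

The sweep is the check worth keeping around after a fix like this one: run the decoder over every value of each prefix byte and confirm the loop finishes, which is a stronger statement than "the one reproducer no longer aborts". Note that an abort() is a controlled crash, so the sanitizer stays quiet, exactly as Nick observed; the Valgrind reports about uninitialised values in get_valid_dis386 and get_sib are a separate matter that this bug's fix does not address.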
Comment 3 Thuan Pham 2016-12-02 02:03:45 UTC
Hi Nick,
I have checked out the newest version of binutils and ran the test case I reported. There is no abort anymore, so it should be fixed already.
Thanks,
Thuan
Comment 4 Thuan Pham 2016-12-07 04:10:52 UTC
No abort anymore.