Bug 21151 - Heap buffer overflow in dwarf2.c
Summary: Heap buffer overflow in dwarf2.c
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.29
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2017-02-13 16:01 UTC by Thuan Pham
Modified: 2017-02-13 17:54 UTC

See Also:
Last reconfirmed:

Bug triggering input (570 bytes, application/octet-stream)
2017-02-13 16:01 UTC, Thuan Pham

Description Thuan Pham 2017-02-13 16:01:21 UTC
Created attachment 9819 [details]
Bug triggering input

Dear all,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also to Marcel Böhme. 

This bug was found on Ubuntu 14.04 64-bit; binutils was checked out from the main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d (Fri Feb 10 00:00:16 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download the attached file - bug_17
objdump -S bug_17

ASAN says:
==107235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000bf72 at pc 0x10b6f9e bp 0x7ffd0f6e24f0 sp 0x7ffd0f6e24e8
READ of size 1 at 0x60800000bf72 thread T0
    #0 0x10b6f9d in read_1_byte /home/ubuntu/thesis/subjects/binutils-newest/build-asan/bfd/../../bfd/dwarf2.c:573
    #1 0x10accd0 in parse_comp_unit /home/ubuntu/thesis/subjects/binutils-newest/build-asan/bfd/../../bfd/dwarf2.c:2970
    #2 0x10a17df in _bfd_dwarf2_find_nearest_line /home/ubuntu/thesis/subjects/binutils-newest/build-asan/bfd/../../bfd/dwarf2.c:4297
    #3 0xcc0b5a in _bfd_elf_find_nearest_line /home/ubuntu/thesis/subjects/binutils-newest/build-asan/bfd/../../bfd/elf.c:8554
    #4 0x4d306f in show_line /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/objdump.c:1472
    #5 0x4c8043 in disassemble_bytes /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/objdump.c:1766
    #6 0x4b80e2 in disassemble_section /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/objdump.c:2279
    #7 0x999603 in bfd_map_over_sections /home/ubuntu/thesis/subjects/binutils-newest/build-asan/bfd/../../bfd/section.c:1395
    #8 0x4a63eb in disassemble_data /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/objdump.c:2413
    #9 0x498f1f in dump_bfd /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/objdump.c:3507
    #10 0x4978fb in display_object_bfd /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/objdump.c:3564
    #11 0x497698 in display_any_bfd /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/objdump.c:3653
    #12 0x495ebe in display_file /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/objdump.c:3674
    #13 0x493edd in main /home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/../../binutils/objdump.c:3969
    #14 0x7f5fdb405f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #15 0x48c95c in _start (/home/ubuntu/thesis/subjects/binutils-newest/build-asan/binutils/objdump+0x48c95c)
Comment 1 cvs-commit@gcc.gnu.org 2017-02-13 17:52:48 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit d11135f55294d75099ad03f81bacbe8ae93a6b28
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Feb 13 17:51:27 2017 +0000

    Fix invalid memory access in the BFD library's DWARF parser.
    	PR binutils/21151
    	* dwarf2.c (_bfd_dwarf2_find_nearest_line): Check for an invalid
    	unit length field.
Comment 2 Nick Clifton 2017-02-13 17:54:14 UTC
Hi Thuan,

  Thanks for the bug report.  I have applied a small patch to fix the problem.

  At issue here was the fact that the BFD library was not checking the unit_length field in the DWARF header before attempting to read in the DWARF debug information.
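The check Nick describes, shown as an added example that is not binutils' own code (the real fix lives in bfd/dwarf2.c and is not reproduced here): a minimal little-endian parser for the .debug_info compilation-unit header that validates unit_length against the bytes actually present in the section before anything past the length field is read. The cu_header struct, parse_cu_header, count_units and the two byte arrays are constructed for this example; the "good" section holds two well-formed DWARF 4 units and the "bad" one claims a 0x1000-byte unit inside an 11-byte section, which is the shape of input that made the unchecked walker in the report advance past its buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields of one .debug_info compilation-unit header (DWARF 2-4 layout). */
struct cu_header {
    uint64_t unit_length;   /* bytes in the unit, not counting the length field */
    size_t   length_size;   /* 4 for 32-bit DWARF, 12 when the 0xffffffff escape is used */
    uint16_t version;
    uint64_t abbrev_offset;
    uint8_t  address_size;
    size_t   header_size;   /* bytes from the start of the unit to its first DIE */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

/* Parse the unit header at offset `off` of a section of `sec_len` bytes.
   Returns 0 on success, -1 if the header is truncated or unit_length
   would extend past the end of the section. Nothing is read until the
   bytes it lives in are known to exist. */
int parse_cu_header(const uint8_t *sec, size_t sec_len, size_t off,
                    struct cu_header *out)
{
    if (off > sec_len)
        return -1;
    const uint8_t *p = sec + off;
    size_t avail = sec_len - off;

    /* unit_length: 4 bytes, or 0xffffffff followed by an 8-byte length. */
    if (avail < 4)
        return -1;
    uint64_t unit_length = rd32(p);
    size_t length_size = 4;
    size_t offset_size = 4;
    if (unit_length == 0xffffffffu) {
        if (avail < 12)
            return -1;
        unit_length = rd64(p + 4);
        length_size = 12;
        offset_size = 8;
    }

    /* The missing check: the whole unit must fit in the remaining section. */
    if (unit_length > avail - length_size)
        return -1;

    /* version (2) + debug_abbrev_offset (offset_size) + address_size (1)
       must also fit inside the unit itself, not merely inside the section. */
    size_t fixed = 2 + offset_size + 1;
    if (unit_length < fixed)
        return -1;

    const uint8_t *q = p + length_size;
    out->unit_length   = unit_length;
    out->length_size   = length_size;
    out->version       = rd16(q);
    out->abbrev_offset = offset_size == 4 ? rd32(q + 2) : rd64(q + 2);
    out->address_size  = q[2 + offset_size];
    out->header_size   = length_size + fixed;
    return 0;
}

/* Walk every unit in a section. Returns the unit count, or -1 as soon as a
   header fails validation. The bound in parse_cu_header guarantees that
   off + length_size + unit_length never exceeds sec_len. */
int count_units(const uint8_t *sec, size_t sec_len)
{
    struct cu_header h;
    size_t off = 0;
    int n = 0;
    while (off < sec_len) {
        if (parse_cu_header(sec, sec_len, off, &h) != 0)
            return -1;
        off += h.length_size + (size_t)h.unit_length;
        n++;
    }
    return n;
}

/* Constructed sample: two minimal DWARF 4 units, each 7 bytes after the
   length field (version 4, abbrev offset 0, address size 8). */
static const uint8_t good_section[] = {
    0x07, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
    0x07, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
};

/* Constructed sample: unit_length claims 0x1000 bytes, section has 11. */
static const uint8_t bad_section[] = {
    0x00, 0x10, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
};

int main(void)
{
    struct cu_header h;
    printf("good section: %d unit(s)\n", count_units(good_section, sizeof good_section));
    printf("bad section:  %d\n", count_units(bad_section, sizeof bad_section));
    if (parse_cu_header(good_section, sizeof good_section, 0, &h) == 0)
        printf("first unit: version %u, abbrev offset %llu, address size %u\n",
               h.version, (unsigned long long)h.abbrev_offset, h.address_size);
    return 0;
}
```

The rejection happens at the length field itself: a walker that trusts unit_length and advances by it ends up computing a pointer past the section buffer, and the next one-byte read is the out-of-bounds access ASAN reports above. Checking the length against the bytes remaining, and checking the fixed header fields against the unit length, keeps every later read inside memory the parser owns.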