Hello there, I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer. Please find attached the minimized file causing the issue ("Input") and the ASAN report log ("Output"). Below is the reduced stacktrace with links to the corresponding source lines on a GitHub mirror. The command I used was `objdump -D <file>`. Let me know if there is any additional information I can provide. -- Input: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.min Output: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.txt Error in "decode_pseudodbg_assert_0": global-buffer-overflow in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4604 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4604) in _print_insn_bfin at opcodes/bfin-dis.c:4760 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760) in print_insn_bfin at opcodes/bfin-dis.c:4778 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778) in disassemble_bytes at binutils/objdump.c:1864 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864) in disassemble_section at binutils/objdump.c:2309 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309) in bfd_map_over_sections at bfd/section.c:1395 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395) in disassemble_data at binutils/objdump.c:2445 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445) in dump_bfd at binutils/objdump.c:3547 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547) in display_file at binutils/objdump.c:3714 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714) in main at binutils/objdump.c:4016 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016) Input: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.min Output: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.txt Error in "decode_pseudodbg_assert_0": global-buffer-overflow in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4596 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4596) in _print_insn_bfin at opcodes/bfin-dis.c:4760 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760) in print_insn_bfin at opcodes/bfin-dis.c:4778 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778) in disassemble_bytes at binutils/objdump.c:1864 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864) in disassemble_section at binutils/objdump.c:2309 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309) in bfd_map_over_sections at bfd/section.c:1395 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395) in disassemble_data at binutils/objdump.c:2445 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445) in dump_bfd at binutils/objdump.c:3547 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547) in display_file at binutils/objdump.c:3714 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714) in main at binutils/objdump.c:4016 (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Created attachment 10116 [details] testcase_5ddfa
Created attachment 10117 [details] report_5ddfa
Created attachment 10118 [details] testcase_eaa0e
Created attachment 10119 [details] report_eaa0e
Additional Information: The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c7881b814c546efc3996fd1decdf0877f7a779 commit 08c7881b814c546efc3996fd1decdf0877f7a779 Author: Nick Clifton <nickc@redhat.com> Date: Thu Jun 15 11:52:02 2017 +0100 Prevent invalid array accesses when disassembling a corrupt bfin binary. PR binutils/21586 * bfin-dis.c (gregs): Clip index to prevent overflow. (regs): Likewise. (regs_lo): Likewise. (regs_hi): Likewise.
Hi Aadamski, Thanks for reporting this bug. The first testcase (5ddfa) has already been fixed by a previous patch. (I did not check to find out which one, but it will have been a recent one). The second testcase (eaa0e) does trigger the fault you reported and I have checked in a patch to fix the cause - an invalid array access. Cheers Nick