Bug 21586 - global-buffer-overflow in decode_pseudodbg_assert_0
Summary: global-buffer-overflow in decode_pseudodbg_assert_0
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.29
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-13 20:59 UTC by Alexandre Adamski
Modified: 2017-06-15 10:56 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
testcase_5ddfa (64 bytes, application/octet-stream), 2017-06-13 21:00 UTC, Alexandre Adamski
report_5ddfa (1.06 KB, text/plain), 2017-06-13 21:01 UTC, Alexandre Adamski
testcase_eaa0e (58 bytes, application/octet-stream), 2017-06-13 21:01 UTC, Alexandre Adamski
report_eaa0e (1.04 KB, text/plain), 2017-06-13 21:02 UTC, Alexandre Adamski

Description Alexandre Adamski 2017-06-13 20:59:41 UTC
Hello there,

I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.

Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.

The command I used was `objdump -D <file>`.

Let me know if there is any additional information I can provide.

--

Input: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.min
Output: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.txt

Error in "decode_pseudodbg_assert_0": global-buffer-overflow
  in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4604
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4604)
  in _print_insn_bfin at opcodes/bfin-dis.c:4760
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
  in print_insn_bfin at opcodes/bfin-dis.c:4778
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
  in disassemble_bytes at binutils/objdump.c:1864
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
  in disassemble_section at binutils/objdump.c:2309
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
  in bfd_map_over_sections at bfd/section.c:1395
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
  in disassemble_data at binutils/objdump.c:2445
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
  in dump_bfd at binutils/objdump.c:3547
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)

Input: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.min
Output: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.txt

Error in "decode_pseudodbg_assert_0": global-buffer-overflow
  in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4596
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4596)
  in _print_insn_bfin at opcodes/bfin-dis.c:4760
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
  in print_insn_bfin at opcodes/bfin-dis.c:4778
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
  in disassemble_bytes at binutils/objdump.c:1864
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
  in disassemble_section at binutils/objdump.c:2309
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
  in bfd_map_over_sections at bfd/section.c:1395
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
  in disassemble_data at binutils/objdump.c:2445
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
  in dump_bfd at binutils/objdump.c:3547
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Comment 1 Alexandre Adamski 2017-06-13 21:00:42 UTC
Created attachment 10116 [details]
testcase_5ddfa
Comment 2 Alexandre Adamski 2017-06-13 21:01:06 UTC
Created attachment 10117 [details]
report_5ddfa
Comment 3 Alexandre Adamski 2017-06-13 21:01:29 UTC
Created attachment 10118 [details]
testcase_eaa0e
Comment 4 Alexandre Adamski 2017-06-13 21:02:12 UTC
Created attachment 10119 [details]
report_eaa0e
Comment 5 Alexandre Adamski 2017-06-13 22:39:52 UTC
Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
Comment 6 Sourceware Commits 2017-06-15 10:53:10 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c7881b814c546efc3996fd1decdf0877f7a779

commit 08c7881b814c546efc3996fd1decdf0877f7a779
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jun 15 11:52:02 2017 +0100

    Prevent invalid array accesses when disassembling a corrupt bfin binary.
    
    	PR binutils/21586
    	* bfin-dis.c (gregs): Clip index to prevent overflow.
    	(regs): Likewise.
    	(regs_lo): Likewise.
    	(regs_hi): Likewise.
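The commit message above says the fix clips the index used for the register-name tables (gregs, regs, regs_lo, regs_hi). The following is an added illustration of that class of defect and its fix, not the bfin-dis.c code itself: a constructed register-name table indexed by a field pulled out of an instruction word, shown once without a bounds check and once with the index clipped to the table.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example table (not the real Blackfin register set order):
   16 register names, indexed by a field decoded from the instruction. */
static const char *const greg_names[] = {
  "R0", "R1", "R2", "R3", "R4", "R5", "R6", "R7",
  "P0", "P1", "P2", "P3", "P4", "P5", "SP", "FP",
};
#define NUM_GREGS (sizeof greg_names / sizeof greg_names[0])

/* Defective pattern: the lookup trusts that x is already in range.
   If the decoded field is wider than the table (here 5 bits, up to 31,
   against 16 entries), a corrupt binary makes this read past the end
   of a global array, which is exactly what ASAN reports as a
   global-buffer-overflow. Kept for comparison; do not call it with
   untrusted input. */
const char *greg_unchecked(unsigned x)
{
  return greg_names[x];
}

/* Fixed pattern: clip the index to the table before indexing.
   Out-of-range values are reported as an illegal register instead of
   being dereferenced. */
const char *greg_clipped(unsigned x)
{
  if (x >= NUM_GREGS)
    return "<illegal reg>";
  return greg_names[x];
}

/* Decode the low 5 bits of a constructed 16-bit instruction word as a
   register number and resolve it through the checked lookup. */
const char *decode_reg_field(unsigned short insn)
{
  unsigned regno = insn & 0x1f;
  return greg_clipped(regno);
}

int main(void)
{
  /* Constructed words: one in-range register, one out-of-range field. */
  printf("0xff0e -> %s\n", decode_reg_field(0xff0e));
  printf("0xffff -> %s\n", decode_reg_field(0xffff));
  return 0;
}
```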
Comment 7 Nick Clifton 2017-06-15 10:56:51 UTC
Hi Aadamski,

  Thanks for reporting this bug.

  The first testcase (5ddfa) has already been fixed by a previous patch.
  (I did not check to find out which one, but it will have been a recent
  one).

  The second testcase (eaa0e) does trigger the fault you reported and I
  have checked in a patch to fix the cause - an invalid array access.

Cheers
  Nick