Bug 21651 - heap-buffer-overflow in add_symbol
Summary: heap-buffer-overflow in add_symbol
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.29
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
 
Reported: 2017-06-21 09:00 UTC by Alexandre Adamski
Modified: 2017-10-02 05:35 UTC
CC List: 2 users



Attachments
282cc553a70cccddc4535d4bb3db5692.6a1a70e215d3fd538023ab8e5737b3c8.min (28 bytes, application/octet-stream) - 2017-06-21 09:01 UTC, Alexandre Adamski
282cc553a70cccddc4535d4bb3db5692.6a1a70e215d3fd538023ab8e5737b3c8.txt (1.07 KB, text/plain) - 2017-06-21 09:01 UTC, Alexandre Adamski
5deafefa1ca077a686a06b18e93f6e2e.484ddbe005142cc897588a715f2572f7.min (37 bytes, application/octet-stream) - 2017-06-21 09:01 UTC, Alexandre Adamski
5deafefa1ca077a686a06b18e93f6e2e.484ddbe005142cc897588a715f2572f7.txt (1.05 KB, text/plain) - 2017-06-21 09:02 UTC, Alexandre Adamski

Description Alexandre Adamski 2017-06-21 09:00:51 UTC
Hello there,

I have been fuzzing objdump with American Fuzzy Lop + ASAN/UBSAN.

Please find attached the minimized file causing the issue ("Input") and the ASAN report log ("Output"). Below is the reduced stacktrace with links to the corresponding source lines on a GitHub mirror.

The configuration settings used were `--enable-targets=all --disable-shared`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=all`. The command used was `objdump -afpxDSsgetTrR <file>`.

Let me know if there is any additional information I can provide.

--

Input: 282cc553a70cccddc4535d4bb3db5692.6a1a70e215d3fd538023ab8e5737b3c8.min
Output: 282cc553a70cccddc4535d4bb3db5692.6a1a70e215d3fd538023ab8e5737b3c8.txt

Error in "add_symbol": heap-buffer-overflow
  in add_symbol at bfd/vms-alpha.c:1125
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/vms-alpha.c#L1125)
  in _bfd_vms_slurp_egsd at bfd/vms-alpha.c:1307
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/vms-alpha.c#L1307)
  in _bfd_vms_slurp_object_records at bfd/vms-alpha.c:2456
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/vms-alpha.c#L2456)
  in alpha_vms_object_p at bfd/vms-alpha.c:2640
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/vms-alpha.c#L2640)
  in bfd_check_format_matches at bfd/format.c:311
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/format.c#L311)
  in display_object_bfd at binutils/objdump.c:3608
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/binutils/objdump.c#L3608)
  in display_any_bfd at binutils/objdump.c:3699
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/binutils/objdump.c#L3699)
  in display_file at binutils/objdump.c:3720
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/binutils/objdump.c#L3720)
  in main at binutils/objdump.c:4024
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/binutils/objdump.c#L4024)

Input: 5deafefa1ca077a686a06b18e93f6e2e.484ddbe005142cc897588a715f2572f7.min
Output: 5deafefa1ca077a686a06b18e93f6e2e.484ddbe005142cc897588a715f2572f7.txt

Error in "add_symbol": heap-buffer-overflow
  in add_symbol at bfd/vms-alpha.c:1120
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/vms-alpha.c#L1120)
  in _bfd_vms_slurp_egsd at bfd/vms-alpha.c:1265
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/vms-alpha.c#L1265)
  in _bfd_vms_slurp_object_records at bfd/vms-alpha.c:2456
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/vms-alpha.c#L2456)
  in alpha_vms_object_p at bfd/vms-alpha.c:2640
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/vms-alpha.c#L2640)
  in bfd_check_format_matches at bfd/format.c:311
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/bfd/format.c#L311)
  in display_object_bfd at binutils/objdump.c:3608
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/binutils/objdump.c#L3608)
  in display_any_bfd at binutils/objdump.c:3699
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/binutils/objdump.c#L3699)
  in display_file at binutils/objdump.c:3720
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/binutils/objdump.c#L3720)
  in main at binutils/objdump.c:4024
    (see https://github.com/bminor/binutils-gdb/blob/a6cab9afd2c81465265c8d09569e3e6ef43d2954/binutils/objdump.c#L4024)
Comment 1 Alexandre Adamski 2017-06-21 09:01:16 UTC
Created attachment 10204
282cc553a70cccddc4535d4bb3db5692.6a1a70e215d3fd538023ab8e5737b3c8.min
Comment 2 Alexandre Adamski 2017-06-21 09:01:35 UTC
Created attachment 10205
282cc553a70cccddc4535d4bb3db5692.6a1a70e215d3fd538023ab8e5737b3c8.txt
Comment 3 Alexandre Adamski 2017-06-21 09:01:55 UTC
Created attachment 10206
5deafefa1ca077a686a06b18e93f6e2e.484ddbe005142cc897588a715f2572f7.min
Comment 4 Alexandre Adamski 2017-06-21 09:02:11 UTC
Created attachment 10207
5deafefa1ca077a686a06b18e93f6e2e.484ddbe005142cc897588a715f2572f7.txt
Comment 5 Nick Clifton 2017-06-22 09:43:06 UTC
Hi Alexandre,

  I cannot reproduce these failures - either of them.  Please could you
  check to see if they have already been fixed, and if so, close this PR.

Cheers
  Nick
Comment 6 Alan Modra 2017-10-02 05:35:56 UTC
Both testcases no longer result in overflows on current 2.29 or master.  Both fail with 2.28.