Created attachment 10760
POC file

Hi,

We fuzzed 32-bit objdump and found a heap corruption when running `objdump -x` with the attached file. Here's the output of a clean build on HEAD code (commit 3e53a58e1f557f9b799506b62ac1cbf456b34647):

root@debian:~# src/binutils-32/binutils/objdump -x ~/fuzzing/objdump-c/c2
src/binutils-32/binutils/objdump: /root/fuzzing/objdump-c/c2: File truncated
*** Error in `src/binutils-32/binutils/objdump': free(): invalid pointer: 0x572ffaa0 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf764737a]
/lib/i386-linux-gnu/libc.so.6(+0x6dfb7)[0xf764dfb7]
/lib/i386-linux-gnu/libc.so.6(+0x6e7f6)[0xf764e7f6]
src/binutils-32/binutils/objdump(+0x1805b0)[0x5677d5b0]
src/binutils-32/binutils/objdump(+0x8ac0a)[0x56687c0a]
src/binutils-32/binutils/objdump(+0x8d52f)[0x5668a52f]
src/binutils-32/binutils/objdump(+0x8df16)[0x5668af16]
src/binutils-32/binutils/objdump(+0x291d9)[0x566261d9]
src/binutils-32/binutils/objdump(main+0x9f6)[0x56626bd7]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf75f8276]
src/binutils-32/binutils/objdump(+0x20cf1)[0x5661dcf1]
======= Memory map: ========
565fd000-567e0000 r-xp 00000000 08:01 669129     /root/src/binutils-32/binutils/objdump
567e1000-5684a000 r--p 001e3000 08:01 669129     /root/src/binutils-32/binutils/objdump
5684a000-5684f000 rw-p 0024c000 08:01 669129     /root/src/binutils-32/binutils/objdump
5684f000-56856000 rw-p 00000000 00:00 0
572fe000-5731f000 rw-p 00000000 00:00 0          [heap]
f7300000-f7321000 rw-p 00000000 00:00 0
f7321000-f7400000 ---p 00000000 00:00 0
f7411000-f742d000 r-xp 00000000 08:01 1047386    /lib/i386-linux-gnu/libgcc_s.so.1
f742d000-f742e000 r--p 0001b000 08:01 1047386    /lib/i386-linux-gnu/libgcc_s.so.1
f742e000-f742f000 rw-p 0001c000 08:01 1047386    /lib/i386-linux-gnu/libgcc_s.so.1
f7443000-f75de000 r--p 00000000 08:01 921179     /usr/lib/locale/locale-archive
f75de000-f75e0000 rw-p 00000000 00:00 0
f75e0000-f7791000 r-xp 00000000 08:01 1047406    /lib/i386-linux-gnu/libc-2.24.so
f7791000-f7792000 ---p 001b1000 08:01 1047406    /lib/i386-linux-gnu/libc-2.24.so
f7792000-f7794000 r--p 001b1000 08:01 1047406    /lib/i386-linux-gnu/libc-2.24.so
f7794000-f7795000 rw-p 001b3000 08:01 1047406    /lib/i386-linux-gnu/libc-2.24.so
f7795000-f7798000 rw-p 00000000 00:00 0
f7798000-f779b000 r-xp 00000000 08:01 1047460    /lib/i386-linux-gnu/libdl-2.24.so
f779b000-f779c000 r--p 00002000 08:01 1047460    /lib/i386-linux-gnu/libdl-2.24.so
f779c000-f779d000 rw-p 00003000 08:01 1047460    /lib/i386-linux-gnu/libdl-2.24.so
f77a7000-f77a8000 rw-p 00000000 00:00 0
f77a8000-f77af000 r--s 00000000 08:01 131640     /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
f77af000-f77b1000 r--p 00199000 08:01 921179     /usr/lib/locale/locale-archive
f77b1000-f77b4000 rw-p 00000000 00:00 0
f77b4000-f77b6000 r--p 00000000 00:00 0          [vvar]
f77b6000-f77b8000 r-xp 00000000 00:00 0          [vdso]
f77b8000-f77db000 r-xp 00000000 08:01 1045240    /lib/i386-linux-gnu/ld-2.24.so
f77db000-f77dc000 r--p 00022000 08:01 1045240    /lib/i386-linux-gnu/ld-2.24.so
f77dc000-f77dd000 rw-p 00023000 08:01 1045240    /lib/i386-linux-gnu/ld-2.24.so
ffa24000-ffa45000 rw-p 00000000 00:00 0          [stack]
Aborted

And 64-bit objdump is not affected.
On a 32-bit i686-linux binutils build, I just get "File format not recognised". Also, commit 3e53a58e1f557f9b799506b62ac1cbf456b34647 is not in mainline binutils.
Hmm, so i686-linux with --enable-64-bit-bfd reproduces the crash. It would be useful to report such configuration parameters when reporting bugs.
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=38e64b0ecc7f4ee64a02514b8d532782ac057fa2

commit 38e64b0ecc7f4ee64a02514b8d532782ac057fa2
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Jan 25 21:47:41 2018 +1030

    PR22746, crash when running 32-bit objdump on corrupted file

    Avoid unsigned int overflow by performing bfd_size_type multiplication.

        PR 22746
        * elfcode.h (elf_object_p): Avoid integer overflow.
Fixed mainline.
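The commit message above names the bug class but not the arithmetic, so here is an added, self-contained illustration of it. This is example code written for this page, not the binutils elfcode.h code and not the actual fix: the header layout (`struct`-free pair of 32-bit count and entry-size fields), the `wide_size_t` stand-in for `bfd_size_type` on an --enable-64-bit-bfd build, the function names and the sample bytes are all constructed assumptions. It shows how a count-times-entry-size product evaluated in 32-bit `unsigned int` wraps to zero and slips past a "does this table fit in the file" check, and how widening the multiplication to the 64-bit type (the approach the commit message describes) makes the same check reject the corrupt header.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for bfd_size_type on an --enable-64-bit-bfd build:
   64 bits wide even though the host's unsigned int is only 32 bits.  */
typedef uint64_t wide_size_t;

/* Read a little-endian 32-bit field from an untrusted byte buffer.  */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Constructed header format (not the real ELF layout): an entry count
   followed by an entry size, both 32-bit little-endian.  Returns false on
   a truncated header instead of reading past the buffer.  */
bool parse_table_hdr(const uint8_t *buf, size_t len,
                     uint32_t *count, uint32_t *entsize)
{
    if (len < 8)
        return false;
    *count = rd32le(buf);
    *entsize = rd32le(buf + 4);
    return true;
}

/* Buggy form: count * entsize is evaluated in 32-bit unsigned arithmetic
   and silently wraps modulo 2^32, so an absurdly large table can pass the
   "fits in the file" test and later be given an undersized allocation.  */
bool table_fits_narrow(uint32_t count, uint32_t entsize, wide_size_t filesize)
{
    unsigned int amt = count * entsize;   /* wraps on a 32-bit unsigned int */
    return amt <= filesize;
}

/* Fixed form: widen one operand to the 64-bit type before multiplying, as
   the commit message describes, and additionally refuse products that would
   not fit even the wide type.  */
bool table_fits_wide(uint32_t count, uint32_t entsize, wide_size_t filesize)
{
    if (entsize != 0 && count > UINT64_MAX / entsize)
        return false;
    wide_size_t amt = (wide_size_t) count * entsize;
    return amt <= filesize;
}

/* Constructed corrupt header: count = 0x10000000, entsize = 0x40.
   The true product is 0x400000000 bytes; modulo 2^32 it is 0.  */
static const uint8_t corrupt_hdr[8] = {
    0x00, 0x00, 0x00, 0x10,   /* count   = 0x10000000 */
    0x40, 0x00, 0x00, 0x00    /* entsize = 0x40 */
};

/* Returns 1 when the narrow check wrongly accepts the corrupt header while
   the wide check rejects it for a constructed 4096-byte file, else 0.  */
int demo_corrupt_header(void)
{
    uint32_t count, entsize;
    if (!parse_table_hdr(corrupt_hdr, sizeof corrupt_hdr, &count, &entsize))
        return 0;
    const wide_size_t filesize = 4096;
    bool narrow = table_fits_narrow(count, entsize, filesize);
    bool wide = table_fits_wide(count, entsize, filesize);
    return (narrow && !wide) ? 1 : 0;
}

int main(void)
{
    uint32_t count, entsize;
    if (!parse_table_hdr(corrupt_hdr, sizeof corrupt_hdr, &count, &entsize))
        return 1;
    printf("count=0x%" PRIx32 " entsize=0x%" PRIx32 "\n", count, entsize);
    printf("32-bit check accepts table: %d\n",
           table_fits_narrow(count, entsize, 4096));
    printf("64-bit check accepts table: %d\n",
           table_fits_wide(count, entsize, 4096));
    return 0;
}
```

The same pattern applies to any size computed from file-supplied fields before an allocation or a bounds check: do the arithmetic in the widest size type the build offers, and treat a product that cannot be represented as a format error rather than letting it wrap.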