Bug 22769 - crash when running 32-bit objdump on corrupted file
Summary: crash when running 32-bit objdump on corrupted file
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.31 (HEAD)
Importance: P2 normal
Target Milestone: 2.31
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-01 01:39 UTC by Ruikai Liu
Modified: 2018-03-31 12:41 UTC
CC List: 1 user

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-02-01 00:00:00


Attachments
POC file (529 bytes, application/x-object)
2018-02-01 01:39 UTC, Ruikai Liu

Description Ruikai Liu 2018-02-01 01:39:12 UTC
Created attachment 10765 [details]
POC file

Hi,

Here's another file that crashes `objdump -g`. The build environment is the same as https://sourceware.org/bugzilla/show_bug.cgi?id=22746 (I built 32-bit objdump on a 64-bit machine by setting CFLAGS and LDFLAGS to `-m32`).

The code we're using is updated to the HEAD: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=35f48e217ab6f909510bf9ca07325ec16122ae88

Here's the output on the POC file:

----

root@debian:~# ~/src/binutils-32/binutils/objdump -g c3

c3:     file format elf32-i386

*** Error in `/root/src/binutils-32/binutils/objdump': free(): invalid next size (fast): 0x56fd21e0 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf764337a]
/lib/i386-linux-gnu/libc.so.6(+0x6dfb7)[0xf7649fb7]
/lib/i386-linux-gnu/libc.so.6(+0x6e7f6)[0xf764a7f6]
/root/src/binutils-32/binutils/objdump(+0x26617)[0x565ed617]
/root/src/binutils-32/binutils/objdump(+0x262cd)[0x565ed2cd]
/root/src/binutils-32/binutils/objdump(+0x267fd)[0x565ed7fd]
/root/src/binutils-32/binutils/objdump(+0x90242)[0x56657242]
/root/src/binutils-32/binutils/objdump(+0x269b3)[0x565ed9b3]
/root/src/binutils-32/binutils/objdump(+0x28e15)[0x565efe15]
/root/src/binutils-32/binutils/objdump(+0x28ee6)[0x565efee6]
/root/src/binutils-32/binutils/objdump(+0x2913a)[0x565f013a]
/root/src/binutils-32/binutils/objdump(+0x291b5)[0x565f01b5]
/root/src/binutils-32/binutils/objdump(main+0x9f6)[0x565f0bd7]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf75f4276]
/root/src/binutils-32/binutils/objdump(+0x20cf1)[0x565e7cf1]
======= Memory map: ========
565c7000-567aa000 r-xp 00000000 08:01 673613                             /root/src/binutils-32/binutils/objdump
567ab000-56814000 r--p 001e3000 08:01 673613                             /root/src/binutils-32/binutils/objdump
56814000-56819000 rw-p 0024c000 08:01 673613                             /root/src/binutils-32/binutils/objdump
56819000-56820000 rw-p 00000000 00:00 0
56fcd000-56fee000 rw-p 00000000 00:00 0                                  [heap]
f7300000-f7321000 rw-p 00000000 00:00 0
f7321000-f7400000 ---p 00000000 00:00 0
f740c000-f7428000 r-xp 00000000 08:01 1047386                            /lib/i386-linux-gnu/libgcc_s.so.1
f7428000-f7429000 r--p 0001b000 08:01 1047386                            /lib/i386-linux-gnu/libgcc_s.so.1
f7429000-f742a000 rw-p 0001c000 08:01 1047386                            /lib/i386-linux-gnu/libgcc_s.so.1
f743f000-f75da000 r--p 00000000 08:01 921179                             /usr/lib/locale/locale-archive
f75da000-f75dc000 rw-p 00000000 00:00 0
f75dc000-f778d000 r-xp 00000000 08:01 1047406                            /lib/i386-linux-gnu/libc-2.24.so
f778d000-f778e000 ---p 001b1000 08:01 1047406                            /lib/i386-linux-gnu/libc-2.24.so
f778e000-f7790000 r--p 001b1000 08:01 1047406                            /lib/i386-linux-gnu/libc-2.24.so
f7790000-f7791000 rw-p 001b3000 08:01 1047406                            /lib/i386-linux-gnu/libc-2.24.so
f7791000-f7794000 rw-p 00000000 00:00 0
f7794000-f7797000 r-xp 00000000 08:01 1047460                            /lib/i386-linux-gnu/libdl-2.24.so
f7797000-f7798000 r--p 00002000 08:01 1047460                            /lib/i386-linux-gnu/libdl-2.24.so
f7798000-f7799000 rw-p 00003000 08:01 1047460                            /lib/i386-linux-gnu/libdl-2.24.so
f77a4000-f77a5000 rw-p 00000000 00:00 0
f77a5000-f77ac000 r--s 00000000 08:01 131640                             /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
f77ac000-f77ae000 r--p 00199000 08:01 921179                             /usr/lib/locale/locale-archive
f77ae000-f77b1000 rw-p 00000000 00:00 0
f77b1000-f77b3000 r--p 00000000 00:00 0                                  [vvar]
f77b3000-f77b5000 r-xp 00000000 00:00 0                                  [vdso]
f77b5000-f77d8000 r-xp 00000000 08:01 1045240                            /lib/i386-linux-gnu/ld-2.24.so
f77d8000-f77d9000 r--p 00022000 08:01 1045240                            /lib/i386-linux-gnu/ld-2.24.so
f77d9000-f77da000 rw-p 00023000 08:01 1045240                            /lib/i386-linux-gnu/ld-2.24.so
ffbe3000-ffc04000 rw-p 00000000 00:00 0                                  [stack]
Aborted

----

Thanks!
Comment 1 cvs-commit@gcc.gnu.org 2018-02-01 11:10:39 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2023ce7e8d70b0155cc6206c901e185260918f0

commit f2023ce7e8d70b0155cc6206c901e185260918f0
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Feb 1 18:01:00 2018 +1030

    PR22769, crash when running 32-bit objdump on corrupted file
    
    	PR 22769
    	* objdump.c (load_specific_debug_section): Check for overflow
    	when adding one to section size for a string section terminator.
Comment 2 Alan Modra 2018-02-01 11:11:17 UTC
Fixed