Created attachment 11322 [details] POC Hi, there. We are doing research on Fuzz testing. Our fuzzer caught an An Invalid memory address dereference problem in program objdump of the latest binutils(v2.31.1) code base, The POC file I gave can cause the segment faults and I have confirmed them with address sanitizer too. Please use the "./objdump -xg -W $POC" to reproduce the bug. If you have any questions, please let me know. The ASAN dumps the stack trace as follows: ASAN:DEADLYSIGNAL ================================================================= ==17439==ERROR: AddressSanitizer: SEGV on unknown address 0x612208051814 (pc 0x0000021a0ef0 bp 0x7ffcdefe0820 sp 0x7ffcdefe0800 T0) #0 0x21a0eef in read_reloc /binutils_gdb/bfd/reloc.c:557:14 #1 0x21a44ff in _bfd_clear_contents /binutils_gdb/bfd/reloc.c:1516:7 #2 0x21ac758 in bfd_generic_get_relocated_section_contents /binutils_gdb/bf #3 0xa373c7 in bfd_get_relocated_section_contents /binutils_gdb/bfd/bfd.c:1 #4 0xb45b58 in bfd_simple_get_relocated_section_contents /binutils_gdb/bfd/ #5 0x4ee41c in load_specific_debug_section /binutils_gdb/binutils/./objdump #6 0x520386 in dump_dwarf_section /binutils_gdb/binutils/./objdump.c:2691:6 #7 0xb3cfb7 in bfd_map_over_sections /binutils_gdb/bfd/section.c:1374:5 #8 0x513470 in dump_dwarf /binutils_gdb/binutils/./objdump.c:2774:3 #9 0x50155f in dump_bfd /binutils_gdb/binutils/./objdump.c:3627:5 #10 0x4fa7d3 in display_object_bfd /binutils_gdb/binutils/./objdump.c:3714: #11 0x4fa7d3 in display_any_bfd /binutils_gdb/binutils/./objdump.c:3783 #12 0x4f6c61 in display_file /binutils_gdb/binutils/./objdump.c:3804:3 #13 0x4f6c61 in main /binutils_gdb/binutils/./objdump.c:4106 #14 0x7fe049d8b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #15 0x4194d8 in _start (/binutils_gdb/build/bin/objdump+0x4194d8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /binutils_gdb/bfd/reloc.c:557:14 in read_reloc ==17439==ABORTING Aborted
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0930cb3021b8078b34cf216e79eb8608d017864f commit 0930cb3021b8078b34cf216e79eb8608d017864f Author: Alan Modra <amodra@gmail.com> Date: Sat Oct 13 22:03:02 2018 +1030 _bfd_clear_contents bounds checking This PR shows a fuzzed binary triggering a segfault via a bad relocation in .debug_line. It turns out that unlike normal relocations applied to a section, the linker applies those with symbols from discarded sections via _bfd_clear_contents without checking that the relocation is within the section bounds. The same thing now happens when reading debug sections since commit a4cd947aca23, the PR23425 fix. PR 23770 PR 23425 * reloc.c (_bfd_clear_contents): Replace "location" param with "buf" and "off". Bounds check "off". Return status. * cofflink.c (_bfd_coff_generic_relocate_section): Update _bfd_clear_contents call. * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise. * elf32-arc.c (elf_arc_relocate_section): Likewise. * elf32-i386.c (elf_i386_relocate_section): Likewise. * elf32-metag.c (metag_final_link_relocate): Likewise. * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise. * elf32-ppc.c (ppc_elf_relocate_section): Likewise. * elf32-visium.c (visium_elf_relocate_section): Likewise. * elf64-ppc.c (ppc64_elf_relocate_section): Likewise. * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise. * libbfd-in.h (_bfd_clear_contents): Update prototype. * libbfd.h: Regenerate.
Fixed
Thanks for paying attention to this problem and fixing it in time. This issue was raised by NTU Cyber-Security-Lab, for fuzzing research work.
What the version in which this fix is promoted?
(In reply to tanaya patil from comment #4) > What the version in which this fix is promoted? https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0930cb3021b8078b34cf216e79eb8608d017864f