Created attachment 11655
Example of a binary file that triggers the crash; simply run it as objdump -x c01
I was doing some testing with fuzzing when I realised that the fuzzer was finding some segmentation faults with some entries.
I attach one example.
I have run it on objdump 2.32. To reproduce it, just run objdump -x c01
Doing a little bit of backtracing, I found all of the problems reside in the attempt to read the pdata section.
The backtrace is as follows:
#0 0x0000555555738348 in bfd_getl32 (p=0x555582ee3b7c) at libbfd.c:699
#1 0x00005555559761f6 in pex64_get_runtime_function (abfd=0x555555bca630, data=0x555582ee3b7c, rf=<synthetic pointer>) at pei-x86_64.c:94
#2 pex64_bfd_print_pdata_section (abfd=0x555555bca630, vfile=0x7ffff7f76760 <_IO_2_1_stdout_>, pdata_section=0x555555bcbba0) at pei-x86_64.c:730
#3 0x0000555555991a34 in _bfd_pex64_print_private_bfd_data_common (abfd=0x555555bca630, vfile=0x7ffff7f76760 <_IO_2_1_stdout_>) at pex64igen.c:2911
#4 0x000055555596a081 in pe_print_private_bfd_data (abfd=<optimized out>, vfile=<optimized out>) at peicode.h:336
#5 0x00005555555c67d5 in dump_bfd_private_header (abfd=0x555555bca630) at ./objdump.c:3782
#6 dump_bfd (abfd=0x555555bca630) at ./objdump.c:3782
#7 0x00005555555c8688 in display_object_bfd (abfd=0x555555bca630) at ./objdump.c:3883
#8 display_any_bfd (file=0x555555bca630, level=0x0) at ./objdump.c:3973
#9 0x00005555555b5ad9 in display_file (last_file=0x1, target=0x0, filename=0x7fffffffe299 "crashes/c01") at ./objdump.c:3994
#10 display_file (last_file=0x1, target=<optimized out>, filename=0x7fffffffe299 "crashes/c01") at ./objdump.c:3977
#11 main (argc=<optimized out>, argc@entry=0x3, argv=<optimized out>, argv@entry=0x7fffffffdef8) at ./objdump.c:4304
#12 0x00007ffff7dde09b in __libc_start_main (main=0x5555555b49e0 <main>, argc=0x3, argv=0x7fffffffdef8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdee8) at ../csu/libc-start.c:308
#13 0x00005555555b63aa in _start () at ./objdump.c:4083
Taking a closer look at the code, it seems like the pdata section is not well mapped, as the filepos field of the pdata_section struct doesn't match the beginning byte of the section. Therefore the variables altent and pdata_vma don't make sense, so when performing, at line 731 of bfd/pei-x86_64.c:
pex64_get_runtime_function (abfd, &arf, &pdata[altent - pdata_vma]);
it produces a segmentation fault. I'm pretty positive it is because it goes out of bounds or the value of altent - pdata_vma doesn't make sense.
Please keep in mind that the input is wrongly formatted, as it's the result of fuzzing.
I am pretty new to all of this, so please feel totally free to correct me if I am wrong. I will try to dig deeper trying to find the source of the bug; if anyone could help I would greatly appreciate it.
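As an added illustration (not binutils code and not the actual fix), the following shows the check a .pdata reader wants before indexing pdata[altent - pdata_vma]: the 12-byte RUNTIME_FUNCTION record must lie entirely inside the bytes actually loaded for the section. getl32, read_runtime_function_checked, demo and the sample bytes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for bfd_getl32: little-endian 32-bit read. */
uint32_t getl32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The three RVAs of an x86-64 PE RUNTIME_FUNCTION entry (12 bytes in .pdata). */
struct runtime_function { uint32_t rva_begin, rva_end, rva_unwind; };
#define RUNTIME_FUNCTION_SIZE 12

/* Read the entry at virtual address altent, but only if the whole record lies
   inside [pdata_vma, pdata_vma + pdata_size). Returns false instead of reading
   out of bounds when a corrupted header makes altent or pdata_vma nonsensical. */
bool read_runtime_function_checked(const unsigned char *pdata, size_t pdata_size,
                                   uint64_t pdata_vma, uint64_t altent,
                                   struct runtime_function *rf)
{
    if (altent < pdata_vma)
        return false;                       /* index would be before the buffer */
    uint64_t off = altent - pdata_vma;
    if (off > pdata_size || pdata_size - off < RUNTIME_FUNCTION_SIZE)
        return false;                       /* record would run past the end (no overflow) */
    rf->rva_begin  = getl32(pdata + off);
    rf->rva_end    = getl32(pdata + off + 4);
    rf->rva_unwind = getl32(pdata + off + 8);
    return true;
}

/* Constructed sample .pdata: two entries (24 bytes), mapped at vma 0x3000. */
const unsigned char sample_pdata[24] = {
    0x00,0x10,0x00,0x00, 0x40,0x10,0x00,0x00, 0x00,0x20,0x00,0x00,
    0x50,0x10,0x00,0x00, 0x90,0x10,0x00,0x00, 0x0c,0x20,0x00,0x00,
};
#define SAMPLE_VMA 0x3000ULL

/* Returns 0 when the in-bounds entry reads correctly and both bad offsets are rejected. */
int demo(void)
{
    struct runtime_function rf;
    if (!read_runtime_function_checked(sample_pdata, sizeof sample_pdata, SAMPLE_VMA, SAMPLE_VMA + 12, &rf)) return 1;
    if (rf.rva_begin != 0x1050 || rf.rva_end != 0x1090 || rf.rva_unwind != 0x200c) return 2;
    if (read_runtime_function_checked(sample_pdata, sizeof sample_pdata, SAMPLE_VMA, SAMPLE_VMA - 4, &rf)) return 3;
    if (read_runtime_function_checked(sample_pdata, sizeof sample_pdata, SAMPLE_VMA, SAMPLE_VMA + 16, &rf)) return 4;
    return 0;
}
```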
Fixed by the patch for pr24235
*** This bug has been marked as a duplicate of bug 24235 ***