Bug 24278 - pdata section wrong filepos - segmentation fault
Summary: pdata section wrong filepos - segmentation fault
Status: RESOLVED DUPLICATE of bug 24235
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.32
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2019-02-27 17:38 UTC by Jorge P.
Modified: 2019-03-01 04:11 UTC

See Also:
Last reconfirmed:

Example of binary file that triggers the crash, simply run it as objdump -x c01 (3.48 KB, application/x-ms-dos-executable)
2019-02-27 17:38 UTC, Jorge P.

Description Jorge P. 2019-02-27 17:38:07 UTC
Created attachment 11655
Example of binary file that triggers the crash, simply run it as objdump -x c01


I was doing some testing with fuzzing when I realised that the fuzzer was finding some segmentation faults with some entries.

I attach one example.
I have run it on objdump 2.32. To reproduce it, just run objdump -x c01

Doing a little bit of backtracing, I found all of the problems reside in trying to read the pdata section.

The backtrace is as follows:
#0  0x0000555555738348 in bfd_getl32 (p=0x555582ee3b7c) at libbfd.c:699
#1  0x00005555559761f6 in pex64_get_runtime_function (abfd=0x555555bca630, data=0x555582ee3b7c, rf=<synthetic pointer>) at pei-x86_64.c:94
#2  pex64_bfd_print_pdata_section (abfd=0x555555bca630, vfile=0x7ffff7f76760 <_IO_2_1_stdout_>, pdata_section=0x555555bcbba0) at pei-x86_64.c:730
#3  0x0000555555991a34 in _bfd_pex64_print_private_bfd_data_common (abfd=0x555555bca630, vfile=0x7ffff7f76760 <_IO_2_1_stdout_>) at pex64igen.c:2911
#4  0x000055555596a081 in pe_print_private_bfd_data (abfd=<optimized out>, vfile=<optimized out>) at peicode.h:336
#5  0x00005555555c67d5 in dump_bfd_private_header (abfd=0x555555bca630) at ./objdump.c:3782
#6  dump_bfd (abfd=0x555555bca630) at ./objdump.c:3782
#7  0x00005555555c8688 in display_object_bfd (abfd=0x555555bca630) at ./objdump.c:3883
#8  display_any_bfd (file=0x555555bca630, level=0x0) at ./objdump.c:3973
#9  0x00005555555b5ad9 in display_file (last_file=0x1, target=0x0, filename=0x7fffffffe299 "crashes/c01") at ./objdump.c:3994
#10 display_file (last_file=0x1, target=<optimized out>, filename=0x7fffffffe299 "crashes/c01") at ./objdump.c:3977
#11 main (argc=<optimized out>, argc@entry=0x3, argv=<optimized out>, argv@entry=0x7fffffffdef8) at ./objdump.c:4304
#12 0x00007ffff7dde09b in __libc_start_main (main=0x5555555b49e0 <main>, argc=0x3, argv=0x7fffffffdef8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdee8) at ../csu/libc-start.c:308
#13 0x00005555555b63aa in _start () at ./objdump.c:4083

Taking a closer look at the code, it seems like the pdata section is not well mapped, as the filepos field of the pdata_section struct doesn't match the beginning byte of the section. Therefore the variables altent and pdata_vma don't make sense, so when performing, at line 731 of bfd/pei-x86_64.c:
 pex64_get_runtime_function (abfd, &arf, &pdata[altent - pdata_vma]);

it produces a segmentation fault. I am pretty positive it is because it goes out of bounds or the value of altent - pdata_vma doesn't make sense.

Please keep in mind that the input is wrongly formatted, as it's the result of fuzzing.

I am pretty new to all of this, so please feel totally free to correct me if I am wrong. I will try to dig deeper trying to find the source of the bug; if anyone could help I would greatly appreciate it.
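As an added illustration (not binutils source and not the actual patch for pr24235), the following C shows what a bounds-checked lookup of a .pdata RUNTIME_FUNCTION entry by VMA looks like, i.e. the check that the unchecked index altent - pdata_vma in the report lacks. The struct and function names, and the 24-byte sample section mapped at 0x4000, are constructed for this example.

```c
#include <stdint.h>

/* One x86-64 .pdata entry (RUNTIME_FUNCTION): three little-endian 32-bit RVAs. */
#define PDATA_ENTRY_SIZE 12
struct runtime_function { uint32_t begin_addr, end_addr, unwind_data; };

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the entry whose VMA is 'altent' from the section buffer, but only after
   checking that altent - pdata_vma (the index the report shows being used
   unchecked) lies inside the buffer. Returns 1 on success, 0 if rejected. */
int read_runtime_function_checked(const uint8_t *pdata, uint64_t pdata_size,
                                  uint64_t pdata_vma, uint64_t altent,
                                  struct runtime_function *rf)
{
    uint64_t off;
    if (altent < pdata_vma)          /* subtraction would wrap to a huge index */
        return 0;
    off = altent - pdata_vma;
    if (off > pdata_size || pdata_size - off < PDATA_ENTRY_SIZE)
        return 0;                    /* entry would run past the section end */
    rf->begin_addr  = get_le32(pdata + off);
    rf->end_addr    = get_le32(pdata + off + 4);
    rf->unwind_data = get_le32(pdata + off + 8);
    return 1;
}

/* Constructed sample: a 24-byte .pdata holding two entries, mapped at VMA 0x4000. */
static const uint8_t sample_pdata[24] = {
    0x00, 0x10, 0x00, 0x00,  0x40, 0x10, 0x00, 0x00,  0x00, 0x30, 0x00, 0x00,
    0x40, 0x10, 0x00, 0x00,  0x80, 0x10, 0x00, 0x00,  0x0c, 0x30, 0x00, 0x00,
};
#define SAMPLE_VMA    0x4000ULL
#define LOOKUP_FAILED 0xFFFFFFFFu

/* BeginAddress of the entry at 'altent', or LOOKUP_FAILED when the bounds check
   rejects the address (where the unchecked index would read out of bounds). */
uint32_t sample_lookup_begin(uint64_t altent)
{
    struct runtime_function rf;
    if (!read_runtime_function_checked(sample_pdata, sizeof sample_pdata,
                                       SAMPLE_VMA, altent, &rf))
        return LOOKUP_FAILED;
    return rf.begin_addr;
}
```

Addresses below the section VMA, past its end, or leaving fewer than 12 bytes for the entry are all rejected instead of being turned into an out-of-range index.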
Comment 1 Alan Modra 2019-03-01 04:11:40 UTC
Fixed by the patch for pr24235

*** This bug has been marked as a duplicate of bug 24235 ***