Created attachment 11655
Example of binary file that triggers the crash, simply run it as objdump -x c01

Hello. I was doing some testing with fuzzing when I realised that the fuzzer was finding some segmentation faults with some entries. I attach one example. I have run it on objdump 2.32. To reproduce it just run objdump -x c01

Doing a little bit of backtracing I found all of the problems reside in the code trying to read the pdata section. The backtrace is as follows:

#0  0x0000555555738348 in bfd_getl32 (p=0x555582ee3b7c) at libbfd.c:699
#1  0x00005555559761f6 in pex64_get_runtime_function (abfd=0x555555bca630, data=0x555582ee3b7c, rf=<synthetic pointer>) at pei-x86_64.c:94
#2  pex64_bfd_print_pdata_section (abfd=0x555555bca630, vfile=0x7ffff7f76760 <_IO_2_1_stdout_>, pdata_section=0x555555bcbba0) at pei-x86_64.c:730
#3  0x0000555555991a34 in _bfd_pex64_print_private_bfd_data_common (abfd=0x555555bca630, vfile=0x7ffff7f76760 <_IO_2_1_stdout_>) at pex64igen.c:2911
#4  0x000055555596a081 in pe_print_private_bfd_data (abfd=<optimized out>, vfile=<optimized out>) at peicode.h:336
#5  0x00005555555c67d5 in dump_bfd_private_header (abfd=0x555555bca630) at ./objdump.c:3782
#6  dump_bfd (abfd=0x555555bca630) at ./objdump.c:3782
#7  0x00005555555c8688 in display_object_bfd (abfd=0x555555bca630) at ./objdump.c:3883
#8  display_any_bfd (file=0x555555bca630, level=0x0) at ./objdump.c:3973
#9  0x00005555555b5ad9 in display_file (last_file=0x1, target=0x0, filename=0x7fffffffe299 "crashes/c01") at ./objdump.c:3994
#10 display_file (last_file=0x1, target=<optimized out>, filename=0x7fffffffe299 "crashes/c01") at ./objdump.c:3977
#11 main (argc=<optimized out>, argc@entry=0x3, argv=<optimized out>, argv@entry=0x7fffffffdef8) at ./objdump.c:4304
#12 0x00007ffff7dde09b in __libc_start_main (main=0x5555555b49e0 <main>, argc=0x3, argv=0x7fffffffdef8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdee8) at ../csu/libc-start.c:308
#13 0x00005555555b63aa in _start () at ./objdump.c:4083

Taking a closer look at the code it seems like the pdata section is not well mapped, as the filepos field of the pdata_section struct doesn't match the beginning byte of the section. Therefore the variables altent and pdata_vma don't make sense, so when performing, at line 731 of bfd/pei-x86_64.c:

pex64_get_runtime_function (abfd, &arf, &pdata[altent - pdata_vma]);

it produces a segmentation fault. I am pretty positive it is because it goes out of bounds, or the value of altent - pdata_vma doesn't make sense. Please keep in mind that the input is wrongly formatted as it's the result of fuzzing. I am pretty new to all of this so please feel totally free to correct me if I am wrong. I will try to dig deeper trying to find the source of the bug; if anyone could help I would greatly appreciate it.
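The report above boils down to indexing a section buffer with an offset (altent - pdata_vma) computed from untrusted file contents. The following is an added illustration of the kind of range check that prevents that read from leaving the buffer; it is not binutils code and not the pr24235 patch, and the sample .pdata bytes and VMA are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* A PE x86-64 .pdata entry (RUNTIME_FUNCTION) is three little-endian 32-bit fields. */
#define RUNTIME_FUNCTION_SIZE 12

struct runtime_function { uint32_t begin_addr, end_addr, unwind_data; };

static uint32_t getl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the entry at virtual address 'altent' from a .pdata buffer of 'datasize'
   bytes mapped at 'pdata_vma'. Returns false instead of touching memory when the
   address taken from the file does not leave a whole entry inside the buffer. */
bool read_runtime_function(const uint8_t *pdata, size_t datasize, uint64_t pdata_vma,
                           uint64_t altent, struct runtime_function *rf)
{
    if (altent < pdata_vma)                    /* unsigned subtraction would wrap */
        return false;
    uint64_t off = altent - pdata_vma;
    if (off > datasize || datasize - off < RUNTIME_FUNCTION_SIZE)
        return false;                          /* entry would run past the end */
    rf->begin_addr  = getl32(pdata + off);
    rf->end_addr    = getl32(pdata + off + 4);
    rf->unwind_data = getl32(pdata + off + 8);
    return true;
}

/* Constructed sample (not the attached c01): two entries mapped at VMA 0x3000. */
#define SAMPLE_VMA 0x3000u
static const uint8_t sample_pdata[] = {
    0x00,0x10,0x00,0x00, 0x40,0x10,0x00,0x00, 0x00,0x20,0x00,0x00, /* 0x1000..0x1040 */
    0x50,0x10,0x00,0x00, 0x90,0x10,0x00,0x00, 0x0c,0x20,0x00,0x00, /* 0x1050..0x1090 */
};

/* BeginAddress of the entry at 'altent' in the sample, or -1 if out of range. */
long long sample_begin_addr(uint64_t altent)
{
    struct runtime_function rf;
    if (!read_runtime_function(sample_pdata, sizeof sample_pdata, SAMPLE_VMA, altent, &rf))
        return -1;
    return rf.begin_addr;
}

int main(void)
{
    printf("0x300c -> %lld, 0x3010 -> %lld\n", sample_begin_addr(0x300c), sample_begin_addr(0x3010));
    return 0;
}
```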
Fixed by the patch for pr24235

*** This bug has been marked as a duplicate of bug 24235 ***