Created attachment 11687 [details]
objdump -g  heap overflow

I use 32bit objdump which build by commit-4faa59bb.

./objdump -g poc

The part of crash output show as follow.

*** Error in `../../binutils-gdb/binutils/objdump': malloc(): memory corruption (fast): 0x09846880 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xf7dce377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xf7dd42f7]
/lib/i386-linux-gnu/libc.so.6(+0x6f7cc)[0xf7dd67cc]
/lib/i386-linux-gnu/libc.so.6(__libc_malloc+0xc5)[0xf7dd7fc5]
/lib/i386-linux-gnu/libc.so.6(+0x29171)[0xf7d90171]
/lib/i386-linux-gnu/libc.so.6(+0x270a2)[0xf7d8e0a2]
/lib/i386-linux-gnu/libc.so.6(+0x26a20)[0xf7d8da20]
/lib/i386-linux-gnu/libc.so.6(dcgettext+0x26)[0xf7d8c8b6]
/lib/i386-linux-gnu/libc.so.6(gettext+0x10)[0xf7d8c8f0]
../../binutils-gdb/binutils/objdump[0x804f259]
../../binutils-gdb/binutils/objdump[0x804f6fe]
../../binutils-gdb/binutils/objdump[0x80a6f34]
../../binutils-gdb/binutils/objdump[0x804f869]
../../binutils-gdb/binutils/objdump[0x8051b10]
../../binutils-gdb/binutils/objdump[0x8051bfd]
../../binutils-gdb/binutils/objdump[0x8051e6d]
../../binutils-gdb/binutils/objdump[0x8051eda]
../../binutils-gdb/binutils/objdump[0x8052847]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xf7d7f637]
../../binutils-gdb/binutils/objdump[0x8049af1]
======= Memory map: ========

gdb output:
gef➤  bt
#0  0xf7fd7dc9 in __kernel_vsyscall ()
#1  0xf7e1dea9 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7e1f407 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xf7e5937c in ?? () from /lib/i386-linux-gnu/libc.so.6
#4  0xf7e5f2f7 in ?? () from /lib/i386-linux-gnu/libc.so.6
#5  0xf7e617cc in ?? () from /lib/i386-linux-gnu/libc.so.6
#6  0xf7e62fc5 in malloc () from /lib/i386-linux-gnu/libc.so.6
#7  0xf7e1b171 in ?? () from /lib/i386-linux-gnu/libc.so.6
#8  0xf7e190a2 in ?? () from /lib/i386-linux-gnu/libc.so.6
#9  0xf7e18a20 in ?? () from /lib/i386-linux-gnu/libc.so.6
#10 0xf7e178b6 in dcgettext () from /lib/i386-linux-gnu/libc.so.6
#11 0xf7e178f0 in gettext () from /lib/i386-linux-gnu/libc.so.6
#12 0x0804f259 in load_specific_debug_section (debug=eh_frame, sec=0x824c54c, file=0x824aa08) at ./objdump.c:2712
#13 0x0804f6fe in dump_dwarf_section (abfd=0x824aa08, section=0x824c54c, arg=0x0) at ./objdump.c:2888
#14 0x080a6f34 in bfd_map_over_sections (abfd=0x824aa08, operation=0x804f5fb <dump_dwarf_section>, user_storage=0x0) at section.c:1374
#15 0x0804f869 in dump_dwarf (abfd=0x824aa08) at ./objdump.c:2963
#16 0x08051b10 in dump_bfd (abfd=0x824aa08, is_mainfile=0x1) at ./objdump.c:3903
#17 0x08051bfd in display_object_bfd (abfd=0x824aa08) at ./objdump.c:3940
#18 0x08051e6d in display_any_bfd (file=0x824aa08, level=0x0) at ./objdump.c:4030
#19 0x08051eda in display_file (filename=0xffffd046 "crashes20190319/id:000006,sig:06,src:002800+001543,op:splice,rep:16", target=0x0, last_file=0x1) at ./objdump.c:4051
#20 0x08052847 in main (argc=0x3, argv=0xffffcde4) at ./objdump.c:4361




objdump.c --> load_specific_debug_section

>2696
  section->size = bfd_get_section_size (sec);
  amt = section->size + 1;
  if (amt == 0)
    {
      section->start = NULL;
      free_debug_section (debug);
      printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
	      sanitize_string (section->name),
	      (unsigned long long) section->size);
      return FALSE;
    }
  section->start = contents = malloc (amt);
  if (section->start == NULL
      || !bfd_get_full_section_contents (abfd, sec, &contents))
    {
      free_debug_section (debug);
      printf (_("\nCan't get contents for section '%s'.\n"),
	      sanitize_string (section->name));
      return FALSE;
    }

if section->size == 0xFFFFFFFF
amt = 0x100000000 
malloc(0)  // Integer overflow

Finally it will trigger heap overflow in bfd_get_full_section_contents.


I go back to the git log and find this bug is caused by commit-7a6e0d89. 
The commit cause PR24005 to reappear.

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=634557801d909982b47b1723f4216ebe8bc784aa

commit 634557801d909982b47b1723f4216ebe8bc784aa
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 19 13:39:30 2019 +0000

    Prevent an illegal memory access by objdump when parsing a corrupt file on a 32-bit host.
    
    	PR 24360
    	* objdump.c (load_specific_debug_section): Check that the amount
    	of memory to be allocated matches the size of the section.

Hi tfx,

  Thanks for reporting this problem.  I have checked in a new patch which
  tests to make sure that the amount being malloc'ed is non-zero, and that
  it matches the size of the section (plus one).

Cheers
  Nick