Bug 25070 - SEGV in function _bfd_dwarf2_find_nearest_line
Summary: SEGV in function _bfd_dwarf2_find_nearest_line
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.34
Importance: P2 normal
Target Milestone: 2.34
Assignee: Alan Modra
Duplicates: 25072 25073
Reported: 2019-10-07 16:33 UTC by zjuchenyuan
Modified: 2019-10-24 09:45 UTC (History)
Last reconfirmed: 2019-10-09 00:00:00


Attachments
poc file (11.00 KB, application/x-executable)
2019-10-07 16:33 UTC, zjuchenyuan

Description zjuchenyuan 2019-10-07 16:33:50 UTC
Created attachment 12025
poc file

I'm using the latest binutils-gdb to fuzz, and found some crashes.

git version: 816228ed09dc867fa16dc5458277d649885d98fe

```
# ./nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (2aaaabac4ec1) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (ffffd5555453b140) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: unknown type [0xff000001] section `.debug_aranges'
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (2aaaabac4ec1) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (ffffd5555453b140) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: warning: sh_link not set for section `.debug_aranges'
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: version count (11) does not match symbol count (16)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
ASAN:SIGSEGV
=================================================================
==45359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000007200 (pc 0x0000006aa438 bp 0x0ffffffffb7e sp 0x7fffffffdb50 T0)
    #0 0x6aa437 in _bfd_dwarf2_find_nearest_line dwarf2.c:4724
    #1 0x5862a1 in _bfd_elf_find_nearest_line /d/prog/binutils-gdb/bfd/elf.c:9005
    #2 0x40da6e in print_symbol /d/prog/binutils-gdb/binutils/nm.c:1008
    #3 0x40ed78 in print_symbols /d/prog/binutils-gdb/binutils/nm.c:1088
    #4 0x40ed78 in display_rel_file /d/prog/binutils-gdb/binutils/nm.c:1210
    #5 0x4119f5 in display_file /d/prog/binutils-gdb/binutils/nm.c:1377
    #6 0x407bc7 in main /d/prog/binutils-gdb/binutils/nm.c:1858
    #7 0x7ffff6679b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x409958 in _start (/d/p/aflasan/binutils-latest/nm-new+0x409958)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dwarf2.c:4724 _bfd_dwarf2_find_nearest_line
==45359==ABORTING
```

A reproducible Docker image has been pushed to `zjuchenyuan/dockerized_poc:binutils-pocs`

Dockerfile:

```
FROM zjuchenyuan/afl
ENV AFL_USE_ASAN=1
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done  &&\
    cd binutils  &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt

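# printf instead of "echo -e": RUN uses /bin/sh, whose echo may write a literal "-e" into .gdbinit
RUN apt install -y gdb &&\
    printf 'set pagination off\nset confirm off\n' > /root/.gdbinit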

ADD . /
RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line || exit 0
```
Comment 1 Alan Modra 2019-10-09 01:02:13 UTC
*** Bug 25072 has been marked as a duplicate of this bug. ***
Comment 2 Alan Modra 2019-10-09 01:06:52 UTC
*** Bug 25073 has been marked as a duplicate of this bug. ***
Comment 3 Sourceware Commits 2019-10-09 04:32:08 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848f4b9558456fdcf283ee8a32d7fd1

commit 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Oct 9 10:47:13 2019 +1030

    PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
    
    Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
    and ffffd5555453b140 result in a total size of 1.  Reading the first
    section of course overflows the buffer and tramples on other memory.
    
    	PR 25070
    	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
    	total_size calculation.
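
The wraparound described in the commit message above, as an added example (it is not the binutils patch and not code from this report): summing the two quoted section sizes in 64 bits yields 1, and a checked sum rejects the input instead. The function names are hypothetical, and the file-size bound of 11264 bytes is an assumption taken from the 11.00 KB attachment listing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The two debug-info section sizes quoted in the commit message. */
static const uint64_t poc_sizes[] = {
  UINT64_C(0x2aaaabac4ec1), UINT64_C(0xffffd5555453b140)
};

/* Naive total: wraps modulo 2^64, so the buffer ends up far too small. */
uint64_t total_size_unchecked(const uint64_t *sizes, size_t n)
{
  uint64_t total = 0;
  for (size_t i = 0; i < n; i++)
    total += sizes[i];
  return total;
}

/* Checked total: fails on wraparound and, as an extra bound assumed here,
   when the running total exceeds the size of the file being read. */
bool total_size_checked(const uint64_t *sizes, size_t n,
                        uint64_t file_size, uint64_t *out)
{
  uint64_t total = 0;
  for (size_t i = 0; i < n; i++) {
    if (sizes[i] > UINT64_MAX - total)   /* sum would wrap */
      return false;
    total += sizes[i];
    if (total > file_size)               /* cannot fit in the file */
      return false;
  }
  *out = total;
  return true;
}

int main(void)
{
  uint64_t total = 0;
  printf("unchecked total: %llu\n",
         (unsigned long long) total_size_unchecked(poc_sizes, 2));
  printf("checked sum accepted: %d\n",
         total_size_checked(poc_sizes, 2, 11264, &total));
  return 0;
}
```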
Comment 4 Alan Modra 2019-10-09 04:38:18 UTC
Fixed.
Comment 5 Trupti Pardeshi 2019-10-23 11:35:10 UTC
Hello,

May I know if Binutils-2.31 is also affected and requires this fix? Any heads up will be appreciated.

Thank you in advance.

Best Regards,
Comment 6 Nick Clifton 2019-10-24 09:17:31 UTC
(In reply to Trupti Pardeshi from comment #5)
Hi Trupti,

> May I know if Binutils-2.31 is also affected and requires this fix? Any
> heads up will be appreciated.

Yes.  The 2.32 and 2.33 releases (and branches) are also vulnerable to 
this problem.  Only the mainline development sources are currently fixed.

Cheers
  Nick
Comment 7 Trupti Pardeshi 2019-10-24 09:45:49 UTC
(In reply to Nick Clifton from comment #6)
> (In reply to Trupti Pardeshi from comment #5)
> Hi Trupti,
> 
> > May I know if Binutils-2.31 is also affected and requires this fix? Any
> > heads up will be appreciated.
> 
> Yes.  The 2.32 and 2.33 releases (and branches) are also vulnerable to 
> this problem.  Only the mainline development sources are currently fixed.
> 
> Cheers
>   Nick

Thank you so much Nick for the clarification. Appreciate your reply for mentioning 2.33 version as well. Thanks.