Bug 25070 - SEGV in function _bfd_dwarf2_find_nearest_line
Summary: SEGV in function _bfd_dwarf2_find_nearest_line
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.34 (HEAD)
: P2 normal
Target Milestone: 2.34
Assignee: Alan Modra
URL:
Keywords:
: 25072 25073 (view as bug list)
Depends on:
Blocks:
 
Reported: 2019-10-07 16:33 UTC by zjuchenyuan
Modified: 2019-10-24 09:45 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2019-10-09 00:00:00


Attachments
poc file (11.00 KB, application/x-executable)
2019-10-07 16:33 UTC, zjuchenyuan
Details

Note You need to log in before you can comment on or make changes to this bug.
Description zjuchenyuan 2019-10-07 16:33:50 UTC
Created attachment 12025 [details]
poc file

I'm using latest binutils-gdb to fuzz, and find some crashes.

git version: 816228ed09dc867fa16dc5458277d649885d98fe

```
# ./nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (2aaaabac4ec1) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (ffffd5555453b140) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: unknown type [0xff000001] section `.debug_aranges'
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (2aaaabac4ec1) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (ffffd5555453b140) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: warning: sh_link not set for section `.debug_aranges'
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: version count (11) does not match symbol count (16)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
ASAN:SIGSEGV
=================================================================
==45359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000007200 (pc 0x0000006aa438 bp 0x0ffffffffb7e sp 0x7fffffffdb50 T0)
    #0 0x6aa437 in _bfd_dwarf2_find_nearest_line dwarf2.c:4724
    #1 0x5862a1 in _bfd_elf_find_nearest_line /d/prog/binutils-gdb/bfd/elf.c:9005
    #2 0x40da6e in print_symbol /d/prog/binutils-gdb/binutils/nm.c:1008
    #3 0x40ed78 in print_symbols /d/prog/binutils-gdb/binutils/nm.c:1088
    #4 0x40ed78 in display_rel_file /d/prog/binutils-gdb/binutils/nm.c:1210
    #5 0x4119f5 in display_file /d/prog/binutils-gdb/binutils/nm.c:1377
    #6 0x407bc7 in main /d/prog/binutils-gdb/binutils/nm.c:1858
    #7 0x7ffff6679b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x409958 in _start (/d/p/aflasan/binutils-latest/nm-new+0x409958)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dwarf2.c:4724 _bfd_dwarf2_find_nearest_line
==45359==ABORTING
```

Reproducible docker image has been pushed to `zjuchenyuan/dockerized_poc:binutils-pocs`

Dockerfile:

```
FROM zjuchenyuan/afl
ENV AFL_USE_ASAN=1
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done  &&\
    cd binutils  &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt

RUN apt install -y gdb &&\
    echo -e "set pagination off\nset confirm off" > /root/.gdbinit

ADD . /
RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line || exit 0
```
Comment 1 Alan Modra 2019-10-09 01:02:13 UTC
*** Bug 25072 has been marked as a duplicate of this bug. ***
Comment 2 Alan Modra 2019-10-09 01:06:52 UTC
*** Bug 25073 has been marked as a duplicate of this bug. ***
Comment 3 cvs-commit@gcc.gnu.org 2019-10-09 04:32:08 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848f4b9558456fdcf283ee8a32d7fd1

commit 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Oct 9 10:47:13 2019 +1030

    PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
    
    Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
    and ffffd5555453b140 result in a total size of 1.  Reading the first
    section of course overflows the buffer and tramples on other memory.
    
    	PR 25070
    	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
    	total_size calculation.
Comment 4 Alan Modra 2019-10-09 04:38:18 UTC
Fixed.
Comment 5 Trupti Pardeshi 2019-10-23 11:35:10 UTC
Hello,

May I know if Binutils-2.31 is also affected and requires this fix? Any heads up will be appreciated.

Thank you in advance.

Best Regards,
Comment 6 Nick Clifton 2019-10-24 09:17:31 UTC
(In reply to Trupti Pardeshi from comment #5)
Hi Trupti,

> May I know if Binutils-2.31 is also affected and requires this fix? Any
> heads up will be appreciated.

Yes.  The 2.32 and 2.33 releases (and branches) are also vulnerable to 
this problem.  Only the mainline development sources are currently fixed.

Cheers
  Nick
Comment 7 Trupti Pardeshi 2019-10-24 09:45:49 UTC
(In reply to Nick Clifton from comment #6)
> (In reply to Trupti Pardeshi from comment #5)
> Hi Trupti,
> 
> > May I know if Binutils-2.31 is also affected and requires this fix? Any
> > heads up will be appreciated.
> 
> Yes.  The 2.32 and 2.33 releases (and branches) are also vulnerable to 
> this problem.  Only the mainline development sources are currently fixed.
> 
> Cheers
>   Nick

Thank you so much Nick for the clarification. Appreciate your reply for mentioning 2.33 version as well. Thanks.