Created attachment 12472
PoC

Hi,

A null pointer dereference was discovered in objdump (the latest commit 8e4979a) in debug_get_real_type(), that can cause a denial of service via a crafted file.

To reproduce:

objdump -g PoC

ASAN says:

==6516==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000462b53 bp 0x7ffc368a4570 sp 0x7ffc368a44c0 T0)
    #0 0x462b52 in debug_get_real_type ../../binutils/debug.c:2038
    #1 0x46bc41 in debug_class_type_samep ../../binutils/debug.c:3280
    #2 0x469b12 in debug_type_samep ../../binutils/debug.c:3088
    #3 0x468dac in debug_set_class_id ../../binutils/debug.c:2970
    #4 0x465370 in debug_write_type ../../binutils/debug.c:2505
    #5 0x465c7e in debug_write_type ../../binutils/debug.c:2554
    #6 0x4658d3 in debug_write_type ../../binutils/debug.c:2536
    #7 0x465c7e in debug_write_type ../../binutils/debug.c:2554
    #8 0x466b3d in debug_write_type ../../binutils/debug.c:2649
    #9 0x46424d in debug_write_name ../../binutils/debug.c:2378
    #10 0x463feb in debug_write ../../binutils/debug.c:2350
    #11 0x452a41 in print_debugging_info ../../binutils/prdbg.c:319
    #12 0x4184ce in dump_bfd ../../binutils/objdump.c:4897
    #13 0x418701 in display_object_bfd ../../binutils/objdump.c:4950
    #14 0x418a09 in display_any_bfd ../../binutils/objdump.c:5040
    #15 0x418a7e in display_file ../../binutils/objdump.c:5061
    #16 0x419d4c in main ../../binutils/objdump.c:5407
    #17 0x7fa59a0c182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x403418 in _start (/home/dungnguyen/PoCs/binutils_f717994/objdump-asan+0x403418)

Thanks,
Manh Dung
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca3f923f82a079dcf441419f4a50a50f8b4b33c2

commit ca3f923f82a079dcf441419f4a50a50f8b4b33c2
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Apr 17 10:38:16 2020 +0930

    PR25840, Null pointer dereference in objdump

    	PR 25840
    	* debug.c (debug_class_type_samep): Don't segfault on NULL type.
The bug is not in bfd or in any library shipped by binutils; it is limited to programs (objcopy, objdump, etc.). Hence, the crash is unlikely to result in a DoS unless a service invokes these commands and crashes if they don't succeed, in which case it is a flaw in the service and not binutils.
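As an added example (not code from this report or from binutils), the following Python wrapper shows the handling the previous comment asks of a service that shells out to objdump: a crash of the tool on a crafted input is reported as a failed result instead of taking the service down. The function name run_tool, the status values and the PYTHON constant are my own choices.

```python
import signal
import subprocess
import sys

# Interpreter path, used only by the usage examples below (assumption: a POSIX host).
PYTHON = sys.executable


def run_tool(argv, timeout=30):
    """Run an external binary-analysis tool (e.g. objdump -g FILE) as a child
    process and classify its fate instead of propagating a crash.

    Returns a dict whose 'status' is one of:
      'ok'      exit code 0, stdout in 'output'
      'failed'  non-zero exit code (tool rejected the input), code in 'returncode'
      'crashed' child killed by a signal, e.g. SIGSEGV for a NULL dereference
                like the one in debug_class_type_samep; signal name in 'signal'
      'timeout' child exceeded the time budget and was killed
      'missing' the tool binary could not be executed
    """
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return {"status": "missing", "output": b""}
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing is left running.
        return {"status": "timeout", "output": b""}

    rc = proc.returncode
    if rc == 0:
        return {"status": "ok", "output": proc.stdout}
    if rc < 0:
        # A negative return code means the child died from signal -rc.
        return {"status": "crashed", "signal": signal.Signals(-rc).name,
                "output": proc.stderr}
    return {"status": "failed", "returncode": rc, "output": proc.stderr}


if __name__ == "__main__":
    # Usage: python wrapper.py FILE  -- the service keeps running whatever objdump does.
    result = run_tool(["objdump", "-g", sys.argv[1]])
    print(result["status"], result.get("signal", result.get("returncode", "")))
```

A constructed child that kills itself with SIGSEGV stands in for a crashing objdump in the checks below, so the example needs no binutils install to demonstrate the classification.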