Bug 25840 - Null pointer dereference in objdump
Summary: Null pointer dereference in objdump
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.35
Importance: P2 normal
Target Milestone: 2.35
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-16 18:22 UTC by Manh-Dung Nguyen
Modified: 2021-01-06 05:50 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2020-04-17 00:00:00
siddhesh: security-


Attachments
PoC (339 bytes, application/x-ms-dos-executable)
2020-04-16 18:22 UTC, Manh-Dung Nguyen
Description Manh-Dung Nguyen 2020-04-16 18:22:19 UTC
Created attachment 12472
PoC

Hi,

A null pointer dereference was discovered in objdump (the latest commit 8e4979a) in debug_get_real_type(), which can cause a denial of service via a crafted file.

To reproduce: objdump -g PoC

ASAN says:
==6516==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000462b53 bp 0x7ffc368a4570 sp 0x7ffc368a44c0 T0)
    #0 0x462b52 in debug_get_real_type ../../binutils/debug.c:2038
    #1 0x46bc41 in debug_class_type_samep ../../binutils/debug.c:3280
    #2 0x469b12 in debug_type_samep ../../binutils/debug.c:3088
    #3 0x468dac in debug_set_class_id ../../binutils/debug.c:2970
    #4 0x465370 in debug_write_type ../../binutils/debug.c:2505
    #5 0x465c7e in debug_write_type ../../binutils/debug.c:2554
    #6 0x4658d3 in debug_write_type ../../binutils/debug.c:2536
    #7 0x465c7e in debug_write_type ../../binutils/debug.c:2554
    #8 0x466b3d in debug_write_type ../../binutils/debug.c:2649
    #9 0x46424d in debug_write_name ../../binutils/debug.c:2378
    #10 0x463feb in debug_write ../../binutils/debug.c:2350
    #11 0x452a41 in print_debugging_info ../../binutils/prdbg.c:319
    #12 0x4184ce in dump_bfd ../../binutils/objdump.c:4897
    #13 0x418701 in display_object_bfd ../../binutils/objdump.c:4950
    #14 0x418a09 in display_any_bfd ../../binutils/objdump.c:5040
    #15 0x418a7e in display_file ../../binutils/objdump.c:5061
    #16 0x419d4c in main ../../binutils/objdump.c:5407
    #17 0x7fa59a0c182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x403418 in _start (/home/dungnguyen/PoCs/binutils_f717994/objdump-asan+0x403418)

Thanks,
Manh Dung
Comment 1 Sourceware Commits 2020-04-17 01:30:15 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca3f923f82a079dcf441419f4a50a50f8b4b33c2

commit ca3f923f82a079dcf441419f4a50a50f8b4b33c2
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Apr 17 10:38:16 2020 +0930

    PR25840, Null pointer dereference in objdump
    
            PR 25840
            * debug.c (debug_class_type_samep): Don't segfault on NULL type.
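The fix above is a NULL guard in a recursive structural type comparison that walks debug information read from an untrusted object file. The following is an added illustration of that defensive pattern, written for this page and not taken from binutils: a hypothetical miniature type graph (`struct dtype`, `real_type`, `type_samep` are all invented names, not binutils' `debug_type` API) in which any link may be NULL because the input was crafted or truncated. The comparison resolves indirections and checks both sides for NULL before any dereference, and it carries a depth limit so a cyclic type chain cannot recurse without bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical miniature of a debug-type graph (not binutils' struct
   debug_type).  A type is an int, a pointer to another type, an indirect
   slot that resolves to another type, or a class with named fields.  Any
   link may be NULL when the debug info in the input file is malformed. */
enum kind { K_INT, K_POINTER, K_INDIRECT, K_CLASS };

struct dtype;

struct field {
  const char *name;
  struct dtype *type;      /* may be NULL for a crafted or truncated record */
};

struct dtype {
  enum kind kind;
  const char *name;
  struct dtype *target;    /* K_POINTER / K_INDIRECT: the referenced type */
  struct field *fields;    /* K_CLASS only */
  size_t nfields;
};

#define MAX_DEPTH 64

/* Resolve K_INDIRECT links to the underlying type.  Returns NULL instead of
   dereferencing a NULL link; the depth limit stops a cyclic chain. */
static struct dtype *real_type(struct dtype *t)
{
  for (int depth = 0; t != NULL && t->kind == K_INDIRECT; depth++) {
    if (depth > MAX_DEPTH)
      return NULL;
    t = t->target;
  }
  return t;
}

/* Structural comparison.  NULL on either side is decided before any field
   access: two missing types compare equal, one missing type does not. */
static bool samep_at(struct dtype *a, struct dtype *b, int depth)
{
  if (depth > MAX_DEPTH)
    return false;            /* refuse to follow a cyclic graph forever */
  a = real_type(a);
  b = real_type(b);
  if (a == NULL || b == NULL)
    return a == b;
  if (a == b)
    return true;
  if (a->kind != b->kind)
    return false;
  switch (a->kind) {
  case K_INT:
    return true;
  case K_POINTER:
    return samep_at(a->target, b->target, depth + 1);
  case K_CLASS:
    if (a->nfields != b->nfields)
      return false;
    for (size_t i = 0; i < a->nfields; i++) {
      const char *na = a->fields[i].name, *nb = b->fields[i].name;
      if ((na == NULL) != (nb == NULL) || (na != NULL && strcmp(na, nb) != 0))
        return false;
      if (!samep_at(a->fields[i].type, b->fields[i].type, depth + 1))
        return false;
    }
    return true;
  default:
    return false;
  }
}

bool type_samep(struct dtype *a, struct dtype *b)
{
  return samep_at(a, b, 0);
}

/* Constructed sample data: a well-formed class, the same class reached
   through an indirect slot, and a class whose field type is a NULL link. */
struct dtype int_t = { K_INT, "int", NULL, NULL, 0 };
struct dtype ind_t = { K_INDIRECT, NULL, &int_t, NULL, 0 };
struct field good_fields[] = { { "x", &int_t } };
struct field ind_fields[]  = { { "x", &ind_t } };
struct field bad_fields[]  = { { "x", NULL } };
struct dtype good_class = { K_CLASS, "S", NULL, good_fields, 1 };
struct dtype ind_class  = { K_CLASS, "S", NULL, ind_fields, 1 };
struct dtype bad_class  = { K_CLASS, "S", NULL, bad_fields, 1 };

int main(void)
{
  printf("good vs indirect: %d\n", type_samep(&good_class, &ind_class));
  printf("good vs NULL-link: %d\n", type_samep(&good_class, &bad_class));
  printf("NULL-link vs itself: %d\n", type_samep(&bad_class, &bad_class));
  return 0;
}
```

The point of the example is where the check sits: every path that reaches a member of `a` or `b` passes the NULL test first, so a record whose type link was never filled in compares as "different" rather than crashing the tool that reads it.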
Comment 2 Alan Modra 2020-04-17 02:00:19 UTC
.
Comment 3 Siddhesh Poyarekar 2021-01-06 05:50:29 UTC
The bug is not in bfd or in any library shipped by binutils; it is limited to programs (objcopy, objdump, etc.).

Hence, the crash is unlikely to result in a DoS unless a service invokes these commands and crashes if they don't succeed, in which case it is a flaw in the service and not binutils.