Bug 28540 - segmentation fault on NULL byte_get
Summary: segmentation fault on NULL byte_get
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.37
Importance: P2 normal
Target Milestone: 2.38
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-03 22:46 UTC by petryx78
Modified: 2021-11-04 03:55 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2021-11-04 00:00:00


Attachments
Crash File (461 bytes, text/x-matlab)
2021-11-03 22:46 UTC, petryx78

Description petryx78 2021-11-03 22:46:27 UTC
Created attachment 13755
Crash File

Hi binutils Team,


I was recently doing security tests with AFL-Fuzz, and I ended up discovering a buffer overflow in the binutils-2.37 package, more specifically in the objdump binary.

I already requested a CVE ID, but have not received it yet.


Reproduce:

$ binutils-2.37/binutils/objdump -D -T -x crash_2.37
[1]    8585 segmentation fault (core dumped)  binutils-2.37/binutils/objdump -D -T -x crash_2.37

Backtrace

#0  0x0000000000000000 in ?? ()
#1  0x000000000044c263 in parse_gnu_debuglink (section=section@entry=0xf65ac0 <debug_displays+4160>, data=data@entry=0x7fffffffdef0) at dwarf.c:10874
#2  0x00000000004517fa in load_separate_debug_info (main_filename=main_filename@entry=0x62100001cd10 "crash_2.37", xlink=xlink@entry=0xf65ac0 <debug_displays+4160>, parse_func=parse_func@entry=0x44c130 <parse_gnu_debuglink>, check_func=check_func@entry=0x44c4f0 <check_gnu_debuglink>, func_data=func_data@entry=0x7fffffffdef0, file=0x61200000bec0) at dwarf.c:11022
#3  0x0000000000452654 in check_for_and_load_links (file=file@entry=0x61200000bec0, filename=filename@entry=0x62100001cd10 "crash_2.37") at dwarf.c:11346
#4  0x00000000004c84d3 in load_separate_debug_files (file=file@entry=0x61200000bec0, filename=0x62100001cd10 "crash_2.37") at dwarf.c:11462
#5  0x0000000000430a0d in dump_bfd (abfd=abfd@entry=0x61200000bec0, is_mainfile=is_mainfile@entry=0x1) at ./objdump.c:4874
#6  0x000000000043361d in display_object_bfd (abfd=0x61200000bec0) at ./objdump.c:5060
#7  display_any_bfd (file=file@entry=0x61200000bec0, level=level@entry=0x0) at ./objdump.c:5150
#8  0x0000000000411c24 in display_file (last_file=0x1, target=<optimized out>, filename=0x7fffffffe727 "crash_2.37") at ./objdump.c:5171
#9  main (argc=0x5, argv=0x7fffffffe488) at ./objdump.c:5521
Comment 1 Alan Modra 2021-11-04 03:37:23 UTC
Not a buffer overflow.  byte_get is being called to read a possible separate debug info file crc, but byte_get is NULL for tekhex files.
Comment 2 Sourceware Commits 2021-11-04 03:50:37 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2f105f518413ea3e4c212f89585f9a8a5dddcdd

commit f2f105f518413ea3e4c212f89585f9a8a5dddcdd
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Nov 4 14:11:02 2021 +1030

    PR28540, segmentation fault on NULL byte_get
    
            PR 28540
            * objdump.c (dump_bfd): Don't attempt load_separate_debug_files
            when byte_get is NULL.
Comment 3 Alan Modra 2021-11-04 03:51:26 UTC
Fixed.
Comment 4 Sourceware Commits 2021-11-04 03:55:20 UTC
The binutils-2_37-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=96eb21265ebffbc28f767bed9a2b7650ecb9818d

commit 96eb21265ebffbc28f767bed9a2b7650ecb9818d
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Nov 4 14:11:02 2021 +1030

    PR28540, segmentation fault on NULL byte_get
    
            PR 28540
            * objdump.c (dump_bfd): Don't attempt load_separate_debug_files
            when byte_get is NULL.
    
    (cherry picked from commit f2f105f518413ea3e4c212f89585f9a8a5dddcdd)
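The failure and the fix, as an added model of the code path named in the backtrace and commit message (hypothetical C, not binutils source): a per-format `byte_get` function pointer that stays NULL for the tekhex format, a `.gnu_debuglink` parser that reads the trailing CRC through that pointer, and a `dump_bfd` that skips separate-debug-file loading when the pointer is unset. The section bytes and function shapes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reader for the target's byte order; stands in for byte_get_little_endian. */
typedef uint64_t (*byte_get_fn)(const unsigned char *field, unsigned int size);

static uint64_t byte_get_le(const unsigned char *field, unsigned int size)
{
    uint64_t v = 0;
    for (unsigned int i = 0; i < size; i++)
        v |= (uint64_t)field[i] << (8 * i);
    return v;
}

/* Global pointer set per input format, as dwarf.c does. For a tekhex input
   no reader is installed, so it is still NULL when the debuglink CRC is read:
   frame #0 of the backtrace is the call through this pointer. */
static byte_get_fn byte_get = NULL;

/* .gnu_debuglink layout: NUL-terminated file name, padded to a 4-byte
   boundary, then a 4-byte CRC32 of the separate debug file. Returns 0 on
   success, -1 on a malformed section. */
static int parse_gnu_debuglink(const unsigned char *sec, size_t len, uint32_t *crc)
{
    const unsigned char *nul = memchr(sec, 0, len);
    if (nul == NULL) return -1;                       /* unterminated name */
    size_t crc_off = ((size_t)(nul - sec) + 1 + 3) & ~(size_t)3;
    if (crc_off + 4 > len) return -1;                 /* truncated CRC */
    *crc = (uint32_t)byte_get(sec + crc_off, 4);      /* NULL call without the fix */
    return 0;
}

/* Guard from the commit message: do not attempt separate-debug-file loading
   when the format gave us no byte_get. Returns 0 if skipped, 1 if the link
   was parsed, -1 if the section was malformed. */
static int dump_bfd(byte_get_fn fmt_byte_get, const unsigned char *sec, size_t len, uint32_t *crc)
{
    byte_get = fmt_byte_get;
    if (byte_get == NULL)
        return 0;
    return parse_gnu_debuglink(sec, len, crc) == 0 ? 1 : -1;
}

/* Constructed section: "a.debug\0" (already 4-aligned) followed by CRC 0x12345678 LE. */
static const unsigned char debuglink_sec[] = { 'a','.','d','e','b','u','g',0, 0x78,0x56,0x34,0x12 };

int main(void)
{
    uint32_t crc = 0;
    printf("tekhex-style input: %d (0 = skipped)\n", dump_bfd(NULL, debuglink_sec, sizeof debuglink_sec, &crc));
    printf("elf-style input: %d, crc=0x%08x\n", dump_bfd(byte_get_le, debuglink_sec, sizeof debuglink_sec, &crc), crc);
    return 0;
}
```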