Created attachment 13755 [details]
Crash File

Hi binutils Team,

I was recently doing security tests with AFL-Fuzz, and I ended up discovering a buffer overflow in the binutils-2.37 package, more specifically in the objdump binary. I already requested a CVE ID, but have not received it yet.

Reproduce:

$ binutils-2.37/binutils/objdump -D -T -x crash_2.37
[1]    8585 segmentation fault (core dumped)  binutils-2.37/binutils/objdump -D -T -x crash_2.37

Backtrace:

#0  0x0000000000000000 in ?? ()
#1  0x000000000044c263 in parse_gnu_debuglink (section=section@entry=0xf65ac0 <debug_displays+4160>, data=data@entry=0x7fffffffdef0) at dwarf.c:10874
#2  0x00000000004517fa in load_separate_debug_info (main_filename=main_filename@entry=0x62100001cd10 "crash_2.37", xlink=xlink@entry=0xf65ac0 <debug_displays+4160>, parse_func=parse_func@entry=0x44c130 <parse_gnu_debuglink>, check_func=check_func@entry=0x44c4f0 <check_gnu_debuglink>, func_data=func_data@entry=0x7fffffffdef0, file=0x61200000bec0) at dwarf.c:11022
#3  0x0000000000452654 in check_for_and_load_links (file=file@entry=0x61200000bec0, filename=filename@entry=0x62100001cd10 "crash_2.37") at dwarf.c:11346
#4  0x00000000004c84d3 in load_separate_debug_files (file=file@entry=0x61200000bec0, filename=0x62100001cd10 "crash_2.37") at dwarf.c:11462
#5  0x0000000000430a0d in dump_bfd (abfd=abfd@entry=0x61200000bec0, is_mainfile=is_mainfile@entry=0x1) at ./objdump.c:4874
#6  0x000000000043361d in display_object_bfd (abfd=0x61200000bec0) at ./objdump.c:5060
#7  display_any_bfd (file=file@entry=0x61200000bec0, level=level@entry=0x0) at ./objdump.c:5150
#8  0x0000000000411c24 in display_file (last_file=0x1, target=<optimized out>, filename=0x7fffffffe727 "crash_2.37") at ./objdump.c:5171
#9  main (argc=0x5, argv=0x7fffffffe488) at ./objdump.c:5521
Not a buffer overflow. byte_get is being called to read a possible separate debug info file crc, but byte_get is NULL for tekhex files.
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2f105f518413ea3e4c212f89585f9a8a5dddcdd

commit f2f105f518413ea3e4c212f89585f9a8a5dddcdd
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Nov 4 14:11:02 2021 +1030

    PR28540, segmentation fault on NULL byte_get

        PR 28540
        * objdump.c (dump_bfd): Don't attempt load_separate_debug_files
        when byte_get is NULL.
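A simplified C model of the crash and the fix, added here as an illustration and not code from binutils: a per-format byte_get reader pointer that stays NULL for tekhex, a debuglink parser that reads the crc through it, and the guard dump_bfd now applies before entering the separate-debug-file path. The _sim functions, the constructed section bytes and the format-selection rule are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for dwarf.c's byte_get: objdump installs an
   endian-specific reader for formats that declare a byte order and leaves
   the pointer NULL for formats such as tekhex that do not.  */
typedef uint64_t (*byte_get_fn) (const unsigned char *, unsigned int);
static byte_get_fn byte_get = NULL;

static uint64_t
byte_get_little_endian (const unsigned char *field, unsigned int size)
{
  uint64_t v = 0;
  for (unsigned int i = 0; i < size; i++)
    v |= (uint64_t) field[i] << (8 * i);
  return v;
}

/* Stand-in for parse_gnu_debuglink: the 4-byte crc follows the
   NUL-terminated file name, padded to a 4-byte boundary, and is read
   through byte_get, which is the call that dereferenced NULL in the report.  */
static uint32_t
parse_gnu_debuglink_sim (const unsigned char *data, size_t len)
{
  size_t off = 0;
  while (off < len && data[off] != 0)
    off++;
  off = (off + 1 + 3) & ~(size_t) 3;
  if (off + 4 > len)
    return 0;                     /* truncated section: nothing to read */
  return (uint32_t) byte_get (data + off, 4);
}

/* Constructed .gnu_debuglink contents: "a.debug\0" then crc 0x12345678 LE.  */
static const unsigned char sample_debuglink[] = {
  'a', '.', 'd', 'e', 'b', 'u', 'g', 0, 0x78, 0x56, 0x34, 0x12 };

/* Stand-in for dump_bfd after the fix: select the reader for the input
   format, then skip the separate-debug-file path when none is installed.
   Returns the crc that was read, or -1 when the path was skipped.  */
long long
debuglink_crc_for_format (const char *format)
{
  byte_get = strcmp (format, "tekhex") == 0 ? NULL : byte_get_little_endian;
  if (byte_get == NULL)
    return -1;                    /* pre-fix objdump called NULL here */
  return parse_gnu_debuglink_sim (sample_debuglink, sizeof sample_debuglink);
}
```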
Fixed.
The binutils-2_37-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=96eb21265ebffbc28f767bed9a2b7650ecb9818d

commit 96eb21265ebffbc28f767bed9a2b7650ecb9818d
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Nov 4 14:11:02 2021 +1030

    PR28540, segmentation fault on NULL byte_get

        PR 28540
        * objdump.c (dump_bfd): Don't attempt load_separate_debug_files
        when byte_get is NULL.

    (cherry picked from commit f2f105f518413ea3e4c212f89585f9a8a5dddcdd)