Bug 29908 - SEGV of objdump caused by heap-buffer-overflow at dwarf.c:7756 in display_debug_addr()
Summary: SEGV of objdump caused by heap-buffer-overflow at dwarf.c:7756 in display_deb...
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.39
: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-16 09:02 UTC by 曾思維
Modified: 2022-12-19 13:27 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2022-12-16 00:00:00

Attachments
Generated by my fuzzer and afl-tmin (6.59 KB, application/x-sharedlib)
2022-12-16 09:02 UTC, 曾思維 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description 曾思維 2022-12-16 09:02:06 UTC 
Created attachment 14520 [details]
Generated by my fuzzer and afl-tmin

# version

$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.39.50.20221213
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# git log

$ git log --oneline -1
d0d41b77c0c (HEAD -> master, origin/master, origin/HEAD) Replace gdbpy_should_stop with gdbpy_breakpoint_cond_says_stop

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make

---------------------------------------------------------------------
# crash

$ ./binutils-gdb/binutils/objdump -W poc
./binutils-gdb/binutils/objdump: Warning: Corrupt attribute block length: 0x30303030

poc:     file format elf64-x86-64

Contents of the .eh_frame section:


00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48

(... too long ignore)

	49894:	0000000000000000
	49895:	0000000000000000
	49896:	0000000000000000
	49897:	0000000000000000
	49898:	0000000000000000
	49899:	0000000000000000
	49900:	0000000000000000
	49901:	0000000000000000
	49902:	0000000000000000
	49903:	0000000000000000
	49904:	0000000000000000
	49905:	0000000000000000
	49906:	0000000000000000
	49907:	0000000000000000
	49908:	0000000000000000
	49909:	0000000000000000
	49910:	0000000000000000
	49911:	0000000000000000
	49912:	0000000000000000
	49913:	0000000000000000
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error)

---------------------------------------------------------------------
# ASAN report

$ ./binutils-gdb_asan/binutils/objdump -W poc
./binutils-gdb_asan/binutils/objdump: Warning: Corrupt attribute block length: 0x30303030

poc:     file format elf64-x86-64

Contents of the .eh_frame section:


00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 48

(... too long ignore)

	300:	3030303030303030
	301:	3030303030303030
	302:	3030303030303030
	303:	3030303030303030
	304:	3030303030303030
	305:	3030303030303030
	306:	3030303030303030
	307:	3030303030303030
	308:	3030303030303030
	309:	3030303030303030
	310:	3030303030303030
	311:	3030303030303030
	312:	3030303030303030
	313:	3030303030303030
	314:	3030303030303030
	315:	3030303030303030
=================================================================
==2848799==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000ab1 at pc 0x55f9366f07ac bp 0x7ffc73f785f0 sp 0x7ffc73f785e0
READ of size 1 at 0x61e000000ab1 thread T0
    #0 0x55f9366f07ab in byte_get_little_endian /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149
    #1 0x55f936695768 in display_debug_addr dwarf.c:7756
    #2 0x55f9366588c4 in dump_dwarf_section objdump.c:4396
    #3 0x55f9367a72d9 in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366
    #4 0x55f936658af3 in dump_dwarf objdump.c:4434
    #5 0x55f93665f110 in dump_bfd objdump.c:5636
    #6 0x55f93665f4e5 in display_object_bfd objdump.c:5715
    #7 0x55f93665f816 in display_any_bfd objdump.c:5801
    #8 0x55f93665f890 in display_file objdump.c:5822
    #9 0x55f9366611b9 in main objdump.c:6230
    #10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55f93664539d in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b39d)

0x61e000000ab1 is located 0 bytes to the right of 2609-byte region [0x61e000000080,0x61e000000ab1)
allocated by thread T0 here:
    #0 0x7fae0f435808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55f936a3bc7c in xmalloc xmalloc.c:149
    #2 0x55f9366579c8 in load_specific_debug_section objdump.c:4216
    #3 0x55f936658148 in load_debug_section objdump.c:4317
    #4 0x55f9366b49d2 in load_separate_debug_files dwarf.c:11945
    #5 0x55f93665e7bd in dump_bfd objdump.c:5520
    #6 0x55f93665f4e5 in display_object_bfd objdump.c:5715
    #7 0x55f93665f816 in display_any_bfd objdump.c:5801
    #8 0x55f93665f890 in display_file objdump.c:5822
    #9 0x55f9366611b9 in main objdump.c:6230
    #10 0x7fae0f154082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/elfcomm.c:149 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2848799==ABORTING
Comment 1 Sourceware Commits 2022-12-16 12:07:27 UTC 
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fa501b69309ccb03ec957101f24109ed7f737733

commit fa501b69309ccb03ec957101f24109ed7f737733
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Dec 16 12:06:43 2022 +0000

    Fix a potential illegal memory access when parsing corrupt DWARF information.
    
            PR 29908
            * dwarf.c (display_debug_addr): Check for corrupt header lengths.
Comment 2 Nick Clifton 2022-12-16 12:08:38 UTC 
Hi,

  Thanks for reporting this bug.  I have applied a small patch to add a check
  for an undersized length field in the address range header.

Cheers
  Nick
Comment 3 Sourceware Commits 2022-12-19 13:27:52 UTC 
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=956bc7a29fd952d709db29667b38f98cdd3db4c9

commit 956bc7a29fd952d709db29667b38f98cdd3db4c9
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Dec 18 13:07:51 2022 +1030

    Tidy PR29893 and PR29908 fix
    
            PR 29893
            PR 29908
            * dwarf.c (display_debug_addr): Combine dwarf5 unit_length checks.
            Delete dead code.