Created attachment 14542 [details] Generated by my fuzzer and afl-tmin # version $ ./binutils-gdb_asan/binutils/objdump --version GNU objdump (GNU Binutils) 2.39.50.20221229 Copyright (C) 2022 Free Software Foundation, Inc. This program is free software; you may redistribute it under the terms of the GNU General Public License version 3 or (at your option) any later version. This program has absolutely no warranty. --------------------------------------------------------------------- # git log $ git log --oneline -1 c509db05e4f (HEAD -> master, origin/master, origin/HEAD) RISC-V: Simplify riscv_csr_address logic on state enable extension --------------------------------------------------------------------- # make $ git clone git://sourceware.org/git/binutils-gdb.git $ cd binutils-gdb $ ./configure CFLAGS='-fsanitize=address -g3' CXXFALGS='-fsanitize=address -g3' $ make --------------------------------------------------------------------- # ASAN report $ ./binutils-gdb_asan/binutils/objdump -WL poc ./binutils-gdb_asan/binutils/objdump: Warning: Corrupt attribute block length: 0x30303030 poc: file format elf64-x86-64 ./binutils-gdb_asan/binutils/objdump: poc: invalid string offset 808464432 >= 3321 for section `ld-id' ./binutils-gdb_asan/binutils/objdump: poc: invalid string offset 808464432 >= 3321 for section `ld-id' ./binutils-gdb_asan/binutils/objdump: poc: invalid string offset 808464432 >= 3321 for section `ld-id' (... too long ignore) <offset is too big>/00000000000000000000000000000000000: 00000000000000000000000000000000000 321124 0x1a610 x Unknown opcode 17 with operands: 00000000000000000000000000000000000 321177 0x1a640 x Unknown opcode 17 with operands: ================================================================= ==3200753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000043e0 at pc 0x559f0ca791f7 bp 0x7ffdc57fac00 sp 0x7ffdc57fabf0 READ of size 8 at 0x6060000043e0 thread T0 #0 0x559f0ca791f6 in display_debug_lines_decoded dwarf.c:5429 #1 0x559f0ca7a4a2 in display_debug_lines dwarf.c:5673 #2 0x559f0ca4fbe6 in dump_dwarf_section objdump.c:4420 #3 0x559f0cb9ec1c in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366 #4 0x559f0ca4fe15 in dump_dwarf objdump.c:4458 #5 0x559f0ca56432 in dump_bfd objdump.c:5660 #6 0x559f0ca56807 in display_object_bfd objdump.c:5739 #7 0x559f0ca56b38 in display_any_bfd objdump.c:5825 #8 0x559f0ca56bb2 in display_file objdump.c:5846 #9 0x559f0ca584db in main objdump.c:6254 #10 0x7f3823abf082 in __libc_start_main ../csu/libc-start.c:308 #11 0x559f0ca3c3bd in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b3bd) 0x6060000043e0 is located 0 bytes to the right of 64-byte region [0x6060000043a0,0x6060000043e0) allocated by thread T0 here: #0 0x7f3823da0a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153 #1 0x559f0ce32e3b in xcalloc xmalloc.c:164 #2 0x559f0ca7520f in display_debug_lines_decoded dwarf.c:4980 #3 0x559f0ca7a4a2 in display_debug_lines dwarf.c:5673 #4 0x559f0ca4fbe6 in dump_dwarf_section objdump.c:4420 #5 0x559f0cb9ec1c in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366 #6 0x559f0ca4fe15 in dump_dwarf objdump.c:4458 #7 0x559f0ca56432 in dump_bfd objdump.c:5660 #8 0x559f0ca56807 in display_object_bfd objdump.c:5739 #9 0x559f0ca56b38 in display_any_bfd objdump.c:5825 #10 0x559f0ca56bb2 in display_file objdump.c:5846 #11 0x559f0ca584db in main objdump.c:6254 #12 0x7f3823abf082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-buffer-overflow dwarf.c:5429 in display_debug_lines_decoded Shadow bytes around the buggy address: 0x0c0c7fff8820: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x0c0c7fff8830: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa 0x0c0c7fff8840: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa 0x0c0c7fff8850: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x0c0c7fff8860: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa =>0x0c0c7fff8870: fa fa fa fa 00 00 00 00 00 00 00 00[fa]fa fa fa 0x0c0c7fff8880: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x0c0c7fff8890: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa 0x0c0c7fff88a0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa 0x0c0c7fff88b0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x0c0c7fff88c0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3200753==ABORTING
The logic for DW_LNS_set_file needs fixing similar to what we have in bfd/dwarf2.c, in particular, dir == 0 for dwarf<5 should pick up DW_AT_comp_dir if possible rather than just displaying "./".
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a984f112b015b7d33c3c91230eb4c35695926539 commit a984f112b015b7d33c3c91230eb4c35695926539 Author: Alan Modra <amodra@gmail.com> Date: Fri Dec 30 11:41:16 2022 +1030 PR29948, heap-buffer-overflow in display_debug_lines_decoded This fixes a couple of places in display_debug_lines_decoded that were off by one in checking DWARF5 .debug_line directory indices. It also displays the DWARF5 entry 0 for the program current directory rather than "." as is done for pre-DWARF5. I decided against displaying DW_AT_comp_dir for pre-DWARF5 since I figure it is better for readelf to minimally interpret debug info. binutils/ PR 29948 * dwarf.c (display_debug_lines_decoded): Display the given directory entry 0 for DWARF5. Properly check directory index against number of entries in the table. Revert to using unsigned int for n_directories and associated variables. Correct warning messages. gas/ * testsuite/gas/elf/dwarf-5-loc0.d: Update.
Fixed