Created attachment 14574 [details] Generated by my fuzzer and afl-tmin # version $ ./binutils-gdb_asan/binutils/objdump --version GNU objdump (GNU Binutils) 2.40.50.20230110 Copyright (C) 2023 Free Software Foundation, Inc. This program is free software; you may redistribute it under the terms of the GNU General Public License version 3 or (at your option) any later version. This program has absolutely no warranty. --------------------------------------------------------------------- # git log $ git log --oneline -1 aefebe82dc8 (HEAD -> master, origin/master, origin/HEAD) IBM zSystems: Fix offset relative to static TLS --------------------------------------------------------------------- # make $ git clone git://sourceware.org/git/binutils-gdb.git $ mv binutils-gdb binutils-gdb_asan $ cd binutils-gdb_asan $ ./configure CFLAGS='-fsanitize=address -g3' CXXFALGS='-fsanitize=address -g3' $ make --------------------------------------------------------------------- # ASAN report $ ./binutils-gdb_asan/binutils/objdump -S poc BFD: warning: poc has a section extending past end of file poc: file format elf64-x86-64 Disassembly of section abbrev: 3030303030303030 <abbrev>: BFD: DWARF error: can't find .debug_str section. BFD: DWARF error: can't find .debug_str section. BFD: DWARF error: can't find .debug_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: can't find .debug_line_str section. BFD: DWARF error: mangled line number section (bad file number) BFD: DWARF error: mangled line number section (bad file number) ================================================================= ==3970096==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000017f at pc 0x5573ee01c8cc bp 0x7fff9bcf2f50 sp 0x7fff9bcf2f40 READ of size 1 at 0x60300000017f thread T0 #0 0x5573ee01c8cb in bfd_getl64 /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:784 #1 0x5573ee16bef2 in read_indexed_address dwarf2.c:1431 #2 0x5573ee16dc6a in read_attribute_value dwarf2.c:1669 #3 0x5573ee16e004 in read_attribute dwarf2.c:1711 #4 0x5573ee1783c7 in scan_unit_for_symbols dwarf2.c:3973 #5 0x5573ee17c2c4 in comp_unit_maybe_decode_line_info dwarf2.c:4721 #6 0x5573ee17bf03 in comp_unit_find_nearest_line dwarf2.c:4679 #7 0x5573ee182273 in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5991 #8 0x5573ee0d4de3 in _bfd_elf_find_nearest_line_with_alt /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338 #9 0x5573ee0d4c72 in _bfd_elf_find_nearest_line /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315 #10 0x5573edec9d8b in show_line objdump.c:2180 #11 0x5573edecf759 in disassemble_bytes objdump.c:3339 #12 0x5573eded37f3 in disassemble_section objdump.c:4050 #13 0x5573ee024bbc in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366 #14 0x5573eded4767 in disassemble_data objdump.c:4194 #15 0x5573ededc530 in dump_bfd objdump.c:5676 #16 0x5573ededc807 in display_object_bfd objdump.c:5739 #17 0x5573ededcb38 in display_any_bfd objdump.c:5825 #18 0x5573ededcbb2 in display_file objdump.c:5846 #19 0x5573edede4db in main objdump.c:6254 #20 0x7f755d389082 in __libc_start_main ../csu/libc-start.c:308 #21 0x5573edec23bd in _start (/home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/binutils/objdump+0x13b3bd) 0x60300000017f is located 2 bytes to the right of 29-byte region [0x603000000160,0x60300000017d) allocated by thread T0 here: #0 0x7f755d66a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x5573ee01b6aa in bfd_malloc /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:289 #2 0x5573ee168ad5 in read_section dwarf2.c:734 #3 0x5573ee16bae7 in read_indexed_address dwarf2.c:1412 #4 0x5573ee16dc6a in read_attribute_value dwarf2.c:1669 #5 0x5573ee16e004 in read_attribute dwarf2.c:1711 #6 0x5573ee1783c7 in scan_unit_for_symbols dwarf2.c:3973 #7 0x5573ee17c2c4 in comp_unit_maybe_decode_line_info dwarf2.c:4721 #8 0x5573ee17bf03 in comp_unit_find_nearest_line dwarf2.c:4679 #9 0x5573ee182273 in _bfd_dwarf2_find_nearest_line_with_alt dwarf2.c:5991 #10 0x5573ee0d4de3 in _bfd_elf_find_nearest_line_with_alt /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9338 #11 0x5573ee0d4c72 in _bfd_elf_find_nearest_line /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/elf.c:9315 #12 0x5573edec9d8b in show_line objdump.c:2180 #13 0x5573edecf759 in disassemble_bytes objdump.c:3339 #14 0x5573eded37f3 in disassemble_section objdump.c:4050 #15 0x5573ee024bbc in bfd_map_over_sections /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/section.c:1366 #16 0x5573eded4767 in disassemble_data objdump.c:4194 #17 0x5573ededc530 in dump_bfd objdump.c:5676 #18 0x5573ededc807 in display_object_bfd objdump.c:5739 #19 0x5573ededcb38 in display_any_bfd objdump.c:5825 #20 0x5573ededcbb2 in display_file objdump.c:5846 #21 0x5573edede4db in main objdump.c:6254 #22 0x7f755d389082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_binutils-gdb/binutils-gdbnew/binutils-gdb_asan/bfd/libbfd.c:784 in bfd_getl64 Shadow bytes around the buggy address: 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 0x0c067fff8010: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa =>0x0c067fff8020: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00[05] 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3970096==ABORTING
The master branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11d171f1910b508a81d21faa087ad1af573407d8 commit 11d171f1910b508a81d21faa087ad1af573407d8 Author: Nick Clifton <nickc@redhat.com> Date: Wed Jan 11 12:12:25 2023 +0000 Fix a potential illegal memory access in the BFD library when parsing a corrupt DWARF file. PR 29988 * dwarf2.c (read_indexed_address): Fix check for an out of range offset.
The binutils-2_40-branch branch has been updated by Nick Clifton <nickc@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3e307d538c351aa9327cbad672c884059ecc20dd commit 3e307d538c351aa9327cbad672c884059ecc20dd Author: Nick Clifton <nickc@redhat.com> Date: Wed Jan 11 12:13:46 2023 +0000 Fix a potential illegal memory access in the BFD library when parsing a corrupt DWARF file. PR 29988 * dwarf2.c (read_indexed_address): Fix check for an out of range offset.
Hi, Thanks for reporting this bug. There was a check in the read_indexed_address() function for a buffer overflow, but it was testing against the wrong size field. I have checked in a small patch to fix this. Cheers Nick
use CVE-2023-1579