Bug 30284 - objdump SEGV in display_debug_ranges_list() at dwarf.c:7952 (SIGSEGV)
Summary: objdump SEGV in display_debug_ranges_list() at dwarf.c:7952 (SIGSEGV)
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.40
Importance: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-29 12:09 UTC by 曾思維
Modified: 2023-03-30 10:07 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2023-03-30 00:00:00


Attachments
poc from fuzzer and afl-tmin (346 bytes, application/octet-stream)
2023-03-29 12:09 UTC, 曾思維

Description 曾思維 2023-03-29 12:09:46 UTC
Created attachment 14786 [details]
poc from fuzzer and afl-tmin

Found by my fuzzer, trimmed with afl-tmin.

# version

$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.40.50.20230329
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# git log

$ git log --oneline -1
a6e5abae4e9 (HEAD -> master, origin/master, origin/HEAD) gdb: move displaced_step_dump_bytes into gdbsupport (and rename)

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make

---------------------------------------------------------------------
# crash

$ ./binutils-gdb/binutils/objdump -W pocmin
BFD: warning: pocmin has a section extending past end of file

pocmin:     file format elf64-little

Contents of the .debug_info section:

  Compilation Unit @ offset 0:
   Length:        0x371 (32-bit)
   Version:       4
   Abbrev Offset: 0
   Pointer Size:  8
 <0><b>: Abbrev Number: 1 (DW_TAG_template_value_param)
    <c>   Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30

    <d>   Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30

    <e>   Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30

    <f>   Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30

    <10>   Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30

   (... too long ignore)

 <195><372>: Abbrev Number: 48 (DW_TAG_template_value_param)
    <373>   Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30

    <374>   Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning: Unrecognized form: 0x30

    <375>   Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning: Corrupt attribute


Contents of the .debug_abbrev section:

  Number TAG (0)
   1      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   9      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   14      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 1817 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   18      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 DW_FORM_ref4
    Unknown AT value: 30 DW_FORM_addr
    Unknown AT value: 1838 Unknown FORM value: 30
    DW_AT_ranges       DW_FORM_sec_offset
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   19      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 DW_FORM_ref4
    Unknown AT value: 30 DW_FORM_sec_offset
    Unknown AT value: 1837 DW_FORM_sec_offset
    DW_AT_rnglists_base DW_FORM_ref8
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      Unknown TAG value: 0x1811    [has children]
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30
   24      DW_TAG_template_value_param    [has children]
    DW_AT value: 0     Unknown FORM value: 30
   48      DW_TAG_template_value_param    [has children]
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    Unknown AT value: 30 Unknown FORM value: 30
    DW_AT value: 0     Unknown FORM value: 30

Contents of the .debug_ranges section:


    Offset   Begin    End
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error)
---------------------------------------------------------------------
# ASAN report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1832831==ERROR: AddressSanitizer: SEGV on unknown address 0x5f9030373b80 (pc 0x560baea74819 bp 0x7ffe7ff3ac80 sp 0x7ffe7ff3ac70 T0)
==1832831==The signal is caused by a READ memory access.
    #0 0x560baea74818 in byte_get_little_endian /home/a13579/my_fuzz_eval/objdump_aflgcc_seed_eval/report/binutils_2023_03_29/binutils-gdb_asan/binutils/elfcomm.c:148
    #1 0x560baea1a7c3 in display_debug_ranges_list dwarf.c:7952
    #2 0x560baea1d739 in display_debug_ranges dwarf.c:8354
    #3 0x560bae9dce21 in dump_dwarf_section objdump.c:4425
    #4 0x560baeb2be11 in bfd_map_over_sections /home/a13579/my_fuzz_eval/objdump_aflgcc_seed_eval/report/binutils_2023_03_29/binutils-gdb_asan/bfd/section.c:1366
    #5 0x560bae9dd050 in dump_dwarf objdump.c:4463
    #6 0x560bae9e32c4 in dump_bfd objdump.c:5667
    #7 0x560bae9e3699 in display_object_bfd objdump.c:5746
    #8 0x560bae9e39d1 in display_any_bfd objdump.c:5833
    #9 0x560bae9e3a4b in display_file objdump.c:5854
    #10 0x560bae9e53ee in main objdump.c:6265
    #11 0x7f73b4865082 in __libc_start_main ../csu/libc-start.c:308
    #12 0x560bae9c939d in _start (/home/a13579/my_fuzz_eval/objdump_aflgcc_seed_eval/report/binutils_2023_03_29/binutils-gdb_asan/binutils/objdump+0x13639d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a13579/my_fuzz_eval/objdump_aflgcc_seed_eval/report/binutils_2023_03_29/binutils-gdb_asan/binutils/elfcomm.c:148 in byte_get_little_endian
==1832831==ABORTING
Comment 1 Nick Clifton 2023-03-30 09:33:30 UTC
Investigating
Comment 2 Sourceware Commits 2023-03-30 10:05:32 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d17c53b8dfc23b456e30c8f21d46dbcd55324ae

commit 8d17c53b8dfc23b456e30c8f21d46dbcd55324ae
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Mar 30 11:04:53 2023 +0100

    Fix an illegal memory access triggered by parsing corrupt DWARF info.
    
      PR 30284
      * dwarf.c (read_and_display_attr_value): Detect and ignore negative base values.
Comment 3 Nick Clifton 2023-03-30 10:07:22 UTC
Right - the problem was a DW_AT_rnglists_base attribute with a negative value which was not being caught.  I have checked in a small patch to fix the problem.
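The bug class behind this report, as an added illustration that is not binutils code and does not reproduce the dwarf.c patch: a base attribute such as DW_AT_rnglists_base is a section offset supplied by the file, and if it is added to a section pointer without checking that it is non-negative and that base + offset + entry still lies inside the section, the range-list lookup reads far outside the buffer (the SEGV in byte_get_little_endian in the trace above). The section contents, the function names and the negative base value below are all constructed for the example.

```c
/* Added example, not binutils code: an unchecked DWARF base attribute
   versus a bounds-checked lookup. Section layout and names are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a loaded .debug_ranges-style section:
   one (begin, end) pair of 8-byte little-endian addresses, then a
   terminating pair of zeros. */
static const unsigned char section[32] = {
    0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* begin = 0x1000 */
    0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* end   = 0x2000 */
    0, 0, 0, 0, 0, 0, 0, 0,                            /* terminator */
    0, 0, 0, 0, 0, 0, 0, 0,
};

/* 8-byte little-endian read, the shape of the byte_get_little_endian
   frame in the ASAN trace. Only called on checked pointers below. */
static uint64_t get_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Unchecked: trusts the attribute. Returns the section offset the lookup
   would read from; anything >= the section length is an out-of-bounds
   read, and a "negative" base (a huge unsigned value) wraps far away. */
uint64_t unchecked_entry_offset(uint64_t base, uint64_t offset)
{
    return base + offset;
}

/* Checked: reject a base that is negative when read as a signed value
   (the condition the PR 30284 fix catches), then make sure base + offset
   plus one 16-byte entry fits in the section without overflow.
   Returns 0 and fills *begin/*end on success, -1 otherwise. */
int checked_read_range(const unsigned char *sec, size_t sec_len,
                       uint64_t base, uint64_t offset,
                       uint64_t *begin, uint64_t *end)
{
    if (base > (uint64_t)INT64_MAX)
        return -1;                       /* negative base: corrupt DWARF */
    if (offset > sec_len || base > sec_len - offset)
        return -1;                       /* base + offset overflows or passes the end */
    uint64_t start = base + offset;
    if (sec_len - start < 16)
        return -1;                       /* no room for a begin/end pair */
    *begin = get_le64(sec + start);
    *end   = get_le64(sec + start + 8);
    return 0;
}

/* Demo helpers with checkable return values. */
int demo_valid_lookup(void)
{
    uint64_t b = 0, e = 0;
    if (checked_read_range(section, sizeof section, 0, 0, &b, &e) != 0)
        return 0;
    return b == 0x1000 && e == 0x2000;
}

int demo_negative_base_rejected(void)
{
    uint64_t b = 0, e = 0;
    /* Made-up negative base, -8 in two's complement. */
    return checked_read_range(section, sizeof section, (uint64_t)-8, 0, &b, &e) == -1;
}

int demo_truncated_entry_rejected(void)
{
    uint64_t b = 0, e = 0;
    /* In bounds, but only 8 bytes left: not a whole entry. */
    return checked_read_range(section, sizeof section, 24, 0, &b, &e) == -1;
}

int main(void)
{
    printf("valid lookup ok: %d\n", demo_valid_lookup());
    printf("unchecked offset for base -8: 0x%llx (section is %zu bytes)\n",
           (unsigned long long)unchecked_entry_offset((uint64_t)-8, 0),
           sizeof section);
    printf("negative base rejected: %d\n", demo_negative_base_rejected());
    printf("truncated entry rejected: %d\n", demo_truncated_entry_rejected());
    return 0;
}
```

The check order matters: the sign test alone is not enough, because a non-negative base can still exceed the section length, and the length test alone is not enough if it is written as `base + offset < sec_len`, which wraps for large bases. Rejecting the value and continuing (as the commit message says, "detect and ignore") keeps objdump usable on the rest of a corrupt file instead of aborting.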