Bug 30285 - objdump heap-buffer-overflow in _bfd_elf_print_private_bfd_data() at /binutils-gdb/bfd/elf.c:1844 (SIGSEGV)
Summary: objdump heap-buffer-overflow in _bfd_elf_print_private_bfd_data() at /binutil...
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.40
Importance: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-29 12:25 UTC by 曾思維
Modified: 2023-08-25 16:52 UTC
CC: 2 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2023-03-30 00:00:00


Attachments
found by my fuzzer, trimmed with afl-tmin (227 bytes, application/octet-stream)
2023-03-29 12:25 UTC, 曾思維
Description 曾思維 2023-03-29 12:25:24 UTC
Created attachment 14787 [details]
found by my fuzzer, trimmed with afl-tmin

found by my fuzzer, trimmed with afl-tmin

# version

$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.40.50.20230329
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

---------------------------------------------------------------------
# git log

$ git log --oneline -1
a6e5abae4e9 (HEAD -> master, origin/master, origin/HEAD) gdb: move displaced_step_dump_bytes into gdbsupport (and rename)

---------------------------------------------------------------------
# make

$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make

---------------------------------------------------------------------
# crash

$ ./binutils-gdb/binutils/objdump -x pocmin
BFD: warning: pocmin has a section extending past end of file

pocmin:     file format elf64-little
pocmin
architecture: UNKNOWN!, flags 0x00000110:
HAS_SYMS, D_PAGED
start address 0x3030303030303030

Program Header:
0x30303030 off    0x3030303030303030 vaddr 0x3030303030303030 paddr 0x3030303030303030 align 2**4
         filesz 0x3030303030303030 memsz 0x3030303030303030 flags --- 30303030

Version definitions:
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error)
---------------------------------------------------------------------
# ASAN report

=================================================================
==335384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100000c500 at pc 0x55699bd767f8 bp 0x7fff4c0724e0 sp 0x7fff4c0724d0
READ of size 8 at 0x62100000c500 thread T0
    #0 0x55699bd767f7 in _bfd_elf_print_private_bfd_data /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:1844
    #1 0x55699bbad6e4 in dump_bfd_private_header objdump.c:4906
    #2 0x55699bbb0e77 in dump_bfd objdump.c:5595
    #3 0x55699bbb1699 in display_object_bfd objdump.c:5746
    #4 0x55699bbb19d1 in display_any_bfd objdump.c:5833
    #5 0x55699bbb1a4b in display_file objdump.c:5854
    #6 0x55699bbb33ee in main objdump.c:6265
    #7 0x7f8e1a078082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55699bb9739d in _start (/home/fuzzer/szuwei/test/report/binutils-gdb_asan/binutils/objdump+0x13639d)

0x62100000c500 is located 32 bytes to the right of 4064-byte region [0x62100000b500,0x62100000c4e0)
allocated by thread T0 here:
    #0 0x7f8e1a359808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55699bf872c9 in _objalloc_alloc objalloc.c:159
    #2 0x55699bcf5d48 in bfd_alloc /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/opncls.c:1032
    #3 0x55699bcf5dd0 in bfd_zalloc /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/opncls.c:1057
    #4 0x55699bd7d120 in _bfd_elf_new_section_hook /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:2861
    #5 0x55699bcf8dba in bfd_section_init /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/section.c:825
    #6 0x55699bcf9a65 in bfd_make_section_anyway_with_flags /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/section.c:1185
    #7 0x55699bcf9a93 in bfd_make_section_anyway /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/section.c:1208
    #8 0x55699bd707d3 in _bfd_elf_make_section_from_shdr /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:1000
    #9 0x55699bd7c19b in bfd_section_from_shdr /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:2505
    #10 0x55699bd5f61a in bfd_elf64_object_p /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elfcode.h:841
    #11 0x55699bcec710 in bfd_check_format_matches /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/format.c:387
    #12 0x55699bbb1681 in display_object_bfd objdump.c:5744
    #13 0x55699bbb19d1 in display_any_bfd objdump.c:5833
    #14 0x55699bbb1a4b in display_file objdump.c:5854
    #15 0x55699bbb33ee in main objdump.c:6265
    #16 0x7f8e1a078082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzzer/szuwei/test/report/binutils-gdb_asan/bfd/elf.c:1844 in _bfd_elf_print_private_bfd_data
==335384==ABORTING
Comment 1 Nick Clifton 2023-03-30 08:40:11 UTC
Investigating
Comment 2 Sourceware Commits 2023-03-30 09:11:11 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57

commit c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Mar 30 10:10:09 2023 +0100

    Fix an illegal memory access when accessing a zero-length verdef table.
    
      PR 30285
      * elf.c (_bfd_elf_slurp_version_tables): Fail if no version definitions are allocated.
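As an added illustration of the check the commit message describes (this is not BFD's own code): a minimal reader for an ELF SHT_GNU_verdef section that fails outright when the table holds no version definitions, instead of returning an empty table that a later printer such as _bfd_elf_print_private_bfd_data would index, and that bounds-checks the vd_next chain while it is at it. The struct layout is the ELF gABI Elfxx_Verdef; the function names and the sample entries are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* ELF Elfxx_Verdef entry (same 20-byte layout for ELF32 and ELF64). */
typedef struct {
  uint16_t vd_version, vd_flags, vd_ndx, vd_cnt;
  uint32_t vd_hash, vd_aux, vd_next;
} Verdef;
typedef struct { Verdef *defs; size_t count; } VerdefTable;
/* Read 'count' (the section's sh_info) entries from a raw SHT_GNU_verdef
   section of 'size' bytes.  Returns 0 on success, -1 if the table cannot be
   trusted; on failure *out stays empty so a caller cannot index into it.  */
int slurp_verdefs (const uint8_t *sec, size_t size, size_t count, VerdefTable *out)
{
  out->defs = NULL; out->count = 0;
  /* The PR 30285 shape: nothing to allocate.  Fail here rather than hand
     back an empty table that a printer would walk anyway.  */
  if (count == 0 || size < sizeof (Verdef))
    return -1;
  if ((out->defs = calloc (count, sizeof (Verdef))) == NULL) return -1;
  size_t off = 0;
  for (size_t i = 0; i < count; i++)
    {
      if (off > size - sizeof (Verdef))            /* entry runs past the end */
        goto bad;
      memcpy (&out->defs[i], sec + off, sizeof (Verdef));
      uint32_t next = out->defs[i].vd_next;        /* byte offset to next entry */
      if (i + 1 < count && (next == 0 || next > size - off))
        goto bad;                                  /* chain ends early or escapes */
      off += next;
    }
  out->count = count;
  return 0;
bad:
  free (out->defs);
  out->defs = NULL;
  return -1;
}
/* Constructed inputs: a well-formed two-entry table, or (zero_length != 0)
   the zero-length case from this report.  Returns the entry count or -1.  */
int demo_verdefs (int zero_length)
{
  Verdef v[2] = { { 1, 0, 1, 1, 0x1234, 20, 20 }, { 1, 0, 2, 1, 0x5678, 20, 0 } };
  VerdefTable t;
  int rc = slurp_verdefs ((const uint8_t *) v, zero_length ? 0 : sizeof v,
                          zero_length ? 0 : 2, &t);
  free (t.defs);                    /* free (NULL) is a no-op on rejection */
  return rc == 0 ? (int) t.count : -1;
}
```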
Comment 3 Nick Clifton 2023-03-30 09:11:52 UTC
Right - problem found and fixed.
Comment 4 曾思維 2023-04-11 03:49:48 UTC
use CVE-2023-1972
Comment 5 Andreas K. Huettel 2023-08-25 16:52:20 UTC
Fixed in 2.41