Bug 30361 - [Objdump] heap-buffer-overflow at byte_get_little_endian (display_debug_macro)
Summary: [Objdump] heap-buffer-overflow at byte_get_little_endian (display_debug_macro)
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: 2.41
Assignee: Alan Modra
URL:
Keywords:
: 30364 (view as bug list)
Depends on:
Blocks:
 
Reported: 2023-04-17 09:32 UTC by Ziqiao Kong
Modified: 2023-04-18 01:50 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2023-04-18 00:00:00

Attachments
Full logs and object file (7.56 KB, application/x-xz)
2023-04-17 09:32 UTC, Ziqiao Kong 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ziqiao Kong 2023-04-17 09:32:54 UTC 
Created attachment 14831 [details]
Full logs and object file

Git commit hash: 93c6e8c3c14bf81020ca7571fe752250a34f5bc9

Steps to reproduce:

```
export CC=afl-clang-fast
export CXX=afl-clang-fast++
export AFL_USE_ASAN=1
export CFLAGS="-latomic --ld-path=/usr/bin/ld.lld-14"
export CFLAGS_FOR_TARGETS="-latomic --ld-path=/usr/bin/ld.lld-14"
export CXXFLAGS="-latomic --ld-path=/usr/bin/ld.lld-14"
./configure
make -j
./binutils/objdump -g /path/to/obj
```

Note this doesn't have to be reproduced with AFL++ but gdbserver fails to build with just specifying `CFLAGS=-fsanitize=address` due to `-Wl,--no-undefined`, which `afl-clang-fast++` will handle automatically and make things easy.

ASAN logs:

```
<some objdump logs...>
/out/asan_noins/objdump: Error: read LEB value is too large to store in destination variable
=================================================================
==5088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000007c at pc 0x5567712adfb1 bp 0x7ffd1eaff740 sp 0x7ffd1eaff738
READ of size 1 at 0x61a00000007c thread T0
    #0 0x5567712adfb0 in byte_get_little_endian /binutils/binutils/elfcomm.c:118:26
    #1 0x55677126db03 in fetch_indexed_string /binutils/binutils/./dwarf.c:683:16
    #2 0x5567712553ef in display_debug_macro /binutils/binutils/./dwarf.c:6317:3
    #3 0x556771228c90 in dump_dwarf_section /binutils/binutils/./objdump.c:4425:6
    #4 0x556771349c5b in bfd_map_over_sections /binutils/bfd/section.c:1366:5
    #5 0x556771227b4c in dump_dwarf /binutils/binutils/./objdump.c:4463:3
    #6 0x556771226708 in dump_bfd /binutils/binutils/./objdump.c:5707:4
    #7 0x5567712238dd in display_object_bfd /binutils/binutils/./objdump.c
    #8 0x5567712238dd in display_any_bfd /binutils/binutils/./objdump.c:5831:5
    #9 0x556771221f03 in display_file /binutils/binutils/./objdump.c:5852:3
    #10 0x556771221f03 in main /binutils/binutils/./objdump.c:6263:6
    #11 0x7fbd3fc44d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7fbd3fc44e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x556771162654 in _start (/out/asan_noins/objdump+0x1d1654) (BuildId: 813539ae82b68bf436716e5400b37ebb3ab40c5e)

0x61a00000007c is located 4 bytes to the left of 1385-byte region [0x61a000000080,0x61a0000005e9)
allocated by thread T0 here:
    #0 0x5567711e549e in __interceptor_malloc (/out/asan_noins/objdump+0x25449e) (BuildId: 813539ae82b68bf436716e5400b37ebb3ab40c5e)
    #1 0x55677156de88 in xmalloc /binutils/libiberty/./xmalloc.c:149:12
    #2 0x55677123b92f in load_separate_debug_files /binutils/binutils/./dwarf.c:12037:7
    #3 0x5567712238dd in display_object_bfd /binutils/binutils/./objdump.c
    #4 0x5567712238dd in display_any_bfd /binutils/binutils/./objdump.c:5831:5
    #5 0x556771221f03 in display_file /binutils/binutils/./objdump.c:5852:3
    #6 0x556771221f03 in main /binutils/binutils/./objdump.c:6263:6
    #7 0x7fbd3fc44d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /binutils/binutils/elfcomm.c:118:26 in byte_get_little_endian
Shadow bytes around the buggy address:
  0x0c347fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c347fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5088==ABORTING
```

See attached for the full logs.


System environment:

```
[afl++ c338ba581e56] / # clang --version
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
[afl++ c338ba581e56] / # clang++ --version
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
[afl++ c338ba581e56] / # ld.lld-14 --version
Ubuntu LLD 14.0.6 (compatible with GNU linkers)
[afl++ c338ba581e56] / # uname -a
Linux c338ba581e56 5.4.0-146-generic #163-Ubuntu SMP Fri Mar 17 18:26:02 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[afl++ c338ba581e56] / #
```
Comment 1 Alan Modra 2023-04-18 00:10:48 UTC 
*** Bug 30364 has been marked as a duplicate of this bug. ***
Comment 2 Sourceware Commits 2023-04-18 01:50:14 UTC 
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=34d63622f677b577b927debb1d6fd2bfef4422bd

commit 34d63622f677b577b927debb1d6fd2bfef4422bd
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Apr 18 10:20:08 2023 +0930

    objdump buffer overflow in fetch_indexed_string
    
            PR 30361
            * dwarf.c (fetch_indexed_string): Sanity check string index.
Comment 3 Alan Modra 2023-04-18 01:50:47 UTC 
Fixed