Bug 32560 - stack-buffer-overflow at objdump disassemble_bytes (objdump.c:3543:34)
Summary: stack-buffer-overflow at objdump disassemble_bytes (objdump.c:3543:34)
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.43
: P2 normal
Target Milestone: 2.44
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-01-15 03:43 UTC by 孙文举
Modified: 2025-01-16 02:29 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2025-01-15 00:00:00


Attachments
poc (2.48 KB, application/x-object)
2025-01-15 03:43 UTC, 孙文举

Description 孙文举 2025-01-15 03:43:45 UTC
Created attachment 15882
poc

Hello,

We are currently working on a fuzz testing feature, and we found a **stack-buffer-overflow** in `objdump`.

The stack trace is as follows:
```
==491939==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff1cad0452 at pc 0x562af39c9768 bp 0x7fff1cad0370 sp 0x7fff1cad0368
WRITE of size 1 at 0x7fff1cad0452 thread T0
    #0 0x562af39c9767 in disassemble_bytes /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:3543:34
    #1 0x562af39c1843 in disassemble_section /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:4116:4
    #2 0x562af3b8125a in bfd_map_over_sections /data/swj/optfuzz/benchmark/binutils-2.43/bfd/section.c:1387:5
    #3 0x562af39b827a in disassemble_data /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:4264:3
    #4 0x562af39b3858 in dump_bfd /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:5795:2
    #5 0x562af39b2989 in display_object_bfd /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:5856:7
    #6 0x562af39b2894 in display_any_bfd /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:5943:5
    #7 0x562af39b16bb in display_file /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:5964:3
    #8 0x562af39afe10 in main /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:6381:6
    #9 0x7f33a2e65082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x562af38ef61d in _start (/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/objdump+0x1dd61d) (BuildId: d2dc746ba5756ca34e6ed66603247470b04d42fe)

Address 0x7fff1cad0452 is located in stack of thread T0 at offset 210 in frame
    #0 0x562af39c785f in disassemble_bytes /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:3274

  This frame has 3 object(s):
    [32, 56) 'sfile' (line 3284)
    [96, 126) 'buf' (line 3307)
    [160, 210) 'buf127' (line 3394) <== Memory access at offset 210 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:3543:34 in disassemble_bytes

```

**Steps to reproduce**

We configured `objdump` using

`CFLAGS="-g -fsanitize=address" ./configure --prefix=$(pwd)/ ` 

and built it using `make -j`, and ran it with:

```
./objdump --insn-width 64 -d 
```

The input file is attached.

**Environment**
- OS: Ubuntu 20.04.6 LTS
- Clang version: Ubuntu clang version 14.0.6
- binutils version: 2.43 https://ftp.gnu.org/gnu/binutils/binutils-2.43.tar.xz

Thank you.
Comment 1 Sourceware Commits 2025-01-15 08:50:17 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893

commit baac6c221e9d69335bf41366a1c7d87d8ab2f893
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Jan 15 19:13:43 2025 +1030

    PR32560 stack-buffer-overflow at objdump disassemble_bytes
    
    There's always someone pushing the boundaries.
    
            PR 32560
            * objdump.c (MAX_INSN_WIDTH): Define.
            (insn_width): Make it an unsigned long.
            (disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
            (main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
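The pattern described in the ChangeLog above, as an added illustration that is not binutils' own code: the `--insn-width` value is range-checked at option parsing time, and the hex-formatting buffer is sized from the same `MAX_INSN_WIDTH` constant that bounds it. The cap value 49, the buffer layout and the helper names are assumptions, not objdump's identifiers.

```c
/* Added illustration for PR 32560; not binutils' own code.  A width taken
   from the --insn-width option must be range-checked before it drives
   writes into a fixed-size stack buffer.  MAX_INSN_WIDTH's value and the
   helper names here are assumptions, not objdump's identifiers.  */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INSN_WIDTH 49                  /* assumed cap on --insn-width */
#define INSN_BUF_SIZE (MAX_INSN_WIDTH * 3) /* "xx " per byte, incl. NUL   */

/* Parse an --insn-width argument into *WIDTH.  Returns 0 on success and
   -1 when the text is not a number or lies outside 1..MAX_INSN_WIDTH,
   so a value such as 64 is rejected before any buffer is touched.  */
static int
parse_insn_width (const char *arg, unsigned long *width)
{
  char *end;
  unsigned long v;

  errno = 0;
  v = strtoul (arg, &end, 0);
  if (*arg == '\0' || *arg == '-' || *end != '\0' || errno != 0
      || v < 1 || v > MAX_INSN_WIDTH)
    return -1;
  *width = v;
  return 0;
}

/* Render WIDTH bytes as "xx xx ..." into BUF.  Returns the length written,
   or -1 if WIDTH would not fit: the buffer is sized from the same constant
   that bounds WIDTH, so the two cannot drift apart.  */
static int
format_insn_bytes (const unsigned char *bytes, unsigned long width,
                   char *buf, size_t bufsz)
{
  size_t pos = 0;

  if (width < 1 || width > MAX_INSN_WIDTH || width * 3 > bufsz)
    return -1;
  for (unsigned long i = 0; i < width; i++)
    pos += (size_t) snprintf (buf + pos, bufsz - pos, "%02x%s", bytes[i],
                              i + 1 < width ? " " : "");
  return (int) pos;
}
```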
Comment 2 Alan Modra 2025-01-16 02:29:42 UTC
Fixed for 2.44