Created attachment 16344
POC

## Description

- Version: Binutils 2.45
- Environment: Ubuntu 20.04.6 LTS, GCC 9.4.0

## Steps to reproduce

export CFLAGS="-g3"
./configure
make -j
./binutils/objdump -S -D -x -s -Z -g -e -G -T -t -L -R --disassemble-zeroes --insn-width=32 --disassembler-color=extended $POC

## Output

root@7328863e3119:/benchmark/bin/binutils-2.45/binutils# ./objdump -S -D -x -s -Z -g -e -G -T -t -L -R --disassemble-zeroes --insn-width=32 --disassembler-color=extended objdump_crash_2.in
objdump_crash_2.in
architecture: i386:x86-64, flags 0x0000013e:
EXEC_P, HAS_LINENO, HAS_DEBUG, HAS_SYMS, HAS_LOCALS, D_PAGED
start address 0x7f06160493280000

Characteristics 0x3
        relocations stripped
        executable

Time/Date               Wed Jul  2 17:50:28 2104
Magic                   0000
MajorLinkerVersion      0
MinorLinkerVersion      0
SizeOfCode              0000000000000000
SizeOfInitializedData   0000000000000000
SizeOfUninitializedData 0000000000000000
AddressOfEntryPoint     0000000000000000
BaseOfCode              0000000000000000
ImageBase               0000000000000000
SectionAlignment        00000000
FileAlignment           00000000
MajorOSystemVersion     0
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   0
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00000000
SizeOfHeaders           00000000
CheckSum                00000000
Subsystem               00000000        (unspecified)
DllCharacteristics      00000000
SizeOfStackReserve      0000000000000000
SizeOfStackCommit       0000000000000000
SizeOfHeapReserve       0000000000000000
SizeOfHeapCommit        0000000000000000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000000

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
./objdump: objdump_crash_2.in: not a dynamic object
SYMBOL TABLE:
[  0](sec -1)(fl 0x00)(ty  5ff)(scl   3) (nx 2) 0x0000000000000000 ���
AUX lnno 2056 size 0x808 tagndx 16
AUX lnno 0 size 0xc00 tagndx 201654285
[  3](sec 2056)(fl 0x00)(ty   25)(scl   6) (nx 0) 0x0000000008080820
[  4](sec 250)(fl 0x00)(ty fa00)(scl 255) (nx 0) 0x000000000dbb0000
[  5](sec 35)(fl 0x00)(ty e567)(scl   4) (nx 8) 0x0000000000000000
AUX lnno 65535 size 0x16 tagndx 4293722240
AUX lnno 1024 size 0x0 tagndx 1677721344
AUX lnno 2279 size 0xff7f tagndx 4279238689
AUX lnno 221 size 0x11 tagndx 4278190208
AUX lnno 64768 size 0x0 tagndx 1048576
AUX lnno 257 size 0x101 tagndx 16843009
AUX lnno 258 size 0x101 tagndx 16843009
AUX lnno 5381 size 0x0 tagndx 184549631
[ 14](sec 8)(fl 0x00)(ty   20)(scl   6) (nx 1) 0x0000000008080820
AUX lnno 42423 size 0xc00 tagndx 4292804635
[ 16](sec 2056)(fl 0x00)(ty   17)(scl  12) (nx 1) 0x0000000080080820 w��
AUX lnno 42424 size 0x1 tagndx 0
[ 18](sec 35)(fl 0x00)(ty  168)(scl  18) (nx 8) 0x0000000000000000
AUX lnno 65535 size 0x96 tagndx 4293722112
AUX lnno 1024 size 0x0 tagndx 1677721344
AUX lnno 2279 size 0xff7f tagndx 4279238689
AUX lnno 0 size 0x11 tagndx 113
AUX lnno 64768 size 0x0 tagndx 1048576
AUX lnno 65284 size 0x7f7f tagndx 32512
AUX lnno 257 size 0x101 tagndx 16842981
AUX lnno 5 size 0x0 tagndx 184549631
[ 27](sec -1528)(fl 0x00)(ty   26)(scl   6) (nx 0) 0x0000000008080820

DYNAMIC SYMBOL TABLE:
no symbols

!_TAG_FILE_FORMAT       2       /extended format/
!_TAG_FILE_SORTED       0       /0=unsorted, 1=sorted/
!_TAG_PROGRAM_AUTHOR    Ian Lance Taylor, Salvador E. Tropea and others //
!_TAG_PROGRAM_NAME      objdump /From GNU binutils/
int     objdump_crash_2.in      0;"     kind:t  type:int32
int     objdump_crash_2.in      0;"     kind:t  type:int32
Aborted (core dumped)

## GDB Output

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f7575e02859 in __GI_abort () at abort.c:79
#2  0x0000560b8745b786 in tg_tag_type (p=0x7ffcc3d2ed80, name=0x560b88ba4dd8 "w\005\377\377\005\b\b\b", id=0, kind=DEBUG_KIND_POINTER) at prdbg.c:2452
#3  0x0000560b87460055 in debug_write_type (info=0x560b88ba4e60, fns=0x560b8765f1a0 <tg_fns>, fhandle=0x7ffcc3d2ed80, type=0x560b88ba8218, name=0x0) at debug.c:2466
#4  0x0000560b87460181 in debug_write_type (info=0x560b88ba4e60, fns=0x560b8765f1a0 <tg_fns>, fhandle=0x7ffcc3d2ed80, type=0x560b88ba4f88, name=0x0) at debug.c:2496
#5  0x0000560b874604da in debug_write_type (info=0x560b88ba4e60, fns=0x560b8765f1a0 <tg_fns>, fhandle=0x7ffcc3d2ed80, type=0x560b88ba4fb8, name=0x0) at debug.c:2560
#6  0x0000560b874604da in debug_write_type (info=0x560b88ba4e60, fns=0x560b8765f1a0 <tg_fns>, fhandle=0x7ffcc3d2ed80, type=0x560b88ba4fd8, name=0x0) at debug.c:2560
#7  0x0000560b874606c7 in debug_write_type (info=0x560b88ba4e60, fns=0x560b8765f1a0 <tg_fns>, fhandle=0x7ffcc3d2ed80, type=0x560b88ba5110, name=0x0) at debug.c:2593
#8  0x0000560b874606c7 in debug_write_type (info=0x560b88ba4e60, fns=0x560b8765f1a0 <tg_fns>, fhandle=0x7ffcc3d2ed80, type=0x560b88ba51d0, name=0x0) at debug.c:2593
#9  0x0000560b8745fd35 in debug_write_name (info=0x560b88ba4e60, fns=0x560b8765f1a0 <tg_fns>, fhandle=0x7ffcc3d2ed80, n=0x560b88ba5218) at debug.c:2384
#10 0x0000560b8745fb88 in debug_write (handle=0x560b88ba4e60, fns=0x560b8765f1a0 <tg_fns>, fhandle=0x7ffcc3d2ed80) at debug.c:2352
#11 0x0000560b87456a68 in print_debugging_info (f=0x7f7575fcd6a0 <_IO_2_1_stdout_>, dhandle=0x560b88ba4e60, abfd=0x560b88ba4310, syms=0x560b88ba5d90, demangler=0x560b874b278c <bfd_demangle>, as_tags=true) at prdbg.c:296
#12 0x0000560b87424cde in dump_bfd (abfd=0x560b88ba4310, is_mainfile=true) at ./objdump.c:5860
#13 0x0000560b87424e42 in display_object_bfd (abfd=0x560b88ba4310) at ./objdump.c:5911
#14 0x0000560b874250a7 in display_any_bfd (file=0x560b88ba4310, level=0) at ./objdump.c:5990
#15 0x0000560b8742511c in display_file (filename=0x7ffcc3d2f81d "objdump_crash_2.in", target=0x0) at ./objdump.c:6011
#16 0x0000560b8742604d in main (argc=17, argv=0x7ffcc3d2f048) at ./objdump.c:6438

## Credit

Reported by Yifan Zhang, [PLL](https://pl.cs.pku.edu.cn/en/)
Note: this bug has been assigned a CVE number: CVE-2025-11839. Strictly speaking, however, this should not have happened, because the bug does not affect a binary generation tool (i.e. the assembler and linker).
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe

commit 12ef7d5b7b02d0023db645d86eb9d0797bc747fe
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 3 11:49:02 2025 +0000

    Remove call to abort in the DGB debug format printing code, thus allowing the display of a fuzzed input file to complete without triggering an abort.

    PR 33448
I have removed the call to abort() so the dump now ends without crashing. Instead it prints:

objdump: objdump_crash_2.in: printing debugging information failed
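The pattern behind that fix, as an added example in C. This is illustrative code written for this page, not binutils' prdbg.c or anything from the commit above, and every name in it (type_node, tag_kind_letter, write_tag_line, tag_line_of, print_debugging_info, the sample arrays and the file names) is hypothetical. The point it demonstrates is the one the backtrace shows: a printer for the tags format meets a type kind it has no representation for (DEBUG_KIND_POINTER in the report), and the safe reaction to an inconsistency that originates in an untrusted input file is to fail that file's dump with a diagnostic, not to abort() the whole process.

```c
/* Added example for this bug page, not binutils code.  A tag-format
   printer that cannot describe a type kind reports failure to its caller
   instead of calling abort(), so a malformed input file ends the dump
   with an error message rather than a core dump.  All names here are
   hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A deliberately tiny type model; the real one in binutils is far larger. */
enum type_kind { KIND_INT, KIND_STRUCT, KIND_UNION, KIND_ENUM, KIND_POINTER };

struct type_node {
  enum type_kind kind;
  const char *name;   /* NULL for anonymous types */
};

/* Map a kind to its ctags "kind:" letter.  The tag writer only knows how to
   describe aggregate kinds; anything else coming out of the debug reader is
   an inconsistency in the input file.  Returning '\0' lets the caller treat
   it as "this file's debug info cannot be printed"; the pre-fix shape of
   this switch had abort() in the default arm. */
char tag_kind_letter(enum type_kind kind)
{
  switch (kind) {
    case KIND_STRUCT: return 's';
    case KIND_UNION:  return 'u';
    case KIND_ENUM:   return 'g';
    default:          return '\0';   /* was abort() */
  }
}

/* Formats one ctags-style line, "name<TAB>file<TAB>0;\"<TAB>kind:X", into
   buf.  Returns false for any input it cannot describe or on truncation. */
bool write_tag_line(const struct type_node *t, const char *file,
                    char *buf, size_t len)
{
  if (t == NULL || t->name == NULL || file == NULL || buf == NULL)
    return false;
  char k = tag_kind_letter(t->kind);
  if (k == '\0')
    return false;
  int n = snprintf(buf, len, "%s\t%s\t0;\"\tkind:%c", t->name, file, k);
  return n > 0 && (size_t)n < len;
}

/* Convenience wrapper returning a static buffer, or NULL on failure. */
const char *tag_line_of(const struct type_node *t, const char *file)
{
  static char buf[256];
  return write_tag_line(t, file, buf, sizeof buf) ? buf : NULL;
}

/* Top level: emits one tag line per type.  Returns the number written, or
   -1 after printing the same diagnostic the fixed objdump prints, so the
   caller can carry on with the next section or file. */
int print_debugging_info(const struct type_node *types, size_t count,
                         const char *file, FILE *out)
{
  char line[256];
  int written = 0;
  for (size_t i = 0; i < count; i++) {
    if (!write_tag_line(&types[i], file, line, sizeof line)) {
      fprintf(stderr, "objdump: %s: printing debugging information failed\n",
              file);
      return -1;
    }
    if (out != NULL)
      fprintf(out, "%s\n", line);
    written++;
  }
  return written;
}

/* Constructed samples: a well-formed list, and one where a pointer type
   appears where the tag writer only expects aggregates, which is the kind
   of inconsistency a fuzzed debug section produces. */
const struct type_node sample_ok[]  = { { KIND_STRUCT, "point" },
                                        { KIND_ENUM,   "color" } };
const struct type_node sample_bad[] = { { KIND_STRUCT,  "point" },
                                        { KIND_POINTER, "p" } };

int main(void)
{
  int good = print_debugging_info(sample_ok,  2, "good.o",   stdout);
  int bad  = print_debugging_info(sample_bad, 2, "fuzzed.o", stdout);
  return (good == 2 && bad == -1) ? 0 : 1;
}
```

The error propagates as a return value rather than a flag in global state so that every caller on the path (the equivalent of debug_write_type, debug_write_name and debug_write in the backtrace) can stop at the first bad node and leave the already-printed output intact.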