Bug 33637 - objdump aborts with SIGABRT when processing malformed input (binutils 2.44)
Summary: objdump aborts with SIGABRT when processing malformed input (binutils 2.44)
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.44
Importance: P2 normal
Target Milestone: 2.46
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-11-17 01:01 UTC by 970429025
Modified: 2026-03-06 01:46 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2025-11-29 00:00:00


Attachments
The PoC attachment contains the input file that triggers the crash (Assert_Fail). (2.29 KB, application/x-zip-compressed)
2025-11-17 01:01 UTC, 970429025

Description 970429025 2025-11-17 01:01:54 UTC
Created attachment 16468
The PoC attachment contains the input file that triggers the crash (Assert_Fail).

Overview:
Running objdump (binutils 2.44) with a specific input file causes the program to terminate with SIGABRT.
The program does not exit gracefully and instead terminates via abort().

Steps to Reproduce:
./objdump --source-comment Assert_Fail

Actual Results:
objdump prints multiple warnings and then aborts with SIGABRT.

GDB output excerpt:
warning: Error disabling address space randomization: Operation not permitted
objdump: warning: Assert_Fail has a section extending past end of file
objdump: Assert_Fail: invalid string offset 2359296 >= 83 for section `.strtab'

Can't get contents for section '.debug_addr'.
objdump: Assert_Fail(.debug_str_offsets): relocation 9 has invalid symbol index 132
objdump: Assert_Fail(.debug_str_offsets): relocation 10 has invalid symbol index 3736014657
objdump: Assert_Fail(.debug_str_offsets): relocation 11 has invalid symbol index 521076736
objdump: Assert_Fail(.debug_str_offsets): relocation 12 has invalid symbol index 147096392
objdump: Assert_Fail(.debug_str_offsets): relocation 18 has invalid symbol index 1852255751
objdump: Assert_Fail(.debug_str_offsets): relocation 20 has invalid symbol index 7499640

Can't get contents for section '.debug_str_offsets'.
objdump: Warning: Bogus end-of-siblings marker detected at offset 18 in .debug_info section
objdump: Warning: Bogus end-of-siblings marker detected at offset 22 in .debug_info section
objdump: Warning: Bogus end-of-siblings marker detected at offset 23 in .debug_info section
objdump: Warning: Further warnings about bogus end-of-sibling markers suppressed
objdump: Warning: Unrecognized form: 0x51
objdump: Error: Unhandled data length: 0

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007873237a37f1 in __GI_abort () at abort.c:79
#2  0x00000000004ca4a6 in byte_get_little_endian (field=field@entry=0x3786b980 "\234", size=size@entry=0) at ../../binutils-2.44/binutils/elfcomm.c:173
#3  0x0000000000479d66 in fetch_indexed_offset (idx=0, sec_enum=loclists, base_address=0, offset_size=0) at ../../binutils-2.44/binutils/dwarf.c:757
#4  read_and_display_attr_value (attribute=attribute@entry=2, form=form@entry=34, implicit_const=implicit_const@entry=-1, start=start@entry=0x3786e470 "\a\001",
    data=0x3786e4ea "\016\001\"\365", data@entry=0x3786e4e9 "", end=end@entry=0x3786e57b "", cu_offset=0, pointer_size=8, offset_size=4, dwarf_version=5,
    debug_info_p=0x3786ba30, do_loc=1, section=0xadefb0 <debug_displays+336>, this_set=0x0, delimiter=32 ' ', level=-4) at ../../binutils-2.44/binutils/dwarf.c:2961
#5  0x00000000004558df in read_and_display_attr (attribute=2, form=34, implicit_const=-1, start=0x7873237a1e87 <__GI_raise+199> "H\213\214$\b\001", data=0x0, cu_offset=0,
    pointer_size=8, dwarf_version=5, debug_info_p=0x3786ba30, do_loc=1, section=0xadefb0 <debug_displays+336>, this_set=0x0, level=-4, end=<optimized out>,
    offset_size=<optimized out>) at ../../binutils-2.44/binutils/dwarf.c:3492
#6  process_debug_info (section=0xadefb0 <debug_displays+336>, file=file@entry=0x3786a3f0, abbrev_sec=abbrev_sec@entry=abbrev, do_loc=true, do_types=true)
    at ../../binutils-2.44/binutils/dwarf.c:4295
#7  0x0000000000451b7e in load_separate_debug_files (file=file@entry=0x3786a3f0, filename=filename@entry=0x3786a570 "Assert_Fail") at ../../binutils-2.44/binutils/dwarf.c:12482
#8  0x0000000000439a81 in dump_bfd (abfd=abfd@entry=0x3786a3f0, is_mainfile=140) at ../../binutils-2.44/binutils/objdump.c:5659
#9  0x0000000000439724 in display_object_bfd (abfd=abfd@entry=0x3786a3f0) at ../../binutils-2.44/binutils/objdump.c:5855
#10 0x00000000004394f1 in display_any_bfd (file=file@entry=0x3786a3f0, level=level@entry=0) at ../../binutils-2.44/binutils/objdump.c:5934
#11 0x000000000043767c in display_file (filename=0x7ffcd09c5575 "Assert_Fail", target=0x0) at ../../binutils-2.44/binutils/objdump.c:5955
#12 main (argc=<optimized out>, argv=<optimized out>) at ../../binutils-2.44/binutils/objdump.c:6364
(gdb)

Expected Results:
objdump should handle such errors by exiting gracefully after reporting them, rather than terminating via SIGABRT.

Build & Platform:
binutils version: 2.44
component: objdump
OS: Ubuntu 18.04.6 LTS
arch: x86_64

Additional Information:
The PoC attachment contains the input file that triggers the crash (Assert_Fail).
Crash type: SIGABRT.
Fully reproducible.
Comment 1 970429025 2025-11-23 21:17:01 UTC
This issue still reproduces on latest master.
Comment 2 Sourceware Commits 2025-11-30 03:31:44 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cdb728d4da6184631989b192f1022c219dea7677

commit cdb728d4da6184631989b192f1022c219dea7677
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Nov 30 12:51:54 2025 +1030

    PR 33637, abort in byte_get
    
    When DWARF5 support was added to binutils in commit 77145576fadc,
    the loop over CUs in process_debug_info set do_types when finding a
    DW_UT_type unit, in order to process the signature and type offset
    entries.  Unfortunately that broke debug_information/debug_info_p
    handling, which previously was allocated and initialised for each unit
    in .debug_info.  debug_info_p was NULL when processing a DWARF4
    .debug_types section.  After the 77145576fadc change it was possible
    for debug_info_p to be non-NULL but point to zeroed data, in
    particular a zeroed offset_size.  A zero for offset_size led to the
    byte_get_little_endian abort triggered by the fuzzer testcase.
    
    I haven't investigated whether there is any need for a valid
    offset_size when processing a non-fuzzed DWARF4 .debug_types section.
    Presumably we'd have found that out in the last 6 years if that was
    the case.  We don't want to change debug_information[] for
    .debug_types!
    
            PR 33637
            * dwarf.c (process_debug_info): Don't change DO_TYPES flag bit
            depending on cu_unit_type.  Instead test cu_unit_type along
            with DO_TYPES to handle signature and type_offset for a type
            unit.  Move find_cu_tu_set_v2 call a little later.
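The failure mode the commit message describes is a derived size (offset_size) that is zero because the per-unit state was never initialised, and a low-level byte reader that treats an unsupported length as fatal. The following is an added illustration, written for this page and not code from binutils: the struct, function names and sample table are hypothetical, but the shape of the check mirrors the defensive pattern a parser needs at this layer, namely validating the size and bounds before the reader is entered so that a zeroed unit record produces a reported error rather than an abort().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian field reader that rejects unsupported sizes instead of
   aborting.  In the bug, the reader in elfcomm.c was reached with
   size == 0 and the process terminated via abort().  Hypothetical name. */
bool
byte_get_le_checked (const unsigned char *field, size_t size, uint64_t *out)
{
  uint64_t v = 0;
  switch (size)
    {
    case 1: case 2: case 4: case 8:
      for (size_t i = 0; i < size; i++)
        v |= (uint64_t) field[i] << (8 * i);
      *out = v;
      return true;
    default:
      /* Unsupported length: report it and let the caller recover. */
      fprintf (stderr, "error: unhandled data length %zu\n", size);
      return false;
    }
}

/* Per-unit state (hypothetical layout).  The bug came from a record like
   this being zero-filled, so offset_size was 0 for a DWARF4 type unit. */
struct unit_info
{
  const unsigned char *section;   /* start of the offset-table section */
  size_t section_len;
  uint64_t base_address;          /* start of the table within the section */
  unsigned int offset_size;       /* 4 or 8 for valid DWARF; 0 when unset */
};

/* Fetch entry IDX from an offset table.  offset_size and the bounds are
   validated before any byte is read, so a zeroed unit_info yields an
   error return, not an abort. */
bool
fetch_indexed_offset_checked (const struct unit_info *cu, uint64_t idx,
                              uint64_t *out)
{
  if (cu->offset_size != 4 && cu->offset_size != 8)
    {
      fprintf (stderr, "error: invalid offset size %u\n", cu->offset_size);
      return false;
    }
  /* Guard the multiplication and addition against wrap-around. */
  if (idx > (UINT64_MAX - cu->base_address) / cu->offset_size)
    return false;
  uint64_t off = cu->base_address + idx * cu->offset_size;
  if (off > cu->section_len || cu->offset_size > cu->section_len - off)
    {
      fprintf (stderr, "error: index %llu lies outside the section\n",
               (unsigned long long) idx);
      return false;
    }
  return byte_get_le_checked (cu->section + off, cu->offset_size, out);
}

/* Constructed sample table: three 4-byte little-endian entries. */
static const unsigned char sample_table[] = {
  0x10, 0x00, 0x00, 0x00,
  0x20, 0x00, 0x00, 0x00,
  0x78, 0x56, 0x34, 0x12,
};

/* Look up entry IDX for a unit whose offset_size is OFFSET_SIZE.
   Returns the entry value, or -1 when the lookup is rejected. */
int64_t
lookup_offset (unsigned int offset_size, uint64_t idx)
{
  struct unit_info cu = { sample_table, sizeof sample_table, 0, offset_size };
  uint64_t v;
  if (!fetch_indexed_offset_checked (&cu, idx, &v))
    return -1;
  return (int64_t) v;
}

int
main (void)
{
  printf ("entry 2 (4-byte): %lld\n", (long long) lookup_offset (4, 2));
  printf ("zeroed unit record: %lld\n", (long long) lookup_offset (0, 0));
  printf ("entry 3 (past end): %lld\n", (long long) lookup_offset (4, 3));
  return 0;
}
```

The second call models the bug's condition: a unit record whose offset_size was never set. With the validation in place it is reported and the caller moves on, which is the behaviour the report's "Expected Results" asks for; without it the zero would reach the reader's default branch.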
Comment 3 Alan Modra 2025-11-30 03:35:02 UTC
Fixed for 2.46.
Comment 4 970429025 2026-03-06 01:46:05 UTC
This issue has been assigned CVE-2025-69645