https://sourceware.org/bugzilla/show_bug.cgi?id=31873

            Bug ID: 31873
           Summary: Heap-buffer-overflow in objdump (`bfd_getl32`)
           Product: binutils
           Version: 2.42
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: g.priamo at diag dot uniroma1.it
  Target Milestone: ---

Created attachment 15575
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15575&action=edit
Testcase

### Describe the bug 

AddressSanitizer: heap-buffer-overflow in objdump (`bfd_getl32`).

### To Reproduce

Cloned binutils from git://sourceware.org/git/binutils-gdb.git and built
version 2.42.50.20240610 taking inspiration from the build script in
[oss-fuzz](https://github.com/google/oss-fuzz/blob/master/projects/binutils/build.sh):

```
# ASAN build, mirroring the oss-fuzz flags
export CFLAGS="-O0 -g -fno-omit-frame-pointer -fno-function-sections -fno-unique-section-names -fsanitize=address"

# comment out the stderr diagnostics in elfcomm.c, as the oss-fuzz script does
cd binutils
sed -i 's/vfprintf (stderr/\/\//' elfcomm.c
sed -i 's/fprintf (stderr/\/\//' elfcomm.c
cd ../

./configure --disable-gdb --disable-gdbserver --disable-gdbsupport \
            --disable-libdecnumber --disable-readline --disable-sim \
            --disable-libbacktrace --disable-gas --disable-ld --disable-werror \
            --enable-targets=all
make clean
make MAKEINFO=true && true
```

The crash also reproduces with this simpler build configuration:
```
./configure --enable-targets=all
make
```

### ASAN Output

```
./objdump -x testcase


testcase:     file format vms-alpha
testcase
architecture: alpha, flags 0x0000004c:
HAS_LINENO, HAS_DEBUG, DYNAMIC
start address 0x0000000000000000
EIHD: (size: 0, nbr blocks: 1848401005)
 majorid: 3, minorid: 0
 image type: 16843047 (unknown), subtype: 1032716545 (unknown)
 offsets: isd: 0, activ: 0, symdbg: 16, imgid: 2, patch: 6
 fixup info rva: f900010100000000, symbol vector rva: 01019d0000000000
 version array off: 0
 img I/O count: 16777216, nbr channels: 16857857, req pri: 6f6d2d6f796d2d01
 linker flags: 302c6f74: NOP0BUFS P0IMAGE DBGDMT INISHR BIND_CODE_SEC
BIND_DATA_SEC MKTHREADS UPCALLS EXT_BIND_SECT
 ident: 0x33313831, sysver: 0x01010107, match ctrl: 60, symvect_size: 385941789
 BPAGE: 17153, ext fixup offset: 17039360, no_opt psect off: 1685091941, alias:
257
Image identification: (major: 0, minor: 0)
 image name       : 
 link time        : Thu Jan  1 01:00:00 1970
 image ident      : =
 linker ident     : om\,nto,01813<
 image build ident: 
Image symbol & debug table: (major: 0, minor: 16)
 debug symbol table : vbn: 2, size: 6 (0x6)
 global symbol table: vbn: 0, records: 4177527041
 debug module table : vbn: 0, size: 16882944
Debug symbol table:
 type: 171, len:  93 (at 0x00000000): recbeg: name: 
    vflags: 0x00, value: 0xff050100 (reg: 0, disp: 0, indir: 0, kind: literal)
=================================================================
==796203==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6080000000f9 at pc 0x000000b722dd bp 0x7ffe506ed410 sp 0x7ffe506ed408
READ of size 1 at 0x6080000000f9 thread T0
    #0 0xb722dc in bfd_getl32 bfd/libbfd.c:846:18
    #1 0x1420527 in evax_bfd_print_dst bfd/vms-alpha.c:7734:18
    #2 0x141d6eb in evax_bfd_print_image bfd/vms-alpha.c:8533:7
    #3 0x13faef9 in vms_bfd_print_private_bfd_data bfd/vms-alpha.c:8751:5
    #4 0x4d49ab in dump_bfd_private_header binutils/./objdump.c:5010:8
    #5 0x4d368d in dump_bfd binutils/./objdump.c:5702:2
    #6 0x4d2cdf in display_object_bfd binutils/./objdump.c:5852:7
    #7 0x4d2be0 in display_any_bfd binutils/./objdump.c:5939:5
    #8 0x4d19dc in display_file binutils/./objdump.c:5960:3
    #9 0x4d0006 in main binutils/./objdump.c:6377:6
    #10 0x7f188f38c082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #11 0x41d6ad in _start (target+0x41d6ad)

0x6080000000f9 is located 0 bytes to the right of 89-byte region
[0x6080000000a0,0x6080000000f9)
allocated by thread T0 here:
    #0 0x49834d in malloc
/tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb71032 in bfd_malloc bfd/libbfd.c:291:9
    #2 0x13ffb4c in _bfd_malloc_and_read bfd/./libbfd.h:927:9
    #3 0x141f0f9 in evax_bfd_print_dst bfd/vms-alpha.c:7526:10
    #4 0x141d6eb in evax_bfd_print_image bfd/vms-alpha.c:8533:7
    #5 0x13faef9 in vms_bfd_print_private_bfd_data bfd/vms-alpha.c:8751:5
    #6 0x4d49ab in dump_bfd_private_header binutils/./objdump.c:5010:8
    #7 0x4d368d in dump_bfd binutils/./objdump.c:5702:2
    #8 0x4d2cdf in display_object_bfd binutils/./objdump.c:5852:7
    #9 0x4d2be0 in display_any_bfd binutils/./objdump.c:5939:5
    #10 0x4d19dc in display_file binutils/./objdump.c:5960:3
    #11 0x4d0006 in main binutils/./objdump.c:6377:6
    #12 0x7f188f38c082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-buffer-overflow bfd/libbfd.c:846:18 in
bfd_getl32
Shadow bytes around the buggy address:
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x0c107fff8010: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00[01]
  0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==796203==ABORTING
```
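The report above shows `bfd_getl32` reading the first byte past an 89-byte region that `evax_bfd_print_dst` had just read from the file, while the debug symbol table line printed just before the abort reports a record of `len: 93`. What follows is an added illustration, not code from binutils or from this report: a small DST-style record walker whose 32-bit loads are bounds-checked against the real allocation size rather than against the length a record claims for itself, next to a function that computes how far a reader trusting each record's own length would overrun. The record layout (2-byte little-endian length counting the bytes after the length field, 2-byte type, payload), the `DST_VALUE_REC` type, and the constructed 89-byte sample are assumptions chosen to mirror the numbers in the ASAN output, not the real VMS DST format.

```c
/* Added illustration, not binutils code: a DST-style record walker that
   bounds-checks every 32-bit load against the real buffer size.  Record
   layout assumed here (a simplification, not the real VMS DST format):
   2-byte LE length counting the bytes after the length field, 2-byte LE
   type, then payload; DST_VALUE_REC (hypothetical) carries a u32 at payload[0]. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DST_HDR_LEN   4u     /* length field + type field */
#define DST_VALUE_REC 0xabu  /* hypothetical type carrying a 32-bit value */
#define SAMPLE_LEN    89u    /* matches the region size in the ASAN report */

enum dst_status { DST_OK, DST_TRUNCATED_HEADER, DST_TRUNCATED_RECORD, DST_SHORT_PAYLOAD };
struct dst_summary { size_t records; size_t consumed; uint32_t last_value; };

/* Same semantics as bfd_getl16/bfd_getl32; callers must guarantee the bytes exist. */
static uint16_t getl16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t getl32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* True when [off, off+n) lies inside len bytes; written so off+n cannot wrap. */
static bool in_bounds(size_t len, size_t off, size_t n)
{
    return off <= len && n <= len - off;
}

/* Hardened walker: every load is checked against len (the allocation),
   never against the length a record claims for itself. */
enum dst_status dst_walk(const unsigned char *buf, size_t len, struct dst_summary *s)
{
    size_t off = 0;
    memset(s, 0, sizeof *s);
    while (off < len) {
        if (!in_bounds(len, off, DST_HDR_LEN))
            return DST_TRUNCATED_HEADER;
        size_t rec_len = getl16(buf + off);
        unsigned type = getl16(buf + off + 2);
        size_t payload = off + DST_HDR_LEN;
        if (rec_len < 2 || !in_bounds(len, payload, rec_len - 2))
            return DST_TRUNCATED_RECORD;   /* header claims more than the buffer holds */
        if (type == DST_VALUE_REC) {
            if (rec_len - 2 < 4)
                return DST_SHORT_PAYLOAD;
            s->last_value = getl32(buf + payload);
        }
        s->records++;
        off = payload + (rec_len - 2);
        s->consumed = off;
    }
    return DST_OK;
}

/* Bytes past the end that a reader trusting each record's own length, and
   loading the u32 of every value record unconditionally, would reach.
   It only computes the extent; it never touches the bytes. */
size_t dst_naive_overrun(const unsigned char *buf, size_t len)
{
    size_t off = 0, worst = 0;
    while (in_bounds(len, off, DST_HDR_LEN)) {
        size_t rec_len = getl16(buf + off);
        if (getl16(buf + off + 2) == DST_VALUE_REC && !in_bounds(len, off + DST_HDR_LEN, 4)) {
            size_t over = off + DST_HDR_LEN + 4 - len;
            if (over > worst)
                worst = over;
        }
        off += 2 + rec_len;
    }
    return worst;
}

static void put_hdr(unsigned char *p, uint16_t rec_len, uint16_t type)
{
    p[0] = rec_len & 0xff; p[1] = rec_len >> 8;
    p[2] = type & 0xff;    p[3] = type >> 8;
}

/* Constructed sample, modelled on the report: two well-formed records, then a
   header at offset 84 claiming len 93 when only 5 bytes remain. */
size_t build_sample(unsigned char *buf, size_t cap)
{
    if (cap < SAMPLE_LEN)
        return 0;
    memset(buf, 0, SAMPLE_LEN);
    put_hdr(buf, 6, DST_VALUE_REC);             /* 8-byte record, value 0x11223344 */
    buf[4] = 0x44; buf[5] = 0x33; buf[6] = 0x22; buf[7] = 0x11;
    put_hdr(buf + 8, 74, 0x01);                 /* 76-byte filler record */
    put_hdr(buf + 84, 93, DST_VALUE_REC);       /* truncated: would end at 84 + 2 + 93 */
    return SAMPLE_LEN;
}

int main(void)
{
    unsigned char buf[SAMPLE_LEN];
    struct dst_summary s;
    build_sample(buf, sizeof buf);
    enum dst_status st = dst_walk(buf, sizeof buf, &s);
    printf("status %d, %zu records, %zu bytes consumed, last value 0x%08x\n",
           (int)st, s.records, s.consumed, s.last_value);
    printf("naive reader would read %zu byte(s) past the buffer\n", dst_naive_overrun(buf, sizeof buf));
    return st == DST_TRUNCATED_RECORD ? 0 : 1;
}
```

The check that matters is `in_bounds(len, payload, rec_len - 2)` before any field is read: it compares the record's self-declared size with the bytes actually left in the allocation, and it is written as `n <= len - off` so a large record length cannot wrap the addition. On the constructed sample the hardened walker stops at the third record with `DST_TRUNCATED_RECORD`, while the naive extent computation reports that an unchecked `getl32` on that record would reach 3 bytes past the buffer.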

### Environment info

`uname -a` output: Linux ThinkPad 5.15.0-107-generic #117~20.04.1-Ubuntu SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux


### Notes
This crash might be related to bug #21618
(https://sourceware.org/bugzilla/show_bug.cgi?id=21618), whose status is
RESOLVED FIXED; this might be a corner case not covered by the fix.

### Testcase
See attached testcase file
