https://sourceware.org/bugzilla/show_bug.cgi?id=31873
Bug ID: 31873
Summary: Heap-buffer-overflow in objdump (`bfd_getl32`)
Product: binutils
Version: 2.42
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: g.priamo at diag dot uniroma1.it
Target Milestone: ---

Created attachment 15575
--> https://sourceware.org/bugzilla/attachment.cgi?id=15575&action=edit
Testcase

### Describe the bug

AddressSanitizer: heap-buffer-overflow in objdump (`bfd_getl32`).

### To Reproduce

Cloned binutils from git://sourceware.org/git/binutils-gdb.git and built version 2.42.50.20240610, taking inspiration from the build script in [oss-fuzz](https://github.com/google/oss-fuzz/blob/master/projects/binutils/build.sh):

```
export CFLAGS="-O0 -g -fno-omit-frame-pointer -fno-function-sections -fno-unique-section-names -fsanitize=address"
cd binutils
sed -i 's/vfprintf (stderr/\/\//' elfcomm.c
sed -i 's/fprintf (stderr/\/\//' elfcomm.c
cd ../
./configure --disable-gdb --disable-gdbserver --disable-gdbsupport \
    --disable-libdecnumber --disable-readline --disable-sim \
    --disable-libbacktrace --disable-gas --disable-ld --disable-werror \
    --enable-targets=all
make clean
make MAKEINFO=true && true
```

The crash also reproduces with this simpler build configuration:

```
./configure --enable-targets=all
make
```

### ASAN Output

```
./objdump -x testcase

testcase:     file format vms-alpha
testcase
architecture: alpha, flags 0x0000004c:
HAS_LINENO, HAS_DEBUG, DYNAMIC
start address 0x0000000000000000

EIHD: (size: 0, nbr blocks: 1848401005)
 majorid: 3, minorid: 0
 image type: 16843047 (unknown), subtype: 1032716545 (unknown)
 offsets: isd: 0, activ: 0, symdbg: 16, imgid: 2, patch: 6
 fixup info rva: f900010100000000, symbol vector rva: 01019d0000000000
 version array off: 0
 img I/O count: 16777216, nbr channels: 16857857, req pri: 6f6d2d6f796d2d01
 linker flags: 302c6f74: NOP0BUFS P0IMAGE DBGDMT INISHR BIND_CODE_SEC BIND_DATA_SEC MKTHREADS UPCALLS EXT_BIND_SECT
 ident: 0x33313831, sysver: 0x01010107, match ctrl: 60, symvect_size: 385941789
 BPAGE: 17153, ext fixup offset: 17039360, no_opt psect off: 1685091941, alias: 257
Image identification: (major: 0, minor: 0)
 image name       :
 link time        : Thu Jan  1 01:00:00 1970
 image ident      : =
 linker ident     : om\,nto,01813<
 image build ident:
Image symbol & debug table: (major: 0, minor: 16)
 debug symbol table : vbn: 2, size: 6 (0x6)
 global symbol table: vbn: 0, records: 4177527041
 debug module table : vbn: 0, size: 16882944
Debug symbol table:
 type: 171, len: 93 (at 0x00000000): recbeg: name:
  vflags: 0x00, value: 0xff050100
  (reg: 0, disp: 0, indir: 0, kind: literal)
=================================================================
==796203==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6080000000f9 at pc 0x000000b722dd bp 0x7ffe506ed410 sp 0x7ffe506ed408
READ of size 1 at 0x6080000000f9 thread T0
    #0 0xb722dc in bfd_getl32 bfd/libbfd.c:846:18
    #1 0x1420527 in evax_bfd_print_dst bfd/vms-alpha.c:7734:18
    #2 0x141d6eb in evax_bfd_print_image bfd/vms-alpha.c:8533:7
    #3 0x13faef9 in vms_bfd_print_private_bfd_data bfd/vms-alpha.c:8751:5
    #4 0x4d49ab in dump_bfd_private_header binutils/./objdump.c:5010:8
    #5 0x4d368d in dump_bfd binutils/./objdump.c:5702:2
    #6 0x4d2cdf in display_object_bfd binutils/./objdump.c:5852:7
    #7 0x4d2be0 in display_any_bfd binutils/./objdump.c:5939:5
    #8 0x4d19dc in display_file binutils/./objdump.c:5960:3
    #9 0x4d0006 in main binutils/./objdump.c:6377:6
    #10 0x7f188f38c082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #11 0x41d6ad in _start (target+0x41d6ad)

0x6080000000f9 is located 0 bytes to the right of 89-byte region [0x6080000000a0,0x6080000000f9)
allocated by thread T0 here:
    #0 0x49834d in malloc /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb71032 in bfd_malloc bfd/libbfd.c:291:9
    #2 0x13ffb4c in _bfd_malloc_and_read bfd/./libbfd.h:927:9
    #3 0x141f0f9 in evax_bfd_print_dst bfd/vms-alpha.c:7526:10
    #4 0x141d6eb in evax_bfd_print_image bfd/vms-alpha.c:8533:7
    #5 0x13faef9 in vms_bfd_print_private_bfd_data bfd/vms-alpha.c:8751:5
    #6 0x4d49ab in dump_bfd_private_header binutils/./objdump.c:5010:8
    #7 0x4d368d in dump_bfd binutils/./objdump.c:5702:2
    #8 0x4d2cdf in display_object_bfd binutils/./objdump.c:5852:7
    #9 0x4d2be0 in display_any_bfd binutils/./objdump.c:5939:5
    #10 0x4d19dc in display_file binutils/./objdump.c:5960:3
    #11 0x4d0006 in main binutils/./objdump.c:6377:6
    #12 0x7f188f38c082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-buffer-overflow bfd/libbfd.c:846:18 in bfd_getl32
Shadow bytes around the buggy address:
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x0c107fff8010: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00[01]
  0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==796203==ABORTING
```

### Environment info

`uname -a` output:

```
Linux ThinkPad 5.15.0-107-generic #117~20.04.1-Ubuntu SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
```

### Notes

This crash might be related to bug #21618 (https://sourceware.org/bugzilla/show_bug.cgi?id=21618), whose status is RESOLVED FIXED; this might be a corner case not covered by the fix.

### Testcase

See attached testcase file.
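The ASAN report shows a DST record whose declared length (93) is larger than the 89-byte buffer the reader allocated, so the unchecked little-endian reads run off its end. The example below is added here and is not binutils code: it uses a hypothetical, simplified record layout (2-byte length, 1-byte type, payload), not the real VMS DST format, to show the length-versus-remaining-bytes check and a bounds-checked `bfd_getl32`-style reader that such a parser needs.

```c
#include <stddef.h>
#include <stdint.h>

/* Little-endian 32-bit read in the spirit of bfd_getl32, but bounds-checked:
   returns the value, or -1 instead of touching bytes past the end of `buf`. */
static long long getl32_checked(const unsigned char *buf, size_t buflen, size_t off)
{
    if (off > buflen || buflen - off < 4)
        return -1;
    return (long long)((uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24));
}

/* Hypothetical, simplified record layout (NOT the real VMS DST layout): 2-byte LE
   length covering the whole record, 1-byte type, then payload. Returns the number
   of records walked, or -1 as soon as a record's declared length does not fit in
   the bytes actually present, which is the check the crash above lacks. */
static int walk_records(const unsigned char *buf, size_t buflen)
{
    size_t off = 0;
    int count = 0;
    while (off < buflen) {
        if (buflen - off < 3)
            return -1;                           /* truncated record header */
        size_t len = (size_t)buf[off] | ((size_t)buf[off + 1] << 8);
        if (len < 3 || len > buflen - off)
            return -1;                           /* declared length overruns the buffer */
        size_t end = off + len;
        for (size_t p = off + 3; end - p >= 4; p += 4)
            if (getl32_checked(buf, end, p) < 0) /* reads stay inside this record */
                return -1;
        off = end;
        count++;
    }
    return count;
}

/* Constructed sample: two well-formed records (7 bytes, then 3 bytes). */
static const unsigned char sample_ok[] = { 0x07, 0x00, 0xAB, 0x01, 0x02, 0x03, 0x04,
                                           0x03, 0x00, 0xAB };
static int demo_ok(void) { return walk_records(sample_ok, sizeof sample_ok); }
static long long demo_word(size_t off) { return getl32_checked(sample_ok, sizeof sample_ok, off); }

/* Constructed input mirroring the report: an 89-byte buffer whose first record
   claims len 93 with type 171; an unchecked reader would read past its end. */
static int demo_overrun(void)
{
    unsigned char buf[89] = { 93, 0, 171 };      /* remaining bytes zero-filled */
    return walk_records(buf, sizeof buf);
}
```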