[Touch-packages] [Bug 1967082] Re: SIGSEGV and out-of-bounds write during processing file via objdump

2022-07-23 Thread Launchpad Bug Tracker
[Expired for binutils (Ubuntu) because there has been no activity for 60
days.]

** Changed in: binutils (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/1967082

Title:
  SIGSEGV and out-of-bounds write during processing file via objdump

Status in binutils package in Ubuntu:
  Expired

Bug description:
  SIGSEGV and out-of-bounds write during processing file via objdump

  # Description
  During processing of the attached ELF file via
  ```
  objdump -S testcase
  ```
  an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV).
  This allows an attacker to perform a denial of service and possibly opens up
  other attack vectors if files from untrusted sources are processed.

  For reproduction of the crash, I attached the following script(s):
    - reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04

  Since I was unable to reproduce the bug upstream, I report it here.

  If you need further assistance, please do not hesitate to ask.

  # Ubuntu version
  # apt show binutils
  Package: binutils
  Version: 2.34-6ubuntu1.3
  Priority: optional
  Build-Essential: yes
  Section: devel
  Origin: Ubuntu
  Maintainer: Ubuntu Developers 
  Original-Maintainer: Matthias Klose 
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 110 kB
  Provides: binutils-gold, elf-binutils
  Depends: binutils-common (= 2.34-6ubuntu1.3), libbinutils (= 
2.34-6ubuntu1.3), binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3)
  Suggests: binutils-doc (>= 2.34-6ubuntu1.3)
  Conflicts: binutils-mingw-w64-i686 (<< 2.23.52.20130612-1+3), 
binutils-mingw-w64-x86-64 (<< 2.23.52.20130612-1+3), binutils-multiarch (<< 
2.27-8), modutils (<< 2.4.19-1)
  Homepage: https://www.gnu.org/software/binutils/
  Task: ubuntustudio-video, ubuntu-mate-core, ubuntu-mate-desktop
  Download-Size: 3380 B
  APT-Manual-Installed: yes
  APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/main amd64 
Packages
  Description: GNU assembler, linker and binary utilities

  # Ubuntu valgrind
  ==1== Memcheck, a memory error detector
  ==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
  ==1== Command: objdump -S /testcase
  ==1==
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  objdump: /testcase: warning: loop in section dependencies detected
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  ==1== Invalid write of size 4
  ==1==at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
  ==1==at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
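
A pre-screen for untrusted ELF64 inputs, added here as an example (not code from the bug report or from binutils): it flags the two conditions objdump warned about just before the crash, a section whose bytes run past the end of the file and a cycle in sh_link section dependencies, so such files can be rejected before they reach objdump. The sample ELF is constructed inline and the helper names are hypothetical.

```python
# Added example, not from the bug report or binutils: sanity-check ELF64 section
# headers before handing an untrusted file to objdump. Helper names are hypothetical.
import struct
import sys

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 little-endian file header, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header, 64 bytes
SHT_NOBITS = 8                   # .bss-style sections occupy no file bytes


def parse_shdrs(data):
    """Return (problems, section headers). Problems are (kind, index) tuples."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return [("not_elf", 0)], []
    if data[4] != 2 or data[5] != 1:          # EI_CLASS == ELFCLASS64, EI_DATA == LSB
        return [("unsupported_class", 0)], []
    hdr = struct.unpack_from(EHDR_FMT, data)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if e_shnum == 0:
        return [], []
    if e_shentsize != 64 or e_shoff + e_shnum * 64 > len(data):
        return [("shdr_table_outside_file", 0)], []
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * 64) for i in range(e_shnum)]
    problems = [("bad_shstrndx", e_shstrndx)] if e_shstrndx >= e_shnum else []
    return problems, shdrs


def check_elf64(data):
    """Return the list of (kind, section index) problems; empty means headers look sane."""
    problems, shdrs = parse_shdrs(data)
    for i, sh in enumerate(shdrs):
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        # The condition behind objdump's "corrupt section with a size ... larger
        # than the file size" warning: the section body cannot fit in the file.
        if sh_type != SHT_NOBITS and sh_offset + sh_size > len(data):
            problems.append(("oversized", i))
        if sh_link >= len(shdrs):
            problems.append(("bad_link", i))
    # sh_link chains must end at the null section (index 0); a cycle is the
    # "loop in section dependencies" that objdump reported.
    for i in range(1, len(shdrs)):
        seen, cur = set(), i
        while 0 < cur < len(shdrs):
            if cur in seen:
                problems.append(("link_loop", i))
                break
            seen.add(cur)
            cur = shdrs[cur][6]
    return problems


def build_sample_elf(corrupt=True):
    """Constructed sample, not the bug's attached testcase: four section headers.
    With corrupt=True, section 1 carries the size quoted in the report and
    sections 1 and 2 link to each other."""
    e_shoff, body_off = 64, 64 + 4 * 64
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR_FMT, ident, 1, 62, 1, 0, 0, e_shoff, 0, 64, 0, 0, 64, 4, 3)

    def shdr(sh_type, off, size, link):
        return struct.pack(SHDR_FMT, 0, sh_type, 0, 0, off, size, link, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0)                                           # null section
             + shdr(1, body_off, 0x3c3b031b01 if corrupt else 16, 2)    # PROGBITS
             + shdr(3, body_off, 16, 1 if corrupt else 0)               # STRTAB
             + shdr(1, body_off, 16, 0))                                # sane section
    return ehdr + shdrs + bytes(16)


if __name__ == "__main__":            # usage: python3 elf_prescreen.py FILE
    with open(sys.argv[1], "rb") as f:
        found = check_elf64(f.read())
    print(*(f"section {i}: {k}" for k, i in found), sep="\n")
    sys.exit(1 if found else 0)
```

Run it in front of objdump in any pipeline that processes files from untrusted sources; a non-zero exit means the section table already contradicts the file and the input should not be disassembled.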

[Touch-packages] [Bug 1967082] Re: SIGSEGV and out-of-bounds write during processing file via objdump

2022-05-24 Thread Nils
Hello, this is still working on the latest release of binutils for
Ubuntu.

Status in binutils package in Ubuntu:
  Incomplete

Bug description:
  SIGSEGV and out-of-bounds write during processing file via objdump

  # Description
  During processing of the attached elf file via
  ```
  objdump -S testcase
  ```
  an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV) 
This allows an attacker to perform a denial of service and possibly opens up 
other attack vectors if files from untrusted sources are processed.

  For reproduction of the crash, I attached the following script(s):
    - reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04

  Since I was unable to reproduce the bug upstream, I report it here.

  If you need further assistance, please do not hesitate to ask.

  # Ubuntu version
  # apt show binutils
  Package: binutils
  Version: 2.34-6ubuntu1.3
  Priority: optional
  Build-Essential: yes
  Section: devel
  Origin: Ubuntu
  Maintainer: Ubuntu Developers 
  Original-Maintainer: Matthias Klose 
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 110 kB
  Provides: binutils-gold, elf-binutils
  Depends: binutils-common (= 2.34-6ubuntu1.3), libbinutils (= 
2.34-6ubuntu1.3), binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3)
  Suggests: binutils-doc (>= 2.34-6ubuntu1.3)
  Conflicts: binutils-mingw-w64-i686 (<< 2.23.52.20130612-1+3), 
binutils-mingw-w64-x86-64 (<< 2.23.52.20130612-1+3), binutils-multiarch (<< 
2.27-8), modutils (<< 2.4.19-1)
  Homepage: https://www.gnu.org/software/binutils/
  Task: ubuntustudio-video, ubuntu-mate-core, ubuntu-mate-desktop
  Download-Size: 3380 B
  APT-Manual-Installed: yes
  APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/main amd64 
Packages
  Description: GNU assembler, linker and binary utilities

  # Ubuntu valgrind
  ==1== Memcheck, a memory error detector
  ==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
  ==1== Command: objdump -S /testcase
  ==1==
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  objdump: /testcase: warning: loop in section dependencies detected
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  ==1== Invalid write of size 4
  ==1==at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
  ==1==at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  

[Touch-packages] [Bug 1967082] Re: SIGSEGV and out-of-bounds write during processing file via objdump

2022-03-31 Thread Nils
** Attachment added: "Crashing input and script for reproduction."
   
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1967082/+attachment/5575093/+files/objdump_01.zip

Status in binutils package in Ubuntu:
  Incomplete

Bug description:
  SIGSEGV and out-of-bounds write during processing file via objdump

  # Description
  During processing of the attached elf file via
  ```
  objdump -S testcase
  ```
  an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV) 
This allows an attacker to perform a denial of service and possibly opens up 
other attack vectors if files from untrusted sources are processed.

  For reproduction of the crash, I attached the following script(s):
    - reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04

  Since I was unable to reproduce the bug upstream, I report it here.

  If you need further assistance, please do not hesitate to ask.

  # Ubuntu version
  # apt show binutils
  Package: binutils
  Version: 2.34-6ubuntu1.3
  Priority: optional
  Build-Essential: yes
  Section: devel
  Origin: Ubuntu
  Maintainer: Ubuntu Developers 
  Original-Maintainer: Matthias Klose 
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 110 kB
  Provides: binutils-gold, elf-binutils
  Depends: binutils-common (= 2.34-6ubuntu1.3), libbinutils (= 
2.34-6ubuntu1.3), binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3)
  Suggests: binutils-doc (>= 2.34-6ubuntu1.3)
  Conflicts: binutils-mingw-w64-i686 (<< 2.23.52.20130612-1+3), 
binutils-mingw-w64-x86-64 (<< 2.23.52.20130612-1+3), binutils-multiarch (<< 
2.27-8), modutils (<< 2.4.19-1)
  Homepage: https://www.gnu.org/software/binutils/
  Task: ubuntustudio-video, ubuntu-mate-core, ubuntu-mate-desktop
  Download-Size: 3380 B
  APT-Manual-Installed: yes
  APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/main amd64 
Packages
  Description: GNU assembler, linker and binary utilities

  # Ubuntu valgrind
  ==1== Memcheck, a memory error detector
  ==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
  ==1== Command: objdump -S /testcase
  ==1==
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  objdump: /testcase: warning: loop in section dependencies detected
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  ==1== Invalid write of size 4
  ==1==at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
  ==1==at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in 

[Touch-packages] [Bug 1967082] Re: SIGSEGV and out-of-bounds write during processing file via objdump

2022-03-30 Thread Marc Deslauriers
Thanks for reporting this. I don't see that attached reproducer. Could
you please attach it again?

** Changed in: binutils (Ubuntu)
   Status: New => Incomplete

Status in binutils package in Ubuntu:
  Incomplete

Bug description:
  SIGSEGV and out-of-bounds write during processing file via objdump

  # Description
  During processing of the attached elf file via
  ```
  objdump -S testcase
  ```
  an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV) 
This allows an attacker to perform a denial of service and possibly opens up 
other attack vectors if files from untrusted sources are processed.

  For reproduction of the crash, I attached the following script(s):
    - reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04

  Since I was unable to reproduce the bug upstream, I report it here.

  If you need further assistance, please do not hesitate to ask.

  # Ubuntu version
  # apt show binutils
  Package: binutils
  Version: 2.34-6ubuntu1.3
  Priority: optional
  Build-Essential: yes
  Section: devel
  Origin: Ubuntu
  Maintainer: Ubuntu Developers 
  Original-Maintainer: Matthias Klose 
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 110 kB
  Provides: binutils-gold, elf-binutils
  Depends: binutils-common (= 2.34-6ubuntu1.3), libbinutils (= 
2.34-6ubuntu1.3), binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3)
  Suggests: binutils-doc (>= 2.34-6ubuntu1.3)
  Conflicts: binutils-mingw-w64-i686 (<< 2.23.52.20130612-1+3), 
binutils-mingw-w64-x86-64 (<< 2.23.52.20130612-1+3), binutils-multiarch (<< 
2.27-8), modutils (<< 2.4.19-1)
  Homepage: https://www.gnu.org/software/binutils/
  Task: ubuntustudio-video, ubuntu-mate-core, ubuntu-mate-desktop
  Download-Size: 3380 B
  APT-Manual-Installed: yes
  APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/main amd64 
Packages
  Description: GNU assembler, linker and binary utilities

  # Ubuntu valgrind
  ==1== Memcheck, a memory error detector
  ==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
  ==1== Command: objdump -S /testcase
  ==1==
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  objdump: /testcase: warning: loop in section dependencies detected
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  ==1== Invalid write of size 4
  ==1==at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
  ==1==at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in 

[Touch-packages] [Bug 1967082] Re: SIGSEGV and out-of-bounds write during processing file via objdump

2022-03-30 Thread Nils
** Description changed:

  SIGSEGV and out-of-bounds write during processing file via objdump
  
  # Description
  During processing of the attached elf file via
  ```
  objdump -S testcase
  ```
- an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV)
- This allows an attacker to perform a denial of service and possibly opens up
- other attack vectors if files from untrusted sources are processed.
+ an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV) 
This allows an attacker to perform a denial of service and possibly opens up 
other attack vectors if files from untrusted sources are processed.
  
  For reproduction of the crash, I attached the following script(s):
    - reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04
  
  Since I was unable to reproduce the bug upstream, I report it here.
  
  If you need further assistance, please do not hesitate to ask.
  
  # Ubuntu version
  # apt show binutils
  Package: binutils
  Version: 2.34-6ubuntu1.3
  Priority: optional
  Build-Essential: yes
  Section: devel
  Origin: Ubuntu
  Maintainer: Ubuntu Developers 
  Original-Maintainer: Matthias Klose 
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 110 kB
  Provides: binutils-gold, elf-binutils
  Depends: binutils-common (= 2.34-6ubuntu1.3), libbinutils (= 
2.34-6ubuntu1.3), binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3)
  Suggests: binutils-doc (>= 2.34-6ubuntu1.3)
  Conflicts: binutils-mingw-w64-i686 (<< 2.23.52.20130612-1+3), 
binutils-mingw-w64-x86-64 (<< 2.23.52.20130612-1+3), binutils-multiarch (<< 
2.27-8), modutils (<< 2.4.19-1)
  Homepage: https://www.gnu.org/software/binutils/
  Task: ubuntustudio-video, ubuntu-mate-core, ubuntu-mate-desktop
  Download-Size: 3380 B
  APT-Manual-Installed: yes
  APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/main amd64 
Packages
  Description: GNU assembler, linker and binary utilities
  
  # Ubuntu valgrind
  ==1== Memcheck, a memory error detector
  ==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
  ==1== Command: objdump -S /testcase
  ==1==
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  objdump: /testcase: warning: loop in section dependencies detected
  objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) 
larger than the file size
  ==1== Invalid write of size 4
  ==1==at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
  ==1==at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC85B: objalloc_free_block (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AABF: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x4B360B2: (below main) (libc-start.c:308)
  ==1==  Block was alloc'd at
  ==1==at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1==by 0x4ABC65B: _objalloc_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A227D4: bfd_alloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A22CED: bfd_zalloc (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A41DE9: _bfd_elf_new_section_hook (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A2485E: ??? (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A401DE: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A3BD4F: bfd_elf64_object_p (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x4A1AB01: bfd_check_format_matches (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
  ==1==by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
  ==1==
  ==1== Invalid write of size 4
  ==1==at 0x4A40248: bfd_section_from_shdr (in 
/usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)