https://sourceware.org/bugzilla/show_bug.cgi?id=22746
Bug ID: 22746
Summary: crash when running 32-bit objdump on corrupted file
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: lrk700 at gmail dot com
Target Milestone: ---

Created attachment 10760
--> https://sourceware.org/bugzilla/attachment.cgi?id=10760&action=edit
POC file

Hi,

We fuzzed 32-bit objdump and found a heap corruption when running `objdump -x` with the attached file. Here's the output of a clean build on HEAD code (commit 3e53a58e1f557f9b799506b62ac1cbf456b34647):

root@debian:~# src/binutils-32/binutils/objdump -x ~/fuzzing/objdump-c/c2
src/binutils-32/binutils/objdump: /root/fuzzing/objdump-c/c2: File truncated
*** Error in `src/binutils-32/binutils/objdump': free(): invalid pointer: 0x572ffaa0 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf764737a]
/lib/i386-linux-gnu/libc.so.6(+0x6dfb7)[0xf764dfb7]
/lib/i386-linux-gnu/libc.so.6(+0x6e7f6)[0xf764e7f6]
src/binutils-32/binutils/objdump(+0x1805b0)[0x5677d5b0]
src/binutils-32/binutils/objdump(+0x8ac0a)[0x56687c0a]
src/binutils-32/binutils/objdump(+0x8d52f)[0x5668a52f]
src/binutils-32/binutils/objdump(+0x8df16)[0x5668af16]
src/binutils-32/binutils/objdump(+0x291d9)[0x566261d9]
src/binutils-32/binutils/objdump(main+0x9f6)[0x56626bd7]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf75f8276]
src/binutils-32/binutils/objdump(+0x20cf1)[0x5661dcf1]
Aborted

And 64-bit objdump is not affected.

--
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
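When a fuzzing run produces many aborts like the one above, the useful triage step is to turn glibc's "*** Error in ..." line and backtrace into a stable crash signature (error kind plus the first non-libc frame) so duplicates collapse to one bug. The parser below is an added example, not code from the reporter or from binutils; the sample input is a constructed, trimmed copy of the output quoted in this report.

```python
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional

# Constructed sample: the glibc abort output quoted in the report above, trimmed.
SAMPLE = """\
*** Error in `src/binutils-32/binutils/objdump': free(): invalid pointer: 0x572ffaa0 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf764737a]
src/binutils-32/binutils/objdump(+0x1805b0)[0x5677d5b0]
src/binutils-32/binutils/objdump(main+0x9f6)[0x56626bd7]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf75f8276]
======= Memory map: ========
565fd000-567e0000 r-xp 00000000 08:01 669129 /root/src/binutils-32/binutils/objdump
"""
ERROR_RE = re.compile(r"^\*\*\* Error in `(?P<prog>[^']*)': (?P<msg>.*) \*\*\*$")
# module(symbol+offset)[pc]; symbol may be empty and "(...)" may be missing entirely.
FRAME_RE = re.compile(r"^(?P<module>[^(\[]+)(?:\((?P<sym>[^+)]*)(?:\+(?P<off>0x[0-9a-f]+))?\))?"
                      r"\[(?P<pc>0x[0-9a-f]+)\]$")
Frame = NamedTuple("Frame", [("module", str), ("symbol", str), ("offset", Optional[int]), ("pc", int)])

@dataclass
class GlibcAbort:
    program: str
    kind: str               # e.g. "free(): invalid pointer"
    address: Optional[int]  # the pointer glibc complained about, if it printed one
    frames: List[Frame] = field(default_factory=list)
    def first_user_frame(self) -> Optional[Frame]:
        """First frame outside libc: the caller that handed free() the bad pointer."""
        return next((f for f in self.frames if "libc.so" not in f.module), None)
    def signature(self) -> str:
        """Dedup key for fuzzer crashes: error kind plus module+offset of that caller."""
        f = self.first_user_frame()
        where = f"{f.module.rsplit('/', 1)[-1]}+{f.offset:#x}" if f and f.offset is not None else "?"
        return f"{self.kind}@{where}"

def parse_glibc_abort(text: str) -> Optional[GlibcAbort]:
    """Parse the error line and backtrace frames; memory-map lines never match FRAME_RE."""
    abort, in_backtrace = None, False
    for line in (l.strip() for l in text.splitlines()):
        if abort is None:
            if m := ERROR_RE.match(line):
                kind, _, tail = m["msg"].rpartition(": ")
                addr = int(tail, 16) if tail.startswith("0x") else None
                abort = GlibcAbort(m["prog"], kind if addr is not None else m["msg"], addr)
        elif line.startswith("======= Backtrace:"):
            in_backtrace = True
        elif in_backtrace and (m := FRAME_RE.match(line)):
            abort.frames.append(Frame(m["module"], m["sym"] or "",
                                      int(m["off"], 16) if m["off"] else None, int(m["pc"], 16)))
    return abort
```

Offsets are relative to the unrelocated module, so the signature stays stable across ASLR runs of the same build; it only changes when the binary is rebuilt.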