https://sourceware.org/bugzilla/show_bug.cgi?id=24854
Bug ID: 24854
Summary: Abort in arc_insn_length
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: p.antoine at catenacyber dot fr
Target Milestone: ---

Binutils version is from commit d8f68fcb9378b5ab1c945fa676e11da15be56dd6

I have been fuzzing the binutils disassembler; you can find the fuzz target here: https://github.com/google/oss-fuzz/pull/2617

This crash comes quickly: function `arc_insn_length` calls `abort`.
It seems to me that this function should return failure instead of aborting.

Patch could then be:
```
diff --git a/opcodes/arc-dis.c b/opcodes/arc-dis.c index ee598918..0b9024a6 100644 --- a/opcodes/arc-dis.c +++ b/opcodes/arc-dis.c @@ -668,9 +668,8 @@ arc_insn_length (bfd_byte msb, bfd_byte lsb, struct disassemble_info *info) return (major_opcode > 0x7) ? 2 : 4; break; - default: - abort (); } + return 0; } /* Extract and return the value of OPERAND from the instruction whose value
@@ -1059,6 +1058,9 @@ print_insn_arc (bfd_vma memaddr, insn_len = arc_insn_length (buffer[highbyte], buffer[lowbyte], info); pr_debug ("instruction length = %d bytes\n", insn_len); + if (insn_len == 0) { + return 0; + } arc_infop = info->private_data; arc_infop->insn_len = insn_len;
```

To reproduce the bug, you can run the following commands after having Docker installed:

git clone --branch binutils --depth 1 https://github.com/catenacyber/oss-fuzz
cd oss-fuzz
python infra/helper.py build_image binutils
python infra/helper.py build_fuzzers --sanitizer address binutils
echo -n -e "\xfc\x37\x34\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2b" > reproducer
python infra/helper.py reproduce binutils fuzz_disassemble reproducer

Stack trace is then:

==8==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000008 (pc 0x7f9f36838428 bp 0x7ffe730737d0 sp 0x7ffe73073678 T0)
SCARINESS: 10 (signal)
    #0 0x7f9f36838427 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x35427)
    #1 0x7f9f3683a029 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37029)
    #2 0x5abd97 in arc_insn_length /src/binutils-gdb/opcodes/arc-dis.c:672:7
    #3 0x5a8b8c in print_insn_arc /src/binutils-gdb/opcodes/arc-dis.c:1060:14
    #4 0x4c8dde in LLVMFuzzerTestOneInput /src/binutils-gdb/fuzz/fuzz_disassemble.c:68:13

The reproducer means for the fuzz target:

disasm_info.arch = 0x2b;
disasm_info.mach = 0;
disasm_info.flavour = 0;
disasm_info.buffer = {0xfc, 0x37, 0x34, 0x73};
disasm_info.buffer_length = 4;

--
You are receiving this mail because: You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
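Review bot: In the arc_insn_length hunk, replacing `abort ()` with a fall-through `return 0;` turns a hard failure into a sentinel value that every caller must now check, yet this patch only adds such a check in print_insn_arc; any other caller of arc_insn_length would silently receive a length of 0. Please update the function's header comment to state that 0 means "instruction length could not be determined" and audit the remaining callers before dropping the `default:` arm.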
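Review bot: In the print_insn_arc hunk, `if (insn_len == 0) { return 0; }` returns a byte count of zero, which gives the disassembler's caller nothing to advance by and prints no diagnostic through info->fprintf_func, so the bad input fails silently; consider returning -1 (the error convention used by other print_insn functions) and emitting a message first. Style-wise, binutils follows GNU formatting, so the single-statement body should be written without braces as `if (insn_len == 0)` followed by `return 0;` indented on the next line.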