Hi, I found a bug in objdump-2.34 with my fuzzing research tool (not published yet). I ran objdump under ASAN and it shows the information below.
The information and the 11 similar crashes are in the attached archive file. I hope this will help.

natalie@mars:~/Research/Bug$ ./objdump --dwarf-check -C -g -f -dwarf -x '/home/natalie/Research/Bug/objdump-2.34/crash/id:000000,sig:06,src:010091,op:havoc,rep:16'

/home/natalie/Research/Bug/objdump-2.34/crash/id:000000,sig:06,src:010091,op:havoc,rep:16:     file format pei-i386
/home/natalie/Research/Bug/objdump-2.34/crash/id:000000,sig:06,src:010091,op:havoc,rep:16
architecture: i386, flags 0x00000018:
HAS_DEBUG, HAS_SYMS
start address 0x00000000

Characteristics 0x104
	line numbers stripped
	32 bit words

Time/Date		Thu Jan  1 08:00:00 1970
Magic			0000
MajorLinkerVersion	0
MinorLinkerVersion	0
SizeOfCode		00000000
SizeOfInitializedData	00000000
SizeOfUninitializedData	00000000
AddressOfEntryPoint	00000000
BaseOfCode		00000000
BaseOfData		00000000
ImageBase		00000000
SectionAlignment	00000000
FileAlignment		00000000
MajorOSystemVersion	0
MinorOSystemVersion	0
MajorImageVersion	0
MinorImageVersion	0
MajorSubsystemVersion	0
MinorSubsystemVersion	0
Win32Version		00000000
SizeOfImage		00000000
SizeOfHeaders		00000000
CheckSum		00000000
Subsystem		00000000	(unspecified)
DllCharacteristics	00000000
SizeOfStackReserve	00000000
SizeOfStackCommit	00000000
SizeOfHeapReserve	00000000
SizeOfHeapCommit	00000000
LoaderFlags		00000000
NumberOfRvaAndSizes	00000000

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00000000 00000000 Import Directory [parts of .idata]
Entry 2 00000000 00000000 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00000000 00000000 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .idata$4      00000004  00000000  00000000  00000000  2**2
                  CONTENTS, ALLOC, LOAD, RELOC
  1 .idata$5      00000004  00000000  00000000  00000000  2**2
                  CONTENTS, ALLOC, LOAD, RELOC
  2 .idata$6      00000004  00000000  00000000  00000000  2**2
                  CONTENTS, ALLOC, LOAD
  3 .text         00000008  00000000  00000000  00000000  2**2
                  CONTENTS, ALLOC, LOAD, RELOC, CODE
SYMBOL TABLE:
[  0](sec  0)(fl 0x00)(ty    0)(scl   3) (nx 0) 0x00000000 .idata$4
[  1](sec  1)(fl 0x00)(ty    0)(scl   3) (nx 0) 0x00000000 .idata$5
[  2](sec  2)(fl 0x00)(ty    0)(scl   3) (nx 0) 0x00000000 .idata$6
[  3](sec  1)(fl 0x00)(ty    0)(scl   2) (nx 0) 0x00000000 _imp_
[  4](sec  3)(fl 0x00)(ty    0)(scl   3) (nx 0) 0x00000000 .text
[  5](sec  3)(fl 0x00)(ty    0)(scl   2) (nx 0) 0x00000000 
[  6](sec  0)(fl 0x00)(ty    0)(scl   2) (nx 0) 0x00000000 _IMPORT_DESCRIPTOR_

Disassembly of section .text:

00000000 <.text>:
   0:	ff 25 00 00 00 00    	jmp    *0x0
			2: dir32	_imp_
   6:	90                   	nop
   7:	90                   	nop
debug_name_type: no current file
=================================================================
==28956==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x61e0000004e0 in thread T0
    #0 0x4f2b58 in __interceptor_free /home/natalie/Research/LLVM/src/llvm-8.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x930929 in _bfd_coff_free_symbols (/home/natalie/Research/Bug/objdump+0x930929)
    #2 0x94784c in _bfd_coff_close_and_cleanup (/home/natalie/Research/Bug/objdump+0x94784c)
    #3 0x6b3960 in bfd_close_all_done (/home/natalie/Research/Bug/objdump+0x6b3960)
    #4 0x53450c in display_file (/home/natalie/Research/Bug/objdump+0x53450c)
    #5 0x533811 in main (/home/natalie/Research/Bug/objdump+0x533811)
    #6 0x7fe6d16ba1e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
    #7 0x41f60d in _start (/home/natalie/Research/Bug/objdump+0x41f60d)

0x61e0000004e0 is located 1120 bytes inside of 2505-byte region [0x61e000000080,0x61e000000a49)
allocated by thread T0 here:
    #0 0x4f2f37 in malloc /home/natalie/Research/LLVM/src/llvm-8.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x6adebc in bfd_malloc (/home/natalie/Research/Bug/objdump+0x6adebc)
    #2 0x6ae174 in bfd_zmalloc (/home/natalie/Research/Bug/objdump+0x6ae174)
    #3 0x8cb5e8 in pe_ILF_build_a_bfd (/home/natalie/Research/Bug/objdump+0x8cb5e8)
    #4 0x8ca374 in pe_ILF_object_p (/home/natalie/Research/Bug/objdump+0x8ca374)
    #5 0x8c23ea in pe_bfd_object_p (/home/natalie/Research/Bug/objdump+0x8c23ea)
    #6 0x6a7d7d in bfd_check_format_matches (/home/natalie/Research/Bug/objdump+0x6a7d7d)
    #7 0x534aa9 in display_object_bfd (/home/natalie/Research/Bug/objdump+0x534aa9)
    #8 0x5349b9 in display_any_bfd (/home/natalie/Research/Bug/objdump+0x5349b9)
    #9 0x5344e8 in display_file (/home/natalie/Research/Bug/objdump+0x5344e8)
    #10 0x533811 in main (/home/natalie/Research/Bug/objdump+0x533811)
    #11 0x7fe6d16ba1e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)

SUMMARY: AddressSanitizer: bad-free /home/natalie/Research/LLVM/src/llvm-8.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3 in __interceptor_free
==28956==ABORTING
<<attachment: crashes-objdump-2.34.zip>>