https://sourceware.org/bugzilla/show_bug.cgi?id=30546
Bug ID: 30546
Summary: Submitted 5 older versions crashed, but it's been resolved in the new version.
Product: binutils
Version: 2.28
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: fengzhengzhan at gmail dot com
Target Milestone: ---

Created attachment 14929
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14929&action=edit
Includes 5 crashes.

Hello, I am reporting to you 5 vulnerabilities that existed in older versions of the software but have been fixed in newer versions. However, I still feel that I should report this to you, so I apologize for taking up your time.

---------------------------------------------

# Report a solved crash. In binutils-2_26_1 of c++filt, heap buffer overflow in remember_type() at cplus-dem.c:4263.

While comparing fuzzing experiments on the program, I found a heap buffer overflow in the binutils-2_26_1 version of c++filt at function remember_type in cplus-dem.c:4263. This crash has been fixed in the binutils-2_40 version.

## Environment

Ubuntu 18.04, 64 bit
binutils-2_26_1

## Steps to reproduce

1. download file

```
wget https://github.com/bminor/binutils-gdb/archive/refs/tags/binutils-2_26_1.tar.gz
tar -zxvf binutils-2_26_1.tar.gz
```

2. compile binutils with ASAN

```
cd binutils-gdb-binutils-2_26_1/
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -O0 -Wno-error" LDFLAGS="-ldl -lutil" ./configure --prefix=`pwd`/obj-bc --enable-static --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld
make
make install
cd obj-bc/bin/
extract-bc c++filt
clang -fsanitize=address c++filt.bc -o c++filt_asan
```

3. command for reproducing the error

```
./c++filt_asan @poc
```

Download poc: binutils-gdb_c++flit226_heap-buffer-overflow_cplus-dem4263.zip

## ASAN report

1. binutils-2_26_1 version.

```
=================================================================
==15635==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000002b at pc 0x00000043812d bp 0x7fffffffe720 sp 0x7fffffffded0
READ of size 1 at 0x60200000002b thread T0
    #0 0x43812c in __interceptor_memcpy.part.0 /home/fzz/Desktop/STFGFuzz/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:810:5
    #1 0x6c7371 in remember_type /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:4263:3
    #2 0x6c84fe in do_arg /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:4236:3
    #3 0x6c7f66 in demangle_args /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:4514:9
    #4 0x6c6a45 in demangle_signature /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1642:18
    #5 0x6c33ef in internal_cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1203:14
    #6 0x6c1af9 in cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:886:9
    #7 0x4fb7a0 in demangle_it /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binutils/cxxfilt.c:62:12
    #8 0x4fb12e in main /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binutils/cxxfilt.c:227:4
    #9 0x7ffff7bf3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #10 0x41d53d in _start (/home/fzz/Desktop/STFGFuzz/Programs/cxxflit-CVE-2016-6131/code_Bin/cxxflit-CVE-2016-6131+0x41d53d)

0x60200000002b is located 5 bytes to the left of 8-byte region [0x602000000030,0x602000000038)
allocated by thread T0 here:
    #0 0x4c30af in malloc /home/fzz/Desktop/STFGFuzz/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x6ebed9 in xmalloc /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./xmalloc.c:147:12
    #2 0x6bcdcc in demangle_template /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:2157:27
    #3 0x6c692a in demangle_signature /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1625:18
    #4 0x6c33ef in internal_cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1203:14
    #5 0x6c1af9 in cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:886:9
    #6 0x4fb7a0 in demangle_it /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binutils/cxxfilt.c:62:12
    #7 0x4fb12e in main /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binutils/cxxfilt.c:227:4
    #8 0x7ffff7bf3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fzz/Desktop/STFGFuzz/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:810:5 in __interceptor_memcpy.part.0
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 05 fa[fa]00 fa fa fa 03 fa fa fa fd fd
  0x0c047fff8010: fa fa 02 fa fa fa 02 fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==15635==ABORTING
```

2. binutils-2_40 version no crash occurred.

```
root@a71b82b5d288:~/dataset/binutils-gdb-binutils-2_40/obj-bc/bin# ./c++filt_asan @binutils-gdb_c++flit226_heap-buffer-overflow_cplus-dem4263
__H1CP2 0014

=================================================================
==30268==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4aea08 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
    #1 0x626600 in xrealloc /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xmalloc.c:181:14
    #2 0x619d25 in expandargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:474:3
    #3 0x4f41f6 in main /root/dataset/binutils-gdb-binutils-2_40/binutils/cxxfilt.c:151:3
    #4 0x7f65eb590c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 15 byte(s) in 1 object(s) allocated from:
    #0 0x4ae670 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x62651b in xmalloc /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xmalloc.c:149:12
    #2 0x62665d in xstrdup /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xstrdup.c:34:24
    #3 0x6194c5 in dupargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:86:18
    #4 0x619cbc in expandargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:464:11
    #5 0x4f41f6 in main /root/dataset/binutils-gdb-binutils-2_40/binutils/cxxfilt.c:151:3
    #6 0x7f65eb590c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 13 byte(s) in 1 object(s) allocated from:
    #0 0x4ae670 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x62651b in xmalloc /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xmalloc.c:149:12
    #2 0x62665d in xstrdup /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xstrdup.c:34:24
    #3 0x619803 in buildargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:274:17
    #4 0x619c9b in expandargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:461:14
    #5 0x4f41f6 in main /root/dataset/binutils-gdb-binutils-2_40/binutils/cxxfilt.c:151:3
    #6 0x7f65eb590c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: 60 byte(s) leaked in 3 allocation(s).
```

---------------------------------------------

# Report a solved crash. In binutils-2_26_1 of c++filt, invalid memory read in demangle_signature() at cplus-dem.c:1423.

While comparing fuzzing experiments on the program, I found an invalid memory read in the binutils-2_26_1 version of c++filt at function demangle_signature in cplus-dem.c:1423. This crash has been fixed in the binutils-2_40 version.

## Environment

Ubuntu 18.04, 64 bit
binutils-2_26_1

## Steps to reproduce

1. download file

```
wget https://github.com/bminor/binutils-gdb/archive/refs/tags/binutils-2_26_1.tar.gz
tar -zxvf binutils-2_26_1.tar.gz
```

2. compile binutils with ASAN

```
cd binutils-gdb-binutils-2_26_1/
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -O0 -Wno-error" LDFLAGS="-ldl -lutil" ./configure --prefix=`pwd`/obj-bc --enable-static --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld
make
make install
cd obj-bc/bin/
extract-bc c++filt
clang -fsanitize=address c++filt.bc -o c++filt_asan
```

3. command for reproducing the error

```
./c++filt_asan @poc
```

Download poc: binutils-gdb_c++flit226_invalid-memory-read_cplus-dem1423.zip

## ASAN report

1. binutils-2_26_1 version.
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11551==ERROR: AddressSanitizer: SEGV on unknown address 0x60300001fc54 (pc 0x0000006c5a29 bp 0x7fffffffe900 sp 0x7fffffffe850 T0)
==11551==The signal is caused by a READ memory access.
    #0 0x6c5a29 in demangle_signature /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1423:22
    #1 0x6c33ef in internal_cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1203:14
    #2 0x6c1af9 in cplus_demangle /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:886:9
    #3 0x4fb7a0 in demangle_it /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binutils/cxxfilt.c:62:12
    #4 0x4fb12e in main /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/binutils/cxxfilt.c:227:4
    #5 0x7ffff7bf3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #6 0x41d53d in _start (/home/fzz/Desktop/STFGFuzz/Programs/cxxflit-CVE-2016-6131/code_Bin/cxxflit-CVE-2016-6131+0x41d53d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fzz/Desktop/STFGFuzz/dataset/CVE/CVE-2016-4488/binutils-gdb/libiberty/./cplus-dem.c:1423:22 in demangle_signature
==11551==ABORTING
```

2. binutils-2_40 version no crash occurred.

```
__H1CP2 0130004

=================================================================
==30260==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4aea08 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
    #1 0x626600 in xrealloc /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xmalloc.c:181:14
    #2 0x619d25 in expandargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:474:3
    #3 0x4f41f6 in main /root/dataset/binutils-gdb-binutils-2_40/binutils/cxxfilt.c:151:3
    #4 0x7f3397f7ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 17 byte(s) in 1 object(s) allocated from:
    #0 0x4ae670 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x62651b in xmalloc /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xmalloc.c:149:12
    #2 0x62665d in xstrdup /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xstrdup.c:34:24
    #3 0x619803 in buildargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:274:17
    #4 0x619c9b in expandargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:461:14
    #5 0x4f41f6 in main /root/dataset/binutils-gdb-binutils-2_40/binutils/cxxfilt.c:151:3
    #6 0x7f3397f7ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 15 byte(s) in 1 object(s) allocated from:
    #0 0x4ae670 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x62651b in xmalloc /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xmalloc.c:149:12
    #2 0x62665d in xstrdup /root/dataset/binutils-gdb-binutils-2_40/libiberty/./xstrdup.c:34:24
    #3 0x6194c5 in dupargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:86:18
    #4 0x619cbc in expandargv /root/dataset/binutils-gdb-binutils-2_40/libiberty/./argv.c:464:11
    #5 0x4f41f6 in main /root/dataset/binutils-gdb-binutils-2_40/binutils/cxxfilt.c:151:3
    #6 0x7f3397f7ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: 64 byte(s) leaked in 3 allocation(s).
```

---------------------------------------------

# Report a solved crash. In binutils-2_28 of objcopy, allocation size overflow in copy_relocations_in_section() at objcopy.c:3762.

While comparing fuzzing experiments on the program, I found an allocation size overflow in the binutils-2_28 version of objcopy at function copy_relocations_in_section in objcopy.c:3762. This crash has been fixed in the binutils-2_40 version.

## Environment

Ubuntu 18.04, 64 bit
binutils-2_28

## Steps to reproduce

1. download file

```
wget https://github.com/bminor/binutils-gdb/archive/refs/tags/binutils-2_28.tar.gz
tar -zxvf binutils-2_28.tar.gz
```

2. compile binutils with ASAN

```
cd binutils-gdb-binutils-2_28/
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -O0 -Wno-error" LDFLAGS="-ldl -lutil" ./configure --prefix=`pwd`/obj-bc --enable-static --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld
make
make install
cd obj-bc/bin/
extract-bc objcopy
clang -fsanitize=address objcopy.bc -o objcopy_asan
```

3. command for reproducing the error

```
./objcopy_asan --compress-debug-section poc
```

Download poc: binutils-gdb_objcopy228_allocation-size-overflow_objcopy3762.zip

## ASAN report

1. binutils-2_28 version.
```
=================================================================
==493737==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7555555a8 bytes
    #0 0x4c314f in malloc /home/fzz/Desktop/STFGFuzz/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x77abf6 in xmalloc /root/compiler1804/binutils-gdb/libiberty/./xmalloc.c:147:12
    #2 0x50da68 in copy_relocations_in_section /root/compiler1804/binutils-gdb/binutils/objcopy.c:3762:28
    #3 0x5840e2 in bfd_map_over_sections /root/compiler1804/binutils-gdb/bfd/section.c:1395:5
    #4 0x508567 in copy_object /root/compiler1804/binutils-gdb/binutils/objcopy.c:2855:3
    #5 0x503f9d in copy_file /root/compiler1804/binutils-gdb/binutils/objcopy.c:3333:13
    #6 0x4ff38e in copy_main /root/compiler1804/binutils-gdb/binutils/objcopy.c:5266:3
    #7 0x4fb090 in main /root/compiler1804/binutils-gdb/binutils/objcopy.c:5367:5
    #8 0x7ffff7beb082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

==493737==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory /home/fzz/Desktop/STFGFuzz/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 in malloc
==493737==ABORTING
```

2. binutils-2_40 version no crash occurred.

```
./objcopy_asan: warning: binutils-gdb_objcopy228_allocation-size-overflow_objcopy3762 has a section extending past end of file
./objcopy_asan: unable to modify 'binutils-gdb_objcopy228_allocation-size-overflow_objcopy3762' due to errors
```

---------------------------------------------

# Report a solved crash. In binutils-2_28 of objdump, allocation size overflow in disassemble_section() at objdump.c:2112.

While comparing fuzzing experiments on the program, I found an allocation size overflow in the binutils-2_28 version of objdump at function disassemble_section in objdump.c:2112. This crash has been fixed in the binutils-2_40 version.

## Environment

Ubuntu 18.04, 64 bit
binutils-2_28

## Steps to reproduce

1. download file

```
wget https://github.com/bminor/binutils-gdb/archive/refs/tags/binutils-2_28.tar.gz
tar -zxvf binutils-2_28.tar.gz
```

2. compile binutils with ASAN

```
cd binutils-gdb-binutils-2_28/
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -O0 -Wno-error" LDFLAGS="-ldl -lutil" ./configure --prefix=`pwd`/obj-bc --enable-static --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld
make
make install
cd obj-bc/bin/
extract-bc objdump
clang -fsanitize=address objdump.bc -o objdump_asan
```

3. command for reproducing the error

```
./objdump_asan -S poc
```

Download poc: binutils-gdb_objdump228_allocation-size-overflow_objdump2112.zip

## ASAN report

1. binutils-2_28 version.

```
=================================================================
==3862==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x3800000000 bytes
    #0 0x4c30ff in malloc /home/fzz/Desktop/STFGFuzz/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7ab739 in xmalloc /root/dataset/windranger/binutils-2.28/libiberty/./xmalloc.c:148:12
    #2 0x501bc9 in disassemble_section /root/dataset/windranger/binutils-2.28/binutils/./objdump.c:2112:23
    #3 0x5c88b5 in bfd_map_over_sections /root/dataset/windranger/binutils-2.28/bfd/section.c:1395:5
    #4 0x5003ba in disassemble_data /root/dataset/windranger/binutils-2.28/binutils/./objdump.c:2375:3
    #5 0x4fde6d in dump_bfd /root/dataset/windranger/binutils-2.28/binutils/./objdump.c:3469:5
    #6 0x4fd4cc in display_object_bfd /root/dataset/windranger/binutils-2.28/binutils/./objdump.c:3526:7
    #7 0x4fd450 in display_any_bfd /root/dataset/windranger/binutils-2.28/binutils/./objdump.c:3615:5
    #8 0x4fcead in display_file /root/dataset/windranger/binutils-2.28/binutils/./objdump.c:3636:3
    #9 0x4fc875 in main /root/dataset/windranger/binutils-2.28/binutils/./objdump.c:3919:4
    #10 0x7ffff7843082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

==3862==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory /home/fzz/Desktop/STFGFuzz/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 in malloc
==3862==ABORTING
```

2. binutils-2_40 version no crash occurred.

```
./objdump_asan: warning: binutils-gdb_objdump228_allocation-size-overflow_objdump2112 has a section extending past end of file

binutils-gdb_objdump228_allocation-size-overflow_objdump2112:     file format elf64-x86-64

./objdump_asan: error: binutils-gdb_objdump228_allocation-size-overflow_objdump2112(.text) is too large (0x3800000000 bytes)
./objdump_asan: Reading section .text failed because: file truncated
```

---------------------------------------------

# Report a solved crash. In binutils-2_28 of objdump, memory allocation failure in scan_unit_for_symbols() at dwarf2.c:2860.

While comparing fuzzing experiments on the program, I found a memory allocation failure in the binutils-2_28 version of objdump at function scan_unit_for_symbols in dwarf2.c:2860. This crash has been fixed in the binutils-2_40 version.

## Environment

Ubuntu 18.04, 64 bit
binutils-2_28

## Steps to reproduce

1. download file

```
wget https://github.com/bminor/binutils-gdb/archive/refs/tags/binutils-2_28.tar.gz
tar -zxvf binutils-2_28.tar.gz
```

2. compile binutils with ASAN

```
cd binutils-gdb-binutils-2_28/
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -g -O0 -Wno-error" LDFLAGS="-ldl -lutil" ./configure --prefix=`pwd`/obj-bc --enable-static --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld
make
make install
cd obj-bc/bin/
extract-bc objdump
clang -fsanitize=address objdump.bc -o objdump_asan
```

3. command for reproducing the error

```
./objdump_asan -S poc
```

Download poc: binutils-gdb_objdump228_memory-allocation-failure_dwarf22860.zip

## ASAN report

1. binutils-2_28 version.

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==82002==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000068f4b5 bp 0x7fffffffe200 sp 0x7fffffffe150 T0)
==82002==The signal is caused by a READ memory access.
==82002==Hint: address points to the zero page.
    #0 0x68f4b5 in scan_unit_for_symbols /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/bfd/./dwarf2.c:2860:13
    #1 0x696214 in comp_unit_find_nearest_line /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/bfd/./dwarf2.c:3191:9
    #2 0x6954be in _bfd_dwarf2_find_nearest_line /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/bfd/./dwarf2.c:4333:11
    #3 0x63035a in _bfd_elf_find_nearest_line /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/bfd/elf.c:8565:7
    #4 0x506336 in show_line /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/binutils/./objdump.c:1434:9
    #5 0x5045e1 in disassemble_bytes /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/binutils/./objdump.c:1728:6
    #6 0x5027cc in disassemble_section /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/binutils/./objdump.c:2241:7
    #7 0x5c88b5 in bfd_map_over_sections /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/bfd/section.c:1395:5
    #8 0x5003ba in disassemble_data /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/binutils/./objdump.c:2375:3
    #9 0x4fde6d in dump_bfd /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/binutils/./objdump.c:3469:5
    #10 0x4fd4cc in display_object_bfd /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/binutils/./objdump.c:3526:7
    #11 0x4fd450 in display_any_bfd /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/binutils/./objdump.c:3615:5
    #12 0x4fcead in display_file /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/binutils/./objdump.c:3636:3
    #13 0x4fc875 in main /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/binutils/./objdump.c:3919:4
    #14 0x7ffff7661082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #15 0x41d58d in _start (/home/fzz/Desktop/STFGFuzz/Programs/objdump228/code_Bin/objdump228+0x41d58d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fzz/Desktop/STFGFuzz/dataset/windranger/binutils-2.28/bfd/./dwarf2.c:2860:13 in scan_unit_for_symbols
==82002==ABORTING
```

2. binutils-2_40 version no crash occurred.

```
./objdump_asan: Warning: Corrupt attribute block length: 0xdd623

binutils-gdb_objdump228_memory-allocation-failure_dwarf22860:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <_ZN11ExifApp0SegD1Ev>:
   0:   48 8d a4 24 68 ff ff    lea    -0x98(%rsp),%rsp
   7:   ff
   8:   48 89 14 24             mov    %rdx,(%rsp)
   c:   48 89 4c 24 08          mov    %rcx,0x8(%rsp)
  11:   48 89 44 24 10          mov    %rax,0x10(%rsp)
  16:   48 c7 c1 ee 80 00 00    mov    $0x80ee,%rcx
  1d:   e8 e6 19 00 00          call   1a08 <__afl_maybe_log>
  22:   48 8b 44 24 10          mov    0x10(%rsp),%rax
  27:   48 8b 4c 24 08          mov    0x8(%rsp),%rcx
  2c:   48 8b 14 24             mov    (%rsp),%rdx
  30:   48 8d a4 24 98 00 00    lea    0x98(%rsp),%rsp
  37:   00
  38:   f3 c3                   repz ret
  3a:   66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
        ...
```

--
You are receiving this mail because:
You are on the CC list for the bug.
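As an added example (not part of this bug report or of binutils), the following Python script triages sanitizer output the way the old-version/new-version comparisons above do: it classifies a run as an ASan memory-safety finding, an LSan-only leak, or a clean rejection with no sanitizer hit, picks the first stack frame inside the program under test, and reports whether a finding from the old build is gone in the new one. The sample inputs are constructed, abbreviated excerpts of the logs above with paths shortened to "...".

```python
import re

# Constructed, abbreviated excerpts of the sanitizer output in this report
# (paths shortened to "..."); sample input only, not the full logs.
SAMPLES = {
    "cxxfilt-2.26.1": """\
==15635==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000002b at pc 0x00000043812d bp 0x7fffffffe720 sp 0x7fffffffded0
READ of size 1 at 0x60200000002b thread T0
    #0 0x43812c in __interceptor_memcpy.part.0 .../sanitizer_common_interceptors.inc:810:5
    #1 0x6c7371 in remember_type .../libiberty/./cplus-dem.c:4263:3
    #2 0x6c84fe in do_arg .../libiberty/./cplus-dem.c:4236:3
==15635==ABORTING""",
    "cxxfilt-2.40": """\
==30268==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x4aea08 in realloc .../asan_malloc_linux.cpp:164
    #1 0x626600 in xrealloc .../libiberty/./xmalloc.c:181:14
    #2 0x619d25 in expandargv .../libiberty/./argv.c:474:3
SUMMARY: AddressSanitizer: 60 byte(s) leaked in 3 allocation(s).""",
    "cxxfilt-2.26.1-segv": """\
AddressSanitizer:DEADLYSIGNAL
==11551==ERROR: AddressSanitizer: SEGV on unknown address 0x60300001fc54 (pc 0x0000006c5a29 bp 0x7fffffffe900 sp 0x7fffffffe850 T0)
==11551==The signal is caused by a READ memory access.
    #0 0x6c5a29 in demangle_signature .../libiberty/./cplus-dem.c:1423:22""",
    "objcopy-2.28": """\
==493737==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7555555a8 bytes
    #0 0x4c314f in malloc .../asan_malloc_linux.cpp:145:3
    #1 0x77abf6 in xmalloc .../libiberty/./xmalloc.c:147:12
    #2 0x50da68 in copy_relocations_in_section .../binutils/objcopy.c:3762:28""",
    "objcopy-2.40": """\
./objcopy_asan: warning: poc has a section extending past end of file
./objcopy_asan: unable to modify 'poc' due to errors""",
}

ERROR_RE = re.compile(
    r"^==\d+==ERROR: (AddressSanitizer|LeakSanitizer): (.+?)"
    r"(?: on (?:unknown )?address| trying to allocate|$)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)
# Frames in the sanitizer runtime, allocator wrappers or process start-up are
# skipped so the root frame lands in the program under test.
NOISE_PREFIXES = ("__interceptor_", "__asan", "__sanitizer", "malloc", "realloc",
                  "calloc", "xmalloc", "xrealloc", "xstrdup", "_start",
                  "__libc_start_main")


def triage(report):
    """Classify one sanitizer report: verdict is "memory-safety-bug" (any ASan
    error, including allocator OOM on an input-controlled size), "leak-only"
    (LSan only, not a crash) or "no-sanitizer-error"; frame is the first stack
    frame inside the program under test, as "func file:line"."""
    m = ERROR_RE.search(report)
    if m is None:
        return {"verdict": "no-sanitizer-error", "kind": None, "frame": None}
    tool, kind = m.group(1), m.group(2).strip()
    verdict = "leak-only" if tool == "LeakSanitizer" else "memory-safety-bug"
    frame = None
    for func, path, line in FRAME_RE.findall(report):
        if func.startswith(NOISE_PREFIXES):
            continue
        frame = f"{func} {path.rsplit('/', 1)[-1]}:{line}"
        break
    return {"verdict": verdict, "kind": kind, "frame": frame}


def regression_status(old_report, new_report):
    """Compare old-version and new-version runs of the same PoC, as the report
    above does: an ASan finding that is gone (or reduced to an LSan leak) in
    the new build is fixed; the same root frame means it is still present."""
    old, new = triage(old_report), triage(new_report)
    if old["verdict"] != "memory-safety-bug":
        return "no-bug-in-old"
    if new["verdict"] == "memory-safety-bug":
        return "still-present" if new["frame"] == old["frame"] else "different-bug-in-new"
    return "fixed (leak remains)" if new["verdict"] == "leak-only" else "fixed"
```

Feeding the full old/new ASan outputs of one PoC into `regression_status` gives the same verdicts the report draws by hand; the LSan report from the 2.40 c++filt run is classified as a leak, not a crash.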