[Bug binutils/24854] New: Abort in arc_insn_length
From: p.antoine at catenacyber dot fr
Subject: [Bug binutils/24854] New: Abort in arc_insn_length
Date: Fri, 26 Jul 2019 06:42:59 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24854
Bug ID: 24854
Summary: Abort in arc_insn_length
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: p.antoine at catenacyber dot fr
Target Milestone: ---
Binutils version is from commit d8f68fcb9378b5ab1c945fa676e11da15be56dd6
I have been fuzzing binutils disassembler, you can find the fuzz target here
https://github.com/google/oss-fuzz/pull/2617
This crash comes quickly:
Function `arc_insn_length` calls `abort`.
It seems to me that this function should return failure instead of aborting.
Patch could then be:
```
diff --git a/opcodes/arc-dis.c b/opcodes/arc-dis.c
index ee598918..0b9024a6 100644
--- a/opcodes/arc-dis.c
+++ b/opcodes/arc-dis.c
@@ -668,9 +668,8 @@ arc_insn_length (bfd_byte msb, bfd_byte lsb, struct
disassemble_info *info)
return (major_opcode > 0x7) ? 2 : 4;
break;
- default:
- abort ();
}
+ return 0;
}
/* Extract and return the value of OPERAND from the instruction whose value
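Review bot: with the `default: abort ();` arm gone, a major opcode that matches no case now falls out of the switch to `+ return 0;`, so 0 becomes a new "unrecognized encoding" result of arc_insn_length; the function's comment should state that, and every caller needs checking for how it treats 0, since this patch only adjusts print_insn_arc. While the switch is being touched, the `break;` after `return (major_opcode > 0x7) ? 2 : 4;` is unreachable and could go.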
@@ -1059,6 +1058,9 @@ print_insn_arc (bfd_vma memaddr,
insn_len = arc_insn_length (buffer[highbyte], buffer[lowbyte], info);
pr_debug ("instruction length = %d bytes\n", insn_len);
+ if (insn_len == 0) {
+ return 0;
+ }
arc_infop = info->private_data;
arc_infop->insn_len = insn_len;
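Review bot: the early `return 0;` in print_insn_arc prints nothing, so a caller that advances by the returned length gets neither output for the bad bytes nor a step forward; compare the error convention documented in dis-asm.h (a negative return, -1, signals an error to callers as far as I recall) and consider `return -1;`, or printing an unknown-instruction marker and returning a nonzero length, instead. Style: binutils code puts the brace on its own line, so `if (insn_len == 0)` / `{` / `return -1;` / `}` rather than `if (insn_len == 0) {`.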
```
To reproduce the bug, you can run the following commands after having Docker
installed:
```
git clone --branch binutils --depth 1 https://github.com/catenacyber/oss-fuzz
cd oss-fuzz
python infra/helper.py build_image binutils
python infra/helper.py build_fuzzers --sanitizer address binutils
echo -n -e "\xfc\x37\x34\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2b" > reproducer
python infra/helper.py reproduce binutils fuzz_disassemble reproducer
```
Stack trace is then:
```
==8==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000008 (pc 0x7f9f36838428 bp 0x7ffe730737d0 sp 0x7ffe73073678 T0)
SCARINESS: 10 (signal)
    #0 0x7f9f36838427 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x35427)
    #1 0x7f9f3683a029 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37029)
    #2 0x5abd97 in arc_insn_length /src/binutils-gdb/opcodes/arc-dis.c:672:7
    #3 0x5a8b8c in print_insn_arc /src/binutils-gdb/opcodes/arc-dis.c:1060:14
    #4 0x4c8dde in LLVMFuzzerTestOneInput /src/binutils-gdb/fuzz/fuzz_disassemble.c:68:13
```
The reproducer means for the fuzz target:
```
disasm_info.arch = 0x2b;
disasm_info.mach = 0;
disasm_info.flavour = 0;
disasm_info.buffer = {0xfc, 0x37, 0x34, 0x73};
disasm_info.buffer_length = 4;
```