bug-binutils
[Bug binutils/32560] New: stack-buffer-overflow at objdump disassemble


From: swj22 at mails dot tsinghua.edu.cn
Subject: [Bug binutils/32560] New: stack-buffer-overflow at objdump disassemble_bytes (objdump.c:3543:34)
Date: Wed, 15 Jan 2025 03:43:45 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=32560

            Bug ID: 32560
           Summary: stack-buffer-overflow at  objdump  disassemble_bytes
                    (objdump.c:3543:34)
           Product: binutils
           Version: 2.43
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: swj22 at mails dot tsinghua.edu.cn
  Target Milestone: ---

Created attachment 15882
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15882&action=edit
poc

Hello,

We are currently working on a fuzz testing feature, and we found a
**stack-buffer-overflow** in `objdump`.

The stack trace is as follows:
```
==491939==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff1cad0452 at pc 0x562af39c9768 bp 0x7fff1cad0370 sp 0x7fff1cad0368
WRITE of size 1 at 0x7fff1cad0452 thread T0
    #0 0x562af39c9767 in disassemble_bytes
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:3543:34
    #1 0x562af39c1843 in disassemble_section
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:4116:4
    #2 0x562af3b8125a in bfd_map_over_sections
/data/swj/optfuzz/benchmark/binutils-2.43/bfd/section.c:1387:5
    #3 0x562af39b827a in disassemble_data
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:4264:3
    #4 0x562af39b3858 in dump_bfd
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:5795:2
    #5 0x562af39b2989 in display_object_bfd
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:5856:7
    #6 0x562af39b2894 in display_any_bfd
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:5943:5
    #7 0x562af39b16bb in display_file
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:5964:3
    #8 0x562af39afe10 in main
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:6381:6
    #9 0x7f33a2e65082 in __libc_start_main
/build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x562af38ef61d in _start
(/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/objdump+0x1dd61d) (BuildId:
d2dc746ba5756ca34e6ed66603247470b04d42fe)

Address 0x7fff1cad0452 is located in stack of thread T0 at offset 210 in frame
    #0 0x562af39c785f in disassemble_bytes
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:3274

  This frame has 3 object(s):
    [32, 56) 'sfile' (line 3284)
    [96, 126) 'buf' (line 3307)
    [160, 210) 'buf127' (line 3394) <== Memory access at offset 210 overflows
this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/data/swj/optfuzz/benchmark/binutils-2.43/binutils/./objdump.c:3543:34 in
disassemble_bytes

```

**Steps to reproduce**

We configured `objdump` using

`CFLAGS="-g -fsanitize=address" ./configure --prefix=$(pwd)/`

built it using `make -j`, and ran it with:

```
./objdump --insn-width 64 -d 
```

The input file is attached.

**Environment**
- OS: Ubuntu 20.04.6 LTS
- Clang version: Ubuntu clang version 14.0.6
- binutils version: 2.43 https://ftp.gnu.org/gnu/binutils/binutils-2.43.tar.xz

Thank you.
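The report above is a standard LLVM AddressSanitizer stack-buffer-overflow report. The following added example, which is not part of the bug report and not binutils code, parses a report of that shape into a triage record: bug class, access kind and size, the crashing frame, the stack object ASan marks as overflowed, how far past its end the faulting byte lands, and a deduplication key for grouping repeated fuzzer findings by crash site. The embedded `SAMPLE_REPORT` is a constructed, trimmed copy of the trace above with the reporter's build paths shortened; the regular expressions assume ASan's usual line layout and all function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the report above trimmed to two frames, with the reporter's
# build paths shortened. Lines are wrapped the way the mail wraps them, so the
# parser must rejoin path fragments before matching.
SAMPLE_REPORT = """\
==491939==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff1cad0452 at pc 0x562af39c9768 bp 0x7fff1cad0370 sp 0x7fff1cad0368
WRITE of size 1 at 0x7fff1cad0452 thread T0
    #0 0x562af39c9767 in disassemble_bytes
/src/binutils-2.43/binutils/./objdump.c:3543:34
    #1 0x562af39afe10 in main
/src/binutils-2.43/binutils/./objdump.c:6381:6

Address 0x7fff1cad0452 is located in stack of thread T0 at offset 210 in frame
    #0 0x562af39c785f in disassemble_bytes
/src/binutils-2.43/binutils/./objdump.c:3274

  This frame has 3 object(s):
    [32, 56) 'sfile' (line 3284)
    [96, 126) 'buf' (line 3307)
    [160, 210) 'buf127' (line 3394) <== Memory access at offset 210 overflows
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)(?::(\d+))?", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)(.*)$", re.M)

@dataclass
class Frame:
    function: str
    file: str
    line: int
    column: Optional[int]

@dataclass
class StackObject:
    start: int        # byte range inside the frame, as ASan prints it
    end: int          # exclusive
    name: str
    line: int         # declaration line
    overflowed: bool  # carries ASan's "<== Memory access ... overflows" marker
    @property
    def size(self) -> int:
        return self.end - self.start

@dataclass
class Triage:
    kind: str                                 # e.g. "stack-buffer-overflow"
    access: str                               # READ / WRITE
    access_size: int
    frames: List[Frame] = field(default_factory=list)
    access_offset: Optional[int] = None       # stack reports only
    objects: List[StackObject] = field(default_factory=list)

    @property
    def victim(self) -> Optional[StackObject]:
        return next((o for o in self.objects if o.overflowed), None)

    def bytes_past_end(self) -> Optional[int]:
        """Distance of the faulting byte past the victim's end (0 = first byte after it)."""
        v = self.victim
        if v is None or self.access_offset is None:
            return None
        return self.access_offset - v.end

    def dedup_key(self) -> str:
        """Bug class plus top frame: one key per crash site, for grouping fuzzer findings."""
        f = self.frames[0] if self.frames else None
        site = f"{f.function}@{f.file.rsplit('/', 1)[-1]}:{f.line}" if f else "unknown"
        return f"{self.kind}:{site}"

def parse_asan_report(text: str) -> Triage:
    text = re.sub(r"\n(?=/)", " ", text)  # rejoin source paths wrapped onto their own line
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer report")
    a = ACCESS_RE.search(text)
    access, size = (a.group(1), int(a.group(2))) if a else ("UNKNOWN", 0)
    # Frames before "Address ... is located" form the access stack; the frame's
    # object listing (present for stack reports only) follows that line.
    head, _, tail = text.partition("\nAddress ")
    frames = [Frame(fn, path, int(ln), int(col) if col else None)
              for fn, path, ln, col in FRAME_RE.findall(head)]
    t = Triage(m.group(1), access, size, frames)
    off = OFFSET_RE.search(tail)
    t.access_offset = int(off.group(1)) if off else None
    for s, e, name, ln, rest in OBJECT_RE.findall(tail):
        t.objects.append(StackObject(int(s), int(e), name, int(ln), "overflows" in rest))
    return t

if __name__ == "__main__":
    t = parse_asan_report(SAMPLE_REPORT)
    print(t.dedup_key())
    print(f"{t.access} of {t.access_size} byte at frame offset {t.access_offset}: "
          f"'{t.victim.name}' is {t.victim.size} bytes, {t.bytes_past_end()} byte(s) past its end")
```

For the report in this bug the record reads `stack-buffer-overflow:disassemble_bytes@objdump.c:3543` with a one-byte write landing 0 bytes past the end of the 50-byte `buf127`, i.e. the first byte beyond the object, which is what ASan's frame listing states directly. Heap and global reports carry no frame object listing, so `victim` and `bytes_past_end()` come back as `None` while the dedup key still works; a fuzzing harness can use that key to collapse repeated hits on one site before filing.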
