[Bug binutils/30284] New: objdump SEGV in display_debug_ranges_list() at dwarf.c:7952 (SIGSEGV)
From: 13579and24680 at gmail dot com
Subject: [Bug binutils/30284] New: objdump SEGV in display_debug_ranges_list() at dwarf.c:7952 (SIGSEGV)
Date: Wed, 29 Mar 2023 12:09:46 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=30284
Bug ID: 30284
Summary: objdump SEGV in display_debug_ranges_list() at dwarf.c:7952 (SIGSEGV)
Product: binutils
Version: 2.40
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: 13579and24680 at gmail dot com
Target Milestone: ---
Created attachment 14786
--> https://sourceware.org/bugzilla/attachment.cgi?id=14786&action=edit
poc from fuzzer and afl-tmin
found by my fuzzer, trimmed with afl-tmin
# version
$ ./binutils-gdb/binutils/objdump --version
GNU objdump (GNU Binutils) 2.40.50.20230329
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
---------------------------------------------------------------------
# git log
$ git log --oneline -1
a6e5abae4e9 (HEAD -> master, origin/master, origin/HEAD) gdb: move displaced_step_dump_bytes into gdbsupport (and rename)
---------------------------------------------------------------------
# make
$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure
$ make
---------------------------------------------------------------------
# crash
$ ./binutils-gdb/binutils/objdump -W pocmin
BFD: warning: pocmin has a section extending past end of file
pocmin: file format elf64-little
Contents of the .debug_info section:
Compilation Unit @ offset 0:
Length: 0x371 (32-bit)
Version: 4
Abbrev Offset: 0
Pointer Size: 8
<0><b>: Abbrev Number: 1 (DW_TAG_template_value_param)
<c> Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning:
Unrecognized form: 0x30
<d> Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning:
Unrecognized form: 0x30
<e> Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning:
Unrecognized form: 0x30
<f> Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning:
Unrecognized form: 0x30
<10> Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning:
Unrecognized form: 0x30
(... too long, omitted)
<195><372>: Abbrev Number: 48 (DW_TAG_template_value_param)
<373> Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning:
Unrecognized form: 0x30
<374> Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning:
Unrecognized form: 0x30
<375> Unknown AT value: 30:./binutils-gdb/binutils/objdump: Warning:
Corrupt attribute
Contents of the .debug_abbrev section:
Number TAG (0)
1 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
9 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
14 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 1817 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
18 DW_TAG_template_value_param [has children]
Unknown AT value: 30 DW_FORM_ref4
Unknown AT value: 30 DW_FORM_addr
Unknown AT value: 1838 Unknown FORM value: 30
DW_AT_ranges DW_FORM_sec_offset
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
19 DW_TAG_template_value_param [has children]
Unknown AT value: 30 DW_FORM_ref4
Unknown AT value: 30 DW_FORM_sec_offset
Unknown AT value: 1837 DW_FORM_sec_offset
DW_AT_rnglists_base DW_FORM_ref8
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 Unknown TAG value: 0x1811 [has children]
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
24 DW_TAG_template_value_param [has children]
DW_AT value: 0 Unknown FORM value: 30
48 DW_TAG_template_value_param [has children]
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
Unknown AT value: 30 Unknown FORM value: 30
DW_AT value: 0 Unknown FORM value: 30
Contents of the .debug_ranges section:
Offset Begin End
fish: Job 1, './binutils-gdb/binutils/objdump…' terminated by signal SIGSEGV (Address boundary error)
---------------------------------------------------------------------
# ASAN report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1832831==ERROR: AddressSanitizer: SEGV on unknown address 0x5f9030373b80 (pc 0x560baea74819 bp 0x7ffe7ff3ac80 sp 0x7ffe7ff3ac70 T0)
==1832831==The signal is caused by a READ memory access.
#0 0x560baea74818 in byte_get_little_endian /home/a13579/my_fuzz_eval/objdump_aflgcc_seed_eval/report/binutils_2023_03_29/binutils-gdb_asan/binutils/elfcomm.c:148
#1 0x560baea1a7c3 in display_debug_ranges_list dwarf.c:7952
#2 0x560baea1d739 in display_debug_ranges dwarf.c:8354
#3 0x560bae9dce21 in dump_dwarf_section objdump.c:4425
#4 0x560baeb2be11 in bfd_map_over_sections /home/a13579/my_fuzz_eval/objdump_aflgcc_seed_eval/report/binutils_2023_03_29/binutils-gdb_asan/bfd/section.c:1366
#5 0x560bae9dd050 in dump_dwarf objdump.c:4463
#6 0x560bae9e32c4 in dump_bfd objdump.c:5667
#7 0x560bae9e3699 in display_object_bfd objdump.c:5746
#8 0x560bae9e39d1 in display_any_bfd objdump.c:5833
#9 0x560bae9e3a4b in display_file objdump.c:5854
#10 0x560bae9e53ee in main objdump.c:6265
#11 0x7f73b4865082 in __libc_start_main ../csu/libc-start.c:308
#12 0x560bae9c939d in _start (/home/a13579/my_fuzz_eval/objdump_aflgcc_seed_eval/report/binutils_2023_03_29/binutils-gdb_asan/binutils/objdump+0x13639d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a13579/my_fuzz_eval/objdump_aflgcc_seed_eval/report/binutils_2023_03_29/binutils-gdb_asan/binutils/elfcomm.c:148 in byte_get_little_endian
==1832831==ABORTING
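Added example, not binutils code: a bounds-checked walk over a DWARF 2-4 .debug_ranges list, the structure display_debug_ranges_list() was reading when the out-of-bounds read above happened. Every read is validated against the section length first, so a list or offset that runs past the section (as in the "section extending past end of file" input here) yields an error instead of a SEGV. The sample section bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Little-endian read of `size` bytes at section offset `off`.  Refused
   unless [off, off+size) lies entirely inside the section. */
static int le_read(const uint8_t *sec, size_t sec_len, size_t off,
                   unsigned size, uint64_t *out)
{
    if (size == 0 || size > 8 || off > sec_len || sec_len - off < size)
        return -1;
    uint64_t v = 0;
    for (unsigned i = 0; i < size; i++)
        v |= (uint64_t)sec[off + i] << (8 * i);
    *out = v;
    return 0;
}

/* Walk a .debug_ranges list starting at `offset`.  Entries are (begin, end)
   pairs of `addr_size` bytes; begin == all-ones is a base address selection
   entry; (0, 0) ends the list.  Returns the number of address ranges, or -1
   if the offset or the list runs past the end of the section. */
int count_debug_ranges(const uint8_t *sec, size_t sec_len,
                       size_t offset, unsigned addr_size)
{
    uint64_t ones = addr_size >= 8 ? UINT64_MAX
                                   : ((uint64_t)1 << (8 * addr_size)) - 1;
    int n = 0;
    for (size_t off = offset;; off += 2 * addr_size) {
        uint64_t b, e;
        if (le_read(sec, sec_len, off, addr_size, &b) != 0 ||
            le_read(sec, sec_len, off + addr_size, addr_size, &e) != 0)
            return -1;                 /* truncated or out-of-range list */
        if (b == 0 && e == 0)
            return n;                  /* end-of-list entry */
        if (b != ones)
            n++;                       /* real range; all-ones = base select */
    }
}

/* Constructed sample section (4-byte addresses): two ranges, one base
   address selection entry, then the (0, 0) terminator. */
const uint8_t sample_ranges[32] = {
    0x00, 0x10, 0x00, 0x00,  0x10, 0x10, 0x00, 0x00,   /* [0x1000, 0x1010) */
    0xff, 0xff, 0xff, 0xff,  0x00, 0x00, 0x40, 0x00,   /* base = 0x400000 */
    0x20, 0x00, 0x00, 0x00,  0x30, 0x00, 0x00, 0x00,   /* [0x20, 0x30) */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,   /* end of list */
};
```

Passing a shorter `sec_len` than the buffer actually holds simulates the truncated-section case: the walk stops with -1 at the first read that would cross the boundary.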