Created attachment 12025
poc file

I'm using the latest binutils-gdb to fuzz, and found some crashes.

git version: 816228ed09dc867fa16dc5458277d649885d98fe

```
# ./nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (2aaaabac4ec1) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (ffffd5555453b140) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: unknown type [0xff000001] section `.debug_aranges'
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (2aaaabac4ec1) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (ffffd5555453b140) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: warning: sh_link not set for section `.debug_aranges'
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: version count (11) does not match symbol count (16)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
ASAN:SIGSEGV
=================================================================
==45359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000007200 (pc 0x0000006aa438 bp 0x0ffffffffb7e sp 0x7fffffffdb50 T0)
    #0 0x6aa437 in _bfd_dwarf2_find_nearest_line dwarf2.c:4724
    #1 0x5862a1 in _bfd_elf_find_nearest_line /d/prog/binutils-gdb/bfd/elf.c:9005
    #2 0x40da6e in print_symbol /d/prog/binutils-gdb/binutils/nm.c:1008
    #3 0x40ed78 in print_symbols /d/prog/binutils-gdb/binutils/nm.c:1088
    #4 0x40ed78 in display_rel_file /d/prog/binutils-gdb/binutils/nm.c:1210
    #5 0x4119f5 in display_file /d/prog/binutils-gdb/binutils/nm.c:1377
    #6 0x407bc7 in main /d/prog/binutils-gdb/binutils/nm.c:1858
    #7 0x7ffff6679b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x409958 in _start (/d/p/aflasan/binutils-latest/nm-new+0x409958)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dwarf2.c:4724 _bfd_dwarf2_find_nearest_line
==45359==ABORTING
```

A reproducible docker image has been pushed to `zjuchenyuan/dockerized_poc:binutils-pocs`.

Dockerfile:

```
FROM zjuchenyuan/afl
ENV AFL_USE_ASAN=1
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done &&\
    cd binutils &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt
RUN apt install -y gdb &&\
    echo -e "set pagination off\nset confirm off" > /root/.gdbinit
ADD . /
RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line || exit 0
```
*** Bug 25072 has been marked as a duplicate of this bug. ***
*** Bug 25073 has been marked as a duplicate of this bug. ***
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848f4b9558456fdcf283ee8a32d7fd1

commit 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Oct 9 10:47:13 2019 +1030

    PR25070, SEGV in function _bfd_dwarf2_find_nearest_line

    Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
    and ffffd5555453b140 result in a total size of 1.  Reading the first
    section of course overflows the buffer and tramples on other memory.

    	PR 25070
    	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
    	total_size calculation.
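The commit message above describes the root cause: two section sizes, 0x2aaaabac4ec1 and 0xffffd5555453b140, sum to 1 in 64-bit arithmetic, so a buffer sized from that total is far too small for the first section. The following is an added example, not binutils code and not the actual fix in dwarf2.c; it shows a plain wrapping sum beside an overflow-checked accumulator of the kind the ChangeLog entry refers to ("Catch overflow of total_size calculation"). The function names, the file-size bound and the constructed file size are assumptions for the illustration; only the two section sizes come from the page.

```c
/* Added example (not binutils code): overflow-checked accumulation of
   section sizes.  Function names and the file-size bound are assumptions
   made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Plain wrapping sum: what happens when nothing checks for overflow. */
uint64_t unchecked_total(const uint64_t *sizes, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += sizes[i];          /* silently wraps modulo 2^64 */
    return total;
}

/* Add sz to *total, refusing if the sum would wrap or exceed file_size.
   Returns true on success; on failure *total is left unchanged. */
bool add_section_size(uint64_t *total, uint64_t sz, uint64_t file_size)
{
    if (sz > file_size)
        return false;               /* a section cannot be larger than its file */
    if (sz > UINT64_MAX - *total)
        return false;               /* *total + sz would wrap */
    if (*total + sz > file_size)
        return false;               /* sum of sections exceeds the file */
    *total += sz;
    return true;
}

/* Sum all sections with the checks above; false on any rejection. */
bool checked_total(const uint64_t *sizes, size_t n, uint64_t file_size,
                   uint64_t *out)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (!add_section_size(&total, sizes[i], file_size))
            return false;
    *out = total;
    return true;
}

int main(void)
{
    /* The two section sizes quoted in the commit message. */
    const uint64_t evil[] = { 0x2aaaabac4ec1ULL, 0xffffd5555453b140ULL };
    /* Constructed file size for the demonstration; the real PoC file is not on this page. */
    const uint64_t file_size = 4096;
    uint64_t total;

    printf("unchecked total = %llu\n",
           (unsigned long long)unchecked_total(evil, 2));   /* prints 1 */
    if (!checked_total(evil, 2, file_size, &total))
        printf("checked: rejected corrupt section sizes\n");

    const uint64_t sane[] = { 512, 1024 };
    if (checked_total(sane, 2, file_size, &total))
        printf("checked: total = %llu\n", (unsigned long long)total);
    return 0;
}
```

The per-section bound against the file size is the same class of check that produced the "corrupt section with a size ... larger than the file size" warnings in the report; the overflow test on the running total is the additional condition the fix adds, since individually rejected sizes can still wrap when summed before the allocation happens.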
Fixed.
Hello,

May I know if Binutils-2.31 is also affected and requires this fix? Any heads up will be appreciated.

Thank you in advance.

Best Regards,
(In reply to Trupti Pardeshi from comment #5)

Hi Trupti,

> May I know if Binutils-2.31 is also affected and requires this fix? Any
> heads up will be appreciated.

Yes. The 2.32 and 2.33 releases (and branches) are also vulnerable to this problem. Only the mainline development sources are currently fixed.

Cheers
Nick
(In reply to Nick Clifton from comment #6)

> (In reply to Trupti Pardeshi from comment #5)
> Hi Trupti,
>
> > May I know if Binutils-2.31 is also affected and requires this fix? Any
> > heads up will be appreciated.
>
> Yes. The 2.32 and 2.33 releases (and branches) are also vulnerable to
> this problem. Only the mainline development sources are currently fixed.
>
> Cheers
> Nick

Thank you so much Nick for the clarification. Appreciate your reply for mentioning the 2.33 version as well.

Thanks.