
[Bug binutils/19379] New: "Augmentation Data:" Overflow in objdump


From: address@hidden
Subject: [Bug binutils/19379] New: "Augmentation Data:" Overflow in objdump
Date: Sat, 19 Dec 2015 14:44:18 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=19379

            Bug ID: 19379
           Summary: "Augmentation Data:" Overflow in objdump
           Product: binutils
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: address@hidden
  Target Milestone: ---

Created attachment 8855
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8855&action=edit
proof of concept to trigger crash

The crash triggers when objdump is used to parse the binary (while reading the
"Augmentation Data:").

Code that triggered the crash
=============================
; parsed strings (input) for "Augmentation Data:"
.text:08064227                 mov     dword ptr [esp+4], offset aAugmentationDa ; "  Augmentation data:    "
.text:0806422F                 xor     ebx, ebx
.text:08064231                 mov     dword ptr [esp], 1
.text:08064238                 call    ___printf_chk
.text:0806423D                 mov     eax, [ebp+var_20]                ; var_20 = string (input) length from the binary being parsed, copied to eax
.text:08064240                 test    eax, eax                         ; if input is zero, jump out from here
.text:08064242                 jz      short loc_806426F
.text:08064244                 lea     esi, [esi+0]

; overflow at "Augmentation Data:"
.text:08064248                 mov     eax, [ebp+var_24]
.text:0806424B                 movzx   eax, byte ptr [eax+ebx]          ; overflow here due to long strings
.text:0806424F                 add     ebx, 1
.text:08064252                 mov     dword ptr [esp+4], offset unk_808A20E
.text:0806425A                 mov     dword ptr [esp], 1
.text:08064261                 mov     [esp+8], eax
.text:08064265                 call    ___printf_chk
.text:0806426A                 cmp     [ebp+var_20], ebx
.text:0806426D                 ja      short loc_8064248


Crash info (from GDB)
=====================
[----------------------------------registers-----------------------------------]
EAX: 0x80a459c --> 0x0 
EBX: 0x19a64 
ECX: 0xb7dde898 --> 0x0 
EDX: 0x3 
ESI: 0x809c708 ("0000009c")
EDI: 0x98 
EBP: 0xbfffed68 --> 0x809f82c --> 0x809e808 (".eh_frame")
ESP: 0xbfffecc0 --> 0x1 
EIP: 0x806424b (movzx  eax,BYTE PTR [eax+ebx*1])
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8064242:   je     0x806426f
   0x8064244:   lea    esi,[esi+eiz*1+0x0]
   0x8064248:   mov    eax,DWORD PTR [ebp-0x24]
=> 0x806424b:   movzx  eax,BYTE PTR [eax+ebx*1]
   0x806424f:   add    ebx,0x1
   0x8064252:   mov    DWORD PTR [esp+0x4],0x808a20e
   0x806425a:   mov    DWORD PTR [esp],0x1
   0x8064261:   mov    DWORD PTR [esp+0x8],eax
[------------------------------------stack-------------------------------------]
0000| 0xbfffecc0 --> 0x1 
0004| 0xbfffecc4 --> 0x808a20e (" %02x")
0008| 0xbfffecc8 --> 0x0 
0012| 0xbfffeccc --> 0x809c388 ("feffffa6")
0016| 0xbfffecd0 --> 0x809c708 ("0000009c")
0020| 0xbfffecd4 --> 0x0 
0024| 0xbfffecd8 --> 0xbfffecf4 --> 0x0 
0028| 0xbfffecdc --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0806424b in ?? ()

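The loop in the disassembly above takes a length from the file (var_20) and indexes the augmentation data pointer (var_24) up to that length without ever comparing it against the end of the section, so an oversized length walks the read off the mapped buffer. The following is an added illustration written for this page; it is not code from the report, from the attached proof of concept, or from binutils. It assumes a simplified CIE fragment in which the augmentation data is preceded by a ULEB128 length (the encoding used for the 'z' augmentation length in .eh_frame), and it shows the single bounds check the disassembled loop lacks: the declared length must fit inside the bytes that remain. The sample inputs are constructed here, not taken from the PoC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode an unsigned LEB128 value from [p, end). Returns the number of bytes
   consumed, or 0 if the encoding runs past end (treated as malformed). */
static size_t read_uleb128(const uint8_t *p, const uint8_t *end, uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t n = 0;
    while (p + n < end && shift < 64) {
        uint8_t byte = p[n++];
        result |= (uint64_t)(byte & 0x7f) << shift;
        if ((byte & 0x80) == 0) {
            *out = result;
            return n;
        }
        shift += 7;
    }
    return 0;
}

/* Dump the augmentation data that follows a ULEB128 length as " %02x" per
   byte into out. Returns the number of bytes dumped, or -1 when the declared
   length is not backed by bytes inside [p, end) or out is too small. The
   unchecked loop in the report trusts the length and indexes past the
   section; the comparison against (end - p) below is the missing check. */
long dump_augmentation_data(const uint8_t *p, const uint8_t *end,
                            char *out, size_t outsz)
{
    uint64_t aug_len;
    size_t n = read_uleb128(p, end, &aug_len);
    if (n == 0 || outsz == 0)
        return -1;
    p += n;

    /* Bounds check: the declared length must fit in what remains. */
    if (aug_len > (uint64_t)(end - p))
        return -1;

    size_t used = 0;
    out[0] = '\0';
    for (uint64_t i = 0; i < aug_len; i++) {
        int w = snprintf(out + used, outsz - used, " %02x", p[i]);
        if (w < 0 || (size_t)w >= outsz - used)
            return -1;   /* output buffer exhausted: refuse rather than truncate silently */
        used += (size_t)w;
    }
    return (long)aug_len;
}

/* Constructed sample inputs (hypothetical, not from the attached PoC). */
static const uint8_t good_aug[]  = { 0x03, 0x1b, 0x0c, 0x04 };        /* len 3, three bytes follow   */
static const uint8_t bad_aug[]   = { 0xe4, 0xb4, 0x06, 0x1b, 0x0c };  /* len 0x19a64, two bytes follow */
static const uint8_t trunc_aug[] = { 0xe4, 0xb4 };                    /* ULEB128 cut off by the end   */

int main(void)
{
    char buf[64];
    long r;

    r = dump_augmentation_data(good_aug, good_aug + sizeof good_aug, buf, sizeof buf);
    printf("well-formed: %ld byte(s):%s\n", r, buf);

    r = dump_augmentation_data(bad_aug, bad_aug + sizeof bad_aug, buf, sizeof buf);
    printf("oversized length: %s\n", r < 0 ? "rejected" : "accepted");

    r = dump_augmentation_data(trunc_aug, trunc_aug + sizeof trunc_aug, buf, sizeof buf);
    printf("truncated length field: %s\n", r < 0 ? "rejected" : "accepted");
    return 0;
}
```

The length value in the second sample is chosen to match the index register (EBX = 0x19a64) at the crash site in the GDB output, so the rejected case corresponds to the same order of magnitude the report shows; a dumper that applies this check prints nothing for that entry instead of faulting.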

