[Bug 277862] potential out-of-bounds in llvm-objdump in OffloadBinary::create()
Date: Thu, 21 Mar 2024 13:31:21 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277862

            Bug ID: 277862
           Summary: potential out-of-bounds in llvm-objdump in OffloadBinary::create()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 249370
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=249370&action=edit
broken ELF file that causes llvm-objdump to crash in OffloadBinary::create()

In this code in OffloadBinary::create() in
llvm-project/llvm/lib/Object/OffloadBinary.cpp:

  if (... ||
      TheHeader->EntryOffset > TheHeader->Size - sizeof(Entry) ||

if Size < sizeof(Entry), the subtraction will wrap, and a huge
EntryOffset won't be rejected. Then this array reference can generate an
out-of-bounds memory reference:

  const Entry *TheEntry =
      reinterpret_cast<const Entry *>(&Start[TheHeader->EntryOffset]);

I've attached a demonstration:

# freebsd-version
15.0-CURRENT
# objdump --version
LLVM (http://llvm.org/):
  LLVM version 17.0.6
  Optimized build with assertions.
...
# objdump -s objdump1c.exe
PLEASE submit a bug report to https://bugs.freebsd.org/submit/ and include the crash backtrace.
Stack dump:
0.	Program arguments: objdump -s objdump1c.exe
 #0 0x0000000001230c41 PrintStackTrace /usr/src/contrib/llvm-project/llvm/lib/Support/Unix/Signals.inc:602:13
 #1 0x000000000122f0b5 RunSignalHandlers /usr/src/contrib/llvm-project/llvm/lib/Support/Signals.cpp:105:18
 #2 0x0000000001231365 SignalHandler /usr/src/contrib/llvm-project/llvm/lib/Support/Unix/Signals.inc:0:3
 #3 0x0000000824b055ff handle_signal /usr/src/lib/libthr/thread/thr_sig.c:0:3
 #4 0x0000000824b04bbb thr_sighandler /usr/src/lib/libthr/thread/thr_sig.c:244:1
 #5 0x00000008225332d3 ([vdso]+0x2d3)
 #6 0x0000000001174709 create /usr/src/contrib/llvm-project/llvm/lib/Object/OffloadBinary.cpp:199:29
 #7 0x0000000000f7e328 createBinary /usr/src/contrib/llvm-project/llvm/lib/Object/Binary.cpp:0:12
 #8 0x0000000000f7e42a operator bool /usr/src/contrib/llvm-project/llvm/include/llvm/Support/Error.h:559:17
 #9 0x0000000000f7e42a createBinary /usr/src/contrib/llvm-project/llvm/lib/Object/Binary.cpp:113:8
#10 0x0000000000e65321 operator bool /usr/src/contrib/llvm-project/llvm/include/llvm/Support/Error.h:559:17
#11 0x0000000000e65321 unwrapOrError<llvm::object::OwningBinary<llvm::object::Binary>, llvm::StringRef &> /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/llvm-objdump.h:126:7
#12 0x0000000000e65321 dumpInput /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/llvm-objdump.cpp:2913:34
#13 0x0000000000e65321 for_each<std::__1::__wrap_iter<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > *>, void (*)(llvm::StringRef)> /usr/obj/usr/src/amd64.amd64/tmp/usr/include/c++/v1/__algorithm/for_each.h:26:5
#14 0x0000000000e65321 for_each<std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > &, void (*)(llvm::StringRef)> /usr/src/contrib/llvm-project/llvm/include/llvm/ADT/STLExtras.h:1731:10
#15 0x0000000000e65321 main /usr/src/contrib/llvm-project/llvm/tools/llvm-objdump/llvm-objdump.cpp:3248:3
#16 0x00000008281480aa __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:157:2
Segmentation fault (core dumped)

-- 
You are receiving this mail because:
You are the assignee for the bug.
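The unsigned wrap the report describes, and one way to write the bounds check so that no intermediate expression can wrap, as an added example that is not part of the bug report and not LLVM's code. The `Header` and `Entry` structs, their field layout, and the function names are constructed stand-ins chosen for the demonstration; only the two fields the check reads (`Size`, `EntryOffset`) mirror the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-ins for the structures named in the report. The layout is
// hypothetical; the check only needs Size and EntryOffset.
struct Header {
  uint64_t Size;        // size of the whole offload blob, as claimed by the file
  uint64_t EntryOffset; // offset of the Entry table from the start of the blob
};
struct Entry {
  uint64_t ImageOffset;
  uint64_t ImageSize;
};

// The faulty validation from the report: when Size < sizeof(Entry), the
// unsigned subtraction wraps to a value near 2^64, so a huge EntryOffset is
// never rejected. Returns true when the offset is accepted.
bool entryOffsetOkBroken(const Header &H) {
  return !(H.EntryOffset > H.Size - sizeof(Entry));
}

// A hardened validation: bound the claimed Size by the bytes actually held,
// require room for at least one Entry before subtracting, and only then
// compare. Every intermediate value is known to be in range.
bool entryOffsetOkSafe(const Header &H, size_t BufferSize) {
  if (H.Size > BufferSize) return false;      // file claims more than we hold
  if (H.Size < sizeof(Entry)) return false;   // subtraction below would wrap
  return H.EntryOffset <= H.Size - sizeof(Entry);
}

// Build a constructed blob: a Header followed by `Payload` zero bytes, so the
// buffer is sizeof(Header) + Payload bytes long whatever the header claims.
std::vector<uint8_t> makeBlob(uint64_t Size, uint64_t EntryOffset, size_t Payload) {
  Header H{Size, EntryOffset};
  std::vector<uint8_t> Buf(sizeof(Header) + Payload, 0);
  std::memcpy(Buf.data(), &H, sizeof(H));
  return Buf;
}

// Locate the Entry table through the hardened check. Returns -1 when the blob
// is rejected; otherwise the validated offset, which is guaranteed to leave
// sizeof(Entry) readable bytes inside Buf before any pointer is formed.
long long locateEntryOffset(const std::vector<uint8_t> &Buf) {
  if (Buf.size() < sizeof(Header)) return -1;
  Header H;
  std::memcpy(&H, Buf.data(), sizeof(H));
  if (!entryOffsetOkSafe(H, Buf.size())) return -1;
  // Only now is it safe to form the pointer the report's code formed from an
  // unvalidated offset.
  const Entry *E = reinterpret_cast<const Entry *>(Buf.data() + H.EntryOffset);
  (void)E;
  return static_cast<long long>(H.EntryOffset);
}
```

With a header claiming `Size = 8` and `EntryOffset = 0xFFFFFFFFFFFF0000`, `entryOffsetOkBroken` accepts the offset because `8 - 16` wraps to `0xFFFFFFFFFFFFFFF8`, while `entryOffsetOkSafe` rejects it at the `Size < sizeof(Entry)` test. The second guard (claimed `Size` against the real buffer length) matters independently of the wrap: without it a well-formed-looking header can still steer the pointer past the end of the mapped file.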