SIGSEGV and out-of-bounds write during processing file via objdump

Bug #1967082 reported by Nils
Affects: binutils (Ubuntu) | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

# Description
During processing of the attached elf file via
```
objdump -S testcase
```
an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV). This allows an attacker to perform a denial of service and possibly opens up other attack vectors if files from untrusted sources are processed.

For reproduction of the crash, I attached the following script(s):
  - reproduce-ubuntu.sh : Reproduction on Ubuntu 20.04

Since I was unable to reproduce the bug upstream, I report it here.

If you need further assistance, please do not hesitate to ask.

# Ubuntu version
# apt show binutils
Package: binutils
Version: 2.34-6ubuntu1.3
Priority: optional
Build-Essential: yes
Section: devel
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Matthias Klose <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 110 kB
Provides: binutils-gold, elf-binutils
Depends: binutils-common (= 2.34-6ubuntu1.3), libbinutils (= 2.34-6ubuntu1.3), binutils-x86-64-linux-gnu (= 2.34-6ubuntu1.3)
Suggests: binutils-doc (>= 2.34-6ubuntu1.3)
Conflicts: binutils-mingw-w64-i686 (<< 2.23.52.20130612-1+3), binutils-mingw-w64-x86-64 (<< 2.23.52.20130612-1+3), binutils-multiarch (<< 2.27-8), modutils (<< 2.4.19-1)
Homepage: https://www.gnu.org/software/binutils/
Task: ubuntustudio-video, ubuntu-mate-core, ubuntu-mate-desktop
Download-Size: 3380 B
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
Description: GNU assembler, linker and binary utilities

# Ubuntu valgrind
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: objdump -S /testcase
==1==
objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) larger than the file size
objdump: /testcase: warning: loop in section dependencies detected
objdump: warning: /testcase has a corrupt section with a size (3c3b031b01) larger than the file size
==1== Invalid write of size 4
==1== at 0x4A40248: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Address 0x4d469f4 is 1,940 bytes inside a block of size 4,064 free'd
==1== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC85B: objalloc_free_block (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AABF: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Block was alloc'd at
==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC65B: _objalloc_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A227D4: bfd_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A22CED: bfd_zalloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A41DE9: _bfd_elf_new_section_hook (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A401DE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid write of size 4
==1== at 0x4A40248: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
==1== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC85B: objalloc_free_block (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AABF: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Block was alloc'd at
==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC65B: _objalloc_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A227D4: bfd_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A22CED: bfd_zalloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A41DE9: _bfd_elf_new_section_hook (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A401DE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid read of size 4
==1== at 0x4A3FFA4: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
==1== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC85B: objalloc_free_block (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AABF: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Block was alloc'd at
==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC65B: _objalloc_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A227D4: bfd_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A22CED: bfd_zalloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A41DE9: _bfd_elf_new_section_hook (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A401DE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid write of size 4
==1== at 0x4A3FFAE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
==1== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC85B: objalloc_free_block (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AABF: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Block was alloc'd at
==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC65B: _objalloc_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A227D4: bfd_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A22CED: bfd_zalloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A41DE9: _bfd_elf_new_section_hook (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A401DE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid read of size 4
==1== at 0x4A3FFA4: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
==1== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC85B: objalloc_free_block (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AABF: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Block was alloc'd at
==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC65B: _objalloc_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A227D4: bfd_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A22CED: bfd_zalloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A41DE9: _bfd_elf_new_section_hook (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A401DE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid write of size 4
==1== at 0x4A3FFAE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
==1== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC85B: objalloc_free_block (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AABF: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Block was alloc'd at
==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC65B: _objalloc_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A227D4: bfd_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A22CED: bfd_zalloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A41DE9: _bfd_elf_new_section_hook (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A401DE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
==1== Invalid write of size 4
==1== at 0x4A40248: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Address 0x4d469fc is 1,948 bytes inside a block of size 4,064 free'd
==1== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC85B: objalloc_free_block (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AABF: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Block was alloc'd at
==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC65B: _objalloc_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A227D4: bfd_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A22CED: bfd_zalloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A41DE9: _bfd_elf_new_section_hook (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A401DE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
objdump: /testcase: warning: loop in section dependencies detected
==1== Invalid write of size 4
==1== at 0x4A40248: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A4036B: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Address 0x4d46a04 is 1,956 bytes inside a block of size 4,064 free'd
==1== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC85B: objalloc_free_block (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AABF: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x111B3C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x4B360B2: (below main) (libc-start.c:308)
==1== Block was alloc'd at
==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1== by 0x4ABC65B: _objalloc_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A227D4: bfd_alloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A22CED: bfd_zalloc (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A41DE9: _bfd_elf_new_section_hook (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A2485E: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A40CEB: _bfd_elf_make_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A401DE: bfd_section_from_shdr (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A3BD4F: bfd_elf64_object_p (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x4A1AB01: bfd_check_format_matches (in /usr/lib/x86_64-linux-gnu/libbfd-2.34-system.so)
==1== by 0x116402: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1== by 0x116532: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==1==
objdump: /testcase: file format not recognized
==1==
==1== HEAP SUMMARY:
==1== in use at exit: 0 bytes in 0 blocks
==1== total heap usage: 29 allocs, 29 frees, 178,276 bytes allocated
==1==
==1== All heap blocks were freed -- no leaks are possible
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 29 errors from 8 contexts (suppressed: 0 from 0)
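The two warnings objdump prints above before the invalid accesses (a section whose recorded size, 3c3b031b01, exceeds the file, and a loop in section dependencies) are both properties of the section header table that can be checked before an untrusted object file reaches libbfd at all. The following stand-alone C program is an added example, not code from the bug report and not libbfd's own check: it validates the section header table of an ELF64 little-endian image, rejecting any non-NOBITS section whose `sh_offset + sh_size` does not fit in the file (computed without integer wraparound) and any `sh_link` chain that never terminates at the null section. The function names (`elf64_check_sections`, `build_sample`, the `sample_*` cases) and the three in-memory sample images are constructed for this example; the oversized sample reuses the size value from the warning above.

```c
/* Added example, not from the bug report or from binutils/libbfd: a stand-alone
 * pre-validation of ELF64 little-endian section headers that rejects the two
 * malformations objdump warned about (a section whose bytes extend past the end
 * of the file, and a cycle in the sh_link dependency chain) before the file is
 * handed to a full parser. All function names and sample images are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum elf_check {
    ELF_OK = 0,
    ELF_ERR_SHORT,          /* buffer too small for the ELF header or section table */
    ELF_ERR_MAGIC,          /* not an ELF64 little-endian image */
    ELF_ERR_SECTION_RANGE,  /* sh_offset + sh_size exceeds the file size */
    ELF_ERR_LINK_RANGE,     /* sh_link points outside the section table */
    ELF_ERR_LINK_LOOP       /* following sh_link never reaches the null section */
};

#define EHDR_SIZE 64
#define SHDR_SIZE 64
#define SHT_NOBITS 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Returns ELF_OK or the first problem found. Every range test is written as
 * "a > len || b > len - a" so a huge sh_size cannot wrap the addition around. */
int elf64_check_sections(const uint8_t *buf, size_t len)
{
    if (len < EHDR_SIZE) return ELF_ERR_SHORT;
    if (memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 2 || buf[5] != 1) return ELF_ERR_MAGIC;
    uint64_t shoff = rd64(buf + 0x28);
    uint16_t shentsize = rd16(buf + 0x3a), shnum = rd16(buf + 0x3c);
    if (shnum == 0) return ELF_OK;
    if (shentsize < SHDR_SIZE) return ELF_ERR_SHORT;
    if (shoff > len || (uint64_t)shnum * shentsize > len - shoff) return ELF_ERR_SHORT;
    for (size_t i = 0; i < shnum; i++) {
        const uint8_t *sh = buf + shoff + i * shentsize;
        uint32_t type = rd32(sh + 0x04), link = rd32(sh + 0x28);
        uint64_t off = rd64(sh + 0x18), size = rd64(sh + 0x20);
        /* SHT_NOBITS occupies no file bytes; every other type must lie inside the file */
        if (type != SHT_NOBITS && (off > len || size > len - off)) return ELF_ERR_SECTION_RANGE;
        if (link >= shnum) return ELF_ERR_LINK_RANGE;
    }
    /* sh_link gives each section at most one dependency, with 0 (the null section)
     * meaning "none". Walking more than shnum hops without reaching 0 means a cycle. */
    for (size_t i = 1; i < shnum; i++) {
        uint32_t cur = (uint32_t)i;
        for (size_t hops = 0; cur != 0; hops++) {
            if (hops >= shnum) return ELF_ERR_LINK_LOOP;
            cur = rd32(buf + shoff + (size_t)cur * shentsize + 0x28);
        }
    }
    return ELF_OK;
}

/* --- constructed sample images (not the real testcase from the report) --- */
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Builds ELF header + n section headers at offset 64 + `extra` zero bytes of
 * section data. Section i gets sh_size = sizes[i] and sh_link = links[i]. */
static size_t build_sample(uint8_t *out, size_t n, const uint64_t *sizes,
                           const uint32_t *links, size_t extra)
{
    size_t data = EHDR_SIZE + n * SHDR_SIZE, total = data + extra;
    memset(out, 0, total);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;           /* ELFCLASS64, little-endian, EV_CURRENT */
    wr64(out + 0x28, EHDR_SIZE);                  /* e_shoff */
    wr16(out + 0x3a, SHDR_SIZE);                  /* e_shentsize */
    wr16(out + 0x3c, (uint16_t)n);                /* e_shnum */
    for (size_t i = 0; i < n; i++) {
        uint8_t *sh = out + EHDR_SIZE + i * SHDR_SIZE;
        wr32(sh + 0x04, i == 0 ? 0 : 1);          /* SHT_NULL for index 0, else SHT_PROGBITS */
        wr64(sh + 0x18, data);                    /* sh_offset: all sections share the filler */
        wr64(sh + 0x20, sizes[i]);                /* sh_size */
        wr32(sh + 0x28, links[i]);                /* sh_link */
    }
    return total;
}

int sample_well_formed(void) {
    uint8_t img[512]; uint64_t sizes[] = {0, 16, 16}; uint32_t links[] = {0, 0, 1};
    return elf64_check_sections(img, build_sample(img, 3, sizes, links, 32));
}
int sample_oversized_section(void) {   /* the size objdump complained about in the report */
    uint8_t img[512]; uint64_t sizes[] = {0, 0x3c3b031b01ULL, 16}; uint32_t links[] = {0, 0, 1};
    return elf64_check_sections(img, build_sample(img, 3, sizes, links, 32));
}
int sample_link_loop(void) {           /* sh_link chain 1 -> 2 -> 3 -> 1 never reaches section 0 */
    uint8_t img[512]; uint64_t sizes[] = {0, 16, 16, 16}; uint32_t links[] = {0, 2, 3, 1};
    return elf64_check_sections(img, build_sample(img, 4, sizes, links, 32));
}

int main(void) {
    printf("well-formed=%d oversized=%d link-loop=%d\n",
           sample_well_formed(), sample_oversized_section(), sample_link_loop());
    return 0;
}
```

This is deliberately a simplified front gate: it only covers ELF64 little-endian images and only the `sh_link` relation, so it is not a substitute for the checks inside libbfd, which the valgrind output shows recursing through `bfd_section_from_shdr` and writing into an already freed objalloc block on this input. The point is that both anomalies are detectable from the header table alone, before any per-section allocation happens, which is where a pipeline that processes untrusted object files should reject them.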

Nils (nils-bars)
information type: Private Security → Public Security
affects: poppler (Ubuntu) → binutils (Ubuntu)
description: updated
Nils (nils-bars)
description: updated
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this. I don't see that attached reproducer. Could you please attach it again?

Changed in binutils (Ubuntu):
status: New → Incomplete
Nils (nils-bars) wrote :
Nils (nils-bars) wrote :

Hello, this is still working on the latest release of binutils for Ubuntu.

Launchpad Janitor (janitor) wrote :

[Expired for binutils (Ubuntu) because there has been no activity for 60 days.]

Changed in binutils (Ubuntu):
status: Incomplete → Expired