Binary · C
How to fuzz binutils
GNU binary utilities — BFD library, objdump, readelf — historical CVE goldmine
BFD (Binary File Descriptor) is loaded by objdump, readelf, ld, and gdb to parse untrusted object files. It has the longest fuzzing CVE history of any project in this list — running fuzzers on each new release continues to yield findings.
Common bug classes
- Heap overflows in section header parsing (ELF, COFF, PE)
- Integer overflow in stab / DWARF debug-info decoding
- Out-of-bounds reads on truncated symbol tables
- Stack exhaustion on recursive type-info parsing
Recommended setup
Fuzzers
- AFL++
- Honggfuzz
- libFuzzer
Sanitizers
- ASan
- UBSan
Harness scaffold
#include <bfd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdint.h>

// libFuzzer-style entry point; AFL++ and Honggfuzz drive it through their
// libFuzzer-compatible persistent-mode drivers.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    // bfd_openr() takes a path, so spill the input to a scratch file first.
    FILE *fp = fopen("/tmp/bfd_fuzz.bin", "wb");
    if (!fp) return 0;
    fwrite(data, 1, size, fp);
    fclose(fp);

    static bool initialized = false;   // bfd_init() only needs to run once per process
    if (!initialized) { bfd_init(); initialized = true; }

    bfd *abfd = bfd_openr("/tmp/bfd_fuzz.bin", nullptr);   // nullptr target = autodetect format
    if (!abfd) return 0;
    if (bfd_check_format(abfd, bfd_object)) {
        long sz = bfd_get_symtab_upper_bound(abfd);   // bytes needed for the symbol table
        if (sz > 0) {
            asymbol **syms = (asymbol **)malloc(sz);
            if (syms) {
                bfd_canonicalize_symtab(abfd, syms);   // exercises symbol-table parsing
                free(syms);
            }
        }
    }
    bfd_close(abfd);   // always release the BFD, whether or not format detection succeeded
    return 0;
}

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.
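A seed corpus lets the fuzzers above get past format detection on the first iteration instead of discovering the ELF magic by mutation. The following is an added example, not code from this page or from binutils: it builds a minimal ELF64 relocatable object to drop into the seed directory, then walks its section headers with the explicit bounds checks that the section-header overflow and truncated-symbol-table read classes listed above are about. The section layout, the symbol name and the output format are constructed for this example.

```python
import struct
EHDR, SHDR, SYM = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<IBBHQQ"  # Elf64 Ehdr/Shdr/Sym, little-endian
EHSZ, SHSZ = struct.calcsize(EHDR), struct.calcsize(SHDR)       # 64 and 64

def build_min_elf64_reloc() -> bytes:
    """Minimal ET_REL x86-64 object with .text, .symtab (one FUNC symbol), .strtab, .shstrtab."""
    text, strtab = b"\xc3", b"\0fuzz_sym\0"                    # one RET; symbol-name string table
    shstr = b"\0.text\0.symtab\0.strtab\0.shstrtab\0"          # section names at offsets 1, 7, 15, 23
    symtab = struct.pack(SYM, 0, 0, 0, 0, 0, 0) \
           + struct.pack(SYM, 1, (1 << 4) | 2, 0, 1, 0, 1)      # STB_GLOBAL|STT_FUNC, shndx=.text
    bodies, offs, blob = [text, symtab, strtab, shstr], [], bytearray(EHSZ)
    for b in bodies:                                            # contents after the header, 8-aligned
        blob += b"\0" * (-len(blob) % 8)
        offs.append(len(blob))
        blob += b
    blob += b"\0" * (-len(blob) % 8)
    shoff = len(blob)                                           # section header table goes last
    # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_link, sh_info, sh_addralign, sh_entsize
    for sh in [(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
               (1, 1, 6, 0, offs[0], len(text), 0, 0, 16, 0),     # PROGBITS, ALLOC|EXECINSTR
               (7, 2, 0, 0, offs[1], len(symtab), 3, 1, 8, 24),   # SYMTAB, link=.strtab, info=1st global
               (15, 3, 0, 0, offs[2], len(strtab), 0, 0, 1, 0),   # STRTAB
               (23, 3, 0, 0, offs[3], len(shstr), 0, 0, 1, 0)]:   # STRTAB holding section names
        blob += struct.pack(SHDR, *sh)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8        # ELFCLASS64, LSB, EV_CURRENT, SysV ABI
    blob[:EHSZ] = struct.pack(EHDR, ident, 1, 62, 1, 0, 0, shoff, 0,
                              EHSZ, 0, 0, SHSZ, 5, 4)           # ET_REL, EM_X86_64, 5 sections, shstrndx=4
    return bytes(blob)

def section_headers(blob: bytes):
    """Bounds-checked section-header walk -> [(name, sh_type, sh_offset, sh_size)]; every
    offset is compared against len(blob) before use, the arithmetic careless parsers get wrong."""
    if len(blob) < EHSZ or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    e = struct.unpack_from(EHDR, blob)
    shoff, shentsize, shnum, shstrndx = e[6], e[11], e[12], e[13]
    if shentsize != SHSZ or shoff + shnum * shentsize > len(blob) or shstrndx >= shnum:
        raise ValueError("section header table out of bounds")
    shdrs = [struct.unpack_from(SHDR, blob, shoff + i * SHSZ) for i in range(shnum)]
    so, ss = shdrs[shstrndx][4], shdrs[shstrndx][5]
    names = blob[so:so + ss]
    if len(names) != ss:                                        # .shstrtab itself truncated
        raise ValueError(".shstrtab out of bounds")
    def name(i):                                                # sh_name must land inside .shstrtab
        end = names.find(b"\0", i)
        if i >= ss or end < 0:
            raise ValueError("sh_name beyond .shstrtab")
        return names[i:end].decode()
    return [(name(sh[0]), sh[1], sh[4], sh[5]) for sh in shdrs]
```

Write `build_min_elf64_reloc()` to a file in the fuzzer's seed directory; `objdump -t` on it should list `fuzz_sym`, and `section_headers()` rejects the same file truncated to any length short of its section header table.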
Notable CVEs found by fuzzing
- CVE-2023-1972
- CVE-2024-53589