[Bug binutils/21431] New: objcopy segfault - null pointer dereferencing

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/21431] New: objcopy segfault - null pointer dereferencing

From:	dungnguy at comp dot nus.edu.sg
Subject:	[Bug binutils/21431] New: objcopy segfault - null pointer dereferencing
Date:	Wed, 26 Apr 2017 10:45:58 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21431

            Bug ID: 21431
           Summary: objcopy segfault - null pointer dereferencing
           Product: binutils
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dungnguy at comp dot nus.edu.sg
  Target Milestone: ---

Created attachment 10016
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10016&action=edit
Crashing input

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Marcel Böhme and Van-Thuan Pham.

This bug was found on Ubuntu 14.04 64-bit & binutils was checked out from main
repository at git://sourceware.org/git/binutils-gdb.git. Its commit is
a49abe0bb18e04d3a4b692995fcfae70cd470775 (Tue Apr 25 00:00:36 2017).

binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command
was:

CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
-fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error"
../configure --disable-shared --disable-gdb --disable-libdecnumber
--disable-readline --disable-sim

To reproduce:
Download the attached file - bug_2
objcopy --compress-debug-section bug_2

ASAN says:
==51590==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f7ff19be7db bp 0x000000000bba sp 0x7ffec363a3d8 T0)
    #0 0x7f7ff19be7da 
/build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270
    #1 0x7f7ff19a6322 in __GI__IO_file_xsgetn
/build/eglibc-MjiXCM/eglibc-2.19/libio/fileops.c:1387
    #2 0x7f7ff199b86e in fread
/build/eglibc-MjiXCM/eglibc-2.19/libio/iofread.c:42
    #3 0x100e98d in cache_bread_1
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:337:11
    #4 0x100d2ed in cache_bread
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:371:21
    #5 0x6b92df in bfd_bread
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/bfdio.c:196:13
    #6 0x6e0c2b in _bfd_generic_get_section_contents
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/libbfd.c:813:10
    #7 0x6f998a in bfd_get_section_contents
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1619:10
    #8 0x6c7a3c in bfd_init_section_compress_status
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/compress.c:561:8
    #9 0x868dba in _bfd_elf_make_section_from_shdr
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:1164:9
    #10 0x88f6cb in bfd_section_from_shdr
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:2013:13
    #11 0x827b18 in bfd_elf64_object_p
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elfcode.h:805:7
    #12 0x6ca22f in bfd_check_format_matches
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:253:20
    #13 0x6c9148 in bfd_check_format
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:94:10
    #14 0x6799c4 in bfd_generic_archive_p
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/archive.c:887:8
    #15 0x6caccc in bfd_check_format_matches
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:311:14
    #16 0x6c9148 in bfd_check_format
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:94:10
    #17 0x4fdba1 in copy_file
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:3286:7
    #18 0x4fb9e9 in copy_main
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5266:3
    #19 0x4f4064 in main
/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5367:5
    #20 0x7f7ff194ef44 in __libc_start_main
/build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #21 0x41b635 in _start
(/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objcopy+0x41b635)

SUMMARY: AddressSanitizer: SEGV
/build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270

VALGRIND says:
==151260== Invalid write of size 8
==151260==    at 0x4C2FD73: __GI_memcpy (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==151260==    by 0x50B4322: _IO_file_xsgetn (fileops.c:1387)
==151260==    by 0x50A986E: fread (iofread.c:42)
==151260==    by 0x4AF987: fread (stdio2.h:295)
==151260==    by 0x4AF987: cache_bread_1 (cache.c:337)
==151260==    by 0x4AF987: cache_bread (cache.c:371)
==151260==    by 0x42C001: bfd_bread (bfdio.c:196)
==151260==    by 0x42EC8B: _bfd_generic_get_section_contents (libbfd.c:813)
==151260==    by 0x42CF1B: bfd_init_section_compress_status (compress.c:561)
==151260==    by 0x448E2D: _bfd_elf_make_section_from_shdr (elf.c:1164)
==151260==    by 0x4475B7: bfd_section_from_shdr (elf.c:2509)
==151260==    by 0x443443: bfd_elf64_object_p (elfcode.h:805)
==151260==    by 0x42D77C: bfd_check_format_matches (format.c:253)
==151260==    by 0x4274FA: bfd_generic_archive_p (archive.c:887)
==151260==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==151260== 
==151260== 
==151260== Process terminating with default action of signal 11 (SIGSEGV)
==151260==  Access not within mapped region at address 0x0
==151260==    at 0x4C2FD73: __GI_memcpy (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==151260==    by 0x50B4322: _IO_file_xsgetn (fileops.c:1387)
==151260==    by 0x50A986E: fread (iofread.c:42)
==151260==    by 0x4AF987: fread (stdio2.h:295)
==151260==    by 0x4AF987: cache_bread_1 (cache.c:337)
==151260==    by 0x4AF987: cache_bread (cache.c:371)
==151260==    by 0x42C001: bfd_bread (bfdio.c:196)
==151260==    by 0x42EC8B: _bfd_generic_get_section_contents (libbfd.c:813)
==151260==    by 0x42CF1B: bfd_init_section_compress_status (compress.c:561)
==151260==    by 0x448E2D: _bfd_elf_make_section_from_shdr (elf.c:1164)
==151260==    by 0x4475B7: bfd_section_from_shdr (elf.c:2509)
==151260==    by 0x443443: bfd_elf64_object_p (elfcode.h:805)
==151260==    by 0x42D77C: bfd_check_format_matches (format.c:253)
==151260==    by 0x4274FA: bfd_generic_archive_p (archive.c:887)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/21431] New: objcopy segfault - null pointer dereferencing, dungnguy at comp dot nus.edu.sg <=
- [Bug binutils/21431] objcopy segfault - null pointer dereferencing, dungnguy at comp dot nus.edu.sg, 2017/04/26
- [Bug binutils/21431] objcopy segfault - null pointer dereferencing, boehme.marcel at gmail dot com, 2017/04/26
- [Bug binutils/21431] objcopy segfault - null pointer dereferencing, cvs-commit at gcc dot gnu.org, 2017/04/26
- [Bug binutils/21431] objcopy segfault - null pointer dereferencing, nickc at redhat dot com, 2017/04/26

Prev by Date: [Bug gold/21430] New: gold misplaces a relaxed section on AArch64
Next by Date: [Bug binutils/21431] objcopy segfault - null pointer dereferencing
Previous by thread: [Bug gold/21430] New: gold misplaces a relaxed section on AArch64
Next by thread: [Bug binutils/21431] objcopy segfault - null pointer dereferencing
Index(es):
- Date
- Thread