
[Bug ld/20908] New: LD crashes when writing linked file


From: boehme.marcel at gmail dot com
Subject: [Bug ld/20908] New: LD crashes when writing linked file
Date: Fri, 02 Dec 2016 07:59:16 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20908

            Bug ID: 20908
           Summary: LD crashes when writing linked file
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.

The linker crashes with an invalid read of size 8 for the following execution
on Ubuntu 16.04 x86_64 in Binutils trunk and for preinstalled version v2.26.1
and on Ubuntu 14.04 x86_64 for Binutils in trunk. It works fine for Binutils
v2.24.

$ printf "\x00\x00\xff\xff\x00\x00L\x010000\x18\x00\x00\x0000\x0400000000000000000000\x00000\x00" > test
$ ./ld -qN test
/home/ubuntu/subjects/binutils-gdb/ld/ld-new: i386 architecture of input file `test2' is incompatible with i386:x86-64 output
/home/ubuntu/subjects/binutils-gdb/ld/ld-new: warning: cannot find entry symbol _start; defaulting to 0000000000400078
Segmentation fault

VALGRIND says:
==8561== Invalid read of size 8
==8561==    at 0x6DE6D0: bfd_elf_final_link (elflink.c:11427)
==8561==    by 0x484B7C: ldwrite (ldwrite.c:577)
==8561==    by 0x408334: main (ldmain.c:444)
==8561==  Address 0x3030303030303068 is not stack'd, malloc'd or (recently) free'd

UBSAN complains:
../../bfd/peicode.h:658:42: runtime error: member access within misaligned address 0x61e00000f8c7 for type 'struct coff_section_tdata', which requires 8 byte alignment
0x61e00000f8c7: note: pointer points here
 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
00 00 00 00  00 00 00
             ^ 

Best regards,
- Marcel

-- 
You are receiving this mail because:
You are on the CC list for the bug.
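An added triage example, not part of the bug report and not binutils code. The first eight bytes of the reproducer (`00 00 ff ff 00 00 4c 01`) match the short import library ("ILF") header that BFD's peicode.h recognises: signature 0x0000/0xFFFF, version 0, machine 0x014c (i386); reading the file that way is my interpretation of the bytes, the report itself does not name the format. The faulting Valgrind address 0x3030303030303068 is made almost entirely of 0x30 bytes, the ASCII '0' filler of the input, which is the kind of thing a corpus validator should flag before a fuzz finding reaches a linker. The script below parses the 20-byte import header as documented in the PE/COFF spec, checks the declared data size and the reserved type bits, and compares the reproducer with a constructed well-formed object (`build_ilf`, my own helper).

```python
import struct

# Reproducer bytes copied verbatim from the printf command in the bug report.
REPRO = b"\x00\x00\xff\xff\x00\x00L\x010000\x18\x00\x00\x0000\x0400000000000000000000\x00000\x00"

# Import header layout (PE/COFF spec, "Import Header"): all little-endian.
# sig1(2) sig2(2) version(2) machine(2) time_date_stamp(4) size_of_data(4) hint(2) type(2)
ILF_HEADER_FMT = "<HHHHIIHH"
ILF_HEADER_LEN = struct.calcsize(ILF_HEADER_FMT)  # 20 bytes

# Machine values from the PE/COFF spec: i386, x86-64, ARM, ARM64.
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}


def parse_ilf_header(data: bytes) -> dict:
    """Decode the fixed header; the 16-bit type word is split into its bit fields."""
    if len(data) < ILF_HEADER_LEN:
        raise ValueError("shorter than the 20-byte import header")
    sig1, sig2, version, machine, stamp, size_of_data, hint, type_bits = struct.unpack_from(
        ILF_HEADER_FMT, data, 0
    )
    return {
        "sig1": sig1,
        "sig2": sig2,
        "version": version,
        "machine": machine,
        "time_date_stamp": stamp,
        "size_of_data": size_of_data,
        "hint": hint,
        "import_type": type_bits & 0x3,        # bits 0-1: code / data / const
        "name_type": (type_bits >> 2) & 0x7,   # bits 2-4: how the symbol name is looked up
        "reserved": type_bits >> 5,            # bits 5-15: must be zero per spec
    }


def check_ilf(data: bytes) -> list:
    """Return a list of findings; an empty list means the object looks well-formed."""
    findings = []
    if len(data) < ILF_HEADER_LEN:
        return ["file shorter than the 20-byte import header"]
    h = parse_ilf_header(data)
    if (h["sig1"], h["sig2"], h["version"]) != (0, 0xFFFF, 0):
        findings.append("signature/version bytes are not an import header")
    if h["machine"] not in KNOWN_MACHINES:
        findings.append("unknown machine type 0x%04x" % h["machine"])
    if h["import_type"] > 2:
        findings.append("import type %d is out of range" % h["import_type"])
    if h["reserved"] != 0:
        findings.append("reserved type bits set: 0x%03x" % h["reserved"])
    body = data[ILF_HEADER_LEN:]
    if h["size_of_data"] != len(body):
        findings.append(
            "declared size_of_data %d != %d bytes present after the header"
            % (h["size_of_data"], len(body))
        )
    # A well-formed body is exactly: symbol NUL dll-name NUL, nothing else.
    parts = body[: h["size_of_data"]].split(b"\x00")
    if len(parts) != 3 or parts[2] != b"" or not parts[0] or not parts[1]:
        findings.append("body is not exactly two NUL-terminated strings (symbol, DLL)")
    return findings


def build_ilf(symbol: bytes, dll: bytes, machine: int = 0x014C) -> bytes:
    """Constructed well-formed import object: code import, looked up by name, reserved bits zero."""
    body = symbol + b"\x00" + dll + b"\x00"
    type_bits = 0 | (1 << 2)  # import_type=code, name_type=name
    header = struct.pack(ILF_HEADER_FMT, 0, 0xFFFF, 0, machine, 0, len(body), 0, type_bits)
    return header + body


if __name__ == "__main__":
    for label, blob in (("reproducer", REPRO), ("constructed", build_ilf(b"_foo", b"foo.dll"))):
        print(label, parse_ilf_header(blob))
        print("  findings:", check_ilf(blob) or "none")
```

Running it shows the reproducer carries an i386 machine word, a timestamp and hint made of '0' characters, a declared data size of 24, and non-zero reserved bits in the type word; the constructed object passes every check. A filter like this in front of a linker fuzzing harness separates inputs that fail the format's own rules from ones that are structurally valid and still crash the parser, which is the more interesting class.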

