[Bug binutils/23112] New: objcopy segmentation faul
From: donald.zgd at gmail dot com
Subject: [Bug binutils/23112] New: objcopy segmentation faul
Date: Tue, 24 Apr 2018 09:11:24 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=23112
Bug ID: 23112
Summary: objcopy segmentation faul
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: donald.zgd at gmail dot com
Target Milestone: ---
Created attachment 10976
--> https://sourceware.org/bugzilla/attachment.cgi?id=10976&action=edit
the malformed crash input
When objcopy copies private info (in file bfd/pex64igen.c, function
"_bfd_pex64_bfd_copy_private_bfd_data_common()"), it has an unbounded loop
that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the
address exceeds its own memory region, resulting in an unwritable memory space.
# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null
# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x0000000000431daf in bfd_putl32 (data=1279622912, p=0x7ffff7808fff) at
../../bfd/libbfd.c:776
776 addr[1] = (data >> 8) & 0xff;
(gdb) bt
#0 0x0000000000431daf in bfd_putl32 (data=1279622912, p=0x7ffff7808fff) at
../../bfd/libbfd.c:776
#1 0x00000000004e292a in _bfd_pex64i_swap_debugdir_out (abfd=0x788290,
inp=0x7fffffffdcb0, extp=0x7ffff7808ff3) at pex64igen.c:1139
#2 0x00000000004e706d in _bfd_pex64_bfd_copy_private_bfd_data_common
(ibfd=0x784ec0, obfd=0x788290) at pex64igen.c:3016
#3 0x00000000004d8983 in pe_bfd_copy_private_bfd_data (ibfd=0x784ec0,
obfd=0x788290) at ../../bfd/peicode.h:361
#4 0x00000000004082b9 in copy_object (ibfd=0x784ec0, obfd=0x788290,
input_arch=0x0) at ../../binutils/objcopy.c:3170
#5 0x0000000000408fea in copy_file (
input_filename=0x7fffffffe537 "/tmp/objcopy_crash.input",
output_filename=0x7fffffffe578 "/dev/null", input_target=0x0,
output_target=0x535e86 "pei-x86-64", input_arch=0x0)
at ../../binutils/objcopy.c:3532
#6 0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe258) at
../../binutils/objcopy.c:5484
#7 0x000000000040d384 in main (argc=3, argv=0x7fffffffe258) at
../../binutils/objcopy.c:5588
(gdb) info registers
rax 0x7ffff7809000 140737345785856
rbx 0x0 0
rcx 0x7ffff7808fff 140737345785855
rdx 0x4c457f 4998527
rsi 0x7ffff7808fff 140737345785855
rdi 0x4c457f00 1279622912
rbp 0x7fffffffdc00 0x7fffffffdc00
rsp 0x7fffffffdc00 0x7fffffffdc00
r8 0x90000 589824
r9 0x0 0
r10 0x22 34
r11 0x246 582
r12 0x4025c0 4203968
r13 0x7fffffffe250 140737488347728
r14 0x0 0
r15 0x0 0
rip 0x431daf 0x431daf <bfd_putl32+48>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) info proc mappings
process 9875
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x400000 0x566000 0x166000 0x0 /tmp/objcopy
0x765000 0x777000 0x12000 0x165000 /tmp/objcopy
0x777000 0x77e000 0x7000 0x177000 /tmp/objcopy
0x77e000 0x7a4000 0x26000 0x0 [heap]
0x7ffff7778000 0x7ffff7809000 0x91000 0x0
0x7ffff7809000 0x7ffff79c9000 0x1c0000 0x0
/lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff79c9000 0x7ffff7bc9000 0x200000 0x1c0000
/lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7bc9000 0x7ffff7bcd000 0x4000 0x1c0000
/lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7bcd000 0x7ffff7bcf000 0x2000 0x1c4000
/lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7bcf000 0x7ffff7bd3000 0x4000 0x0
0x7ffff7bd3000 0x7ffff7bd6000 0x3000 0x0
/lib/x86_64-linux-gnu/libdl-2.23.so
0x7ffff7bd6000 0x7ffff7dd5000 0x1ff000 0x3000
/lib/x86_64-linux-gnu/libdl-2.23.so
0x7ffff7dd5000 0x7ffff7dd6000 0x1000 0x2000
/lib/x86_64-linux-gnu/libdl-2.23.so
0x7ffff7dd6000 0x7ffff7dd7000 0x1000 0x3000
/lib/x86_64-linux-gnu/libdl-2.23.so
0x7ffff7dd7000 0x7ffff7dfd000 0x26000 0x0
/lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7e49000 0x7ffff7fe1000 0x198000 0x0
/usr/lib/locale/locale-archive
0x7ffff7fe1000 0x7ffff7fe5000 0x4000 0x0
0x7ffff7ff0000 0x7ffff7ff7000 0x7000 0x0
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
0x7ffff7ff7000 0x7ffff7ffa000 0x3000 0x0 [vvar]
0x7ffff7ffa000 0x7ffff7ffc000 0x2000 0x0 [vdso]
0x7ffff7ffc000 0x7ffff7ffd000 0x1000 0x25000
/lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7ffd000 0x7ffff7ffe000 0x1000 0x26000
/lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7ffe000 0x7ffff7fff000 0x1000 0x0
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64
x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
5373441d20b652d5b0332b6cada74524af3ae707
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
# ------------------------------
This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
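The report above describes a write loop over IMAGE_DEBUG_DIRECTORY entries whose iteration count is taken from the input file and never compared with the size of the section being written; the gdb session shows the result, with the faulting pointer p=0x7ffff7808fff sitting at the last byte of the anonymous mapping that ends at 0x7ffff7809000 (rax), so the 4-byte store in bfd_putl32 runs into the adjacent mapping. The following is an added example, not binutils code and not the eventual fix: it models the same copy loop with a hypothetical copy_debug_directory() that validates the untrusted entry count against the real output size before writing. The 28-byte on-disk layout of a debug directory entry follows the PE/COFF specification; the sample entries and section sizes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* On-disk size of one PE IMAGE_DEBUG_DIRECTORY entry (PE/COFF spec). */
#define DEBUG_DIR_ENTRY_SIZE 28u

/* Host-side view of one debug directory entry, field order as in the spec. */
struct debug_dir_entry {
    uint32_t characteristics;
    uint32_t time_date_stamp;
    uint16_t major_version;
    uint16_t minor_version;
    uint32_t type;
    uint32_t size_of_data;
    uint32_t address_of_raw_data;
    uint32_t pointer_to_raw_data;
};

/* Little-endian stores, the same job bfd_putl32 does in the backtrace. */
static void put_le16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)((v >> 8) & 0xff);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    put_le16(p, (uint16_t)(v & 0xffff));
    put_le16(p + 2, (uint16_t)(v >> 16));
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Serialize one entry into exactly DEBUG_DIR_ENTRY_SIZE bytes at dst.
   Like the swap-out routine in the backtrace, this writes blindly: the
   caller must already have proven there is room for all 28 bytes. */
static void swap_debugdir_out(const struct debug_dir_entry *in, uint8_t *dst)
{
    put_le32(dst + 0,  in->characteristics);
    put_le32(dst + 4,  in->time_date_stamp);
    put_le16(dst + 8,  in->major_version);
    put_le16(dst + 10, in->minor_version);
    put_le32(dst + 12, in->type);
    put_le32(dst + 16, in->size_of_data);
    put_le32(dst + 20, in->address_of_raw_data);
    put_le32(dst + 24, in->pointer_to_raw_data);
}

/* Hardened copy loop (hypothetical name, not the binutils function).
   `count` is derived from the input file's data directory and is therefore
   untrusted; it is checked against the output section's real size before a
   single byte is written.  Dividing instead of multiplying avoids overflow
   in count * DEBUG_DIR_ENTRY_SIZE.  Returns entries written, or -1 if the
   directory would not fit (the bound the reported loop lacks). */
long copy_debug_directory(const struct debug_dir_entry *entries, size_t count,
                          uint8_t *section, size_t section_size, size_t offset)
{
    if (offset > section_size)
        return -1;
    size_t avail = section_size - offset;
    if (count > avail / DEBUG_DIR_ENTRY_SIZE)
        return -1;
    for (size_t i = 0; i < count; i++)
        swap_debugdir_out(&entries[i], section + offset + i * DEBUG_DIR_ENTRY_SIZE);
    return (long)count;
}

/* Constructed sample entries (type 2 = CODEVIEW, 13 = POGO, 4 = MISC). */
static const struct debug_dir_entry sample_entries[3] = {
    { 0, 0x5ad7b2c0, 0, 0, 2,  0x24,  0x3000, 0x1400 },
    { 0, 0x5ad7b2c0, 0, 0, 13, 0x100, 0x3030, 0x1430 },
    { 0, 0x5ad7b2c0, 0, 0, 4,  0x10,  0x3200, 0x1600 },
};

/* Copy `count` sample entries into a constructed section of `section_size`
   bytes (at most 256) and report the loop's verdict. */
long try_copy(size_t count, size_t section_size)
{
    uint8_t section[256] = {0};
    if (section_size > sizeof section || count > 3)
        return -2;                         /* outside the demo's own bounds */
    return copy_debug_directory(sample_entries, count, section, section_size, 0);
}

/* Decode the `type` field (offset 12) of entry i after a copy, to show the
   serialized layout is right.  Returns 0xffffffff if the copy was rejected. */
uint32_t copied_type(size_t count, size_t section_size, size_t i)
{
    uint8_t section[256] = {0};
    if (section_size > sizeof section || count > 3 || i >= count)
        return 0xffffffffu;
    if (copy_debug_directory(sample_entries, count, section, section_size, 0) < 0)
        return 0xffffffffu;
    return get_le32(section + i * DEBUG_DIR_ENTRY_SIZE + 12);
}

int main(void)
{
    printf("2 entries into 64 bytes: %ld\n", try_copy(2, 64)); /* 2: 56 <= 64 */
    printf("3 entries into 64 bytes: %ld\n", try_copy(3, 64)); /* -1: 84 > 64 */
    return 0;
}
```

The check belongs at the loop, not in the serializer: bfd_putl32 and its callers cannot know how much of the output section remains, so the routine that derives the entry count from the input is the one that has to reject a count larger than the space it owns, as copy_debug_directory() does here before its first write.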