[Bug binutils/21431] New: objcopy segfault - null pointer dereferencing
From: dungnguy at comp dot nus.edu.sg
Subject: [Bug binutils/21431] New: objcopy segfault - null pointer dereferencing
Date: Wed, 26 Apr 2017 10:45:58 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=21431
Bug ID: 21431
Summary: objcopy segfault - null pointer dereferencing
Product: binutils
Version: 2.28
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: dungnguy at comp dot nus.edu.sg
Target Milestone: ---
Created attachment 10016
--> https://sourceware.org/bugzilla/attachment.cgi?id=10016&action=edit
Crashing input
Dear All,
This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Marcel Böhme and Van-Thuan Pham.
This bug was found on Ubuntu 14.04 64-bit, and binutils was checked out from the main
repository at git://sourceware.org/git/binutils-gdb.git. Its commit is
a49abe0bb18e04d3a4b692995fcfae70cd470775 (Tue Apr 25 00:00:36 2017).
binutils was built with ASAN using gcc-6.2 and clang-3.4. The configure command
was:
CC=clang CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
-fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error"
../configure --disable-shared --disable-gdb --disable-libdecnumber
--disable-readline --disable-sim
To reproduce:
Download the attached file - bug_2
objcopy --compress-debug-section bug_2
ASAN says:
==51590==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7ff19be7db bp 0x000000000bba sp 0x7ffec363a3d8 T0)
#0 0x7f7ff19be7da /build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270
#1 0x7f7ff19a6322 in __GI__IO_file_xsgetn /build/eglibc-MjiXCM/eglibc-2.19/libio/fileops.c:1387
#2 0x7f7ff199b86e in fread /build/eglibc-MjiXCM/eglibc-2.19/libio/iofread.c:42
#3 0x100e98d in cache_bread_1 /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:337:11
#4 0x100d2ed in cache_bread /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:371:21
#5 0x6b92df in bfd_bread /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/bfdio.c:196:13
#6 0x6e0c2b in _bfd_generic_get_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/libbfd.c:813:10
#7 0x6f998a in bfd_get_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1619:10
#8 0x6c7a3c in bfd_init_section_compress_status /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/compress.c:561:8
#9 0x868dba in _bfd_elf_make_section_from_shdr /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:1164:9
#10 0x88f6cb in bfd_section_from_shdr /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elf.c:2013:13
#11 0x827b18 in bfd_elf64_object_p /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/elfcode.h:805:7
#12 0x6ca22f in bfd_check_format_matches /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:253:20
#13 0x6c9148 in bfd_check_format /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:94:10
#14 0x6799c4 in bfd_generic_archive_p /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/archive.c:887:8
#15 0x6caccc in bfd_check_format_matches /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:311:14
#16 0x6c9148 in bfd_check_format /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/format.c:94:10
#17 0x4fdba1 in copy_file /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:3286:7
#18 0x4fb9e9 in copy_main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5266:3
#19 0x4f4064 in main /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/../../binutils/objcopy.c:5367:5
#20 0x7f7ff194ef44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
#21 0x41b635 in _start (/home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/binutils/objcopy+0x41b635)
SUMMARY: AddressSanitizer: SEGV /build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270
VALGRIND says:
==151260== Invalid write of size 8
==151260== at 0x4C2FD73: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==151260== by 0x50B4322: _IO_file_xsgetn (fileops.c:1387)
==151260== by 0x50A986E: fread (iofread.c:42)
==151260== by 0x4AF987: fread (stdio2.h:295)
==151260== by 0x4AF987: cache_bread_1 (cache.c:337)
==151260== by 0x4AF987: cache_bread (cache.c:371)
==151260== by 0x42C001: bfd_bread (bfdio.c:196)
==151260== by 0x42EC8B: _bfd_generic_get_section_contents (libbfd.c:813)
==151260== by 0x42CF1B: bfd_init_section_compress_status (compress.c:561)
==151260== by 0x448E2D: _bfd_elf_make_section_from_shdr (elf.c:1164)
==151260== by 0x4475B7: bfd_section_from_shdr (elf.c:2509)
==151260== by 0x443443: bfd_elf64_object_p (elfcode.h:805)
==151260== by 0x42D77C: bfd_check_format_matches (format.c:253)
==151260== by 0x4274FA: bfd_generic_archive_p (archive.c:887)
==151260== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==151260==
==151260==
==151260== Process terminating with default action of signal 11 (SIGSEGV)
==151260== Access not within mapped region at address 0x0
==151260== at 0x4C2FD73: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==151260== by 0x50B4322: _IO_file_xsgetn (fileops.c:1387)
==151260== by 0x50A986E: fread (iofread.c:42)
==151260== by 0x4AF987: fread (stdio2.h:295)
==151260== by 0x4AF987: cache_bread_1 (cache.c:337)
==151260== by 0x4AF987: cache_bread (cache.c:371)
==151260== by 0x42C001: bfd_bread (bfdio.c:196)
==151260== by 0x42EC8B: _bfd_generic_get_section_contents (libbfd.c:813)
==151260== by 0x42CF1B: bfd_init_section_compress_status (compress.c:561)
==151260== by 0x448E2D: _bfd_elf_make_section_from_shdr (elf.c:1164)
==151260== by 0x4475B7: bfd_section_from_shdr (elf.c:2509)
==151260== by 0x443443: bfd_elf64_object_p (elfcode.h:805)
==151260== by 0x42D77C: bfd_check_format_matches (format.c:253)
==151260== by 0x4274FA: bfd_generic_archive_p (archive.c:887)
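The two sanitizer reports above are what a triager works from: ASAN gives the faulting address and a symbolized stack, Valgrind adds whether the bad access was a read or a write. The script below is an added example and is not part of the bug report or of binutils; it parses an ASAN stack trace and a Valgrind access line, classifies the fault address (0x0 here, so a NULL pointer dereference rather than a wild pointer), and locates the first frame inside the project source tree (cache_bread_1 in bfd/cache.c:337, not libc's memcpy), which is the frame worth starting from when looking for a fix. The embedded report excerpts are constructed from the output quoted above (top frames only); the project-root marker "binutils-gdb" and the one-page threshold for "near-null" are assumptions of this example.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the source tree is identified by this directory name in frame paths.
PROJECT_ROOT = "binutils-gdb"
# Assumption: faults below the first page are treated as NULL (+ small offset) dereferences.
NULL_PAGE = 0x1000

# Constructed excerpt of the ASAN report from the bug (top frames, one per line).
ASAN_REPORT = """\
==51590==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7ff19be7db bp 0x000000000bba sp 0x7ffec363a3d8 T0)
#0 0x7f7ff19be7da /build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270
#1 0x7f7ff19a6322 in __GI__IO_file_xsgetn /build/eglibc-MjiXCM/eglibc-2.19/libio/fileops.c:1387
#2 0x7f7ff199b86e in fread /build/eglibc-MjiXCM/eglibc-2.19/libio/iofread.c:42
#3 0x100e98d in cache_bread_1 /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:337:11
#4 0x100d2ed in cache_bread /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/cache.c:371:21
#5 0x6b92df in bfd_bread /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/bfdio.c:196:13
#6 0x6e0c2b in _bfd_generic_get_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/libbfd.c:813:10
#7 0x6f998a in bfd_get_section_contents /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/section.c:1619:10
#8 0x6c7a3c in bfd_init_section_compress_status /home/ubuntu/binutils-analysis/binutils-gdb/obj-asan/bfd/../../bfd/compress.c:561:8
SUMMARY: AddressSanitizer: SEGV /build/eglibc-MjiXCM/eglibc-2.19/string/../sysdeps/x86_64/multiarch/../memcpy.S:270
"""

# Constructed excerpt of the Valgrind report from the bug.
VALGRIND_REPORT = """\
==151260== Invalid write of size 8
==151260==    at 0x4C2FD73: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==151260==    by 0x50B4322: _IO_file_xsgetn (fileops.c:1387)
==151260==    by 0x50A986E: fread (iofread.c:42)
==151260==    by 0x4AF987: cache_bread_1 (cache.c:337)
==151260==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+(?:in\s+(\S+)\s+)?(\S+)")
SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+)")
VG_ACCESS_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)", re.M)


@dataclass
class Frame:
    index: int
    function: Optional[str]   # None when ASAN printed no symbol (frame #0 above)
    path: str                 # normalized; relative to PROJECT_ROOT when inside it
    line: Optional[int]
    in_project: bool


def _normalize_location(loc: str) -> Tuple[str, Optional[int], bool]:
    """Split 'path:line[:col]', strip the tree prefix, collapse '..' segments."""
    parts = loc.split(":")
    path = parts[0]
    line = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    marker = "/" + PROJECT_ROOT + "/"
    in_project = marker in path
    if in_project:
        path = path.split(marker, 1)[1]
    return posixpath.normpath(path), line, in_project


def parse_asan_frames(report: str) -> List[Frame]:
    frames = []
    for text in report.splitlines():
        m = FRAME_RE.match(text)
        if m:
            path, lineno, in_project = _normalize_location(m.group(3))
            frames.append(Frame(int(m.group(1)), m.group(2), path, lineno, in_project))
    return frames


def asan_fault_address(report: str) -> Optional[int]:
    m = SEGV_RE.search(report)
    return int(m.group(1), 16) if m else None


def classify_fault(addr: Optional[int]) -> str:
    """A fault inside the zero page is a NULL (or NULL+offset) dereference, not a wild pointer."""
    if addr is None:
        return "unknown"
    if addr < NULL_PAGE:
        return "null-pointer dereference" if addr == 0 else "near-null dereference"
    return "wild pointer access"


def first_project_frame(frames: List[Frame]) -> Optional[Frame]:
    """Skip libc/runtime frames: the first in-tree frame is where the bad pointer was handed over."""
    return next((f for f in frames if f.in_project), None)


def valgrind_access(report: str) -> Optional[Tuple[str, int]]:
    m = VG_ACCESS_RE.search(report)
    return (m.group(1), int(m.group(2))) if m else None


def triage(asan_report: str, valgrind_report: Optional[str] = None) -> dict:
    frames = parse_asan_frames(asan_report)
    addr = asan_fault_address(asan_report)
    proj = first_project_frame(frames)
    return {
        "fault_address": addr,
        "category": classify_fault(addr),
        "faulting_frame": f"{frames[0].path}:{frames[0].line}" if frames else None,
        "first_project_frame": f"{proj.function} ({proj.path}:{proj.line})" if proj else None,
        "access": valgrind_access(valgrind_report) if valgrind_report else None,
    }


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT, VALGRIND_REPORT).items():
        print(f"{key}: {value}")
```

For this report the script lands on a write of size 8 to address 0x0 from memcpy inside fread, with cache_bread_1 at bfd/cache.c:337 as the first in-tree frame; that combination points at a NULL destination buffer being passed down through bfd_get_section_contents rather than at a libc fault, which narrows where a NULL check or allocation-failure check is missing.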