[Bug binutils/23111] New: objcopy segmentation fault
From: donald.zgd at gmail dot com
Subject: [Bug binutils/23111] New: objcopy segmentation fault
Date: Tue, 24 Apr 2018 09:08:39 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=23111
Bug ID: 23111
Summary: objcopy segmentation fault
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: donald.zgd at gmail dot com
Target Milestone: ---
Created attachment 10975
--> https://sourceware.org/bugzilla/attachment.cgi?id=10975&action=edit
the malformed crash input
When objcopy is copying private info (in file bfd/pex64igen.c, function
"_bfd_pex64_bfd_copy_private_bfd_data_common()"), it has an unbounded loop
that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the
address exceeds its own memory region, resulting in an unwritable memory space.
# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null
# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x00000000004318aa in bfd_getl32 (p=0x7a4000) at ../../bfd/libbfd.c:635
635 v = (unsigned long) addr[0];
(gdb) bt
#0 0x00000000004318aa in bfd_getl32 (p=0x7a4000) at ../../bfd/libbfd.c:635
#1 0x00000000004bf023 in _bfd_pei_swap_debugdir_in (abfd=0x788290,
ext1=0x7a3ff4, in1=0x7fffffffdcb0) at peigen.c:1123
#2 0x00000000004c37fc in _bfd_pe_bfd_copy_private_bfd_data_common
(ibfd=0x784ec0, obfd=0x788290) at peigen.c:3004
#3 0x00000000004b50fb in pe_bfd_copy_private_bfd_data (ibfd=0x784ec0,
obfd=0x788290) at ../../bfd/peicode.h:361
#4 0x00000000004082b9 in copy_object (ibfd=0x784ec0, obfd=0x788290,
input_arch=0x0) at ../../binutils/objcopy.c:3170
#5 0x0000000000408fea in copy_file (
input_filename=0x7fffffffe537 "/tmp/objcopy_crash.input",
output_filename=0x7fffffffe578 "/dev/null", input_target=0x0,
output_target=0x533778 "pei-i386", input_arch=0x0)
at ../../binutils/objcopy.c:3532
#6 0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe258) at
../../binutils/objcopy.c:5484
#7 0x000000000040d384 in main (argc=3, argv=0x7fffffffe258) at
../../binutils/objcopy.c:5588
(gdb) info registers
rax 0x7a4000 8011776
rbx 0x0 0
rcx 0x7a3ff4 8011764
rdx 0x7a4000 8011776
rsi 0x7a3ff4 8011764
rdi 0x7a4000 8011776
rbp 0x7fffffffdc00 0x7fffffffdc00
rsp 0x7fffffffdc00 0x7fffffffdc00
r8 0xedff 60927
r9 0x11 17
r10 0xe 14
r11 0x246 582
r12 0x4025c0 4203968
r13 0x7fffffffe250 140737488347728
r14 0x0 0
r15 0x0 0
rip 0x4318aa 0x4318aa <bfd_getl32+20>
eflags 0x10216 [ PF AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) info proc mappings
process 10041
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x400000 0x566000 0x166000 0x0 /tmp/objcopy
0x765000 0x777000 0x12000 0x165000 /tmp/objcopy
0x777000 0x77e000 0x7000 0x177000 /tmp/objcopy
0x77e000 0x7a4000 0x26000 0x0 [heap]
0x7ffff771b000 0x7ffff7809000 0xee000 0x0
0x7ffff7809000 0x7ffff79c9000 0x1c0000 0x0 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff79c9000 0x7ffff7bc9000 0x200000 0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7bc9000 0x7ffff7bcd000 0x4000 0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7bcd000 0x7ffff7bcf000 0x2000 0x1c4000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7bcf000 0x7ffff7bd3000 0x4000 0x0
0x7ffff7bd3000 0x7ffff7bd6000 0x3000 0x0 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7ffff7bd6000 0x7ffff7dd5000 0x1ff000 0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7ffff7dd5000 0x7ffff7dd6000 0x1000 0x2000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7ffff7dd6000 0x7ffff7dd7000 0x1000 0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7ffff7dd7000 0x7ffff7dfd000 0x26000 0x0 /lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7e1b000 0x7ffff7e49000 0x2e000 0x0
0x7ffff7e49000 0x7ffff7fe1000 0x198000 0x0 /usr/lib/locale/locale-archive
0x7ffff7fe1000 0x7ffff7fe5000 0x4000 0x0
0x7ffff7ff0000 0x7ffff7ff7000 0x7000 0x0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
0x7ffff7ff7000 0x7ffff7ffa000 0x3000 0x0 [vvar]
0x7ffff7ffa000 0x7ffff7ffc000 0x2000 0x0 [vdso]
0x7ffff7ffc000 0x7ffff7ffd000 0x1000 0x25000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7ffd000 0x7ffff7ffe000 0x1000 0x26000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7ffe000 0x7ffff7fff000 0x1000 0x0
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
5373441d20b652d5b0332b6cada74524af3ae707
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
# ------------------------------
This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
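The defensive check that the report's crash calls for, as an added example that is not binutils code: a validation step for a PE debug directory that rejects a header-declared Size larger than the section bytes actually read, plus an accessor that reads entries only after that check has passed. The 28-byte entry layout with Type at offset 12 follows the PE/COFF format; the function names, argument convention and the constructed sample section are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* One external_IMAGE_DEBUG_DIRECTORY entry in the PE/COFF format:
 * seven 32-bit little-endian words (28 bytes), Type at offset 12. */
#define DEBUG_DIR_ENTRY_SIZE 28u

/* Number of debug-directory entries that fit entirely inside the section
 * bytes actually read, or -1 if the header's claim does not fit.
 *   section_size : bytes held for the section containing the directory
 *   dir_off      : directory offset within the section (VA - section VMA)
 *   dir_size     : DataDirectory[DEBUG].Size as declared by the untrusted header
 * Without this check a loop bounded only by dir_size walks *edd off the
 * end of the buffer, which is the fault described in this report.
 * (Illustrative function, not the binutils API.) */
int checked_debug_dir_entries(size_t section_size, size_t dir_off,
                              uint32_t dir_size)
{
  if (dir_off > section_size)            /* offset outside the section; */
    return -1;                           /* also keeps the subtraction safe */
  if (dir_size > section_size - dir_off) /* declared directory overruns */
    return -1;                           /* the bytes we hold */
  if (dir_size % DEBUG_DIR_ENTRY_SIZE != 0) /* truncated final entry */
    return -1;
  return (int) (dir_size / DEBUG_DIR_ENTRY_SIZE);
}

static uint32_t getl32(const uint8_t *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
       | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Type field of entry idx, read only after the whole directory has been
 * validated; 0xffffffff signals a malformed directory or a bad index. */
uint32_t debug_entry_type(const uint8_t *section, size_t section_size,
                          size_t dir_off, uint32_t dir_size, int idx)
{
  int n = checked_debug_dir_entries(section_size, dir_off, dir_size);
  if (n < 0 || idx < 0 || idx >= n)
    return 0xffffffffu;
  return getl32(section + dir_off + (size_t) idx * DEBUG_DIR_ENTRY_SIZE + 12);
}

/* Constructed sample: a 64-byte section holding a two-entry directory at
 * offset 8; entry 0 has Type 2 (CODEVIEW), entry 1 has Type 16 (REPRO). */
const uint8_t sample_section[64] = { [8 + 12] = 2, [8 + 28 + 12] = 16 };
```

A header that declares, say, 0x1000 bytes of debug directory for a 64-byte section is refused before any entry is touched, instead of being walked entry by entry into unmapped memory as in the backtrace above.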