
[Bug binutils/23112] New: objcopy segmentation fault

From: donald.zgd at gmail dot com
Subject: [Bug binutils/23112] New: objcopy segmentation fault
Date: Tue, 24 Apr 2018 09:11:24 +0000


            Bug ID: 23112
           Summary: objcopy segmentation fault
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: donald.zgd at gmail dot com
  Target Milestone: ---

Created attachment 10976
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10976&action=edit
the malformed crash input

When objcopy copies private info (in file bfd/pex64igen.c, function
_bfd_pex64_bfd_copy_private_bfd_data_common()), it has an unbounded loop
that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the
address exceeds its own memory region, resulting in a write to unwritable memory.

# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x0000000000431daf in bfd_putl32 (data=1279622912, p=0x7ffff7808fff) at
776       addr[1] = (data >>  8) & 0xff;
(gdb) bt
#0  0x0000000000431daf in bfd_putl32 (data=1279622912, p=0x7ffff7808fff) at
#1  0x00000000004e292a in _bfd_pex64i_swap_debugdir_out (abfd=0x788290,
inp=0x7fffffffdcb0, extp=0x7ffff7808ff3) at pex64igen.c:1139
#2  0x00000000004e706d in _bfd_pex64_bfd_copy_private_bfd_data_common
(ibfd=0x784ec0, obfd=0x788290) at pex64igen.c:3016
#3  0x00000000004d8983 in pe_bfd_copy_private_bfd_data (ibfd=0x784ec0,
obfd=0x788290) at ../../bfd/peicode.h:361
#4  0x00000000004082b9 in copy_object (ibfd=0x784ec0, obfd=0x788290,
input_arch=0x0) at ../../binutils/objcopy.c:3170
#5  0x0000000000408fea in copy_file (
    input_filename=0x7fffffffe537 "/tmp/objcopy_crash.input",
    output_filename=0x7fffffffe578 "/dev/null", input_target=0x0,
output_target=0x535e86 "pei-x86-64", input_arch=0x0)
    at ../../binutils/objcopy.c:3532
#6  0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe258) at
#7  0x000000000040d384 in main (argc=3, argv=0x7fffffffe258) at
(gdb) info registers
rax            0x7ffff7809000   140737345785856
rbx            0x0      0
rcx            0x7ffff7808fff   140737345785855
rdx            0x4c457f 4998527
rsi            0x7ffff7808fff   140737345785855
rdi            0x4c457f00       1279622912
rbp            0x7fffffffdc00   0x7fffffffdc00
rsp            0x7fffffffdc00   0x7fffffffdc00
r8             0x90000  589824
r9             0x0      0
r10            0x22     34
r11            0x246    582
r12            0x4025c0 4203968
r13            0x7fffffffe250   140737488347728
r14            0x0      0
r15            0x0      0
rip            0x431daf 0x431daf <bfd_putl32+48>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) info proc mappings
process 9875
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x566000   0x166000        0x0 /tmp/objcopy
            0x765000           0x777000    0x12000   0x165000 /tmp/objcopy
            0x777000           0x77e000     0x7000   0x177000 /tmp/objcopy
            0x77e000           0x7a4000    0x26000        0x0 [heap]
      0x7ffff7778000     0x7ffff7809000    0x91000        0x0
      0x7ffff7809000     0x7ffff79c9000   0x1c0000        0x0
      0x7ffff79c9000     0x7ffff7bc9000   0x200000   0x1c0000
      0x7ffff7bc9000     0x7ffff7bcd000     0x4000   0x1c0000
      0x7ffff7bcd000     0x7ffff7bcf000     0x2000   0x1c4000
      0x7ffff7bcf000     0x7ffff7bd3000     0x4000        0x0
      0x7ffff7bd3000     0x7ffff7bd6000     0x3000        0x0
      0x7ffff7bd6000     0x7ffff7dd5000   0x1ff000     0x3000
      0x7ffff7dd5000     0x7ffff7dd6000     0x1000     0x2000
      0x7ffff7dd6000     0x7ffff7dd7000     0x1000     0x3000
      0x7ffff7dd7000     0x7ffff7dfd000    0x26000        0x0
      0x7ffff7e49000     0x7ffff7fe1000   0x198000        0x0
      0x7ffff7fe1000     0x7ffff7fe5000     0x4000        0x0
      0x7ffff7ff0000     0x7ffff7ff7000     0x7000        0x0
      0x7ffff7ff7000     0x7ffff7ffa000     0x3000        0x0 [vvar]
      0x7ffff7ffa000     0x7ffff7ffc000     0x2000        0x0 [vdso]
      0x7ffff7ffc000     0x7ffff7ffd000     0x1000    0x25000
      0x7ffff7ffd000     0x7ffff7ffe000     0x1000    0x26000
      0x7ffff7ffe000     0x7ffff7fff000     0x1000        0x0
      0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 [vsyscall]

# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64
x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial

# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

# ------------------------------
This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
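The crash above comes from a copy loop that emits one 28-byte IMAGE_DEBUG_DIRECTORY entry per iteration without first checking that the whole directory fits in the output section. The following is an added illustration, not binutils code: a bounds-checked version of that copy, with a constructed 64-byte section and hypothetical entry values, that rejects an oversized entry count before writing any byte.

```c
#include <stddef.h>
#include <stdint.h>

/* One IMAGE_DEBUG_DIRECTORY entry is 28 bytes on disk. */
#define DEBUG_DIR_ENTRY_SIZE 28u

/* Little-endian 32-bit store, the job bfd_putl32 is doing in the trace. */
static void put_le32(uint32_t v, uint8_t *p)
{
    p[0] = v & 0xff;
    p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff;
    p[3] = (v >> 24) & 0xff;
}

/* Hypothetical in-memory form of an entry (subset of the PE fields). */
struct debug_entry {
    uint32_t time_date_stamp, type, size_of_data;
    uint32_t address_of_raw_data, pointer_to_raw_data;
};

/* Write n entries into the output section at data_off. Returns n, or -1 if the
   directory cannot fit: the check the unbounded loop lacks, done before any write. */
int copy_debug_dir(const struct debug_entry *in, size_t n,
                   uint8_t *out, size_t out_len, size_t data_off)
{
    if (data_off > out_len) return -1;
    if (n > (out_len - data_off) / DEBUG_DIR_ENTRY_SIZE) return -1;
    uint8_t *p = out + data_off;
    for (size_t i = 0; i < n; i++, p += DEBUG_DIR_ENTRY_SIZE) {
        put_le32(0, p);                      /* Characteristics */
        put_le32(in[i].time_date_stamp, p + 4);
        put_le32(0, p + 8);                  /* Major/MinorVersion */
        put_le32(in[i].type, p + 12);
        put_le32(in[i].size_of_data, p + 16);
        put_le32(in[i].address_of_raw_data, p + 20);
        put_le32(in[i].pointer_to_raw_data, p + 24);
    }
    return (int)n;
}

/* Constructed scenario: 64-byte section, entries start at offset 8, so only
   two entries fit; a header claiming more must be rejected, not written. */
int demo_case(size_t n_entries)
{
    struct debug_entry e[4] = { {0x5ad61abc, 2, 0x40, 0x2000, 0x800},
                                {0x5ad61abc, 13, 0x10, 0x2040, 0x840} };
    uint8_t out[64] = {0};
    int r = copy_debug_dir(e, n_entries, out, sizeof out, 8);
    return (r > 0 && out[8 + 12] != 2) ? -2 : r;  /* Type of entry 0 at +12 */
}
```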
