
[Bug binutils/23113] New: objcopy segmentation fault

From: donald.zgd at gmail dot com
Subject: [Bug binutils/23113] New: objcopy segmentation fault
Date: Tue, 24 Apr 2018 09:13:18 +0000


            Bug ID: 23113
           Summary: objcopy segmentation fault
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: donald.zgd at gmail dot com
  Target Milestone: ---

Created attachment 10977
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10977&action=edit
the malformed crash input

When processing a symtab entry with "SECTION" type and "0" value, objcopy fails
to check pointer sym->section->output_section before calling ignore_section_sym
in bfd/elf.c function "elf_map_symbols()". The value of output_section can be

# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x000000000045f66c in ignore_section_sym (abfd=0x788290, sym=0x78faf0) at
4033                   || (sym->section->output_section->owner == abfd
(gdb) bt
#0  0x000000000045f66c in ignore_section_sym (abfd=0x788290, sym=0x78faf0) at
#1  0x000000000045f7fc in elf_map_symbols (abfd=0x788290,
pnum_locals=0x7fffffffdc98) at ../../bfd/elf.c:4082
#2  0x0000000000468d91 in swap_out_syms (abfd=0x788290, sttp=0x7fffffffdda8,
relocatable_p=1) at ../../bfd/elf.c:7760
#3  0x000000000045fdac in _bfd_elf_compute_section_file_positions
(abfd=0x788290, link_info=0x0) at ../../bfd/elf.c:4236
#4  0x0000000000465380 in _bfd_elf_write_object_contents (abfd=0x788290) at
#5  0x00000000004331ce in bfd_close (abfd=0x788290) at ../../bfd/opncls.c:731
#6  0x0000000000409021 in copy_file (
    input_filename=0x7fffffffe507 "/tmp/objcopy_crash.input",
    output_filename=0x7fffffffe548 "/dev/null", input_target=0x0,
output_target=0x532953 "elf32-i386", input_arch=0x0)
    at ../../binutils/objcopy.c:3539
#7  0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe218) at
#8  0x000000000040d384 in main (argc=3, argv=0x7fffffffe218) at
(gdb) info registers
rax            0x0      0
rbx            0x0      0
rcx            0x1      1
rdx            0x7860d0 7889104
rsi            0x78fb30 7928624
rdi            0x7882c0 7897792
rbp            0x7fffffffdbe0   0x7fffffffdbe0
rsp            0x7fffffffdbe0   0x7fffffffdbe0
r8             0x7ffff7bce188   140737349738888
r9             0x1      1
r10            0x1      1
r11            0x246    582
r12            0x4025c0 4203968
r13            0x7fffffffe220   140737488347680
r14            0x0      0
r15            0x0      0
rip            0x45f66c 0x45f66c <ignore_section_sym+181>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) info proc mapping
process 7026
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x566000   0x166000        0x0 /tmp/objcopy
            0x765000           0x777000    0x12000   0x165000 /tmp/objcopy
            0x777000           0x77e000     0x7000   0x177000 /tmp/objcopy
            0x77e000           0x7a4000    0x26000        0x0 [heap]
      0x7ffff7809000     0x7ffff79c9000   0x1c0000        0x0
      0x7ffff79c9000     0x7ffff7bc9000   0x200000   0x1c0000
      0x7ffff7bc9000     0x7ffff7bcd000     0x4000   0x1c0000
      0x7ffff7bcd000     0x7ffff7bcf000     0x2000   0x1c4000
      0x7ffff7bcf000     0x7ffff7bd3000     0x4000        0x0
      0x7ffff7bd3000     0x7ffff7bd6000     0x3000        0x0
      0x7ffff7bd6000     0x7ffff7dd5000   0x1ff000     0x3000
      0x7ffff7dd5000     0x7ffff7dd6000     0x1000     0x2000
      0x7ffff7dd6000     0x7ffff7dd7000     0x1000     0x3000
      0x7ffff7dd7000     0x7ffff7dfd000    0x26000        0x0
      0x7ffff7e49000     0x7ffff7fe1000   0x198000        0x0
      0x7ffff7fe1000     0x7ffff7fe5000     0x4000        0x0
      0x7ffff7ff0000     0x7ffff7ff7000     0x7000        0x0
      0x7ffff7ff7000     0x7ffff7ffa000     0x3000        0x0 [vvar]
      0x7ffff7ffa000     0x7ffff7ffc000     0x2000        0x0 [vdso]
      0x7ffff7ffc000     0x7ffff7ffd000     0x1000    0x25000
      0x7ffff7ffd000     0x7ffff7ffe000     0x1000    0x26000
      0x7ffff7ffe000     0x7ffff7fff000     0x1000        0x0
      0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 [vsyscall]

# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial

# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

# ------------------------------
This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
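The report localizes the crash to a symtab entry of type SECTION with value 0, for which objcopy dereferences sym->section->output_section without a NULL check. The script below is an added triage helper, not binutils code and not the reporter's, for looking at a crash input of this kind without running objcopy: it builds a small constructed ELF32 relocatable object in memory (so it runs offline; it is not a copy of attachment 10977), then walks the first SHT_SYMTAB and lists every STT_SECTION symbol with st_value == 0 together with the section index it names. The verdict rules (SHN_UNDEF, reserved index, index past e_shnum) are an assumption about what a section symbol that has no real section behind it looks like on disk; they are not a statement about which of them triggers this particular crash.

```python
"""Triage helper: list zero-valued STT_SECTION symbols in an ELF32 object.

Added example, not binutils code and not from the bug report. The object it
scans is constructed inline; constants and layouts follow the ELF32 spec.
"""
import struct

SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3
STT_SECTION = 3
SHN_UNDEF, SHN_LORESERVE = 0, 0xFF00

EHDR = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian, 52 bytes
SHDR = "<IIIIIIIIII"         # Elf32_Shdr, 40 bytes
SYM = "<IIIBBH"              # Elf32_Sym, 16 bytes


def build_sample_elf32():
    """Construct a minimal ET_REL ELF32 (EM_386) whose .symtab carries three
    section symbols of value 0: one naming .text, one naming SHN_UNDEF and
    one with an index past e_shnum. Constructed sample, not attachment 10977."""
    strtab = b"\0main\0"
    shstrtab = b"\0.text\0.symtab\0.strtab\0.shstrtab\0"
    text = b"\xc3" * 16                              # 16 x 'ret'
    syms = [
        (0, 0, 0, 0, 0, SHN_UNDEF),                  # mandatory null symbol
        (0, 0, 0, STT_SECTION, 0, 1),                # section symbol for .text
        (0, 0, 0, STT_SECTION, 0, SHN_UNDEF),        # section symbol naming SHN_UNDEF
        (0, 0, 0, STT_SECTION, 0, 99),               # section symbol, no such section
        (1, 0x10, 4, (1 << 4) | 2, 0, 1),            # STB_GLOBAL STT_FUNC "main"
    ]
    symtab = b"".join(struct.pack(SYM, *s) for s in syms)
    body, offs = b"", {}
    for name, blob in (("text", text), ("symtab", symtab),
                       ("strtab", strtab), ("shstrtab", shstrtab)):
        offs[name] = 52 + len(body)
        body += blob
    shoff = 52 + len(body)
    # sh_name offsets into shstrtab: .text=1 .symtab=7 .strtab=15 .shstrtab=23
    shdrs = [
        (0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0),
        (1, SHT_PROGBITS, 6, 0, offs["text"], len(text), 0, 0, 1, 0),
        (7, SHT_SYMTAB, 0, 0, offs["symtab"], len(symtab), 3, 4, 4, 16),
        (15, SHT_STRTAB, 0, 0, offs["strtab"], len(strtab), 0, 0, 1, 0),
        (23, SHT_STRTAB, 0, 0, offs["shstrtab"], len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELFCLASS32, ELFDATA2LSB
    ehdr = struct.pack(EHDR, ident, 1, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40,
                       len(shdrs), 4)
    return ehdr + body + b"".join(struct.pack(SHDR, *s) for s in shdrs)


def find_zero_value_section_syms(data):
    """Return (symbol index, st_shndx, verdict) for every STT_SECTION symbol
    with st_value == 0 in the first SHT_SYMTAB of a little-endian ELF32 file."""
    hdr = struct.unpack_from(EHDR, data, 0)
    ident, shoff, shentsize, shnum = hdr[0], hdr[6], hdr[11], hdr[12]
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize)
             for i in range(shnum)]
    symtabs = [s for s in shdrs if s[1] == SHT_SYMTAB]
    if not symtabs:
        return []
    off, size, entsize = symtabs[0][4], symtabs[0][5], symtabs[0][9] or 16
    findings = []
    for i in range(size // entsize):
        _, value, _, info, _, shndx = struct.unpack_from(SYM, data, off + i * entsize)
        if info & 0xF != STT_SECTION or value != 0:
            continue
        if shndx == SHN_UNDEF:
            verdict = "SHN_UNDEF: names no section"
        elif shndx >= SHN_LORESERVE:
            verdict = "reserved index: names no section header"
        elif shndx >= shnum:
            verdict = "out of range: no such section"
        else:
            verdict = "ok"
        findings.append((i, shndx, verdict))
    return findings


if __name__ == "__main__":
    for idx, shndx, verdict in find_zero_value_section_syms(build_sample_elf32()):
        print("symbol %d: STT_SECTION value 0, st_shndx=%d -> %s" % (idx, shndx, verdict))
```

To inspect a real crash input, replace build_sample_elf32() with the bytes of the file; the parser only handles ELFCLASS32 little-endian objects, which matches the elf32-i386 target shown in the backtrace.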
