[Bug binutils/25220] New: objcopy : free() invalid pointer
From: fdgkhdkgh at gmail dot com
Subject: [Bug binutils/25220] New: objcopy : free() invalid pointer
Date: Sat, 23 Nov 2019 06:13:48 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=25220
Bug ID: 25220
Summary: objcopy : free() invalid pointer
Product: binutils
Version: 2.34 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: fdgkhdkgh at gmail dot com
Target Milestone: ---
Created attachment 12088
--> https://sourceware.org/bugzilla/attachment.cgi?id=12088&action=edit
file that reproduces this problem
binutils version: 2.34 (HEAD)
git clone git://sourceware.org/git/binutils-gdb.git
OS: Ubuntu 18.04.3
kernel: GNU/Linux 5.0.0-32-generic
processor: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz
compiler: gcc 7.4.0
Steps to reproduce:
1. download the sample from the attachment
2. objcopy --add-symbol 'abc'='.text:123,before=.data' ./a.out ./arbitrary_file_name
The function "need_sym_before" in objcopy.c frees the address on the .text section and then triggers SIGABRT.
gdb backtrace:
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff7820801 in __GI_abort () at abort.c:79
#2 0x00007ffff7869897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7996b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff787090a in malloc_printerr (str=str@entry=0x7ffff7994d88 "free(): invalid pointer") at malloc.c:5350
#4 0x00007ffff7877e1c in _int_free (have_lock=0x0, p=0x55555565b1dc, av=0x7ffff7bcbc40 <main_arena>) at malloc.c:4157
#5 __GI___libc_free (mem=0x55555565b1ec) at malloc.c:3124
#6 0x000055555558b945 in need_sym_before (sym=<optimized out>, node=<optimized out>) at objcopy.c:1469
#7 filter_symbols (symcount=<optimized out>, isyms=<optimized out>, osyms=0x5555558b5cb0, obfd=0x5555558b34d0, abfd=0x5555558ab460) at objcopy.c:1528
#8 copy_object (ibfd=0x5555558ab460, obfd=<optimized out>, input_arch=<optimized out>) at objcopy.c:3197
#9 0x000055555558e029 in copy_file (input_filename=0x7fffffffe381 "./a.out", output_filename=0x7fffffffe389 "./arbitrary_file_name", input_target=<optimized out>, output_target=<optimized out>, input_arch=0x0) at objcopy.c:3788
#10 0x0000555555588170 in copy_main (argv=<optimized out>, argc=<optimized out>) at objcopy.c:5838
#11 main (argc=<optimized out>, argc@entry=0x5, argv=<optimized out>, argv@entry=0x7fffffffdfc8) at objcopy.c:5964
#12 0x00007ffff7801b97 in __libc_start_main (main=0x555555586520 <main>, argc=0x5, argv=0x7fffffffdfc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdfb8) at ../csu/libc-start.c:310
#13 0x000055555558901a in _start ()
-------
gdb peda report:
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffda60 --> 0xffffffffffffffb0
RCX: 0x7ffff781ee97 (<__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7fffffffd7f0 --> 0x0
RDI: 0x2
RBP: 0x7fffffffdb60 --> 0xffffffffffffffb0
RSP: 0x7fffffffd7f0 --> 0x0
RIP: 0x7ffff781ee97 (<__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffffd7f0 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7fffffffda60 --> 0xffffffffffffffb0
R13: 0x1000
R14: 0x0
R15: 0x30 ('0')
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff781ee8b <__GI_raise+187>: mov edi,0x2
0x7ffff781ee90 <__GI_raise+192>: mov eax,0xe
0x7ffff781ee95 <__GI_raise+197>: syscall
=> 0x7ffff781ee97 <__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108]
0x7ffff781ee9f <__GI_raise+207>: xor rcx,QWORD PTR fs:0x28
0x7ffff781eea8 <__GI_raise+216>: mov eax,r8d
0x7ffff781eeab <__GI_raise+219>: jne 0x7ffff781eecc <__GI_raise+252>
0x7ffff781eead <__GI_raise+221>: add rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd7f0 --> 0x0
0008| 0x7fffffffd7f8 --> 0xfe0
0016| 0x7fffffffd800 --> 0x6200000000 ('')
0024| 0x7fffffffd808 --> 0x7
0032| 0x7fffffffd810 --> 0x0
0040| 0x7fffffffd818 --> 0x5555558a97f8 --> 0x7ffff77de398 --> 0xe500889ce6818de5
0048| 0x7fffffffd820 --> 0x1010
0056| 0x7fffffffd828 --> 0xfe0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
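The backtrace above shows glibc's "free(): invalid pointer" check firing because free() was handed a pointer that did not come from malloc(). The following is an added illustration of that bug class and of the usual fix, written for this page; it is not objcopy's code and makes no claim about how need_sym_before is implemented. It models a symbol table in which a name may either point into a section image that the table does not own, or be a heap copy that it does own (the struct sym, SECTION_DATA and all function names are constructed for the example). The hardened release path consults an ownership flag and frees only heap copies, so borrowed pointers into section data are never passed to free().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a symbol record (hypothetical, not objcopy's own):
 * the name either points into a buffer we merely borrow (a section image)
 * or is a heap copy that this record owns and must free. */
struct sym {
    const char *name;
    int owns_name;   /* 1 only if name came from malloc() */
};

/* Constructed section image: a string table living in one static buffer.
 * Pointers into it must never reach free(); glibc would abort with
 * "free(): invalid pointer", as in the reported backtrace. */
static const char SECTION_DATA[] = ".text\0.data\0abc\0";

/* Heap copy of a C string (local helper so the example needs no strdup). */
static char *dup_name(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy)
        memcpy(copy, s, len);
    return copy;
}

/* Symbol whose name is an interior pointer into the section image. */
struct sym sym_from_section(size_t offset)
{
    struct sym s = { SECTION_DATA + offset, 0 };
    return s;
}

/* Symbol whose name is a heap copy owned by the record. */
struct sym sym_from_heap(const char *name)
{
    struct sym s;
    s.name = dup_name(name);
    s.owns_name = 1;
    return s;
}

/* The defective pattern: free whatever pointer the record carries,
 * regardless of where it came from. Shown for contrast; never called
 * here, because with a borrowed pointer it aborts the process. */
void release_name_unchecked(struct sym *s)
{
    free((void *)s->name);
    s->name = NULL;
}

/* The hardened pattern: free only memory this code allocated.
 * Returns 1 if heap memory was released, 0 if the name was borrowed. */
int release_name_checked(struct sym *s)
{
    int released = 0;
    if (s->owns_name) {
        free((void *)s->name);
        released = 1;
    }
    s->name = NULL;
    s->owns_name = 0;
    return released;
}

/* Discard every entry of a table (as a filter pass might), counting how
 * many names were actually freed. Borrowed names are dropped without free(). */
int drop_all(struct sym *table, size_t n)
{
    int freed = 0;
    for (size_t i = 0; i < n; i++)
        freed += release_name_checked(&table[i]);
    return freed;
}

int main(void)
{
    struct sym table[3];
    table[0] = sym_from_section(0);   /* ".text", borrowed from SECTION_DATA */
    table[1] = sym_from_section(6);   /* ".data", borrowed from SECTION_DATA */
    table[2] = sym_from_heap("abc");  /* heap copy, owned by the record */

    int freed = drop_all(table, 3);
    printf("freed %d of 3 names\n", freed);   /* prints "freed 1 of 3 names" */
    return 0;
}
```

Running this under glibc's malloc checks or AddressSanitizer is a quick way to confirm the invariant: only the one heap copy is released, while the two interior pointers into the section image are cleared but never freed. The same ownership flag is what makes a later "who allocated this?" question answerable during triage of reports like the one above.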