bug-binutils

[Bug binutils/25687] New: objcopy : "double free or corruption" in _bfd_


From: fdgkhdkgh at gmail dot com
Subject: [Bug binutils/25687] New: objcopy : "double free or corruption" in _bfd_elf_slurp_secondary_reloc_section (elf.c:12475)
Date: Tue, 17 Mar 2020 14:15:51 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=25687

            Bug ID: 25687
           Summary: objcopy : "double free or corruption" in
                    _bfd_elf_slurp_secondary_reloc_section  (elf.c:12475)
           Product: binutils
           Version: 2.35 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: fdgkhdkgh at gmail dot com
  Target Milestone: ---

Created attachment 12381
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12381&action=edit
file that reproduces this problem

OS : ubuntu 18.04.3
kernel : gnu/linux 5.0.0-32-generic
processor : Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz
compiler : gcc 7.4.0


Steps to Reproduce :
download the sample from attachment

objcopy  ./sample


gdb backtrace :

gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7820801 in __GI_abort () at abort.c:79
#2  0x00007ffff7869897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7996b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff787090a in malloc_printerr (str=str@entry=0x7ffff7998870 "double free or corruption (out)") at malloc.c:5350
#4  0x00007ffff7877e75 in _int_free (have_lock=0x0, p=0x5555558b4dd0, av=0x7ffff7bcbc40 <main_arena>) at malloc.c:4278
#5  __GI___libc_free (mem=0x5555558b4de0) at malloc.c:3124
#6  0x00005555555d61ed in _bfd_elf_slurp_secondary_reloc_section (abfd=0x5555558ae3e0, sec=<optimized out>, symbols=0x5555558af8e0) at elf.c:12475
#7  0x00005555555c1489 in bfd_elf64_slurp_reloc_table (abfd=0x5555558ae3e0, asect=0x5555558b0918, symbols=0x5555558af8e0, dynamic=0x0) at elfcode.h:1600
#8  0x00005555555cff56 in _bfd_elf_canonicalize_reloc (abfd=<optimized out>, section=0x5555558b0918, relptr=0x5555558b9480, symbols=<optimized out>) at elf.c:8486
#9  0x000055555558b23a in copy_relocations_in_section (ibfd=0x5555558ae3e0, isection=0x5555558b0918, obfdarg=0x5555558af540) at objcopy.c:4290
#10 0x00005555555ace3c in bfd_map_over_sections (abfd=0x5555558ae3e0, operation=0x55555558b050 <copy_relocations_in_section>, user_storage=0x5555558af540) at section.c:1377
#11 0x000055555558c796 in copy_object (ibfd=<optimized out>, obfd=<optimized out>, input_arch=<optimized out>) at objcopy.c:3262
#12 0x000055555558e929 in copy_file (input_filename=0x7fffffff26cf "./sample", output_filename=0x5555558ae3c0 "./stVQDcO5", input_target=<optimized out>, output_target=<optimized out>, input_arch=0x0) at objcopy.c:3830
#13 0x00005555555870d8 in copy_main (argv=<optimized out>, argc=<optimized out>) at objcopy.c:5889
#14 main (argc=<optimized out>, argc@entry=0x2, argv=<optimized out>, argv@entry=0x7fffffff22e8) at objcopy.c:6015
#15 0x00007ffff7801b97 in __libc_start_main (main=0x555555586cb0 <main>, argc=0x2, argv=0x7fffffff22e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffff22d8) at ../csu/libc-start.c:310
#16 0x00005555555897aa in _start ()


------------------


gdb report :


double free or corruption (out)

Program received signal SIGABRT, Aborted.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffffff1bc0 --> 0x3558b0400 
RCX: 0x7ffff781ee97 (<__GI_raise+199>:  mov    rcx,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffffff1950 --> 0x0 
RDI: 0x2 
RBP: 0x7fffffff1cc0 --> 0x1 
RSP: 0x7fffffff1950 --> 0x0 
RIP: 0x7ffff781ee97 (<__GI_raise+199>:  mov    rcx,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7fffffff1950 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x7fffffff1bc0 --> 0x3558b0400 
R13: 0x1000 
R14: 0x0 
R15: 0x30 ('0')
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff781ee8b <__GI_raise+187>:     mov    edi,0x2
   0x7ffff781ee90 <__GI_raise+192>:     mov    eax,0xe
   0x7ffff781ee95 <__GI_raise+197>:     syscall 
=> 0x7ffff781ee97 <__GI_raise+199>:     mov    rcx,QWORD PTR [rsp+0x108]
   0x7ffff781ee9f <__GI_raise+207>:     xor    rcx,QWORD PTR fs:0x28
   0x7ffff781eea8 <__GI_raise+216>:     mov    eax,r8d
   0x7ffff781eeab <__GI_raise+219>:     jne    0x7ffff781eecc <__GI_raise+252>
   0x7ffff781eead <__GI_raise+221>:     add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff1950 --> 0x0 
0008| 0x7fffffff1958 --> 0x7 
0016| 0x7fffffff1960 --> 0x40 ('@')
0024| 0x7fffffff1968 --> 0x5555558ac020 --> 0x1000000 
0032| 0x7fffffff1970 --> 0x60 ('`')
0040| 0x7fffffff1978 --> 0xffffffffffffffb0 
0048| 0x7fffffff1980 --> 0x1 
0056| 0x7fffffff1988 --> 0x3100000004 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
