
[Bug binutils/31455] New: objcopy: invalid-free in bfd_init_section_compress_status


From: chkunq at gmail dot com
Subject: [Bug binutils/31455] New: objcopy: invalid-free in bfd_init_section_compress_status
Date: Thu, 07 Mar 2024 13:17:47 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31455

            Bug ID: 31455
           Summary: objcopy: invalid-free in
                    bfd_init_section_compress_status
           Product: binutils
           Version: 2.43 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: chkunq at gmail dot com
  Target Milestone: ---

Created attachment 15387
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15387&action=edit
A zip archive containing the input files to trigger the bug

Dear All,

This bug was found on Ubuntu 20.04 64-bit, and binutils was checked out from the main
repository at git://sourceware.org/git/binutils-gdb.git. Its commit is
5b95198e2e40b0301d37d989edc344a334c26b12 (Thu, 7 Mar 2024 00:00:53).

binutils was built with ASAN using clang-14. The configure command was:

CC=clang CFLAGS="-DFORTIFY_SOURCE -fstack-protector-all -fsanitize=address
-fno-omit-frame-pointer -g -Wno-error" ../configure --disable-shared
--disable-gdb --disable-libdecnumber --disable-readline --disable-sim

To reproduce:
Download and unzip the attached zip archive to get the POCs, then run:
objcopy --compress-debug-sections [poc_file] /dev/null

ASAN says:
==953211==ERROR: AddressSanitizer: attempting free on address which was not
malloc()-ed: 0x6210000066f0 in thread T0
    #0 0x3a19a2 in free
/data/symccgo/bug/llvm-14-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x4a4c2c in bfd_init_section_compress_status
/data/symccgo/bug/binutils/obj-asan/bfd/../../binutils-gdb/bfd/compress.c:1092:7
    #2 0x5cb9eb in _bfd_elf_make_section_from_shdr
/data/symccgo/bug/binutils/obj-asan/bfd/../../binutils-gdb/bfd/elf.c:1222:9
    #3 0x5cefb1 in bfd_section_from_shdr
/data/symccgo/bug/binutils/obj-asan/bfd/../../binutils-gdb/bfd/elf.c:3060:11
    #4 0x764c93 in bfd_elf32_object_p
/data/symccgo/bug/binutils/obj-asan/bfd/../../binutils-gdb/bfd/elfcode.h:880:7
    #5 0x4afd2d in bfd_check_format_matches
/data/symccgo/bug/binutils/obj-asan/bfd/../../binutils-gdb/bfd/format.c:437:17
    #6 0x3e3f9d in copy_file
/data/symccgo/bug/binutils/obj-asan/binutils/../../binutils-gdb/binutils/objcopy.c:3958:12
    #7 0x3ed53c in copy_main
/data/symccgo/bug/binutils/obj-asan/binutils/../../binutils-gdb/binutils/objcopy.c:6074:3
    #8 0x3e12d9 in main
/data/symccgo/bug/binutils/obj-asan/binutils/../../binutils-gdb/binutils/objcopy.c:6175:5
    #9 0x7fb550494082 in __libc_start_main
/build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x31eeed in _start
(/data/symccgo/bug/binutils/obj-asan/binutils/objcopy+0x31eeed)

0x6210000066f0 is located 496 bytes inside of 4064-byte region
[0x621000006500,0x6210000074e0)
allocated by thread T0 here:
    #0 0x3a1c4e in malloc
/data/symccgo/bug/llvm-14-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0xa05b4b in _objalloc_alloc
/data/symccgo/bug/binutils/obj-asan/libiberty/../../binutils-gdb/libiberty/objalloc.c:159:41
    #2 0x4afd2d in bfd_check_format_matches
/data/symccgo/bug/binutils/obj-asan/bfd/../../binutils-gdb/bfd/format.c:437:17
    #3 0x3e3f9d in copy_file
/data/symccgo/bug/binutils/obj-asan/binutils/../../binutils-gdb/binutils/objcopy.c:3958:12
    #4 0x3ed53c in copy_main
/data/symccgo/bug/binutils/obj-asan/binutils/../../binutils-gdb/binutils/objcopy.c:6074:3
    #5 0x3e12d9 in main
/data/symccgo/bug/binutils/obj-asan/binutils/../../binutils-gdb/binutils/objcopy.c:6175:5
    #6 0x7fb550494082 in __libc_start_main
/build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: bad-free
/data/symccgo/bug/llvm-14-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
in free
==2639543==ABORTING


Moreover, objcopy (compiled by clang-14 -O0) crashes even without ASAN, as
follows:
    free(): invalid pointer
    Aborted (core dumped)
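The sanitizer output above reached the archive through mail, so every frame and the region line got wrapped onto two lines. A triage script has to re-join those records before it can pull out the error kind, the first frame outside the sanitizer runtime (here bfd_init_section_compress_status) and the allocation site (_objalloc_alloc), and it should cross-check the "496 bytes inside of" claim against the printed addresses. The following parser is an added example written for this page, not code from binutils or from the reporter; SAMPLE_REPORT is a constructed, shortened copy of the report's own ASAN output with its wrapping kept, and the helper names (unwrap, parse_asan_report, first_user_frame, summarize) are this example's own.

```python
"""Triage a mail-wrapped AddressSanitizer report (added example, not part of
binutils or the reporter's attachment). SAMPLE_REPORT is a constructed,
shortened copy of the ASAN output quoted in the report, wrapping kept."""
import re
from typing import List, Optional

SAMPLE_REPORT = """\
==953211==ERROR: AddressSanitizer: attempting free on address which was not
malloc()-ed: 0x6210000066f0 in thread T0
    #0 0x3a19a2 in free
/data/symccgo/bug/llvm-14-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x4a4c2c in bfd_init_section_compress_status
/data/symccgo/bug/binutils/obj-asan/bfd/../../binutils-gdb/bfd/compress.c:1092:7
    #2 0x5cb9eb in _bfd_elf_make_section_from_shdr
/data/symccgo/bug/binutils/obj-asan/bfd/../../binutils-gdb/bfd/elf.c:1222:9

0x6210000066f0 is located 496 bytes inside of 4064-byte region
[0x621000006500,0x6210000074e0)
allocated by thread T0 here:
    #0 0x3a1c4e in malloc
/data/symccgo/bug/llvm-14-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0xa05b4b in _objalloc_alloc
/data/symccgo/bug/binutils/obj-asan/libiberty/../../binutils-gdb/libiberty/objalloc.c:159:41

SUMMARY: AddressSanitizer: bad-free
==953211==ABORTING
"""

# Lines that begin a new record; anything else is a wrapped continuation.
_RECORD_START = re.compile(r"^(\s*#\d+\s|==\d+==|SUMMARY:|0x[0-9a-f]+ is located|"
                           r"(previously allocated|allocated|freed) by|\s*$)")
_ERROR = re.compile(r"^==\d+==ERROR: AddressSanitizer: (.*)$")
_FRAME = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)(?:\s+(\S+).*)?$")
_LOC = re.compile(r"^(.*?):(\d+)(?::\d+)?$")  # file:line[:col]
_REGION = re.compile(r"^(0x[0-9a-f]+) is located (\d+) bytes (inside of|to the left of|"
                     r"to the right of) (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
_STACK_HDR = re.compile(r"^(?:previously allocated|allocated|freed) by thread")
_SUMMARY = re.compile(r"^SUMMARY: AddressSanitizer: (\S+)")
_RUNTIME = re.compile(r"compiler-rt/lib/asan|libsanitizer")  # ASAN's own frames


def unwrap(text: str) -> List[str]:
    """Re-join records that the mail archive wrapped onto several lines."""
    out: List[str] = []
    for line in text.splitlines():
        if out and out[-1].strip() and not _RECORD_START.match(line):
            out[-1] = out[-1].rstrip() + " " + line.strip()
        else:
            out.append(line)
    return out


def parse_asan_report(text: str) -> dict:
    """Structured view: error text, kind, faulting address, stacks, region."""
    t = {"error": "", "kind": "", "address": None, "region": None, "error_stack": [], "alloc_stack": []}
    stack = None  # the stack frames are currently being appended to
    for line in unwrap(text):
        if m := _FRAME.match(line):
            if stack is not None:
                loc = m.group(3) or ""
                lm = _LOC.match(loc)
                stack.append({"function": m.group(2), "file": lm.group(1) if lm else loc,
                              "line": int(lm.group(2)) if lm else None})
        elif m := _ERROR.match(line):
            addr = re.search(r"0x[0-9a-f]+", m.group(1))
            t["address"] = int(addr.group(0), 16) if addr else None
            t["error"] = m.group(1)[:addr.start() if addr else None].rstrip(": ")
            stack = t["error_stack"]
        elif m := _REGION.match(line):
            t["region"] = {"offset": int(m.group(2)), "relation": m.group(3), "size": int(m.group(4)),
                           "start": int(m.group(5), 16), "end": int(m.group(6), 16)}
        elif _STACK_HDR.match(line):  # 'freed by' stacks are dropped here
            stack = t["alloc_stack"] if "allocated" in line else None
        elif m := _SUMMARY.match(line):
            t["kind"] = m.group(1)
    return t


def first_user_frame(stack: List[dict]) -> Optional[dict]:
    """Skip ASAN's interceptors (free, malloc) to reach the program's own frame."""
    return next((f for f in stack if not _RUNTIME.search(f["file"])), None)


def summarize(text: str) -> dict:
    """Flat record a crash-dedup queue could key on, with an offset cross-check."""
    t = parse_asan_report(text)
    culprit = first_user_frame(t["error_stack"])
    allocator = first_user_frame(t["alloc_stack"])
    r = t["region"] or {}
    consistent = bool(r) and t["address"] is not None and (
        r["relation"] != "inside of" or r["start"] + r["offset"] == t["address"])
    return {"kind": t["kind"], "error": t["error"], "address": t["address"],
            "culprit": culprit and culprit["function"],
            "culprit_file": culprit and culprit["file"],
            "culprit_line": culprit and culprit["line"],
            "allocator": allocator and allocator["function"],
            "region_offset": r.get("offset"), "region_size": r.get("size"),
            "region_consistent": consistent}
```

Calling summarize(SAMPLE_REPORT) yields kind "bad-free", culprit bfd_init_section_compress_status at compress.c line 1092, allocator _objalloc_alloc, and region_consistent True, since 0x621000006500 + 496 equals the freed address 0x6210000066f0; a mangled region line would flip that flag before the report enters a dedup queue. Frames belonging to the sanitizer runtime are skipped by path so the free/malloc interceptors never become the crash signature.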
