From: swj22 at mails dot tsinghua.edu.cn
Subject: [Bug ld/32642] New: ld SEGV (illegal read access) in _bfd_elf_write_section_eh_frame (bfd/elf-eh-frame.c:2234:29) with --gc-sections --gc-keep-exported option
Date: Wed, 05 Feb 2025 12:55:42 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=32642
Bug ID: 32642
Summary: ld SEGV (illegal read access) in _bfd_elf_write_section_eh_frame (bfd/elf-eh-frame.c:2234:29) with --gc-sections --gc-keep-exported option
Product: binutils
Version: 2.43
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: swj22 at mails dot tsinghua.edu.cn
Target Milestone: ---
Created attachment 15917
--> https://sourceware.org/bugzilla/attachment.cgi?id=15917&action=edit
poc
**Description**
A segv can occur in ld (part of binutils 2.43) when using the --gc-sections
and --gc-keep-exported options with a specially crafted input file. This issue
leads to memory corruption (illegal memory read access) and crashes.
**Affected Version**
GNU ld (GNU Binutils) 2.43
**Steps to Reproduce**
Build binutils 2.43 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address"
./configure && make -j).
Run the following command:
./binutils-2.43/bins/bin/ld --gc-sections --gc-keep-exported $poc
Observe the AddressSanitizer error indicating a segv.
./binutils-2.43/bins/bin/ld --gc-sections --gc-keep-exported /tmp/poc
./binutils-2.43/bins/bin/ld: warning: cannot find entry symbol _start;
defaulting to 0000000000401000
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `reallocarray':
openbsd-reallocarray.c:(.text+0x16d): undefined reference to `__errno_location'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_setup_first':
openbsd-reallocarray.c:(.text+0x2a7): undefined reference to `getenv'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x2b8): undefined
reference to `atoi'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_forkserver':
openbsd-reallocarray.c:(.text+0x303): undefined reference to `write'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_fork_wait_loop':
openbsd-reallocarray.c:(.text+0x327): undefined reference to `read'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x336): undefined
reference to `fork'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x362): undefined
reference to `write'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x37c): undefined
reference to `waitpid'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x3a0): undefined
reference to `write'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_fork_resume':
openbsd-reallocarray.c:(.text+0x3b1): undefined reference to `close'
./binutils-2.43/bins/bin/ld: openbsd-reallocarray.c:(.text+0x3bd): undefined
reference to `close'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `__afl_die':
openbsd-reallocarray.c:(.text+0x492): undefined reference to `_exit'
./binutils-2.43/bins/bin/ld: /tmp/poc: in function `reallocarray':
openbsd-reallocarray.c:(.text+0x161): undefined reference to `realloc'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==485892==ERROR: AddressSanitizer: SEGV on unknown address 0x00087fff8000 (pc
0x564fe3b3de6e bp 0x7ffc56de3df0 sp 0x7ffc56de3180 T0)
==485892==The signal is caused by a READ memory access.
#0 0x564fe3b3de6e in _bfd_elf_write_section_eh_frame
./binutils-2.43/bfd/elf-eh-frame.c:2234:29
#1 0x564fe3ae8114 in elf_link_input_bfd
./binutils-2.43/bfd/elflink.c:12142:12
#2 0x564fe3ad6f0d in bfd_elf_final_link
./binutils-2.43/bfd/elflink.c:13107:11
#3 0x564fe38cfd0e in ldwrite ./binutils-2.43/ld/ldwrite.c:550:8
#4 0x564fe38ca4e9 in main ./binutils-2.43/ld/./ldmain.c:556:3
#5 0x7f1c87b4a082 in __libc_start_main
/build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x564fe37a26bd in _start (./binutils-2.43/bins/bin/ld+0x15a6bd)
(BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./binutils-2.43/bfd/elf-eh-frame.c:2234:29 in
_bfd_elf_write_section_eh_frame
==485892==ABORTING
**Env**
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
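An added triage helper, not part of this bug report or of binutils: it parses the AddressSanitizer report quoted above (copied here with each frame reflowed onto a single line) into the fault kind, access type and stack frames, and derives a stack signature so that repeated crashes on the same code path can be deduplicated before they are filed or fixed. The parser, class and function names are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: the ASan report from this bug, frames joined onto single lines.
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==485892==ERROR: AddressSanitizer: SEGV on unknown address 0x00087fff8000 (pc 0x564fe3b3de6e bp 0x7ffc56de3df0 sp 0x7ffc56de3180 T0)
==485892==The signal is caused by a READ memory access.
    #0 0x564fe3b3de6e in _bfd_elf_write_section_eh_frame ./binutils-2.43/bfd/elf-eh-frame.c:2234:29
    #1 0x564fe3ae8114 in elf_link_input_bfd ./binutils-2.43/bfd/elflink.c:12142:12
    #2 0x564fe3ad6f0d in bfd_elf_final_link ./binutils-2.43/bfd/elflink.c:13107:11
    #3 0x564fe38cfd0e in ldwrite ./binutils-2.43/ld/ldwrite.c:550:8
    #4 0x564fe38ca4e9 in main ./binutils-2.43/ld/./ldmain.c:556:3
    #5 0x7f1c87b4a082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x564fe37a26bd in _start (./binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)
SUMMARY: AddressSanitizer: SEGV ./binutils-2.43/bfd/elf-eh-frame.c:2234:29 in _bfd_elf_write_section_eh_frame
==485892==ABORTING
"""

# "==PID==ERROR: AddressSanitizer: <kind> on [unknown] address 0x..."
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# "#N 0x... in <func> [<file>:<line>[:<col>]]"; frames without symbols keep file/line as None.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+)(?: (\S+?):(\d+)(?::\d+)?)?")

Frame = Tuple[str, Optional[str], Optional[int]]  # (function, file, line)

@dataclass
class AsanCrash:
    kind: str                      # e.g. "SEGV", "heap-buffer-overflow"
    address: int                   # faulting address
    access: Optional[str]          # "READ" / "WRITE" when ASan reports it
    frames: List[Frame] = field(default_factory=list)

    def signature(self, depth: int = 3) -> tuple:
        # Dedup key: fault kind, access type and the top `depth` function names.
        return (self.kind, self.access) + tuple(f[0] for f in self.frames[:depth])

def parse_asan_report(text: str) -> Optional[AsanCrash]:
    kind = address = access = None
    frames: List[Frame] = []
    for line in text.splitlines():
        if (m := ERROR_RE.search(line)):
            kind, address = m.group(1), int(m.group(2), 16)
        elif (m := ACCESS_RE.search(line)):
            access = m.group(1)
        elif (m := FRAME_RE.match(line)):
            frames.append((m.group(2), m.group(3), int(m.group(4)) if m.group(4) else None))
    return None if kind is None else AsanCrash(kind, address, access, frames)
```

Run on the report above this yields a `("SEGV", "READ", "_bfd_elf_write_section_eh_frame", "elf_link_input_bfd", "bfd_elf_final_link")` signature, which is the key to compare against other fuzzer findings before treating them as distinct bugs.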