| Field | Value |
|---|---|
| Summary | objcopy segmentation fault |
| Product | binutils |
| Component | binutils |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | P2 |
| Version | 2.31 |
| Target Milestone | --- |
| Host | |
| Target | |
| Build | |
| Last reconfirmed | |
| Reporter | Guodong Zhu <donald.zgd> |
| Assignee | Not yet assigned to anyone <unassigned> |
| CC | nickc |
| Attachments | the malformed crash input |
*** Bug 23114 has been marked as a duplicate of this bug. ***

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=db0c309f4011ca94a4abc8458e27f3734dab92ac

```
commit db0c309f4011ca94a4abc8458e27f3734dab92ac
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Apr 24 16:57:04 2018 +0100

    Fix an illegal memory access when trying to copy an ELF binary with corrupt section symbols.

        PR 23113
        * elf.c (ignore_section_sym): Check for the output_section pointer being NULL before dereferencing it.
```

Hi Guodong,

Thanks for reporting this bug. I have checked in a small patch to the BFD library to add a check for a NULL output_section pointer before dereferencing it. This should fix the bug.

Cheers
Nick
Created attachment 10977 [details]
the malformed crash input

When processing a symtab entry with "SECTION" type and "0" value, objcopy fails to check the pointer sym->section->output_section before calling ignore_section_sym in the bfd/elf.c function "elf_map_symbols()". The value of output_section can be 0x0.

```
# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x000000000045f66c in ignore_section_sym (abfd=0x788290, sym=0x78faf0) at ../../bfd/elf.c:4033
4033	    || (sym->section->output_section->owner == abfd
(gdb) bt
#0  0x000000000045f66c in ignore_section_sym (abfd=0x788290, sym=0x78faf0) at ../../bfd/elf.c:4033
#1  0x000000000045f7fc in elf_map_symbols (abfd=0x788290, pnum_locals=0x7fffffffdc98) at ../../bfd/elf.c:4082
#2  0x0000000000468d91 in swap_out_syms (abfd=0x788290, sttp=0x7fffffffdda8, relocatable_p=1) at ../../bfd/elf.c:7760
#3  0x000000000045fdac in _bfd_elf_compute_section_file_positions (abfd=0x788290, link_info=0x0) at ../../bfd/elf.c:4236
#4  0x0000000000465380 in _bfd_elf_write_object_contents (abfd=0x788290) at ../../bfd/elf.c:6368
#5  0x00000000004331ce in bfd_close (abfd=0x788290) at ../../bfd/opncls.c:731
#6  0x0000000000409021 in copy_file (input_filename=0x7fffffffe507 "/tmp/objcopy_crash.input", output_filename=0x7fffffffe548 "/dev/null", input_target=0x0, output_target=0x532953 "elf32-i386", input_arch=0x0) at ../../binutils/objcopy.c:3539
#7  0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe218) at ../../binutils/objcopy.c:5484
#8  0x000000000040d384 in main (argc=3, argv=0x7fffffffe218) at ../../binutils/objcopy.c:5588
(gdb) info registers
rax            0x0                 0
rbx            0x0                 0
rcx            0x1                 1
rdx            0x7860d0            7889104
rsi            0x78fb30            7928624
rdi            0x7882c0            7897792
rbp            0x7fffffffdbe0      0x7fffffffdbe0
rsp            0x7fffffffdbe0      0x7fffffffdbe0
r8             0x7ffff7bce188      140737349738888
r9             0x1                 1
r10            0x1                 1
r11            0x246               582
r12            0x4025c0            4203968
r13            0x7fffffffe220      140737488347680
r14            0x0                 0
r15            0x0                 0
rip            0x45f66c            0x45f66c <ignore_section_sym+181>
eflags         0x10287             [ CF PF SF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) info proc mapping
process 7026
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x566000   0x166000        0x0 /tmp/objcopy
            0x765000           0x777000    0x12000   0x165000 /tmp/objcopy
            0x777000           0x77e000     0x7000   0x177000 /tmp/objcopy
            0x77e000           0x7a4000    0x26000        0x0 [heap]
      0x7ffff7809000     0x7ffff79c9000   0x1c0000        0x0 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff79c9000     0x7ffff7bc9000   0x200000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bc9000     0x7ffff7bcd000     0x4000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcd000     0x7ffff7bcf000     0x2000   0x1c4000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcf000     0x7ffff7bd3000     0x4000        0x0
      0x7ffff7bd3000     0x7ffff7bd6000     0x3000        0x0 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7bd6000     0x7ffff7dd5000   0x1ff000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd5000     0x7ffff7dd6000     0x1000     0x2000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd6000     0x7ffff7dd7000     0x1000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd7000     0x7ffff7dfd000    0x26000        0x0 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7e49000     0x7ffff7fe1000   0x198000        0x0 /usr/lib/locale/locale-archive
      0x7ffff7fe1000     0x7ffff7fe5000     0x4000        0x0
      0x7ffff7ff0000     0x7ffff7ff7000     0x7000        0x0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
      0x7ffff7ff7000     0x7ffff7ffa000     0x3000        0x0 [vvar]
      0x7ffff7ffa000     0x7ffff7ffc000     0x2000        0x0 [vdso]
      0x7ffff7ffc000     0x7ffff7ffd000     0x1000    0x25000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffd000     0x7ffff7ffe000     0x1000    0x26000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffe000     0x7ffff7fff000     0x1000        0x0
      0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 [vsyscall]

# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial

# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
5373441d20b652d5b0332b6cada74524af3ae707
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
# ------------------------------
```

This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
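The crash path the report describes, as an added C illustration that is not the BFD source: a cut-down model of the `ignore_section_sym` predicate with a "before" form that models only the dereference at elf.c:4033 in the backtrace and an "after" form with the NULL check the fix adds. The types `bfd_model`, `section_model` and `symbol_model`, the `_unchecked`/`_checked` names and the two constructed cases are assumptions made for this example.

```c
#include <stddef.h>
#include <stdbool.h>

#define BSF_SECTION_SYM 0x100  /* flag meaning "this symbol names a section" */
typedef struct bfd_model { int id; } bfd_model;     /* stand-in for a bfd */
typedef struct section_model {
    bfd_model *owner;                      /* bfd the section was read from */
    struct section_model *output_section;  /* NULL until placed in the output */
} section_model;
typedef struct { unsigned flags; section_model *section; } symbol_model;

/* "Before": assumes output_section is always set, so a corrupt SECTION symbol
 * with output_section == NULL reads through NULL.  Never call it on such input. */
static bool ignore_section_sym_unchecked(const bfd_model *abfd, const symbol_model *sym)
{
    if ((sym->flags & BSF_SECTION_SYM) == 0)
        return false;
    return !(sym->section->owner == abfd
             || sym->section->output_section->owner == abfd);
}

/* "After": the NULL check the PR 23113 fix describes.  A section symbol whose
 * section has no output section cannot be part of abfd's output: ignore it. */
static bool ignore_section_sym_checked(const bfd_model *abfd, const symbol_model *sym)
{
    if (sym == NULL || (sym->flags & BSF_SECTION_SYM) == 0)
        return false;                      /* only section symbols are filtered */
    return !(sym->section->owner == abfd
             || (sym->section->output_section != NULL
                 && sym->section->output_section->owner == abfd));
}

/* Constructed malformed case: SECTION-type symbol, section with no owner and
 * no output section.  Returns true (ignored) instead of faulting. */
static bool malformed_section_sym_is_ignored(void)
{
    bfd_model abfd = { 1 };
    section_model orphan = { NULL, NULL };
    symbol_model sym = { BSF_SECTION_SYM, &orphan };
    return ignore_section_sym_checked(&abfd, &sym);
}

/* Constructed well-formed case: section created for the copy (owner NULL) but
 * already placed in abfd's output; both forms agree it is kept. */
static bool normal_section_sym_is_kept(void)
{
    bfd_model abfd = { 1 };
    section_model out = { &abfd, NULL }, copied = { NULL, &out };
    symbol_model sym = { BSF_SECTION_SYM, &copied };
    return !ignore_section_sym_checked(&abfd, &sym)
        && !ignore_section_sym_unchecked(&abfd, &sym);
}
```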