Bug 23405

Summary: Some inputs may cause objcopy to crash, without being detected by error checking or assertions
Product: binutils
Reporter: zhanggen12
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED DUPLICATE
Severity: normal
CC: amodra
Priority: P2
Version: 2.30
Target Milestone: ---
Attachments: crash input

Description zhanggen12 2018-07-12 10:06:45 UTC
Created attachment 11123: crash input

http://git.hunter-ht.cn/zhanggen/objcopy_crash_input_1
Please download the latest version of objcopy and the crash input file.
COMMAND LINE: ./objcopy crash\ input a.elf
Then you will see the segmentation fault.
Comment 1 Alan Modra 2018-07-12 10:46:29 UTC
Seems to already be fixed with 2.31 or master binutils
Comment 2 zhanggen12 2018-07-13 00:17:57 UTC
(In reply to Alan Modra from comment #1)
> Seems to already be fixed with 2.31 or master binutils

The stack trace is as follows from gdb:

#0  aout_32_swap_std_reloc_out (abfd=abfd@entry=0x7482f0, g=0x74a730, natptr=natptr@entry=0x748658)
    at aoutx.h:1971
#1  0x000000000048980f in aout_32_squirt_out_relocs (abfd=abfd@entry=0x7482f0, section=<optimized out>)
    at aoutx.h:2444
#2  0x00000000004840a1 in i386linux_write_object_contents (abfd=0x7482f0) at i386linux.c:77
#3  0x000000000043066a in bfd_close (abfd=0x7482f0) at opncls.c:731
#4  0x000000000040bd36 in copy_file (
    input_filename=input_filename@entry=0x7fffffffe284 "./crashes/id:000024,sig:11,src:002665,op:flip1,pos:52", output_filename=output_filename@entry=0x7fffffffe2ba "a.elf",
    input_target=input_target@entry=0x0, output_target=<optimized out>, output_target@entry=0x0,
    input_arch=input_arch@entry=0x0) at objcopy.c:3530
#5  0x0000000000404924 in copy_main (argv=<optimized out>, argc=<optimized out>) at objcopy.c:5478
#6  main (argc=3, argv=0x7fffffffdef8) at objcopy.c:5582

So the crash happens in aoutx.h, a header file in the Binary File Descriptor (BFD) library.
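For triaging fuzz-found crashes like this one, the following parser pulls the frames out of the gdb backtrace above (handling gdb's wrapped frame #4) and builds a top-of-stack key that can be used to spot duplicates such as the one this report was closed against. This is an added example, not code from the report or from binutils; the backtrace is embedded as sample input.

```python
import re

# Sample input: the backtrace from this report, with gdb's line wrapping
# of frame #4 preserved (continuation lines are indented, not prefixed by '#').
BACKTRACE = """\
#0  aout_32_swap_std_reloc_out (abfd=abfd@entry=0x7482f0, g=0x74a730, natptr=natptr@entry=0x748658)
    at aoutx.h:1971
#1  0x000000000048980f in aout_32_squirt_out_relocs (abfd=abfd@entry=0x7482f0, section=<optimized out>)
    at aoutx.h:2444
#2  0x00000000004840a1 in i386linux_write_object_contents (abfd=0x7482f0) at i386linux.c:77
#3  0x000000000043066a in bfd_close (abfd=0x7482f0) at opncls.c:731
#4  0x000000000040bd36 in copy_file (
    input_filename=input_filename@entry=0x7fffffffe284 "./crashes/id:000024,sig:11,src:002665,op:flip1,pos:52", output_filename=output_filename@entry=0x7fffffffe2ba "a.elf",
    input_target=input_target@entry=0x0, output_target=<optimized out>, output_target@entry=0x0,
    input_arch=input_arch@entry=0x0) at objcopy.c:3530
#5  0x0000000000404924 in copy_main (argv=<optimized out>, argc=<optimized out>) at objcopy.c:5478
#6  main (argc=3, argv=0x7fffffffdef8) at objcopy.c:5582
"""

# "#N  [0xADDR in ]func (args) at file:line"; the address is absent for frame #0
# and for main, and args may contain colons, quotes and "<optimized out>".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[\w.$]+)\s*\((?P<args>.*)\)"
    r"\s+at\s+(?P<file>[^\s:]+):(?P<line>\d+)\s*$",
    re.S,
)


def parse_backtrace(text):
    """Return frames as dicts (num, func, file, line) in gdb order."""
    records = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            records.append(raw)
        elif records and raw.strip():
            records[-1] += " " + raw.strip()  # rejoin a wrapped frame
    frames = []
    for rec in records:
        m = FRAME_RE.match(rec)
        if not m:
            raise ValueError("unrecognised frame: " + rec[:60])
        frames.append({"num": int(m["num"]), "func": m["func"],
                       "file": m["file"], "line": int(m["line"])})
    return frames


def crash_signature(frames, depth=3):
    """Top-N func@file:line tuple, usable as a dedup key across fuzz crashes."""
    return tuple(f"{f['func']}@{f['file']}:{f['line']}" for f in frames[:depth])
```

Two crash inputs that yield the same signature are almost certainly the same underlying bug, which is the check worth running before filing a new report.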
Comment 3 Alan Modra 2018-07-13 06:48:44 UTC
Yes, I see a segfault with 2.30, but don't with 2.31.  I don't believe we should be spending time fixing bugs that are only tickled by fuzzed objects, on anything but master binutils.

*** This bug has been marked as a duplicate of bug 22887 ***
Comment 4 zhanggen12 2018-07-18 10:23:28 UTC
(In reply to Alan Modra from comment #3)
> Yes, I see a segfault with 2.30, but don't with 2.31.  I don't believe we
> should be spending time fixing bugs that are only tickled by fuzzed objects,
> on anything but master binutils.
> 
> *** This bug has been marked as a duplicate of bug 22887 ***

Hi, Alan. I checked the official Binutils download website, http://ftp.gnu.org/gnu/binutils/. 2.31 was uploaded on 2018-7-14, but I submitted bug 23405 on 2018-7-12, and I was told my bug is fixed in 2.31. I just want to know: is there any other website where Binutils 2.31 could be downloaded before I submitted bug 23405? I just cannot understand this logic.
Comment 5 H.J. Lu 2018-07-18 13:10:30 UTC
(In reply to zhanggen12 from comment #4)
> (In reply to Alan Modra from comment #3)
> > Yes, I see a segfault with 2.30, but don't with 2.31.  I don't believe we
> > should be spending time fixing bugs that are only tickled by fuzzed objects,
> > on anything but master binutils.
> > 
> > *** This bug has been marked as a duplicate of bug 22887 ***
> 
> Hi, Alan. I checked out Binutils official download website
> http://ftp.gnu.org/gnu/binutils/. 2.31 was uploaded in 2018-7-14. But I
> submitted bug 23405 in 2018-7-12. And I was told my bug is fixed in 2.31.
> And I just wanna know, is there any other websites where Binutils 2.31 can
> be downloaded before I submitted bug 23405? I just cannot understand this
> logic.

You should also test the latest release branch, binutils-2_31-branch,
which was created on June 24, 2018.