Bug 25073

Summary: invalid free in function _bfd_dwarf2_cleanup_debug_info
Product: binutils Reporter: zjuchenyuan <bugzilla.sourceware>
Component: binutils    Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED DUPLICATE    
Severity: normal CC: amodra
Priority: P2    
Version: 2.34   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Attachments: poc4
poc5

Description zjuchenyuan 2019-10-07 16:54:45 UTC
Created attachment 12028 [details]
poc4

poc4:

```
# gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc4_invalid-free__bfd_dwarf2_cleanup_debug_info' -ex bt -ex quit

free(): invalid next size (normal)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7603801 in __GI_abort () at abort.c:79
#2  0x00007ffff764c897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7779b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff765390a in malloc_printerr (str=str@entry=0x7ffff777b8b8 "free(): invalid next size (normal)") at malloc.c:5350
#4  0x00007ffff765b0ad in _int_free (have_lock=0, p=0xa18a40, av=0x7ffff79aec40 <main_arena>) at malloc.c:4286
#5  __GI___libc_free (mem=0xa18a50) at malloc.c:3124
#6  0x00000000006133b1 in _bfd_dwarf2_cleanup_debug_info (abfd=abfd@entry=0xa0d6b0, pinfo=pinfo@entry=0xa0db30) at ./dwarf2.c:5010
#7  0x00000000006138ab in _bfd_dwarf2_slurp_debug_info (abfd=abfd@entry=0xa0d6b0, debug_bfd=debug_bfd@entry=0x0, debug_sections=0x7c6e20 <dwarf_debug_sections>, symbols=symbols@entry=0xa181f0,
    pinfo=pinfo@entry=0xa0db30, do_place=1) at ./dwarf2.c:4354
#8  0x0000000000617ecb in _bfd_dwarf2_find_nearest_line (abfd=abfd@entry=0xa0d6b0, symbols=symbols@entry=0xa181f0, symbol=symbol@entry=0x0, section=section@entry=0xa0e890, offset=offset@entry=0,
    filename_ptr=filename_ptr@entry=0x7fffffffe198, functionname_ptr=0x7fffffffe1c0, linenumber_ptr=0x7fffffffe194, discriminator_ptr=0x0, debug_sections=0x7c6e20 <dwarf_debug_sections>, pinfo=0xa0db30)
    at ./dwarf2.c:4687
#9  0x0000000000539f6d in _bfd_elf_find_nearest_line (abfd=0xa0d6b0, symbols=0xa181f0, section=0xa0e890, offset=0, filename_ptr=0x7fffffffe198, functionname_ptr=0x7fffffffe1c0, line_ptr=0x7fffffffe194,
    discriminator_ptr=0x0) at elf.c:9005
#10 0x000000000040969b in print_symbol (abfd=abfd@entry=0xa0d6b0, sym=<optimized out>, ssize=ssize@entry=0, archive_bfd=archive_bfd@entry=0x0) at nm.c:1008
#11 0x000000000040a59d in print_symbols (archive_bfd=0x0, size=8, symcount=<optimized out>, minisyms=<optimized out>, is_dynamic=1, abfd=0xa0d6b0) at nm.c:1088
#12 display_rel_file (abfd=abfd@entry=0xa0d6b0, archive_bfd=archive_bfd@entry=0x0) at nm.c:1210
#13 0x000000000040d6de in display_file (filename=0x7fffffffe732 "poc4_invalid-free__bfd_dwarf2_cleanup_debug_info") at nm.c:1377
#14 0x0000000000405882 in main (argc=11, argv=0x7fffffffe438) at nm.c:1858
```
poc5:

```
Step 10/10 : RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc5_invalid-free__bfd_dwarf2_cleanup_debug_info || exit 0
 ---> Running in 7107b71ec7d3
./binutils-gdb/binutils/nm-new: warning: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a size (1e0000000008) larger than the file size
./binutils-gdb/binutils/nm-new: warning: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a size (fffffffffffffec0) larger than the file size
./binutils-gdb/binutils/nm-new: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info: unknown type [0xff000001] section `.debug_aranges'
./binutils-gdb/binutils/nm-new: warning: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a size (1e0000000008) larger than the file size
./binutils-gdb/binutils/nm-new: warning: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a size (fffffffffffffec0) larger than the file size
./binutils-gdb/binutils/nm-new: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info: warning: sh_link not set for section `.debug_aranges'
=================================================================
==7==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x61200000b5c0 in thread T0
    #0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x6a2c70 in _bfd_dwarf2_cleanup_debug_info dwarf2.c:5018
    #2 0x6a3332 in _bfd_dwarf2_slurp_debug_info dwarf2.c:4354
    #3 0x6a7a8e in _bfd_dwarf2_find_nearest_line dwarf2.c:4687
    #4 0x587f99 in _bfd_elf_find_nearest_line /binutils-gdb/bfd/elf.c:9005
    #5 0x40d9be in print_symbol /binutils-gdb/binutils/nm.c:1008
    #6 0x40ec98 in print_symbols /binutils-gdb/binutils/nm.c:1088
    #7 0x40ec98 in display_rel_file /binutils-gdb/binutils/nm.c:1210
    #8 0x411b5d in display_file /binutils-gdb/binutils/nm.c:1377
    #9 0x4077a7 in main /binutils-gdb/binutils/nm.c:1858
    #10 0x7ffff66a282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4094b8 in _start (/binutils-gdb/binutils/nm-new+0x4094b8)

0x61200000b5c0 is located 48 bytes inside of 253629440-byte region [0x61200000b590,0x61200f1ec990)
==7==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:186 "((res.trace)) != (0)" (0x0, 0x0)
    #0 0x7ffff6f0a631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7ffff6f0f5e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
    #2 0x7ffff6e8776c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d76c)
    #3 0x7ffff6e8861e  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1e61e)
    #4 0x7ffff6f07380  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9d380)
    #5 0x7ffff6f08727  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9e727)
    #6 0x7ffff6e8b617  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x21617)
    #7 0x7ffff6f0229d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
    #8 0x6a2c70 in _bfd_dwarf2_cleanup_debug_info dwarf2.c:5018
    #9 0x6a3332 in _bfd_dwarf2_slurp_debug_info dwarf2.c:4354
    #10 0x6a7a8e in _bfd_dwarf2_find_nearest_line dwarf2.c:4687
    #11 0x587f99 in _bfd_elf_find_nearest_line /binutils-gdb/bfd/elf.c:9005
    #12 0x40d9be in print_symbol /binutils-gdb/binutils/nm.c:1008
    #13 0x40ec98 in print_symbols /binutils-gdb/binutils/nm.c:1088
    #14 0x40ec98 in display_rel_file /binutils-gdb/binutils/nm.c:1210
    #15 0x411b5d in display_file /binutils-gdb/binutils/nm.c:1377
    #16 0x4077a7 in main /binutils-gdb/binutils/nm.c:1858
    #17 0x7ffff66a282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x4094b8 in _start (/binutils-gdb/binutils/nm-new+0x4094b8)

```


A reproducible docker image has been pushed to `zjuchenyuan/dockerized_poc:binutils-pocs`, but the ASAN build does not seem to be able to give backtrace information.

Dockerfile: (I would suggest removing the AFL_USE_ASAN environment variable if you want to get poc4 backtrace information)

```
FROM zjuchenyuan/afl
# ASAN-instrumented build (afl-gcc honours AFL_USE_ASAN); drop this line for a plain gdb build
ENV AFL_USE_ASAN=1
# pinned to the binutils-gdb commit the crashes were found on
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done  &&\
    cd binutils  &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt

RUN apt install -y gdb &&\
    echo -e "set pagination off\nset confirm off" > /root/.gdbinit

# copies the poc4/poc5 files into the image
ADD . /

# we may need to compile again without ASAN to use gdb

RUN gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc4_invalid-free__bfd_dwarf2_cleanup_debug_info' -ex bt -ex quit

# "|| exit 0" keeps the build going when nm-new aborts under ASAN
RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc5_invalid-free__bfd_dwarf2_cleanup_debug_info || exit 0


```
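Added example, not part of the bug report and not binutils code: the kind of check behind the two "corrupt section with a size ... larger than the file size" warnings in the poc5 output, written from the ELF64 header layout as a stand-alone C program. It builds a constructed ELF64 image in memory (not the poc4/poc5 attachments) whose section 2 has a caller-chosen sh_size, uses 0xfffffffffffffec0 from the poc5 warning as the corrupt value, and counts sections whose offset and size do not fit inside the file. The field offsets are the standard Elf64_Ehdr/Elf64_Shdr ones; the names count_corrupt_sections, build_sample, check_sample and check_truncated are this example's own.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHT_NOBITS 8
#define EHDR_SIZE  64   /* sizeof(Elf64_Ehdr) */
#define SHDR_SIZE  64   /* sizeof(Elf64_Shdr) */

/* Little-endian field readers/writers: no struct casts, no alignment issues. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Count section headers whose file-backed contents do not fit inside the file.
   Returns -1 if the ELF header or the section-header table itself is unusable.
   Every bound is checked by subtracting from file_size, never by adding
   sh_offset + sh_size: a hostile size such as 0xfffffffffffffec0 would wrap
   the sum and pass a naive "sum <= file_size" test. */
int count_corrupt_sections(const uint8_t *file, size_t file_size)
{
    if (file_size < EHDR_SIZE || memcmp(file, "\x7f" "ELF", 4) != 0
        || file[4] != 2 /* ELFCLASS64 */ || file[5] != 1 /* ELFDATA2LSB */)
        return -1;
    uint64_t e_shoff = rd64(file + 0x28);
    uint16_t e_shentsize = rd16(file + 0x3a);
    uint16_t e_shnum = rd16(file + 0x3c);
    if (e_shentsize != SHDR_SIZE || e_shoff > file_size
        || (uint64_t)e_shnum * SHDR_SIZE > file_size - e_shoff)
        return -1;

    int bad = 0;
    for (uint16_t i = 0; i < e_shnum; i++) {
        const uint8_t *sh = file + e_shoff + (size_t)i * SHDR_SIZE;
        uint32_t sh_type = rd32(sh + 0x04);
        uint64_t sh_offset = rd64(sh + 0x18);
        uint64_t sh_size = rd64(sh + 0x20);
        if (sh_type == SHT_NOBITS)
            continue;                       /* .bss-style: occupies no file bytes */
        if (sh_offset > file_size || sh_size > file_size - sh_offset) {
            fprintf(stderr, "section %u: offset 0x%" PRIx64 " size 0x%" PRIx64
                    " exceeds file size 0x%zx\n", i, sh_offset, sh_size, file_size);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample image (not one of the bug's attachments): ELF64 header,
   three section headers (null, one valid PROGBITS, one PROGBITS whose size the
   caller chooses), then 16 bytes of section data. Returns the image length. */
#define SAMPLE_LEN (EHDR_SIZE + 3 * SHDR_SIZE + 16)
static size_t build_sample(uint8_t *buf, uint64_t sec2_size)
{
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;          /* ELFCLASS64, LSB, EV_CURRENT */
    wr16(buf + 0x10, 1);                          /* e_type = ET_REL */
    wr16(buf + 0x12, 62);                         /* e_machine = EM_X86_64 */
    wr64(buf + 0x28, EHDR_SIZE);                  /* e_shoff: table follows header */
    wr16(buf + 0x34, EHDR_SIZE);                  /* e_ehsize */
    wr16(buf + 0x3a, SHDR_SIZE);                  /* e_shentsize */
    wr16(buf + 0x3c, 3);                          /* e_shnum */
    uint8_t *sh1 = buf + EHDR_SIZE + 1 * SHDR_SIZE;
    uint8_t *sh2 = buf + EHDR_SIZE + 2 * SHDR_SIZE;
    wr32(sh1 + 0x04, 1);                          /* SHT_PROGBITS */
    wr64(sh1 + 0x18, EHDR_SIZE + 3 * SHDR_SIZE);  /* sh_offset: the 16 data bytes */
    wr64(sh1 + 0x20, 16);                         /* sh_size: fits exactly */
    wr32(sh2 + 0x04, 1);
    wr64(sh2 + 0x18, EHDR_SIZE + 3 * SHDR_SIZE);
    wr64(sh2 + 0x20, sec2_size);                  /* valid or corrupt, per caller */
    return SAMPLE_LEN;
}

/* Build the sample with the given section-2 size and check it. */
int check_sample(uint64_t sec2_size)
{
    uint8_t img[SAMPLE_LEN];
    return count_corrupt_sections(img, build_sample(img, sec2_size));
}

/* Same image, but with a file length that cuts off the section-header table. */
int check_truncated(void)
{
    uint8_t img[SAMPLE_LEN];
    build_sample(img, 16);
    return count_corrupt_sections(img, 100);   /* header fits, table does not */
}

int main(void)
{
    printf("valid image:    %d corrupt section(s)\n", check_sample(16));
    printf("huge sh_size:   %d corrupt section(s)\n", check_sample(0xfffffffffffffec0ULL));
    printf("truncated file: %d\n", check_truncated());
    return 0;
}
```

The order of the two comparisons matters: `sh_offset > file_size` must be established first so that `file_size - sh_offset` cannot underflow. This only establishes that section contents lie inside the file; it says nothing about whether the DWARF inside `.debug_aranges` or `.debug_info` is well-formed, which is a separate layer of validation.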
Comment 1 zjuchenyuan 2019-10-07 16:55:07 UTC
Created attachment 12029 [details]
poc5
Comment 2 Alan Modra 2019-10-09 01:06:52 UTC
Both of these testcases trigger the same overflow as pr25070

*** This bug has been marked as a duplicate of bug 25070 ***