Bug 26348

Summary: Malloc error in write_zeros
Product: binutils
Reporter: zhouan <seviezhou>
Component: binutils
Assignee: Alan Modra <amodra>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 2.36
Target Milestone: 2.36
Host:
Target:
Build:
Last reconfirmed: 2020-08-12 00:00:00
Attachments: malloc-size-error-write_zeros-elf-5406

Description zhouan 2020-08-07 16:54:07 UTC
Created attachment 12753: malloc-size-error-write_zeros-elf-5406

I found a malloc size error in strip-new; the source line is elf.c:5406:9. Here are the details:

## System info

Ubuntu x86_64, gcc (Ubuntu 5.5.0-12ubuntu1), binutils (2.36 8c4c18181ea382adf407df235c7991feb0647bab)

## Configure

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

## Command line

./binutils/strip-new -s -g -S -d -w -x -X -v -o /dev/null ./malloc-size-error-write_zeros-elf-5406

## AddressSanitizer output

```
==37618==WARNING: AddressSanitizer failed to allocate 0x2fffffffffff770 bytes
==37618==AddressSanitizer's allocator is terminating the process instead of returning 0
==37618==If you don't like this behavior set allocator_may_return_null=1
==37618==AddressSanitizer CHECK failed: /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225 "((0)) != (0)" (0x0, 0x0)
    #0 0x4e841f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_rtl.cc:69
    #1 0x505395 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x4ee246 in __sanitizer::ReportAllocatorCannotReturnNull() /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225
    #3 0x4ee283 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:241
    #4 0x41f356 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_allocator.cc:856
    #5 0x4def04 in malloc /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:89
    #6 0x59167a in bfd_malloc /home/seviezhou/binutils/bfd/libbfd.c:275:9
    #7 0x591980 in bfd_zmalloc /home/seviezhou/binutils/bfd/libbfd.c:326:15
    #8 0x669bcf in write_zeros /home/seviezhou/binutils/bfd/elf.c:5406:9
    #9 0x669bcf in assign_file_positions_for_load_sections /home/seviezhou/binutils/bfd/elf.c:5831
    #10 0x63bcd5 in assign_file_positions_except_relocs /home/seviezhou/binutils/bfd/elf.c:6388:12
    #11 0x63bcd5 in _bfd_elf_compute_section_file_positions /home/seviezhou/binutils/bfd/elf.c:4336
    #12 0x658cd6 in _bfd_elf_set_section_contents /home/seviezhou/binutils/bfd/elf.c:9276:12
    #13 0x59fd29 in bfd_set_section_contents /home/seviezhou/binutils/bfd/section.c:1520:7
    #14 0x528fc8 in copy_section /home/seviezhou/binutils/binutils/objcopy.c:4430:12
    #15 0x59f6dc in bfd_map_over_sections /home/seviezhou/binutils/bfd/section.c:1379:5
    #16 0x525bb5 in copy_object /home/seviezhou/binutils/binutils/objcopy.c:3266:3
    #17 0x51eeea in copy_file /home/seviezhou/binutils/binutils/objcopy.c:3831:13
    #18 0x5177d9 in strip_main /home/seviezhou/binutils/binutils/objcopy.c:4818:7
    #19 0x5177d9 in main /home/seviezhou/binutils/binutils/objcopy.c:6016
    #20 0x7f9cfcd9f83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #21 0x41ad18 in _start (/home/seviezhou/experiment-5/AlphaFuzz-strip/test/strip-new+0x41ad18)
```

Comment 1 Sourceware Commits 2020-08-12 22:43:37 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75e100a30d5dfdd3ac2b0391c17173645fc77633

commit 75e100a30d5dfdd3ac2b0391c17173645fc77633
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Aug 12 20:18:43 2020 +0930

    PR26348, Malloc error in write_zeros
    
    This adds a few more sanity checks on ELF objects, and a BFD flag to
    disable objcopy and strip when fuzzed input files belong in the "too
    hard" basket.
    
    bfd/
            PR 26348
            * bfd.c (struct bfd): Add read_only.
            * elfcode.h (elf_swap_shdr_in): Test both sh_offset and sh_size.
            Set read_only on warning.
            (elf_object_p): Sanity check program header alignment.  Set
            read_only on warning.
            * bfd-in2.h: Regenerate.
    binutils/
            PR 26348
            * objcopy.c (copy_object): Report file name with endian error.
            Error and return on abfd->read_only.

Comment 2 Alan Modra 2020-08-12 22:48:14 UTC
Fixed
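The commit message above names the kind of checks that stop a fuzzed ELF from driving write_zeros into a huge allocation: test sh_offset and sh_size together, and sanity-check program header alignment. Below is an added example of such a header check over an in-memory ELF64 image; it is written for this page and is not binutils' code, it assumes a Linux host's <elf.h>, and the sample image it validates is constructed inline.

```c
#include <string.h>
#include <elf.h>   /* glibc ELF64 types and constants; a Linux host is assumed */

enum { ELF_OK = 0, ELF_BAD_EHDR, ELF_BAD_PHDR, ELF_BAD_SHDR };
/* Check the headers of an in-memory ELF64 image of `len` bytes. */
int elf64_sanity_check(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return ELF_BAD_EHDR;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return ELF_BAD_EHDR;
    /* Program header table must fit, and p_align must be 0 or a power of two:
       an absurd alignment is what turns the padding behind write_zeros huge. */
    if (eh.e_phoff > len || eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr))
        return ELF_BAD_PHDR;
    for (size_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_align & (ph.p_align - 1)) return ELF_BAD_PHDR;
    }
    /* Section header table must fit, and for every section with file contents both
       sh_offset and sh_offset + sh_size must lie inside the file (overflow-safe form). */
    if (eh.e_shoff > len || eh.e_shnum > (len - eh.e_shoff) / sizeof(Elf64_Shdr))
        return ELF_BAD_SHDR;
    for (size_t i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        memcpy(&sh, buf + eh.e_shoff + i * sizeof sh, sizeof sh);
        if (sh.sh_type == SHT_NOBITS) continue;   /* e.g. .bss: no file bytes */
        if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset) return ELF_BAD_SHDR;
    }
    return ELF_OK;
}
/* Constructed sample image: one PT_LOAD, one PROGBITS section, 4 KiB of data. */
#define IMG_LEN (sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr) + sizeof(Elf64_Shdr) + 4096)
int check_sample(Elf64_Xword p_align, Elf64_Xword sh_size)
{
    static unsigned char img[IMG_LEN];
    Elf64_Ehdr eh = {0}; Elf64_Phdr ph = {0}; Elf64_Shdr sh = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG); eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh;             eh.e_phnum = 1;
    eh.e_shoff = sizeof eh + sizeof ph; eh.e_shnum = 1;
    ph.p_type = PT_LOAD;       ph.p_align = p_align;
    sh.sh_type = SHT_PROGBITS; sh.sh_offset = eh.e_shoff + sizeof sh; sh.sh_size = sh_size;
    memcpy(img, &eh, sizeof eh);
    memcpy(img + eh.e_phoff, &ph, sizeof ph);
    memcpy(img + eh.e_shoff, &sh, sizeof sh);
    return elf64_sanity_check(img, sizeof img);
}
```

A real checker would also validate e_phentsize/e_shentsize and 32-bit images; the two fields exercised here are the ones the fix names.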