(this issue is discovered when UBSAN is enabled) On version 2.30.51.20180206 and master branch of binutils: there is an unchecked strnlen operation, which could be triggered by the POC below. As shown in line 1201, the first parameter ("name") of strnlen could be manipulated by the input file. When "name" is NULL and the second parameter is larger than NULL, the program would fail with a segmentation fault.

1174 static char *
1175 bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
1176 {
...
1199   name = (char *) contents;
1200   /* PR 17597: avoid reading off the end of the buffer.  */
1201   crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
1202   crc_offset = (crc_offset + 3) & ~3;
...
1208 }

./src/bfd/opncls.c:1201:16: runtime error: null pointer passed as argument 1, which is declared to never be null

To reproduce the issue, run:

./bin/nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC

POC: https://github.com/ProbeFuzzer/poc/blob/master/binutils/binutils_2-30-51_nm_unchecked_strlen_bfd_get_debug_link_info_1
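For reference, here is an added example (not binutils code) of parsing a .gnu_debuglink section body with the guards this report calls for: reject a NULL or undersized buffer before calling strnlen, and make sure the CRC that follows the padded name still lies inside the section. The sample sections are constructed, and the CRC is read as little-endian for simplicity.

```c
/* Added example, not binutils code: defensive .gnu_debuglink parser.
   Layout: NUL-terminated name, zero padding to 4 bytes, 4-byte CRC32. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns 1 and fills *name_len and *crc on success, 0 if malformed. */
static int
parse_debuglink (const unsigned char *contents, size_t size,
                 size_t *name_len, uint32_t *crc)
{
  size_t crc_offset;

  /* Reject a NULL buffer (a zero-sized section yields no contents) and a
     section too small for a one-character name plus its CRC.  Without
     this, strnlen (NULL, size) is undefined behaviour and segfaults. */
  if (contents == NULL || size < 8)
    return 0;

  /* strnlen is bounded by size, so an unterminated name cannot run off
     the buffer; treat "no NUL found" as a malformed section. */
  *name_len = strnlen ((const char *) contents, size);
  if (*name_len == size)
    return 0;

  crc_offset = *name_len + 1;                    /* skip terminating NUL */
  crc_offset = (crc_offset + 3) & ~(size_t) 3;   /* round up to 4 bytes */
  if (crc_offset > size - 4)                     /* CRC must fit inside */
    return 0;

  *crc = (uint32_t) contents[crc_offset]         /* little-endian assumed */
       | ((uint32_t) contents[crc_offset + 1] << 8)
       | ((uint32_t) contents[crc_offset + 2] << 16)
       | ((uint32_t) contents[crc_offset + 3] << 24);
  return 1;
}

/* Wrapper for checks: the CRC on success, UINT64_MAX when rejected. */
static uint64_t
debuglink_crc (const unsigned char *contents, size_t size)
{
  size_t len; uint32_t crc;
  return parse_debuglink (contents, size, &len, &crc) ? crc : UINT64_MAX;
}

/* Constructed sample sections, not taken from any real binary. */
static const unsigned char sample_good[] = { 'a', 'b', 'c', 0, 0x12, 0x34, 0x56, 0x78 };
static const unsigned char sample_padded[] = { 'a', '.', 'd', 'b', 'g', 0, 0, 0, 0x12, 0x34, 0x56, 0x78 };
static const unsigned char sample_truncated[] = { 'a', '.', 'd', 'b', 'g', 0, 0, 0, 0x12, 0x34 };
static const unsigned char sample_no_nul[] = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
```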
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=64e234d417d5685a4aec0edc618114d9991c031b

commit 64e234d417d5685a4aec0edc618114d9991c031b
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 6 15:48:29 2018 +0000

    Prevent attempts to call strncpy with a zero-length field by checking the size of debuglink sections.

    PR 22794
    * opncls.c (bfd_get_debug_link_info_1): Check the size of the section before attempting to read it in.
    (bfd_get_alt_debug_link_info): Likewise.
Thanks for reporting this bug. I have applied a small patch to check the size of the debuglink sections before attempting to load their contents.

Cheers
Nick