Bug 22881 - null pointer dereference in assign_file_positions_for_non_load_sections
Summary: null pointer dereference in assign_file_positions_for_non_load_sections
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.31
Importance: P2 normal
Target Milestone: ---
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-23 08:43 UTC by skysider
Modified: 2018-03-31 12:34 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2018-02-23 00:00:00


Description skysider 2018-02-23 08:43:35 UTC
When I test the latest objcopy with an ELF file, there is a null pointer dereference problem.
Here is part of the output.

==23042==ERROR: AddressSanitizer: SEGV on unknown address 0x00000038 (pc 0x082cd8d8 bp 0x1ea219a1 sp 0xffa84c10 T0)
    #0 0x82cd8d7 in assign_file_positions_for_non_load_sections /work/binutils-gdb/bfd/elf.c:5908
    #1 0x82cd8d7 in assign_file_positions_except_relocs /work/binutils-gdb/bfd/elf.c:6093
    #2 0x82cd8d7 in _bfd_elf_compute_section_file_positions /work/binutils-gdb/bfd/elf.c:4260
    #3 0x82ffe3a in _bfd_elf_set_section_contents /work/binutils-gdb/bfd/elf.c:8839
    #4 0x81ba6ee in bfd_set_section_contents /work/binutils-gdb/bfd/section.c:1532
    #5 0x806a3be in copy_section /work/binutils-gdb/binutils/objcopy.c:4099
    #6 0x81b9f44 in bfd_map_over_sections /work/binutils-gdb/bfd/section.c:1394
    #7 0x80743ac in copy_object /work/binutils-gdb/binutils/objcopy.c:3048
    #8 0x808087b in copy_object /work/binutils-gdb/binutils/objcopy.c:2432
    #9 0x808087b in copy_file /work/binutils-gdb/binutils/objcopy.c:3523
    #10 0x805596c in copy_main /work/binutils-gdb/binutils/objcopy.c:5478
    #11 0x805596c in main /work/binutils-gdb/binutils/objcopy.c:5582
    #12 0xf70af636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x8060dc5  (/work/build/binutils/objcopy+0x8060dc5)

The snippet of the function assign_file_positions_for_non_load_sections:
(gdb) list
5903                        break;
5904                    }
5905                  BFD_ASSERT (lm != NULL);
5906
5907                  /* Find the section starting the RELRO segment.  */
5908                  for (i = 0; i < lm->count; i++)
5909                    {
5910                      asection *s = lm->sections[i];
5911                      if (s->vma >= start
5912                          && s->vma < end

It seems that BFD_ASSERT(lm != NULL) doesn't end the execution, which leads to a null pointer dereference.
The test command is `objcopy test.elf`, and the test ELF file is https://github.com/skysider/FuzzVuln/blob/master/binutils_objcopy_null_pointer_dereference_assign_file_positions_for_non_load_sections.elf
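The report above hinges on BFD_ASSERT reporting a failed condition and then letting execution continue into the loop that dereferences lm. The C below is an added illustration of that failure mode and of the defensive pattern the fix's commit message describes (dropping the RELRO segment when no LOAD segment matches); it is not code from the page or from binutils. The types segment_t and section_t, the SOFT_ASSERT macro, and the segment map built in demo() are constructed models, not BFD's own struct elf_segment_map, asection or BFD_ASSERT.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for the parts of BFD's segment map that
   matter here; illustrative only, not bfd's own types. */
enum { PT_LOAD = 1, PT_GNU_RELRO = 0x6474e552 };

typedef struct {
    unsigned long vma;          /* virtual address where the section is loaded */
} section_t;

typedef struct {
    int           p_type;       /* PT_LOAD or PT_GNU_RELRO */
    unsigned      count;        /* number of sections mapped into this segment */
    section_t    *sections[4];
    unsigned long p_vaddr;      /* RELRO only: covers [p_vaddr, p_vaddr + p_memsz) */
    unsigned long p_memsz;
    int           dropped;      /* set when the segment is discarded from the layout */
} segment_t;

/* Soft assertion modelled on the behaviour the report describes for
   BFD_ASSERT: it reports the failure and keeps going.  Not BFD's macro. */
static int soft_assert_failures;
#define SOFT_ASSERT(cond) do { if (!(cond)) { \
        fprintf(stderr, "soft assertion failed: %s\n", #cond); \
        soft_assert_failures++; } } while (0)

/* Return the PT_LOAD segment whose first section starts inside [start, end),
   or NULL when the map has no such segment.  A crafted ELF can always
   produce the NULL case, so the caller must handle it explicitly. */
static segment_t *find_load_for_relro(segment_t *maps, size_t nmaps,
                                      unsigned long start, unsigned long end)
{
    for (size_t i = 0; i < nmaps; i++) {
        segment_t *m = &maps[i];
        if (m->p_type != PT_LOAD || m->count == 0 || m->dropped)
            continue;
        unsigned long vma = m->sections[0]->vma;
        if (vma >= start && vma < end)
            return m;
    }
    return NULL;
}

/* Lay out every RELRO segment.  Returns how many RELRO segments were dropped
   because no LOAD segment covered them.  The soft assertion alone would let
   execution fall through into lm->count with lm == NULL; the explicit NULL
   check is what prevents the dereference. */
static int assign_relro_segments(segment_t *maps, size_t nmaps)
{
    int dropped = 0;
    for (size_t j = 0; j < nmaps; j++) {
        segment_t *rm = &maps[j];
        if (rm->p_type != PT_GNU_RELRO)
            continue;
        unsigned long start = rm->p_vaddr;
        unsigned long end   = rm->p_vaddr + rm->p_memsz;
        segment_t *lm = find_load_for_relro(maps, nmaps, start, end);
        SOFT_ASSERT(lm != NULL);          /* reports, but does not stop */
        if (lm == NULL) {
            rm->dropped = 1;              /* discard the RELRO segment instead */
            dropped++;
            continue;
        }
        /* Find the section starting the RELRO segment; lm is non-NULL here. */
        for (unsigned i = 0; i < lm->count; i++) {
            section_t *s = lm->sections[i];
            if (s->vma >= start && s->vma < end) {
                rm->sections[0] = s;
                rm->count = 1;
                break;
            }
        }
    }
    return dropped;
}

/* Build a constructed segment map and run the layout over it.  with_load == 0
   models the malformed input: a RELRO segment with no covering LOAD segment.
   Returns the number of RELRO segments dropped. */
static int demo(int with_load)
{
    section_t data_rel_ro = { .vma = 0x2000 };
    segment_t maps[2];
    size_t n = 0;
    if (with_load) {
        maps[n] = (segment_t){ .p_type = PT_LOAD, .count = 1 };
        maps[n].sections[0] = &data_rel_ro;
        n++;
    }
    maps[n++] = (segment_t){ .p_type = PT_GNU_RELRO,
                             .p_vaddr = 0x2000, .p_memsz = 0x100 };
    return assign_relro_segments(maps, n);
}

int main(void)
{
    int ok = demo(1);
    printf("well-formed map: %d RELRO segment(s) dropped\n", ok);
    int bad = demo(0);
    printf("RELRO without LOAD: %d dropped, %d soft assertion(s) reported\n",
           bad, soft_assert_failures);
    return 0;
}
```

The point to take from the second run is that the assertion fires and the program still reaches the line after it; a non-aborting assertion macro is a diagnostic, not a guard, so fuzzer-found NULL cases in file parsers need a real control-flow check (return an error, or drop the offending segment as the fix does) rather than relying on the assertion to stop execution.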
Comment 1 Sourceware Commits 2018-02-23 11:16:54 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=01f7e10cf2dcf403462b2feed06c43135651556d

commit 01f7e10cf2dcf403462b2feed06c43135651556d
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Feb 23 21:22:43 2018 +1030

    PR22881, null pointer dereference in assign_file_positions_for_non_load_sections
    
    	PR 22881
    	* elf.c (assign_file_positions_for_non_load_sections): Remove RELRO
    	segment if no matching LOAD segment.
Comment 2 Alan Modra 2018-02-23 11:46:07 UTC
fixed