Bug 23063 - Crash in readelf (assertion failure)
Summary: Crash in readelf (assertion failure)
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.31
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-14 01:27 UTC by Thuan Pham
Modified: 2018-04-17 15:50 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
crash-inducing sample file (661 bytes, application/octet-stream)
2018-04-14 01:27 UTC, Thuan Pham

Description Thuan Pham 2018-04-14 01:27:31 UTC
Created attachment 10950
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit, and binutils was checked out from the main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 68e91e42492551e165b103d819c021c4953da10b (April 14 2018).

To reproduce:
Download the attached file - crash2
readelf -aW crash2

Error message:

readelf: Warning: section 30: sh_link value of 234 is larger than the number of sections
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x02420 0x00120 R E 0x4
readelf: Error: the PHDR segment is not covered by a LOAD segment
  INTERP         0x000054 0x08048000 0x08048000 0x005c4 0x005c4 R E 0x10f9
      [Requesting program interpreter: ]
  LOAD           0x000f08 0x08049f08 0x08049f08 0x0018d 0x00118 RW  0
readelf: Error: the segment's file size is larger than its memory size
  DYNAMIC        0x000f0a 0x00009f14 0x00170000 0x00000 0x00d00     0x45000009
readelf: Error: no .dynamic section in the dynamic segment
  NOTE           0x000168 0x08048168 0x20008168 0x00054 0x0fa44  W  0x4
  LOPROC+0x374e5 0x0004cc 0x1c041000 0x080484cc 0x0ec2c 0xe600002c R   0x4
  GNU_MBIND+0x2f 0xfc0000 0x00000062 0x00000000 0x00000 0x00000 RW  0xbcbcbcbc
  <unknown>: bcb 0xbcbcbcbc 0xbcbcbcbc 0xbcbcbcbc 0xbcbcbcbc 0xbcbcbcbc R   0xbcbcbcbc
  <unknown>: bcb 0xbcbcbcbc 0xbcbcbcbc 0x6f732e78 0x0002e 0x00000 R   0xd4110004

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type None is not currently supported.

Symbol table '<no-strings>' contains 0 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name

Symbol table '<no-strings>' contains 1 entry:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000 0x20003400 NOTYPE  LOCAL  INTERNAL [<other>: 8]  bad section index[10240] <corrupt>

No version information found in this file.

Displaying notes found at file offset 0x00000168 with length 0x00000054:
  Owner                 Data size       Description
readelf: readelf.c:516: print_symbol: Assertion `width != 0' failed.
  !N�������������������������:Aborted


Valgrind says:

readelf: readelf.c:516: print_symbol: Assertion `width != 0' failed.
  !N�������������������������:==14623== 
==14623== Process terminating with default action of signal 6 (SIGABRT)
==14623==    at 0x4E6F428: raise (raise.c:54)
==14623==    by 0x4E71029: abort (abort.c:89)
==14623==    by 0x4E67BD6: __assert_fail_base (assert.c:92)
==14623==    by 0x4E67C81: __assert_fail (assert.c:101)
==14623==    by 0x419C90: print_symbol (readelf.c:516)
==14623==    by 0x46B9F3: print_gnu_build_attribute_name (readelf.c:17896)
==14623==    by 0x46B9F3: process_note (readelf.c:17966)
==14623==    by 0x46B9F3: process_notes_at.part.58 (readelf.c:18166)
==14623==    by 0x4C728D: process_notes_at (readelf.c:18200)
==14623==    by 0x4C728D: process_corefile_note_segments (readelf.c:18196)
==14623==    by 0x4C728D: process_note_sections (readelf.c:18324)
==14623==    by 0x4C728D: process_notes (readelf.c:18337)
==14623==    by 0x4C728D: process_object (readelf.c:18695)
==14623==    by 0x404841: process_file (readelf.c:19104)
==14623==    by 0x404841: main (readelf.c:19163)

Thanks,

Thuan
Comment 1 cvs-commit@gcc.gnu.org 2018-04-17 15:20:19 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4a91159afa222c1025f1535f42e382b91dc6b73

commit c4a91159afa222c1025f1535f42e382b91dc6b73
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Apr 17 16:19:19 2018 +0100

    Fix typo in ChangeLog entry in previous delta.
    
    	PR 23063
    	* readelf.c (print_symbol): If the width is zero, return straight
    	away.
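Added example, not code from readelf or the patch above: a small ELF note walker in C with a print_symbol() modelled on readelf's, showing the shape of the fix the ChangeLog entry describes (a zero width returns immediately instead of reaching assert (width != 0)) next to the bounds checks a note parser needs when namesz/descsz come from a corrupt file. The note bytes are constructed here; the NT_* values are the ones binutils defines in include/elf/common.h; deriving the print width from the owner name's length is an illustration of how a note-supplied length can become a width of 0, not a reproduction of how readelf's print_gnu_build_attribute_name computes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_BUILD_ID             3      /* binutils include/elf/common.h */
#define NT_GNU_BUILD_ATTRIBUTE_OPEN 0x100  /* GNU build attribute note */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static size_t align4(size_t v) { return (v + 3u) & ~(size_t)3u; }

/* Modelled on readelf's print_symbol (width, symbol): write SYMBOL truncated
   to WIDTH columns; a negative WIDTH means exactly -WIDTH columns, space
   padded.  Returns the number of characters written.  The width == 0 early
   return is the PR 23063 fix; the old code asserted width != 0 there. */
int print_symbol(int width, const char *symbol)
{
    int pad = 0, printed = 0;

    if (width < 0) {
        width = -width;
        pad = 1;
    } else if (width == 0) {
        return 0;                     /* nothing to print, nothing to assert on */
    }
    while (printed < width && symbol[printed] != '\0') {
        putchar(symbol[printed]);
        printed++;
    }
    while (pad && printed < width) {
        putchar(' ');
        printed++;
    }
    return printed;
}

/* Walk a PT_NOTE / SHT_NOTE payload.  Returns the number of well-formed notes
   processed; stops at the first note whose header, name or descriptor runs
   past BUF, setting *TRUNCATED.  Every length is file-controlled data and is
   checked against the bytes remaining before it is turned into an offset. */
int walk_notes(const uint8_t *buf, size_t len, int *truncated)
{
    size_t off = 0;
    int count = 0;

    *truncated = 0;
    while (off < len) {
        uint32_t namesz, descsz, type;
        size_t name_off, desc_off, n;
        char owner[64];

        if (len - off < 12) { *truncated = 1; break; }
        namesz = rd32le(buf + off);
        descsz = rd32le(buf + off + 4);
        type   = rd32le(buf + off + 8);

        name_off = off + 12;
        if (namesz > len - name_off) { *truncated = 1; break; }
        desc_off = name_off + align4(namesz);
        if (desc_off > len || descsz > len - desc_off) { *truncated = 1; break; }

        /* Bounded, NUL-terminated copy: an empty or unterminated owner name
           is shown as "" instead of being read past its end. */
        n = namesz < sizeof owner ? namesz : sizeof owner - 1;
        memcpy(owner, buf + name_off, n);
        owner[n] = '\0';

        printf("  type 0x%x namesz %u descsz %u owner ",
               (unsigned)type, (unsigned)namesz, (unsigned)descsz);
        /* Width taken from the note's own name: a zero-length name makes this
           a width-0 call, the case that used to abort readelf. */
        print_symbol((int)strlen(owner), owner);
        putchar('\n');

        count++;
        off = desc_off + align4(descsz);
    }
    return count;
}

/* Constructed sample (not the attached crash file): a valid build-id note, a
   build-attribute note with an empty owner (namesz 0), then a note whose
   namesz 0xec2c runs far past the end of the buffer. */
const uint8_t sample_notes[] = {
    0x04,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, 0x03,0x00,0x00,0x00,
    'G','N','U',0x00,    0xde,0xad,0xbe,0xef,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x01,0x00,0x00,
    0x2c,0xec,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

int sample_note_count(void) { int t; return walk_notes(sample_notes, sizeof sample_notes, &t); }
int sample_truncated(void)  { int t; walk_notes(sample_notes, sizeof sample_notes, &t); return t; }

int main(void)
{
    int t, n = walk_notes(sample_notes, sizeof sample_notes, &t);
    printf("%d note(s) parsed, %s\n", n, t ? "buffer truncated or corrupt" : "clean end");
    return 0;
}
```

On the sample the walker reports two notes (the second with an empty owner, printed through the width-0 path without aborting) and then stops on the third, whose namesz exceeds the bytes left, which is the kind of check that keeps a corrupt length from ever reaching the printing code as an out-of-range width or offset.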
Comment 2 Nick Clifton 2018-04-17 15:50:40 UTC
Hi Thuan,

  Thanks for reporting this problem.  I have checked in a small patch to
  address the issue, so the bug should now be fixed.

Cheers
  Nick