Created attachment 10952: crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu.

This bug was found on Ubuntu 16.04 64-bit, and binutils was checked out from the main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 68e91e42492551e165b103d819c021c4953da10b (April 14 2018).

To reproduce:

Compile binutils with ASAN enabled:

CC=gcc-6 CXX=g++-6 CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

Download the attached file - crash3

nm-new -l crash3

*ASAN says:

                 U abort@@GLIBC_2.2.5
00000000004076b0 T adjust_relative_path	elfcomm.c:398
dwarf2.c:1569:24: runtime error: member access within null pointer of type 'struct line_info_table'
ASAN:DEADLYSIGNAL
=================================================================
==8280==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000060bc37 bp 0x7ffea00f6420 sp 0x7ffea00f63d0 T0)
    #0 0x60bc36 in concat_filename dwarf2.c:1569
    #1 0x61520d in find_abstract_instance dwarf2.c:2971
    #2 0x616aec in scan_unit_for_symbols dwarf2.c:3169
    #3 0x619a72 in comp_unit_maybe_decode_line_info dwarf2.c:3662
    #4 0x619b48 in comp_unit_find_line dwarf2.c:3688
    #5 0x620efb in _bfd_dwarf2_find_nearest_line dwarf2.c:4646
    #6 0x53a09b in _bfd_elf_find_line /home/thuan/experiments/binutils-gdb-asan-newest/bfd/elf.c:8782
    #7 0x4093da in print_symbol /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1008
    #8 0x409ca2 in print_symbols /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1089
    #9 0x40ab5a in display_rel_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1205
    #10 0x40b5cc in display_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1325
    #11 0x40e0e5 in main /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1799
    #12 0x7ff7288b382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x403358 in _start (/home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm-new+0x403358)

*Valgrind says:

==16435== Warning: set address range perms: large range [0x5ae1040, 0x18ae1fb6) (undefined)
==16435== Warning: set address range perms: large range [0x5ae1028, 0x18ae1fce) (noaccess)
==16435== Warning: set address range perms: large range [0x5ae1040, 0x18ae1fb6) (undefined)
==16435== Warning: set address range perms: large range [0x5ae1028, 0x18ae1fce) (noaccess)
==16435== Invalid read of size 4
==16435==    at 0x5DF863: concat_filename (dwarf2.c:1569)
==16435==    by 0x5EF700: find_abstract_instance.isra.29 (dwarf2.c:2971)
==16435==    by 0x5F4DB5: scan_unit_for_symbols (dwarf2.c:3169)
==16435==    by 0x5F92D3: comp_unit_maybe_decode_line_info (dwarf2.c:3662)
==16435==    by 0x5F92D3: comp_unit_find_line (dwarf2.c:3688)
==16435==    by 0x60390E: _bfd_dwarf2_find_nearest_line (dwarf2.c:4646)
==16435==    by 0x52BE53: _bfd_elf_find_line (elf.c:8782)
==16435==    by 0x408CE5: print_symbol (nm.c:1008)
==16435==    by 0x409D74: print_symbols (nm.c:1089)
==16435==    by 0x409D74: display_rel_file (nm.c:1205)
==16435==    by 0x40D095: display_file (nm.c:1325)
==16435==    by 0x4056B1: main (nm.c:1799)
==16435==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==16435== 
==16435== 
==16435== Process terminating with default action of signal 11 (SIGSEGV)
==16435==  Access not within mapped region at address 0x8
==16435==    at 0x5DF863: concat_filename (dwarf2.c:1569)
==16435==    by 0x5EF700: find_abstract_instance.isra.29 (dwarf2.c:2971)
==16435==    by 0x5F4DB5: scan_unit_for_symbols (dwarf2.c:3169)
==16435==    by 0x5F92D3: comp_unit_maybe_decode_line_info (dwarf2.c:3662)
==16435==    by 0x5F92D3: comp_unit_find_line (dwarf2.c:3688)
==16435==    by 0x60390E: _bfd_dwarf2_find_nearest_line (dwarf2.c:4646)
==16435==    by 0x52BE53: _bfd_elf_find_line (elf.c:8782)
==16435==    by 0x408CE5: print_symbol (nm.c:1008)
==16435==    by 0x409D74: print_symbols (nm.c:1089)
==16435==    by 0x409D74: display_rel_file (nm.c:1205)
==16435==    by 0x40D095: display_file (nm.c:1325)
==16435==    by 0x4056B1: main (nm.c:1799)

Thanks,
Thuan
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6327533b1fd29fa86f6bf34e61c332c010e3c689

commit 6327533b1fd29fa86f6bf34e61c332c010e3c689
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Apr 17 14:30:07 2018 +0100

    Add a check for a NULL table pointer before attempting to compute a DWARF filename.

    	PR 23065
    	* dwarf2.c (concat_filename): Check for a NULL table pointer.
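As an added illustration of the class of bug behind this report and of the fix the commit message describes, the following is simplified example code, not bfd's dwarf2.c: the struct layout, function names, diagnostics and the sample file table are assumptions made for the example. It places the shape that dereferences a NULL table (reading num_files through a null pointer gives the small fault address 0x8 seen in both traces) next to a form that checks the table pointer and the file number before indexing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a decoded DWARF line-table file list.
 * Assumption: illustrative field names, not the bfd definitions. */
struct fileinfo {
    const char *name;
};

struct line_info_table {
    unsigned int num_files;
    struct fileinfo *files;
};

/* Portable strdup replacement so the example builds under strict C99. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Vulnerable shape: the file number is bounded, but the table pointer
 * itself is never checked, so table->num_files is read through NULL
 * ("member access within null pointer of type 'struct line_info_table'").
 * Kept only as the "before"; never call it with table == NULL. */
static char *concat_filename_unchecked(const struct line_info_table *table,
                                       unsigned int file)
{
    if (file - 1 >= table->num_files)   /* unsigned wrap also catches file == 0 */
        return dup_string("<unknown>");
    return dup_string(table->files[file - 1].name);
}

/* Hardened form: a NULL table (the condition in the report's trace) and an
 * out-of-range file number both yield "<unknown>" instead of a dereference.
 * file == 0 is treated as "no file" and is not diagnosed; any other bad
 * number indicates a malformed section and is reported. */
static char *concat_filename_checked(const struct line_info_table *table,
                                     unsigned int file)
{
    if (table == NULL || file == 0 || file > table->num_files) {
        if (table != NULL && file != 0)
            fprintf(stderr, "DWARF error: bad file number %u\n", file);
        return dup_string("<unknown>");
    }
    return dup_string(table->files[file - 1].name);
}

/* Constructed sample table standing in for a decoded .debug_line file list;
 * it is not taken from the attached crash3. */
static struct fileinfo sample_files[] = {
    { "main.c" },
    { "util.c" },
};

static struct line_info_table sample_table = { 2, sample_files };

/* Helper for checking results: does the hardened lookup of FILE in TABLE
 * produce EXPECTED? */
static int lookup_matches(const struct line_info_table *table,
                          unsigned int file, const char *expected)
{
    char *got = concat_filename_checked(table, file);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* A valid index on a real table works in both versions. */
    char *valid = concat_filename_unchecked(&sample_table, 2);
    printf("unchecked, file 2: %s\n", valid);
    free(valid);

    /* The report's condition: no table at all. Only the checked form survives. */
    char *no_table = concat_filename_checked(NULL, 1);
    printf("checked, NULL table: %s\n", no_table);
    free(no_table);

    /* A file number past the end of the table is rejected, not indexed. */
    char *oob = concat_filename_checked(&sample_table, 7);
    printf("checked, file 7: %s\n", oob);
    free(oob);
    return 0;
}
```

The order of the conditions matters: `table == NULL` must be tested before `table->num_files` is read, which is exactly the check the commit adds in front of the existing file-number test. A fuzzer finds this kind of gap quickly because a malformed compilation unit can reach the filename lookup before any line-number program has been decoded for it, so every caller-supplied pointer on that path needs its own guard.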
Hi Thuan,

Thanks for reporting this bug. I have checked in a small patch which should fix the problem. Please let me know if you have any further issues with this problem.

Cheers
Nick