Bug 23065 - SEGFAULT in nm-new
Summary: SEGFAULT in nm-new
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.31
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-14 04:08 UTC by Thuan Pham
Modified: 2018-04-17 13:34 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
crash-inducing sample file (52.97 KB, application/x-executable), 2018-04-14 04:08 UTC, Thuan Pham

Description Thuan Pham 2018-04-14 04:08:14 UTC
Created attachment 10952
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. 

This bug was found on Ubuntu 16.04 64-bit & binutils was checked out from main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 68e91e42492551e165b103d819c021c4953da10b (April 14 2018) 


To reproduce:

Compile binutils with ASAN enabled

CC=gcc-6 CXX=g++-6 CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim

Download the attached file - crash3
nm-new -l crash3

*ASAN says:

                 U abort@@GLIBC_2.2.5
00000000004076b0 T adjust_relative_path elfcomm.c:398
dwarf2.c:1569:24: runtime error: member access within null pointer of type 'struct line_info_table'
ASAN:DEADLYSIGNAL
=================================================================
==8280==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000060bc37 bp 0x7ffea00f6420 sp 0x7ffea00f63d0 T0)
    #0 0x60bc36 in concat_filename dwarf2.c:1569
    #1 0x61520d in find_abstract_instance dwarf2.c:2971
    #2 0x616aec in scan_unit_for_symbols dwarf2.c:3169
    #3 0x619a72 in comp_unit_maybe_decode_line_info dwarf2.c:3662
    #4 0x619b48 in comp_unit_find_line dwarf2.c:3688
    #5 0x620efb in _bfd_dwarf2_find_nearest_line dwarf2.c:4646
    #6 0x53a09b in _bfd_elf_find_line /home/thuan/experiments/binutils-gdb-asan-newest/bfd/elf.c:8782
    #7 0x4093da in print_symbol /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1008
    #8 0x409ca2 in print_symbols /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1089
    #9 0x40ab5a in display_rel_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1205
    #10 0x40b5cc in display_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1325
    #11 0x40e0e5 in main /home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1799
    #12 0x7ff7288b382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x403358 in _start (/home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm-new+0x403358)


*Valgrind says:

==16435== Warning: set address range perms: large range [0x5ae1040, 0x18ae1fb6) (undefined)
==16435== Warning: set address range perms: large range [0x5ae1028, 0x18ae1fce) (noaccess)
==16435== Warning: set address range perms: large range [0x5ae1040, 0x18ae1fb6) (undefined)
==16435== Warning: set address range perms: large range [0x5ae1028, 0x18ae1fce) (noaccess)
==16435== Invalid read of size 4
==16435==    at 0x5DF863: concat_filename (dwarf2.c:1569)
==16435==    by 0x5EF700: find_abstract_instance.isra.29 (dwarf2.c:2971)
==16435==    by 0x5F4DB5: scan_unit_for_symbols (dwarf2.c:3169)
==16435==    by 0x5F92D3: comp_unit_maybe_decode_line_info (dwarf2.c:3662)
==16435==    by 0x5F92D3: comp_unit_find_line (dwarf2.c:3688)
==16435==    by 0x60390E: _bfd_dwarf2_find_nearest_line (dwarf2.c:4646)
==16435==    by 0x52BE53: _bfd_elf_find_line (elf.c:8782)
==16435==    by 0x408CE5: print_symbol (nm.c:1008)
==16435==    by 0x409D74: print_symbols (nm.c:1089)
==16435==    by 0x409D74: display_rel_file (nm.c:1205)
==16435==    by 0x40D095: display_file (nm.c:1325)
==16435==    by 0x4056B1: main (nm.c:1799)
==16435==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==16435== 
==16435== 
==16435== Process terminating with default action of signal 11 (SIGSEGV)
==16435==  Access not within mapped region at address 0x8
==16435==    at 0x5DF863: concat_filename (dwarf2.c:1569)
==16435==    by 0x5EF700: find_abstract_instance.isra.29 (dwarf2.c:2971)
==16435==    by 0x5F4DB5: scan_unit_for_symbols (dwarf2.c:3169)
==16435==    by 0x5F92D3: comp_unit_maybe_decode_line_info (dwarf2.c:3662)
==16435==    by 0x5F92D3: comp_unit_find_line (dwarf2.c:3688)
==16435==    by 0x60390E: _bfd_dwarf2_find_nearest_line (dwarf2.c:4646)
==16435==    by 0x52BE53: _bfd_elf_find_line (elf.c:8782)
==16435==    by 0x408CE5: print_symbol (nm.c:1008)
==16435==    by 0x409D74: print_symbols (nm.c:1089)
==16435==    by 0x409D74: display_rel_file (nm.c:1205)
==16435==    by 0x40D095: display_file (nm.c:1325)
==16435==    by 0x4056B1: main (nm.c:1799)


Thanks,

Thuan
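As an added illustration, and not code from the report above or from binutils itself, the following stand-alone C model shows the shape of the fault and the kind of NULL-table check the fix commit describes. The only facts taken from the report are that `table` was NULL when `concat_filename` ran at dwarf2.c:1569 and that the faulting read was at address 0x8; the struct layout, field names, the constructed sample table and the `"<unknown>"` fallback string are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a DWARF line-number file table (assumption: the real bfd
   struct has more fields). `abfd` comes first so that `num_files` sits
   at offset 8 on a 64-bit host, which is where the NULL-based read in
   the ASAN and Valgrind reports faulted (address 0x8). */
struct line_info_table {
  void *abfd;
  unsigned int num_files;
  char **files;            /* files[i] names DWARF file number i + 1 */
};

/* Vulnerable form (model of the pre-fix logic): `table` is dereferenced
   before anything confirms the compilation unit actually has a line
   table. The report's trace reaches this point from find_abstract_instance
   with table == NULL and dies reading table->num_files. It is not called
   below; it is here only to show the missing check. */
char *concat_filename_unchecked(struct line_info_table *table, unsigned int file)
{
  /* file == 0 means "unknown"; unsigned wrap makes 0 - 1 >= num_files true. */
  if (file - 1 >= table->num_files)   /* SIGSEGV at offset 8 when table == NULL */
    return strdup("<unknown>");
  return strdup(table->files[file - 1]);
}

/* Hardened form: refuse a NULL table before touching any member, then
   apply the same bad-file-number check. Returning "<unknown>" keeps the
   caller's contract (it always gets back a freeable string). */
char *concat_filename_checked(struct line_info_table *table, unsigned int file)
{
  if (table == NULL)
    return strdup("<unknown>");
  if (file - 1 >= table->num_files)
    return strdup("<unknown>");
  return strdup(table->files[file - 1]);
}

/* Constructed sample table standing in for what the line-number program
   would normally populate from .debug_line. */
struct line_info_table *sample_table(void)
{
  static char *names[] = { "crash3.c", "include/common.h" };
  static struct line_info_table t = { NULL, 2, names };
  return &t;
}

/* Check helper: 1 if the hardened lookup yields `expect`, else 0. */
int lookup_matches(struct line_info_table *table, unsigned int file,
                   const char *expect)
{
  char *got = concat_filename_checked(table, file);
  int ok = got != NULL && strcmp(got, expect) == 0;
  free(got);
  return ok;
}

int main(void)
{
  /* The crashing case from the report: no line table for this CU. */
  printf("NULL table, file 1  -> %s\n",
         lookup_matches(NULL, 1, "<unknown>") ? "<unknown> (no crash)" : "mismatch");
  printf("valid table, file 2 -> %s\n",
         lookup_matches(sample_table(), 2, "include/common.h") ? "include/common.h" : "mismatch");
  printf("valid table, file 9 -> %s\n",
         lookup_matches(sample_table(), 9, "<unknown>") ? "<unknown>" : "mismatch");
  return 0;
}
```

The check has to sit before the first member access, not merely before the array index: the fault in the report is on `num_files` at offset 8, so a bounds test that reads `table->num_files` first is itself the crashing read.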
Comment 1 Sourceware Commits 2018-04-17 13:31:28 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6327533b1fd29fa86f6bf34e61c332c010e3c689

commit 6327533b1fd29fa86f6bf34e61c332c010e3c689
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Apr 17 14:30:07 2018 +0100

    Add a check for a NULL table pointer before attempting to compute a DWARF filename.
    
    	PR 23065
    	* dwarf2.c (concat_filename): Check for a NULL table pointer.
Comment 2 Nick Clifton 2018-04-17 13:34:09 UTC
Hi Thuan,

  Thanks for reporting this bug.  I have checked in a small patch which
  should fix the problem.  Please let me know if you have any further
  issues with this problem.

Cheers
  Nick