Created attachment 10975: the malformed crash input

When objcopy copies private info (in file bfd/pex64igen.c, function "_bfd_pex64_bfd_copy_private_bfd_data_common()"), it has an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an unwritable memory space.

# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x00000000004318aa in bfd_getl32 (p=0x7a4000) at ../../bfd/libbfd.c:635
635       v = (unsigned long) addr[0];
(gdb) bt
#0  0x00000000004318aa in bfd_getl32 (p=0x7a4000) at ../../bfd/libbfd.c:635
#1  0x00000000004bf023 in _bfd_pei_swap_debugdir_in (abfd=0x788290, ext1=0x7a3ff4, in1=0x7fffffffdcb0) at peigen.c:1123
#2  0x00000000004c37fc in _bfd_pe_bfd_copy_private_bfd_data_common (ibfd=0x784ec0, obfd=0x788290) at peigen.c:3004
#3  0x00000000004b50fb in pe_bfd_copy_private_bfd_data (ibfd=0x784ec0, obfd=0x788290) at ../../bfd/peicode.h:361
#4  0x00000000004082b9 in copy_object (ibfd=0x784ec0, obfd=0x788290, input_arch=0x0) at ../../binutils/objcopy.c:3170
#5  0x0000000000408fea in copy_file (input_filename=0x7fffffffe537 "/tmp/objcopy_crash.input", output_filename=0x7fffffffe578 "/dev/null", input_target=0x0, output_target=0x533778 "pei-i386", input_arch=0x0) at ../../binutils/objcopy.c:3532
#6  0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe258) at ../../binutils/objcopy.c:5484
#7  0x000000000040d384 in main (argc=3, argv=0x7fffffffe258) at ../../binutils/objcopy.c:5588
(gdb) info registers
rax            0x7a4000            8011776
rbx            0x0                 0
rcx            0x7a3ff4            8011764
rdx            0x7a4000            8011776
rsi            0x7a3ff4            8011764
rdi            0x7a4000            8011776
rbp            0x7fffffffdc00      0x7fffffffdc00
rsp            0x7fffffffdc00      0x7fffffffdc00
r8             0xedff              60927
r9             0x11                17
r10            0xe                 14
r11            0x246               582
r12            0x4025c0            4203968
r13            0x7fffffffe250      140737488347728
r14            0x0                 0
r15            0x0                 0
rip            0x4318aa            0x4318aa <bfd_getl32+20>
eflags         0x10216             [ PF AF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) info proc mappings
process 10041
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x566000   0x166000        0x0 /tmp/objcopy
            0x765000           0x777000    0x12000   0x165000 /tmp/objcopy
            0x777000           0x77e000     0x7000   0x177000 /tmp/objcopy
            0x77e000           0x7a4000    0x26000        0x0 [heap]
      0x7ffff771b000     0x7ffff7809000    0xee000        0x0
      0x7ffff7809000     0x7ffff79c9000   0x1c0000        0x0 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff79c9000     0x7ffff7bc9000   0x200000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bc9000     0x7ffff7bcd000     0x4000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcd000     0x7ffff7bcf000     0x2000   0x1c4000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcf000     0x7ffff7bd3000     0x4000        0x0
      0x7ffff7bd3000     0x7ffff7bd6000     0x3000        0x0 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7bd6000     0x7ffff7dd5000   0x1ff000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd5000     0x7ffff7dd6000     0x1000     0x2000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd6000     0x7ffff7dd7000     0x1000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd7000     0x7ffff7dfd000    0x26000        0x0 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7e1b000     0x7ffff7e49000    0x2e000        0x0
      0x7ffff7e49000     0x7ffff7fe1000   0x198000        0x0 /usr/lib/locale/locale-archive
      0x7ffff7fe1000     0x7ffff7fe5000     0x4000        0x0
      0x7ffff7ff0000     0x7ffff7ff7000     0x7000        0x0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
      0x7ffff7ff7000     0x7ffff7ffa000     0x3000        0x0 [vvar]
      0x7ffff7ffa000     0x7ffff7ffc000     0x2000        0x0 [vdso]
      0x7ffff7ffc000     0x7ffff7ffd000     0x1000    0x25000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffd000     0x7ffff7ffe000     0x1000    0x26000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffe000     0x7ffff7fff000     0x1000        0x0
      0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 [vsyscall]

# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial

# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
5373441d20b652d5b0332b6cada74524af3ae707
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
# ------------------------------

This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
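The report describes a loop over IMAGE_DEBUG_DIRECTORY entries that advances *edd without checking where the directory ends, so a crafted size walks the pointer off the heap mapping. The following is an added example, not binutils source, of how such a walk is bounded against the enclosing section: walk_debug_dir, getl32 and the sample buffer are constructed names and data, and only the 28-byte on-disk entry layout (Type at offset 12) is taken from the PE format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEBUG_DIR_ENTRY_SIZE 28u   /* on-disk size of IMAGE_DEBUG_DIRECTORY */

/* Little-endian 32-bit read with the same meaning as bfd_getl32. */
static uint32_t getl32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Visit the debug directory that the headers claim occupies
   [dir_off, dir_off + dir_size) inside a section buffer of sec_size bytes.
   Returns the number of complete entries visited and stores each entry's
   Type field into types[] (at most max_types of them); returns -1 when the
   claimed range does not fit inside the buffer. */
int walk_debug_dir(const unsigned char *sec, size_t sec_size,
                   size_t dir_off, size_t dir_size,
                   uint32_t *types, size_t max_types)
{
    /* The bound whose absence the crash shows: without it a crafted
       dir_size lets the loop advance *edd past the end of the mapping. */
    if (dir_off > sec_size || dir_size > sec_size - dir_off)
        return -1;

    int count = 0;
    size_t end = dir_off + dir_size;
    for (size_t off = dir_off; off + DEBUG_DIR_ENTRY_SIZE <= end;
         off += DEBUG_DIR_ENTRY_SIZE) {
        const unsigned char *edd = sec + off;     /* current external entry */
        if ((size_t)count < max_types)
            types[count] = getl32(edd + 12);      /* Type field, offset 12 */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed 64-byte section holding two entries (Type 2 and Type 4). */
    unsigned char sec[64] = {0};
    sec[12] = 2;
    sec[28 + 12] = 4;
    uint32_t types[4];
    printf("valid:     %d\n", walk_debug_dir(sec, sizeof sec, 0, 56, types, 4));
    /* Header claims 0x1000 bytes of directory: rejected instead of read. */
    printf("oversized: %d\n", walk_debug_dir(sec, sizeof sec, 0, 0x1000, types, 4));
    return 0;
}
```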
Duplicate *** This bug has been marked as a duplicate of bug 23110 ***