Bug 23111 - objcopy segmentation fault
Summary: objcopy segmentation fault
Status: RESOLVED DUPLICATE of bug 23110
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.31
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2018-04-24 09:08 UTC by Guodong Zhu
Modified: 2018-04-24 15:26 UTC (History)
1 user (show)

See Also:
Last reconfirmed:

the malformed crash input (158 bytes, application/x-ms-dos-executable)
2018-04-24 09:08 UTC, Guodong Zhu

Note You need to log in before you can comment on or make changes to this bug.
Description Guodong Zhu 2018-04-24 09:08:39 UTC
Created attachment 10975 [details]
the malformed crash input

When objcopy copying private info(in file bfd/pex64igen.c function: "_bfd_pex64_bfd_copy_private_bfd_data_common()""), it has an unbounded loop that increase the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceed its own memory region, results into an unwrittable memory space.

# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x00000000004318aa in bfd_getl32 (p=0x7a4000) at ../../bfd/libbfd.c:635
635       v = (unsigned long) addr[0];
(gdb) bt
#0  0x00000000004318aa in bfd_getl32 (p=0x7a4000) at ../../bfd/libbfd.c:635
#1  0x00000000004bf023 in _bfd_pei_swap_debugdir_in (abfd=0x788290, ext1=0x7a3ff4, in1=0x7fffffffdcb0) at peigen.c:1123
#2  0x00000000004c37fc in _bfd_pe_bfd_copy_private_bfd_data_common (ibfd=0x784ec0, obfd=0x788290) at peigen.c:3004
#3  0x00000000004b50fb in pe_bfd_copy_private_bfd_data (ibfd=0x784ec0, obfd=0x788290) at ../../bfd/peicode.h:361
#4  0x00000000004082b9 in copy_object (ibfd=0x784ec0, obfd=0x788290, input_arch=0x0) at ../../binutils/objcopy.c:3170
#5  0x0000000000408fea in copy_file (
    input_filename=0x7fffffffe537 "/tmp/objcopy_crash.input",
    output_filename=0x7fffffffe578 "/dev/null", input_target=0x0, output_target=0x533778 "pei-i386", input_arch=0x0)
    at ../../binutils/objcopy.c:3532
#6  0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe258) at ../../binutils/objcopy.c:5484
#7  0x000000000040d384 in main (argc=3, argv=0x7fffffffe258) at ../../binutils/objcopy.c:5588
(gdb) info registers
rax            0x7a4000 8011776
rbx            0x0      0
rcx            0x7a3ff4 8011764
rdx            0x7a4000 8011776
rsi            0x7a3ff4 8011764
rdi            0x7a4000 8011776
rbp            0x7fffffffdc00   0x7fffffffdc00
rsp            0x7fffffffdc00   0x7fffffffdc00
r8             0xedff   60927
r9             0x11     17
r10            0xe      14
r11            0x246    582
r12            0x4025c0 4203968
r13            0x7fffffffe250   140737488347728
r14            0x0      0
r15            0x0      0
rip            0x4318aa 0x4318aa <bfd_getl32+20>
eflags         0x10216  [ PF AF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) info proc mappings
process 10041
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x566000   0x166000        0x0 /tmp/objcopy
            0x765000           0x777000    0x12000   0x165000 /tmp/objcopy
            0x777000           0x77e000     0x7000   0x177000 /tmp/objcopy
            0x77e000           0x7a4000    0x26000        0x0 [heap]
      0x7ffff771b000     0x7ffff7809000    0xee000        0x0
      0x7ffff7809000     0x7ffff79c9000   0x1c0000        0x0 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff79c9000     0x7ffff7bc9000   0x200000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bc9000     0x7ffff7bcd000     0x4000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcd000     0x7ffff7bcf000     0x2000   0x1c4000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcf000     0x7ffff7bd3000     0x4000        0x0
      0x7ffff7bd3000     0x7ffff7bd6000     0x3000        0x0 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7bd6000     0x7ffff7dd5000   0x1ff000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd5000     0x7ffff7dd6000     0x1000     0x2000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd6000     0x7ffff7dd7000     0x1000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd7000     0x7ffff7dfd000    0x26000        0x0 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7e1b000     0x7ffff7e49000    0x2e000        0x0
      0x7ffff7e49000     0x7ffff7fe1000   0x198000        0x0 /usr/lib/locale/locale-archive
      0x7ffff7fe1000     0x7ffff7fe5000     0x4000        0x0
      0x7ffff7ff0000     0x7ffff7ff7000     0x7000        0x0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
      0x7ffff7ff7000     0x7ffff7ffa000     0x3000        0x0 [vvar]
      0x7ffff7ffa000     0x7ffff7ffc000     0x2000        0x0 [vdso]
      0x7ffff7ffc000     0x7ffff7ffd000     0x1000    0x25000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffd000     0x7ffff7ffe000     0x1000    0x26000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffe000     0x7ffff7fff000     0x1000        0x0
      0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 [vsyscall]

# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial

# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

# ------------------------------
This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
Comment 1 Nick Clifton 2018-04-24 15:26:50 UTC

*** This bug has been marked as a duplicate of bug 23110 ***