Bug 23113 - objcopy segmentation fault
Summary: objcopy segmentation fault
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.31
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
: 23114 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-04-24 09:13 UTC by Guodong Zhu
Modified: 2018-04-24 16:00 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
the malformed crash input (296 bytes, application/octet-stream)
2018-04-24 09:13 UTC, Guodong Zhu
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Guodong Zhu 2018-04-24 09:13:18 UTC
Created attachment 10977 [details]
the malformed crash input

When processing a symtab entry with "SECTION" type and "0" value, objcopy fails to check pointer sym->section->output_section before calling ignore_section_sym in bfd/elf.c function "elf_map_symbols()". The value of output_section can be 0x0.

# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x000000000045f66c in ignore_section_sym (abfd=0x788290, sym=0x78faf0) at ../../bfd/elf.c:4033
4033                   || (sym->section->output_section->owner == abfd
(gdb) bt
#0  0x000000000045f66c in ignore_section_sym (abfd=0x788290, sym=0x78faf0) at ../../bfd/elf.c:4033
#1  0x000000000045f7fc in elf_map_symbols (abfd=0x788290, pnum_locals=0x7fffffffdc98) at ../../bfd/elf.c:4082
#2  0x0000000000468d91 in swap_out_syms (abfd=0x788290, sttp=0x7fffffffdda8, relocatable_p=1) at ../../bfd/elf.c:7760
#3  0x000000000045fdac in _bfd_elf_compute_section_file_positions (abfd=0x788290, link_info=0x0) at ../../bfd/elf.c:4236
#4  0x0000000000465380 in _bfd_elf_write_object_contents (abfd=0x788290) at ../../bfd/elf.c:6368
#5  0x00000000004331ce in bfd_close (abfd=0x788290) at ../../bfd/opncls.c:731
#6  0x0000000000409021 in copy_file (
    input_filename=0x7fffffffe507 "/tmp/objcopy_crash.input",
    output_filename=0x7fffffffe548 "/dev/null", input_target=0x0, output_target=0x532953 "elf32-i386", input_arch=0x0)
    at ../../binutils/objcopy.c:3539
#7  0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe218) at ../../binutils/objcopy.c:5484
#8  0x000000000040d384 in main (argc=3, argv=0x7fffffffe218) at ../../binutils/objcopy.c:5588
(gdb) info registers
rax            0x0      0
rbx            0x0      0
rcx            0x1      1
rdx            0x7860d0 7889104
rsi            0x78fb30 7928624
rdi            0x7882c0 7897792
rbp            0x7fffffffdbe0   0x7fffffffdbe0
rsp            0x7fffffffdbe0   0x7fffffffdbe0
r8             0x7ffff7bce188   140737349738888
r9             0x1      1
r10            0x1      1
r11            0x246    582
r12            0x4025c0 4203968
r13            0x7fffffffe220   140737488347680
r14            0x0      0
r15            0x0      0
rip            0x45f66c 0x45f66c <ignore_section_sym+181>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) info proc mapping
process 7026
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x566000   0x166000        0x0 /tmp/objcopy
            0x765000           0x777000    0x12000   0x165000 /tmp/objcopy
            0x777000           0x77e000     0x7000   0x177000 /tmp/objcopy
            0x77e000           0x7a4000    0x26000        0x0 [heap]
      0x7ffff7809000     0x7ffff79c9000   0x1c0000        0x0 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff79c9000     0x7ffff7bc9000   0x200000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bc9000     0x7ffff7bcd000     0x4000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcd000     0x7ffff7bcf000     0x2000   0x1c4000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcf000     0x7ffff7bd3000     0x4000        0x0
      0x7ffff7bd3000     0x7ffff7bd6000     0x3000        0x0 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7bd6000     0x7ffff7dd5000   0x1ff000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd5000     0x7ffff7dd6000     0x1000     0x2000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd6000     0x7ffff7dd7000     0x1000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd7000     0x7ffff7dfd000    0x26000        0x0 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7e49000     0x7ffff7fe1000   0x198000        0x0 /usr/lib/locale/locale-archive
      0x7ffff7fe1000     0x7ffff7fe5000     0x4000        0x0
      0x7ffff7ff0000     0x7ffff7ff7000     0x7000        0x0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
      0x7ffff7ff7000     0x7ffff7ffa000     0x3000        0x0 [vvar]
      0x7ffff7ffa000     0x7ffff7ffc000     0x2000        0x0 [vdso]
      0x7ffff7ffc000     0x7ffff7ffd000     0x1000    0x25000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffd000     0x7ffff7ffe000     0x1000    0x26000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffe000     0x7ffff7fff000     0x1000        0x0
      0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 [vsyscall]


# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial


# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
5373441d20b652d5b0332b6cada74524af3ae707
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.


# ------------------------------
This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
Comment 1 Nick Clifton 2018-04-24 15:41:51 UTC
*** Bug 23114 has been marked as a duplicate of this bug. ***
Comment 2 Sourceware Commits 2018-04-24 15:58:32 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=db0c309f4011ca94a4abc8458e27f3734dab92ac

commit db0c309f4011ca94a4abc8458e27f3734dab92ac
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Apr 24 16:57:04 2018 +0100

    Fix an illegal memory access when trying to copy an ELF binary with corrupt section symbols.
    
    	PR 23113
    	* elf.c (ignore_section_sym): Check for the output_section pointer
    	being NULL before dereferencing it.
Comment 3 Nick Clifton 2018-04-24 16:00:04 UTC
Hi Guodong,

  Thanks for reporting this bug.  I have checked in a small patch to the
  BFD library to add a check for a NULL output_section pointer before
  dereferencing it.  This should fix the bug.

Cheers
  Nick