Bug 23114 - objcopy segmentation fault
Status: RESOLVED DUPLICATE of bug 23113
Product: binutils
Component: binutils
Version: 2.31
Importance: P2 normal
Reported: 2018-04-24 09:15 UTC by Guodong Zhu
Modified: 2018-04-24 15:41 UTC

Attachments
the malformed crash input (211 bytes, application/octet-stream), 2018-04-24 09:15 UTC, Guodong Zhu

Description Guodong Zhu 2018-04-24 09:15:31 UTC
Created attachment 10978
the malformed crash input

When calling "ignore_section_sym()" in function "elf_map_symbols()", objcopy fails to check the value of sym->section->output_section. The value of output_section can be 0x0.


# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x000000000045f66c in ignore_section_sym (abfd=0x7882a0, sym=0x78ea80) at ../../bfd/elf.c:4033
4033                   || (sym->section->output_section->owner == abfd
(gdb) bt
#0  0x000000000045f66c in ignore_section_sym (abfd=0x7882a0, sym=0x78ea80) at ../../bfd/elf.c:4033
#1  0x000000000045f8df in elf_map_symbols (abfd=0x7882a0, pnum_locals=0x7fffffffdcc8) at ../../bfd/elf.c:4099
#2  0x0000000000468d91 in swap_out_syms (abfd=0x7882a0, sttp=0x7fffffffddd8, relocatable_p=1) at ../../bfd/elf.c:7760
#3  0x000000000045fdac in _bfd_elf_compute_section_file_positions (abfd=0x7882a0, link_info=0x0) at ../../bfd/elf.c:4236
#4  0x0000000000465380 in _bfd_elf_write_object_contents (abfd=0x7882a0) at ../../bfd/elf.c:6368
#5  0x00000000004331ce in bfd_close (abfd=0x7882a0) at ../../bfd/opncls.c:731
#6  0x0000000000409021 in copy_file (
    input_filename=0x7fffffffe52e "/tmp/objcopy_crash.input",
    output_filename=0x7fffffffe578 "/dev/null", input_target=0x0, output_target=0x532953 "elf32-i386", input_arch=0x0)
    at ../../binutils/objcopy.c:3539
#7  0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe248) at ../../binutils/objcopy.c:5484
#8  0x000000000040d384 in main (argc=3, argv=0x7fffffffe248) at ../../binutils/objcopy.c:5588
(gdb) info registers
rax            0x0      0
rbx            0x0      0
rcx            0x1      1
rdx            0x7860a0 7889056
rsi            0x78ea80 7924352
rdi            0x7882a0 7897760
rbp            0x7fffffffdc00   0x7fffffffdc00
rsp            0x7fffffffdc00   0x7fffffffdc00
r8             0x7ffff7bce188   140737349738888
r9             0x1      1
r10            0x1      1
r11            0x246    582
r12            0x4025c0 4203968
r13            0x7fffffffe240   140737488347712
r14            0x0      0
r15            0x0      0
rip            0x45f66c 0x45f66c <ignore_section_sym+181>
eflags         0x10283  [ CF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) info proc mappings


# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial


# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
5373441d20b652d5b0332b6cada74524af3ae707
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.


# ------------------------------
This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
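As an added illustration of the unchecked dereference at elf.c:4033 in the backtrace and the NULL test that guards it (example code, not binutils' own: the structs are simplified stand-ins for BFD's bfd/asection/asymbol, and the predicate is a model of the section-ownership test, not ignore_section_sym itself):

```c
#include <stdbool.h>
#include <stddef.h>
/* Simplified stand-ins for BFD's bfd / asection / asymbol (assumption:
   only the pointers on the crash path are modelled). */
struct model_bfd { int id; };
struct model_section {
  struct model_bfd *owner;               /* object the section came from */
  struct model_section *output_section;  /* NULL until objcopy assigns one */
};
struct model_symbol { struct model_section *section; };
/* Unchecked form, mirroring the expression at elf.c:4033 in the backtrace:
   output_section is dereferenced without a NULL test, so a section symbol
   whose section never got an output section faults here (rax == 0 above). */
bool section_is_ours_unchecked(struct model_bfd *abfd, struct model_symbol *sym)
{
  return sym->section->owner == abfd
         || sym->section->output_section->owner == abfd;
}

/* Hardened form: a missing output section simply means "not ours", so the
   symbol is dropped rather than the tool crashing on malformed input. */
bool section_is_ours_checked(struct model_bfd *abfd, struct model_symbol *sym)
{
  if (sym == NULL || sym->section == NULL)
    return false;
  return sym->section->owner == abfd
         || (sym->section->output_section != NULL
             && sym->section->output_section->owner == abfd);
}

/* Constructed crash shape: section owned by another bfd, output_section
   left NULL.  The checked form returns false instead of faulting. */
bool check_null_output_section(void)
{
  struct model_bfd input = { 1 }, other = { 2 };
  struct model_section sec = { &other, NULL };
  struct model_symbol sym = { &sec };
  return section_is_ours_checked(&input, &sym);
}
/* Constructed well-formed shape: output_section assigned and owned by the
   bfd being written, so the symbol is kept. */
bool check_assigned_output_section(void)
{
  struct model_bfd input = { 1 }, other = { 2 };
  struct model_section out = { &input, NULL };
  struct model_section sec = { &other, &out };
  struct model_symbol sym = { &sec };
  return section_is_ours_checked(&input, &sym);
}
```

Calling section_is_ours_unchecked() on the first constructed shape reproduces the fault pattern from the report, which is why only the checked form is exercised.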
Comment 1 Nick Clifton 2018-04-24 15:41:51 UTC
Despite the reproducer being slightly different, this PR is actually caused
by the same bug as PR 23113 and it is fixed by the same patch.

*** This bug has been marked as a duplicate of bug 23113 ***