Created attachment 10978 [details]
the malformed crash input

When calling "ignore_section_sym()" in function "elf_map_symbols()", objcopy fails to check the value of sym->section->output_section. The value of output_section can be 0x0.

# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input /dev/null

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x000000000045f66c in ignore_section_sym (abfd=0x7882a0, sym=0x78ea80) at ../../bfd/elf.c:4033
4033	      || (sym->section->output_section->owner == abfd
(gdb) bt
#0  0x000000000045f66c in ignore_section_sym (abfd=0x7882a0, sym=0x78ea80) at ../../bfd/elf.c:4033
#1  0x000000000045f8df in elf_map_symbols (abfd=0x7882a0, pnum_locals=0x7fffffffdcc8) at ../../bfd/elf.c:4099
#2  0x0000000000468d91 in swap_out_syms (abfd=0x7882a0, sttp=0x7fffffffddd8, relocatable_p=1) at ../../bfd/elf.c:7760
#3  0x000000000045fdac in _bfd_elf_compute_section_file_positions (abfd=0x7882a0, link_info=0x0) at ../../bfd/elf.c:4236
#4  0x0000000000465380 in _bfd_elf_write_object_contents (abfd=0x7882a0) at ../../bfd/elf.c:6368
#5  0x00000000004331ce in bfd_close (abfd=0x7882a0) at ../../bfd/opncls.c:731
#6  0x0000000000409021 in copy_file (input_filename=0x7fffffffe52e "/tmp/objcopy_crash.input", output_filename=0x7fffffffe578 "/dev/null", input_target=0x0, output_target=0x532953 "elf32-i386", input_arch=0x0) at ../../binutils/objcopy.c:3539
#7  0x000000000040d048 in copy_main (argc=3, argv=0x7fffffffe248) at ../../binutils/objcopy.c:5484
#8  0x000000000040d384 in main (argc=3, argv=0x7fffffffe248) at ../../binutils/objcopy.c:5588
(gdb) info registers
rax            0x0	0
rbx            0x0	0
rcx            0x1	1
rdx            0x7860a0	7889056
rsi            0x78ea80	7924352
rdi            0x7882a0	7897760
rbp            0x7fffffffdc00	0x7fffffffdc00
rsp            0x7fffffffdc00	0x7fffffffdc00
r8             0x7ffff7bce188	140737349738888
r9             0x1	1
r10            0x1	1
r11            0x246	582
r12            0x4025c0	4203968
r13            0x7fffffffe240	140737488347712
r14            0x0	0
r15            0x0	0
rip            0x45f66c	0x45f66c <ignore_section_sym+181>
eflags         0x10283	[ CF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) info proc mappings
process 12323
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x566000   0x166000        0x0 /tmp/objcopy
            0x765000           0x777000    0x12000   0x165000 /tmp/objcopy
            0x777000           0x77e000     0x7000   0x177000 /tmp/objcopy
            0x77e000           0x7a4000    0x26000        0x0 [heap]
      0x7ffff7809000     0x7ffff79c9000   0x1c0000        0x0 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff79c9000     0x7ffff7bc9000   0x200000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bc9000     0x7ffff7bcd000     0x4000   0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcd000     0x7ffff7bcf000     0x2000   0x1c4000 /lib/x86_64-linux-gnu/libc-2.23.so
      0x7ffff7bcf000     0x7ffff7bd3000     0x4000        0x0 
      0x7ffff7bd3000     0x7ffff7bd6000     0x3000        0x0 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7bd6000     0x7ffff7dd5000   0x1ff000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd5000     0x7ffff7dd6000     0x1000     0x2000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd6000     0x7ffff7dd7000     0x1000     0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so
      0x7ffff7dd7000     0x7ffff7dfd000    0x26000        0x0 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7e49000     0x7ffff7fe1000   0x198000        0x0 /usr/lib/locale/locale-archive
      0x7ffff7fe1000     0x7ffff7fe5000     0x4000        0x0 
      0x7ffff7ff0000     0x7ffff7ff7000     0x7000        0x0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
      0x7ffff7ff7000     0x7ffff7ffa000     0x3000        0x0 [vvar]
      0x7ffff7ffa000     0x7ffff7ffc000     0x2000        0x0 [vdso]
      0x7ffff7ffc000     0x7ffff7ffd000     0x1000    0x25000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffd000     0x7ffff7ffe000     0x1000    0x26000 /lib/x86_64-linux-gnu/ld-2.23.so
      0x7ffff7ffe000     0x7ffff7fff000     0x1000        0x0 
      0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 [vsyscall]

# ------------
# Environment
$ uname -a
Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial

# ------------------------------
# Tested on the following two objcopy versions
# 1.
$ git rev-parse HEAD
5373441d20b652d5b0332b6cada74524af3ae707
# 2.
$ /usr/bin/objcopy --version
GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Copyright (C) 2015 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
# ------------------------------

This bug was found by Guodong Zhu and Kang Li with Team Seri0us at 360.
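The crashing expression at bfd/elf.c:4033 follows sym->section->output_section without first testing it for NULL. The following added example (not code from the report or from binutils) models that check on constructed stand-in structures so the failure mode can be reproduced and the guarded form compared. The struct layouts, the ignore_section_sym_unchecked/ignore_section_sym_guarded names and the case builders are assumptions made for the illustration; only the field names, the BSF_SECTION_SYM flag and the shape of the owner comparison follow the report and libbfd.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, minimal stand-ins for the BFD types named in the backtrace.
   They are NOT the real libbfd definitions; only the fields touched by the
   crashing comparison are modelled. */
typedef struct bfd bfd;
typedef struct asection {
    bfd *owner;                      /* file the section was read from */
    struct asection *output_section; /* may legitimately be NULL */
} asection;
struct bfd { int id; };
typedef struct asymbol {
    unsigned flags;
    asection *section;
} asymbol;
#define BSF_SECTION_SYM 0x100 /* assumed to match bfd.h's (1 << 8) */

/* Shape of the check as the report describes it: output_section is
   dereferenced without a NULL test, so a section symbol whose section is
   owned by another bfd and has no output section faults here. */
static bool ignore_section_sym_unchecked(const bfd *abfd, const asymbol *sym)
{
    if (sym == NULL || (sym->flags & BSF_SECTION_SYM) == 0)
        return false;
    if (sym->section == NULL)
        return true;
    return !(sym->section->owner == abfd
             || sym->section->output_section->owner == abfd); /* NULL deref */
}

/* Hardened form: test the pointer before following it.  A section with
   no output section cannot be "ours" through that path, so the symbol is
   simply ignored instead of crashing the tool. */
static bool ignore_section_sym_guarded(const bfd *abfd, const asymbol *sym)
{
    if (sym == NULL || (sym->flags & BSF_SECTION_SYM) == 0)
        return false;
    if (sym->section == NULL)
        return true;
    return !(sym->section->owner == abfd
             || (sym->section->output_section != NULL
                 && sym->section->output_section->owner == abfd));
}

/* The situation from the malformed input: foreign owner, NULL output. */
static bool crash_case_guarded(void)
{
    bfd self = {1}, other = {2};
    asection sec = { &other, NULL };
    asymbol sym = { BSF_SECTION_SYM, &sec };
    return ignore_section_sym_guarded(&self, &sym); /* true, no fault */
}

/* Section owned by this bfd: kept regardless of output_section. */
static bool kept_case_guarded(void)
{
    bfd self = {1};
    asection sec = { &self, NULL };
    asymbol sym = { BSF_SECTION_SYM, &sec };
    return ignore_section_sym_guarded(&self, &sym); /* false */
}

/* Foreign section mapped onto one of our output sections: kept. */
static bool remapped_case_guarded(void)
{
    bfd self = {1}, other = {2};
    asection out = { &self, NULL };
    asection sec = { &other, &out };
    asymbol sym = { BSF_SECTION_SYM, &sec };
    return ignore_section_sym_guarded(&self, &sym); /* false */
}

/* Non-section symbols never reach the owner comparison. */
static bool plain_symbol_case(void)
{
    bfd self = {1}, other = {2};
    asection sec = { &other, NULL };
    asymbol sym = { 0, &sec };
    return ignore_section_sym_guarded(&self, &sym); /* false */
}

/* Whenever output_section is present both forms agree, which is why the
   guard is a pure hardening change and not a behavioural one. */
static bool unchecked_and_guarded_agree(void)
{
    bfd self = {1}, other = {2}, third = {3};
    asection out = { &third, NULL };
    asection sec = { &other, &out };
    asymbol sym = { BSF_SECTION_SYM, &sec };
    return ignore_section_sym_unchecked(&self, &sym)
        == ignore_section_sym_guarded(&self, &sym);
}

int main(void)
{
    printf("crash case ignored: %d\n", crash_case_guarded());
    printf("kept case ignored:  %d\n", kept_case_guarded());
    printf("remapped ignored:   %d\n", remapped_case_guarded());
    printf("plain sym ignored:  %d\n", plain_symbol_case());
    printf("forms agree:        %d\n", unchecked_and_guarded_agree());
    return 0;
}
```

Calling ignore_section_sym_unchecked on the crash_case inputs would segfault exactly as the gdb session shows (rax = 0 is the NULL output_section being dereferenced); the guarded variant turns the same input into a dropped symbol and a clean run.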
Despite the reproducer being slightly different, this PR is actually caused by the same bug as PR 23113 and it is fixed by the same patch.

*** This bug has been marked as a duplicate of bug 23113 ***