Bug 25072 - malloc(): memory corruption in function print_symbol
Summary: malloc(): memory corruption in function print_symbol
Status: RESOLVED DUPLICATE of bug 25070
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.34
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2019-10-07 16:49 UTC by zjuchenyuan
Modified: 2019-10-09 01:02 UTC (History)
2 users (show)

See Also:
Last reconfirmed:

poc3 (10.14 KB, application/x-executable)
2019-10-07 16:49 UTC, zjuchenyuan

Note You need to log in before you can comment on or make changes to this bug.
Description zjuchenyuan 2019-10-07 16:49:38 UTC
Created attachment 12027 [details]

# gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc3_malloc-memory-corruption_print_symbol' -ex bt -ex quit

malloc(): memory corruption

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7603801 in __GI_abort () at abort.c:79
#2  0x00007ffff764c897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7779b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff765390a in malloc_printerr (str=str@entry=0x7ffff7777e0e "malloc(): memory corruption") at malloc.c:5350
#4  0x00007ffff7657994 in _int_malloc (av=av@entry=0x7ffff79aec40 <main_arena>, bytes=bytes@entry=280) at malloc.c:3738
#5  0x00007ffff765a0fc in __GI___libc_malloc (bytes=280) at malloc.c:3057
#6  0x00000000007b608d in xmalloc (size=<optimized out>) at ./xmalloc.c:147
#7  0x0000000000408f5b in print_symbol (abfd=abfd@entry=0xa0d6b0, sym=0xa1d4a0, ssize=ssize@entry=0, archive_bfd=archive_bfd@entry=0x0) at nm.c:965
#8  0x000000000040a59d in print_symbols (archive_bfd=0x0, size=8, symcount=<optimized out>, minisyms=<optimized out>, is_dynamic=1, abfd=0xa0d6b0) at nm.c:1088
#9  display_rel_file (abfd=abfd@entry=0xa0d6b0, archive_bfd=archive_bfd@entry=0x0) at nm.c:1210
#10 0x000000000040d6de in display_file (filename=0x7fffffffe738 "poc3_malloc-memory-corruption_print_symbol") at nm.c:1377
#11 0x0000000000405882 in main (argc=11, argv=0x7fffffffe448) at nm.c:1858

Reproducible docker image has been pushed to `zjuchenyuan/dockerized_poc:binutils-pocs`, but ASAN build seems cannot giving backtrace information.

Dockerfile: (I would suggest removing AFL_USE_ASAN environment)

FROM zjuchenyuan/afl
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done  &&\
    cd binutils  &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt

RUN apt install -y gdb &&\
    echo -e "set pagination off\nset confirm off" > /root/.gdbinit

ADD . /

# we may need to compile again without ASAN to use gdb

RUN gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc3_malloc-memory-corruption_print_symbol' -ex bt -ex quit

Comment 1 Alan Modra 2019-10-09 01:02:13 UTC
Same underlying problem as PR25070

*** This bug has been marked as a duplicate of bug 25070 ***