Created attachment 12028 [details] poc4 poc4: ``` # gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc4_invalid-free__bfd_dwarf2_cleanup_debug_info' -ex bt -ex quit free(): invalid next size (normal) Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007ffff7603801 in __GI_abort () at abort.c:79 #2 0x00007ffff764c897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7779b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181 #3 0x00007ffff765390a in malloc_printerr (str=str@entry=0x7ffff777b8b8 "free(): invalid next size (normal)") at malloc.c:5350 #4 0x00007ffff765b0ad in _int_free (have_lock=0, p=0xa18a40, av=0x7ffff79aec40 <main_arena>) at malloc.c:4286 #5 __GI___libc_free (mem=0xa18a50) at malloc.c:3124 #6 0x00000000006133b1 in _bfd_dwarf2_cleanup_debug_info (abfd=abfd@entry=0xa0d6b0, pinfo=pinfo@entry=0xa0db30) at ./dwarf2.c:5010 #7 0x00000000006138ab in _bfd_dwarf2_slurp_debug_info (abfd=abfd@entry=0xa0d6b0, debug_bfd=debug_bfd@entry=0x0, debug_sections=0x7c6e20 <dwarf_debug_sections>, symbols=symbols@entry=0xa181f0, pinfo=pinfo@entry=0xa0db30, do_place=1) at ./dwarf2.c:4354 #8 0x0000000000617ecb in _bfd_dwarf2_find_nearest_line (abfd=abfd@entry=0xa0d6b0, symbols=symbols@entry=0xa181f0, symbol=symbol@entry=0x0, section=section@entry=0xa0e890, offset=offset@entry=0, filename_ptr=filename_ptr@entry=0x7fffffffe198, functionname_ptr=0x7fffffffe1c0, linenumber_ptr=0x7fffffffe194, discriminator_ptr=0x0, debug_sections=0x7c6e20 <dwarf_debug_sections>, pinfo=0xa0db30) at ./dwarf2.c:4687 #9 0x0000000000539f6d in _bfd_elf_find_nearest_line (abfd=0xa0d6b0, symbols=0xa181f0, section=0xa0e890, offset=0, filename_ptr=0x7fffffffe198, functionname_ptr=0x7fffffffe1c0, line_ptr=0x7fffffffe194, 
discriminator_ptr=0x0) at elf.c:9005 #10 0x000000000040969b in print_symbol (abfd=abfd@entry=0xa0d6b0, sym=<optimized out>, ssize=ssize@entry=0, archive_bfd=archive_bfd@entry=0x0) at nm.c:1008 #11 0x000000000040a59d in print_symbols (archive_bfd=0x0, size=8, symcount=<optimized out>, minisyms=<optimized out>, is_dynamic=1, abfd=0xa0d6b0) at nm.c:1088 #12 display_rel_file (abfd=abfd@entry=0xa0d6b0, archive_bfd=archive_bfd@entry=0x0) at nm.c:1210 #13 0x000000000040d6de in display_file (filename=0x7fffffffe732 "poc4_invalid-free__bfd_dwarf2_cleanup_debug_info") at nm.c:1377 #14 0x0000000000405882 in main (argc=11, argv=0x7fffffffe438) at nm.c:1858 ``` poc5: ``` Step 10/10 : RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc5_invalid-free__bfd_dwarf2_cleanup_debug_info || exit 0 ---> Running in 7107b71ec7d3 ./binutils-gdb/binutils/nm-new: warning: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a size (1e0000000008) larger than the file size ./binutils-gdb/binutils/nm-new: warning: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a size (fffffffffffffec0) larger than the file size ./binutils-gdb/binutils/nm-new: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info: unknown type [0xff000001] section `.debug_aranges' ./binutils-gdb/binutils/nm-new: warning: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a size (1e0000000008) larger than the file size ./binutils-gdb/binutils/nm-new: warning: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a size (fffffffffffffec0) larger than the file size ./binutils-gdb/binutils/nm-new: poc5_invalid-free__bfd_dwarf2_cleanup_debug_info: warning: sh_link not set for section `.debug_aranges' ================================================================= ==7==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x61200000b5c0 in thread T0 #0 
0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca) #1 0x6a2c70 in _bfd_dwarf2_cleanup_debug_info dwarf2.c:5018 #2 0x6a3332 in _bfd_dwarf2_slurp_debug_info dwarf2.c:4354 #3 0x6a7a8e in _bfd_dwarf2_find_nearest_line dwarf2.c:4687 #4 0x587f99 in _bfd_elf_find_nearest_line /binutils-gdb/bfd/elf.c:9005 #5 0x40d9be in print_symbol /binutils-gdb/binutils/nm.c:1008 #6 0x40ec98 in print_symbols /binutils-gdb/binutils/nm.c:1088 #7 0x40ec98 in display_rel_file /binutils-gdb/binutils/nm.c:1210 #8 0x411b5d in display_file /binutils-gdb/binutils/nm.c:1377 #9 0x4077a7 in main /binutils-gdb/binutils/nm.c:1858 #10 0x7ffff66a282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #11 0x4094b8 in _start (/binutils-gdb/binutils/nm-new+0x4094b8) 0x61200000b5c0 is located 48 bytes inside of 253629440-byte region [0x61200000b590,0x61200f1ec990) ==7==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_allocator2.cc:186 "((res.trace)) != (0)" (0x0, 0x0) #0 0x7ffff6f0a631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631) #1 0x7ffff6f0f5e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3) #2 0x7ffff6e8776c (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d76c) #3 0x7ffff6e8861e (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1e61e) #4 0x7ffff6f07380 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9d380) #5 0x7ffff6f08727 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9e727) #6 0x7ffff6e8b617 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x21617) #7 0x7ffff6f0229d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d) #8 0x6a2c70 in _bfd_dwarf2_cleanup_debug_info dwarf2.c:5018 #9 0x6a3332 in _bfd_dwarf2_slurp_debug_info dwarf2.c:4354 #10 0x6a7a8e in _bfd_dwarf2_find_nearest_line dwarf2.c:4687 #11 0x587f99 in _bfd_elf_find_nearest_line /binutils-gdb/bfd/elf.c:9005 #12 0x40d9be in print_symbol /binutils-gdb/binutils/nm.c:1008 #13 0x40ec98 in 
print_symbols /binutils-gdb/binutils/nm.c:1088 #14 0x40ec98 in display_rel_file /binutils-gdb/binutils/nm.c:1210 #15 0x411b5d in display_file /binutils-gdb/binutils/nm.c:1377 #16 0x4077a7 in main /binutils-gdb/binutils/nm.c:1858 #17 0x7ffff66a282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #18 0x4094b8 in _start (/binutils-gdb/binutils/nm-new+0x4094b8)
```

A reproducible docker image has been pushed to `zjuchenyuan/dockerized_poc:binutils-pocs`, but the ASAN build does not seem to give backtrace information.

Dockerfile: (I would suggest removing the AFL_USE_ASAN environment variable if you want to get poc4 backtrace information)

```
FROM zjuchenyuan/afl
ENV AFL_USE_ASAN=1
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done &&\
    cd binutils &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt
RUN apt install -y gdb &&\
    echo -e "set pagination off\nset confirm off" > /root/.gdbinit
ADD . /
# we may need to compile again without ASAN to use gdb
RUN gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc4_invalid-free__bfd_dwarf2_cleanup_debug_info' -ex bt -ex quit
RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc5_invalid-free__bfd_dwarf2_cleanup_debug_info || exit 0
```
Created attachment 12029 [details] poc5
Both of these testcases trigger the same overflow as pr25070 *** This bug has been marked as a duplicate of bug 25070 ***