Bug 26774 - objcopy : SIGSEGV in srec.c:1099
Summary: objcopy : SIGSEGV in srec.c:1099
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.36
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-22 13:37 UTC by WU,ZONG-YUAN
Modified: 2020-10-28 11:10 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
file that reproduces this problem (2.03 KB, application/x-executable)
2020-10-22 13:37 UTC, WU,ZONG-YUAN

Description WU,ZONG-YUAN 2020-10-22 13:37:45 UTC
Created attachment 12916
file that reproduces this problem

OS : ubuntu 18.04.3
kernel : gnu/linux 5.4.0-52-generic
CPU : Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
compiler : gcc version 7.5.0

Steps to Reproduce :
download the sample from attachment

~/binutils-gdb/binutils/objcopy  -O symbolsrec --add-symbol function_name=.text:0x900,function,global./sample

gdb backtrace :
gdb-peda$ bt
#0  0x00005555555b11f8 in sprintf (__fmt=0x55555565cd7b "%016lx", __s=0x7fffffffdab2 "") at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
#1  srec_write_symbols (abfd=0x5555558b35f0) at srec.c:1099
#2  internal_srec_write_object_contents (abfd=0x5555558b35f0, symbols=<optimized out>) at srec.c:1130
#3  0x00005555555ab56a in bfd_close (abfd=0x5555558b35f0) at opncls.c:775
#4  0x000055555558ed56 in copy_file (input_filename=0x7fffffffe1d9 "/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/id:000000,sig:06,src:000000,op:arg1,pos:0", 
    output_filename=0x5555558b2440 "/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/stUTQ9Kk", input_target=<optimized out>, output_target=<optimized out>, input_arch=0x0) at objcopy.c:3845
#5  0x0000555555587458 in copy_main (argv=<optimized out>, argc=<optimized out>) at objcopy.c:5899
#6  main (argc=<optimized out>, argc@entry=0x6, argv=<optimized out>, argv@entry=0x7fffffffddd8) at objcopy.c:6025
#7  0x00007ffff7801b97 in __libc_start_main (main=0x555555587030 <main>, argc=0x6, argv=0x7fffffffddd8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffddc8)
    at ../csu/libc-start.c:310
#8  0x0000555555589b2a in _start ()

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555558b3970 --> 0x5555558b9920 --> 0x5555558b35f0 --> 0x5555558b9430 ("/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/stUTQ9Kk")
RCX: 0x55555565cd7b --> 0x4c00786c36313025 ('%016lx')
RDX: 0x29 (')')
RSI: 0x1 
RDI: 0x7fffffffdab0 --> 0x0 
RBP: 0x5555558b3978 --> 0x0 
RSP: 0x7fffffffdaa0 --> 0xd ('\r')
RIP: 0x5555555b11f8 (<internal_srec_write_object_contents+712>:	add    r8,QWORD PTR [rax+0x38])
R8 : 0x900 ('')
R9 : 0x0 
R10: 0x5555558b0010 --> 0x1010101010101 
R11: 0x1 
R12: 0x5555558b35f0 --> 0x5555558b9430 ("/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/stUTQ9Kk")
R13: 0x5555558b9470 --> 0x5555558b9950 --> 0x5555558b9990 --> 0x5555558b99d0 --> 0x5555558b9a18 --> 0x5555558b9a70 (--> ...)
R14: 0x7fffffffdab2 --> 0x8982000000000000 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555b11ec <internal_srec_write_object_contents+700>:	mov    rax,QWORD PTR [rax+0x70]
   0x5555555b11f0 <internal_srec_write_object_contents+704>:	add    r8,QWORD PTR [r14+0x10]
   0x5555555b11f4 <internal_srec_write_object_contents+708>:	lea    r14,[rdi+0x2]
=> 0x5555555b11f8 <internal_srec_write_object_contents+712>:	add    r8,QWORD PTR [rax+0x38]
   0x5555555b11fc <internal_srec_write_object_contents+716>:	mov    rdi,r14
   0x5555555b11ff <internal_srec_write_object_contents+719>:	xor    eax,eax
   0x5555555b1201 <internal_srec_write_object_contents+721>:	call   0x555555585150 <__sprintf_chk@plt>
   0x5555555b1206 <internal_srec_write_object_contents+726>:	cmp    BYTE PTR [rsp+0x12],0x30
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdaa0 --> 0xd ('\r')
0008| 0x7fffffffdaa8 --> 0x7fffffffdab0 --> 0x0 
0016| 0x7fffffffdab0 --> 0x0 
0024| 0x7fffffffdab8 --> 0x5f918982 
0032| 0x7fffffffdac0 --> 0x15ac54a8 
0040| 0x7fffffffdac8 --> 0x5f918982 
0048| 0x7fffffffdad0 --> 0x15ac54a8 
0056| 0x7fffffffdad8 --> 0x5f918982 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555b11f8 in sprintf (__fmt=0x55555565cd7b "%016lx", __s=0x7fffffffdab2 "") at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
33	  return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
Comment 1 WU,ZONG-YUAN 2020-10-23 10:58:05 UTC
I forgot to add one space.
Steps to Reproduce are:
~/binutils-gdb/binutils/objcopy -O symbolsrec --add-symbol function_name=.text:0x900,function,global ./sample
Comment 2 Sourceware Commits 2020-10-28 11:08:36 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2aec1123f9ec86cd190767c9852cb77ed2c017ec

commit 2aec1123f9ec86cd190767c9852cb77ed2c017ec
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Oct 28 11:07:02 2020 +0000

    Fix a potential illegal memory access when creating an srec format file.
    
            PR 26774
            * srec.c (srec_write_symbols): Do not emit symbols in sections
            that have been removed from the output.
Comment 3 Nick Clifton 2020-10-28 11:10:28 UTC
Hi Wu,

  Thanks for reporting this bug.  The code to create the srec format
  output file was assuming that all symbols had been assigned to 
  sections, but your test case proved that this does not have to be
  true.  I have checked in a small patch to add a check for this
  situation.

Cheers
  Nick
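Added example (not code from binutils or from anyone on this thread). The register dump above shows the faulting instruction `add r8,QWORD PTR [rax+0x38]` with RAX at 0x0 and R8 holding 0x900, the value given to `--add-symbol`: the symbol writer is adding the symbol's value to a field of its section's output section, and that output section pointer is NULL because `.text` is not present in the output. The model below reproduces the shape of that computation and the guard the commit message describes (skip symbols whose section has been removed from the output). The struct layout, the `$$ filename` / `  name $addr` / `$$ ` symbolsrec layout, the field names and the `symbol_output_address` helper are my reconstruction and assumptions, not a copy of srec.c; the input is constructed to mirror the reporter's command line.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cut-down model of the two BFD structures the srec symbol writer touches
   (hypothetical; field names follow BFD, layout does not). */
struct section {
    const char *name;
    unsigned long lma;               /* load address of the output section */
    unsigned long output_offset;     /* where this input section lands in it */
    struct section *output_section;  /* NULL once objcopy has dropped the section */
};

struct symbol {
    const char *name;
    unsigned long value;             /* offset within its section */
    struct section *section;
};

/* Final address of a symbol in the output.  This is the dereference chain
   that crashed: value + section->output_section->lma + output_offset, with
   output_section == NULL.  Callers must check the section survived first. */
static unsigned long symbol_output_address(const struct symbol *s)
{
    return s->value + s->section->output_section->lma + s->section->output_offset;
}

/* Write the symbol table that precedes the S-records in "symbolsrec" output
   into `out`.  Assumed layout: "$$ <filename>\r\n", one "  <name> $<hex>\r\n"
   line per symbol with leading zeros dropped, then "$$ \r\n".  Symbols whose
   section has no output section are skipped rather than dereferenced (the
   PR 26774 fix as I read the commit message).  Returns the number of symbols
   skipped, or -1 if `out` cannot hold the table. */
int write_symbolsrec_symbols(const struct symbol *syms, size_t nsyms,
                             const char *filename, char *out, size_t outsz)
{
    size_t pos = 0;
    int skipped = 0;
    int n;

    n = snprintf(out + pos, outsz - pos, "$$ %s\r\n", filename);
    if (n < 0 || (size_t)n >= outsz - pos)
        return -1;
    pos += (size_t)n;

    for (size_t i = 0; i < nsyms; i++) {
        const struct symbol *s = &syms[i];
        /* The guard: a symbol in a removed section has no address to emit. */
        if (s->section == NULL || s->section->output_section == NULL) {
            skipped++;
            continue;
        }
        n = snprintf(out + pos, outsz - pos, "  %s $%lx\r\n",
                     s->name, symbol_output_address(s));
        if (n < 0 || (size_t)n >= outsz - pos)
            return -1;
        pos += (size_t)n;
    }

    n = snprintf(out + pos, outsz - pos, "$$ \r\n");
    if (n < 0 || (size_t)n >= outsz - pos)
        return -1;
    return skipped;
}

/* Constructed scenario mirroring the report: `.text` is absent from the
   output (output_section == NULL) while --add-symbol still placed
   function_name at .text:0x900; `.data` survives and carries one symbol. */
int run_scenario(char *out, size_t outsz)
{
    static struct section data = { ".data", 0x2000, 0, &data };  /* kept */
    static struct section text = { ".text", 0, 0, NULL };        /* removed */
    struct symbol syms[] = {
        { "main", 0x10, &data },
        { "function_name", 0x900, &text },   /* unguarded: NULL deref */
    };
    return write_symbolsrec_symbols(syms, 2, "sample", out, outsz);
}

int main(void)
{
    char buf[256];
    int skipped = run_scenario(buf, sizeof buf);
    fputs(buf, stdout);
    printf("skipped %d symbol(s) whose section was removed\n", skipped);
    return skipped < 0;
}
```

Without the `output_section == NULL` test in the loop, `symbol_output_address` performs the same NULL-based read as the `[rax+0x38]` access in the backtrace; with it, the orphaned symbol is simply left out of the table and the rest of the file is written normally.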