Bug 27779 - SEGV on parse_gnu_debuglink()
Summary: SEGV on parse_gnu_debuglink()
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.36
Importance: P2 normal
Target Milestone: ---
Assignee: Nick Clifton
Reported: 2021-04-27 01:09 UTC by liuchenyifan
Modified: 2022-06-22 06:31 UTC

Last reconfirmed: 2021-04-27 00:00:00


Attachments:
objdump crash (62 bytes, text/x-matlab), 2021-04-27 01:09 UTC, liuchenyifan

Description liuchenyifan 2021-04-27 01:09:07 UTC
Created attachment 13400 [details]
objdump crash

environment: binutils 2.36.50.20210426 on centos linux 7.7.1908
command: objdump -D PoC

information below from asan:
ASAN:DEADLYSIGNAL
=================================================================
==29822==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7fff555aa340 sp 0x7fff555aa318 T0)
==29822==Hint: pc points to the zero page.
==29822==The signal is caused by a READ memory access.
==29822==Hint: address points to the zero page.

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>) 
==29822==ABORTING

information below from valgrind:
==11147== Memcheck, a memory error detector
==11147== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==11147== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==11147== Command: /root/target_programs/binutils-gdb/program/objdump -D ./crash/id:000000,sig:11,src:1345252670,op:flip2,pos:7
==11147== 

==11147== Jump to the invalid address stated on the next line
==11147==    at 0x0: ???
==11147==    by 0x46C28E: parse_gnu_debuglink (dwarf.c:10964)
==11147==    by 0x46C28E: load_separate_debug_info (dwarf.c:11110)
==11147==    by 0x46C28E: check_for_and_load_links (dwarf.c:11415)
==11147==    by 0x4E6A9A: load_separate_debug_files (dwarf.c:11531)
==11147==    by 0x42C3FA: dump_bfd (objdump.c:4815)
==11147==    by 0x42E6D4: display_object_bfd (objdump.c:5001)
==11147==    by 0x40F6F6: display_file (objdump.c:5112)
==11147==    by 0x40F6F6: main (objdump.c:5462)
==11147==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==11147== 
==11147== 
==11147== Process terminating with default action of signal 11 (SIGSEGV)
==11147==  Bad permissions for mapped region at address 0x0
==11147==    at 0x0: ???
==11147==    by 0x46C28E: parse_gnu_debuglink (dwarf.c:10964)
==11147==    by 0x46C28E: load_separate_debug_info (dwarf.c:11110)
==11147==    by 0x46C28E: check_for_and_load_links (dwarf.c:11415)
==11147==    by 0x4E6A9A: load_separate_debug_files (dwarf.c:11531)
==11147==    by 0x42C3FA: dump_bfd (objdump.c:4815)
==11147==    by 0x42E6D4: display_object_bfd (objdump.c:5001)
==11147==    by 0x40F6F6: display_file (objdump.c:5112)
==11147==    by 0x40F6F6: main (objdump.c:5462)
==11147== 
==11147== HEAP SUMMARY:
==11147==     in use at exit: 78,130 bytes in 33 blocks
==11147==   total heap usage: 105 allocs, 72 frees, 342,311 bytes allocated
==11147== 
==11147== LEAK SUMMARY:
==11147==    definitely lost: 0 bytes in 0 blocks
==11147==    indirectly lost: 0 bytes in 0 blocks
==11147==      possibly lost: 0 bytes in 0 blocks
==11147==    still reachable: 78,130 bytes in 33 blocks
==11147==         suppressed: 0 bytes in 0 blocks
==11147== Rerun with --leak-check=full to see details of leaked memory
==11147== 
==11147== For lists of detected and suppressed errors, rerun with: -s
==11147== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Comment 1 cvs-commit@gcc.gnu.org 2021-04-27 14:20:11 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3d64c987c7ca9451bae7dd23ce147ce460caeb20

commit 3d64c987c7ca9451bae7dd23ce147ce460caeb20
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Apr 27 15:19:41 2021 +0100

    Reject debuglink sections with no associated filename.
    
            PR 27779
            * dwarf.c (parse_gnu_debuglink): Reject empty names.
            (parse_gnu_debugaltlink): Likewise.
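As an added illustration of the check this commit describes (example code written for this page, not binutils' own dwarf.c): a parser for a .gnu_debuglink section body that rejects a link whose file name is empty, a name that is not NUL-terminated inside the section, and a CRC that does not fit. The sample sections are constructed inline, and the CRC is read little-endian, which is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct debuglink {
    const char *name;   /* file name, pointing into the section buffer */
    uint32_t    crc32;  /* CRC32 of the separate debug file */
};
/* Parse a .gnu_debuglink body: NUL-terminated file name, zero padding to
   a 4-byte boundary, then a 4-byte CRC32.  Returns 1 on success, 0 when
   the section is malformed.  The CRC is read little-endian here, an
   assumption of this example (real tools use the target's byte order).  */
int parse_debuglink(const uint8_t *sec, size_t size, struct debuglink *out)
{
    const uint8_t *nul;
    size_t name_len, crc_off;
    if (sec == NULL || out == NULL || size < 8)
        return 0;                          /* no room for name + CRC */
    nul = memchr(sec, '\0', size);         /* name must end inside the section */
    if (nul == NULL)
        return 0;
    name_len = (size_t)(nul - sec);
    if (name_len == 0)                     /* the check added for PR 27779: */
        return 0;                          /* a link with no name is rejected */
    crc_off = (name_len + 1 + 3) & ~(size_t)3;
    if (crc_off > size - 4)                /* CRC must fit in the section */
        return 0;
    out->name  = (const char *)sec;
    out->crc32 = (uint32_t)sec[crc_off] | (uint32_t)sec[crc_off + 1] << 8
               | (uint32_t)sec[crc_off + 2] << 16 | (uint32_t)sec[crc_off + 3] << 24;
    return 1;
}

/* Constructed sample sections (not the attached PoC).  */
static const uint8_t good_link[12] = { 'a','.','d','e','b','u','g',0, 0x78,0x56,0x34,0x12 };
static const uint8_t empty_name[8] = { 0,0,0,0, 1,2,3,4 };  /* link with no file name */
static const uint8_t no_nul[8]     = { 'a','b','c','d','e','f','g','h' };

/* Parses the good link and checks that the malformed ones are rejected.
   Returns the parsed CRC (0x12345678) on success, 0 on any failure.  */
uint32_t demo(void)
{
    struct debuglink dl;
    if (!parse_debuglink(good_link, sizeof good_link, &dl)) return 0;
    if (strcmp(dl.name, "a.debug") != 0) return 0;
    if (parse_debuglink(empty_name, sizeof empty_name, &dl)) return 0;
    if (parse_debuglink(no_nul, sizeof no_nul, &dl)) return 0;
    return dl.crc32;
}
```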
Comment 2 Nick Clifton 2021-04-27 14:21:16 UTC
Hi Liuchenyifan,

  Thanks for reporting this bug.  I have checked in a small patch to fix the problem.

Cheers
  Nick
Comment 3 liuchenyifan 2021-08-14 08:30:29 UTC
(In reply to Nick Clifton from comment #2)
> Hi Liuchenyifan,
> 
>   Thanks for reporting this bug.  I have checked in a small patch to fix the
> problem.
> 
> Cheers
>   Nick

Hi Nick,

    Could I get a CVE number for this bug? If I could, please tell me how to go there.

Thanks
  Liu
Comment 4 Nick Clifton 2021-08-16 13:10:04 UTC
(In reply to liuchenyifan from comment #3)
Hi Liu,

>     Could I get a CVE number for this bug? If I could, please tell me how to
> go there.

Sorry - I cannot allocate CVE numbers.  You need to contact the Mitre organization:

  https://cve.mitre.org/cve/request_id.html
Comment 5 liuchenyifan 2021-08-16 14:24:38 UTC
(In reply to Nick Clifton from comment #4)
> (In reply to liuchenyifan from comment #3)
> Hi Liu,
> 
> >     Could I get a CVE number for this bug? If I could, please tell me how to
> > go there.
> 
> Sorry - I cannot allocate CVE numbers.  You need to contact the Mitre
> organization:
> 
>   https://cve.mitre.org/cve/request_id.html

Yeah, I have tried it. My colleagues and I have reported some pretty serious bugs, but haven't got any reply from cve_mitre since last year.
Anyway, thanks for your reply.