Bug 28055 - Segment fault on nm-new -l
Summary: Segment fault on nm-new -l
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.38 (HEAD)
: P2 normal
Target Milestone: 2.38
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-04 22:13 UTC by Shaohua Li
Modified: 2021-07-06 01:14 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2021-07-05 00:00:00


Attachments
poc (784 bytes, application/x-object)
2021-07-04 22:13 UTC, Shaohua Li
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Shaohua Li 2021-07-04 22:13:03 UTC
Created attachment 13536 [details]
poc

Hi there,

I crashed `nm-new -l` with a fuzzer.

- Compiler: clang12
- Platform: Ubuntu 18.04.5 LTS, x86_64
- Reproduce: run `nm-new -l poc`

AddressSanitizer report:

==8695==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000097d395 bp 0x000000000008 sp 0x7ffd8e175e40 T0)
==8695==The signal is caused by a READ memory access.
==8695==Hint: address points to the zero page.
    #0 0x97d395 in bpf_elf_generic_reloc //shared/targets/nm-new/repo/bfd/elf64-bpf.c:651:7
    #1 0x10414f8 in bfd_perform_relocation //shared/targets/nm-new/repo/bfd/reloc.c:711:14
    #2 0x1044646 in bfd_generic_get_relocated_section_contents //shared/targets/nm-new/repo/bfd/reloc.c:8463:10
    #3 0x1045a35 in bfd_simple_get_relocated_section_contents //shared/targets/nm-new/repo/bfd/simple.c:298:14
    #4 0x62f126 in read_section //shared/targets/nm-new/repo/bfd/./dwarf2.c:582:7
    #5 0x62c867 in _bfd_dwarf2_slurp_debug_info //shared/targets/nm-new/repo/bfd/./dwarf2.c:4740:13
    #6 0x635cdd in _bfd_dwarf2_find_nearest_line //shared/targets/nm-new/repo/bfd/./dwarf2.c:4988:9
    #7 0x59692a in _bfd_elf_find_line //shared/targets/nm-new/repo/bfd/elf.c:9241:10
    #8 0x4cea5a in print_symbol //shared/targets/nm-new/repo/binutils/nm.c:1071:9
    #9 0x4ccfed in print_symbols //shared/targets/nm-new/repo/binutils/nm.c:1152:7
    #10 0x4ccfed in display_rel_file //shared/targets/nm-new/repo/binutils/nm.c:1279:5
    #11 0x4c94ea in display_file //shared/targets/nm-new/repo/binutils/nm.c:1446:7
    #12 0x4c8add in main //shared/targets/nm-new/repo/binutils/nm.c:1965:12
    #13 0x7f07677b5bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #14 0x41c149 in _start (/out_bin/nm-new+0x41c149)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV //shared/targets/nm-new/repo/bfd/elf64-bpf.c:651:7 in bpf_elf_generic_reloc
==8695==ABORTING
Comment 1 cvs-commit@gcc.gnu.org 2021-07-05 12:23:23 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b4c4b8aaad84853ddf1b2779a5f1bbe5be157397

commit b4c4b8aaad84853ddf1b2779a5f1bbe5be157397
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Jul 5 16:31:30 2021 +0930

    PR28055, segfault in bpf special reloc function
    
    The testcase in this PR tickled two bugs fixed here.  output_bfd is
    NULL when a reloc special_function is called for final linking and
    when called from bfd_generic_get_relocated_section_contents.  Clearly
    using output_bfd is wrong as it results in segfaults.  Not only that,
    the endianness of the reloc field really should be that of the input.
    The second bug was not checking that the entire reloc field was
    contained in the section contents.
    
            PR 28055
            * elf64-bpf.c (bpf_elf_generic_reloc): Use correct bfd for bfd_put
            and bfd_put_32 calls.  Correct section limit checks.
Comment 2 Alan Modra 2021-07-05 12:37:14 UTC
Patch applied
Comment 3 cvs-commit@gcc.gnu.org 2021-07-06 01:14:48 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=07b2745f850232e1c2fdafb0f65ea88e6127218b

commit 07b2745f850232e1c2fdafb0f65ea88e6127218b
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Jul 6 10:23:10 2021 +0930

    Re: PR28055, segfault in bpf special reloc function
    
            PR 28055
            * elf64-bpf.c (bpf_elf_generic_reloc): Add missing ATTRIBUTE_UNUSED.