Created attachment 13536: poc

Hi there,

I crashed `nm-new -l` with a fuzzer.

- Compiler: clang12
- Platform: Ubuntu 18.04.5 LTS, x86_64
- Reproduce: run `nm-new -l poc`

AddressSanitizer report:

==8695==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000097d395 bp 0x000000000008 sp 0x7ffd8e175e40 T0)
==8695==The signal is caused by a READ memory access.
==8695==Hint: address points to the zero page.
    #0 0x97d395 in bpf_elf_generic_reloc //shared/targets/nm-new/repo/bfd/elf64-bpf.c:651:7
    #1 0x10414f8 in bfd_perform_relocation //shared/targets/nm-new/repo/bfd/reloc.c:711:14
    #2 0x1044646 in bfd_generic_get_relocated_section_contents //shared/targets/nm-new/repo/bfd/reloc.c:8463:10
    #3 0x1045a35 in bfd_simple_get_relocated_section_contents //shared/targets/nm-new/repo/bfd/simple.c:298:14
    #4 0x62f126 in read_section //shared/targets/nm-new/repo/bfd/./dwarf2.c:582:7
    #5 0x62c867 in _bfd_dwarf2_slurp_debug_info //shared/targets/nm-new/repo/bfd/./dwarf2.c:4740:13
    #6 0x635cdd in _bfd_dwarf2_find_nearest_line //shared/targets/nm-new/repo/bfd/./dwarf2.c:4988:9
    #7 0x59692a in _bfd_elf_find_line //shared/targets/nm-new/repo/bfd/elf.c:9241:10
    #8 0x4cea5a in print_symbol //shared/targets/nm-new/repo/binutils/nm.c:1071:9
    #9 0x4ccfed in print_symbols //shared/targets/nm-new/repo/binutils/nm.c:1152:7
    #10 0x4ccfed in display_rel_file //shared/targets/nm-new/repo/binutils/nm.c:1279:5
    #11 0x4c94ea in display_file //shared/targets/nm-new/repo/binutils/nm.c:1446:7
    #12 0x4c8add in main //shared/targets/nm-new/repo/binutils/nm.c:1965:12
    #13 0x7f07677b5bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #14 0x41c149 in _start (/out_bin/nm-new+0x41c149)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV //shared/targets/nm-new/repo/bfd/elf64-bpf.c:651:7 in bpf_elf_generic_reloc
==8695==ABORTING
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b4c4b8aaad84853ddf1b2779a5f1bbe5be157397

commit b4c4b8aaad84853ddf1b2779a5f1bbe5be157397
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Jul 5 16:31:30 2021 +0930

    PR28055, segfault in bpf special reloc function

    The testcase in this PR tickled two bugs fixed here.  output_bfd is NULL
    when a reloc special_function is called for final linking and when called
    from bfd_generic_get_relocated_section_contents.  Clearly using output_bfd
    is wrong as it results in segfaults.  Not only that, the endianness of the
    reloc field really should be that of the input.  The second bug was not
    checking that the entire reloc field was contained in the section contents.

    	PR 28055
    	* elf64-bpf.c (bpf_elf_generic_reloc): Use correct bfd for bfd_put
    	and bfd_put_32 calls.  Correct section limit checks.
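The second bug named in the commit message above, a relocation field that is not checked to lie entirely inside the section contents, is the general pattern behind out-of-bounds reads on fuzzed object files. The block below is an added example written for this page; it is not code from binutils or from the commit above. It assumes a constructed 8-byte section and a hypothetical helper API, and contrasts the strict "whole field inside the section" check with the weaker "start offset inside the section" check, then reads a 32-bit field in the endianness of the input object, which the commit message says is the one that should be used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Strict check: the whole field [offset, offset + field_size) must lie
   inside a section of sec_size bytes. Done as a subtraction so that
   offset + field_size can never wrap around. (Hypothetical helper.) */
static bool reloc_field_in_section(size_t sec_size, size_t offset, size_t field_size)
{
    if (field_size == 0)
        return false;                     /* a zero-width field is never valid */
    if (offset > sec_size)
        return false;                     /* start is already past the end */
    return field_size <= sec_size - offset;
}

/* Weak check, shown for contrast: it only proves the first byte is inside
   the section, so a field that straddles the end still passes. */
static bool reloc_start_in_section(size_t sec_size, size_t offset)
{
    return offset < sec_size;
}

/* Read a 32-bit relocation field after bounds-checking it. The endianness
   flag is the *input* object's, as the commit message above requires.
   Returns false and leaves *out untouched if the field is out of bounds. */
static bool read_reloc_field32(const uint8_t *contents, size_t sec_size,
                               size_t offset, bool big_endian, uint32_t *out)
{
    if (!reloc_field_in_section(sec_size, offset, 4))
        return false;
    const uint8_t *p = contents + offset;
    *out = big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
    return true;
}

/* Constructed sample section contents (not taken from any real object). */
static const uint8_t kSection[8] = { 0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB, 0xCC, 0xDD };

/* Convenience wrapper over the sample section: returns the field value,
   or -1 when the bounds check rejects the offset. */
static long long demo_read(size_t offset, bool big_endian)
{
    uint32_t v = 0;
    if (!read_reloc_field32(kSection, sizeof kSection, offset, big_endian, &v))
        return -1;
    return (long long)v;
}

int main(void)
{
    /* Offset 5 passes the weak check but a 4-byte field there runs 1 byte
       past the section, which the strict check rejects. */
    printf("weak check at 5:   %d\n", reloc_start_in_section(sizeof kSection, 5));
    printf("strict check at 5: %d\n", reloc_field_in_section(sizeof kSection, 5, 4));
    printf("BE field at 0: 0x%08llx\n", demo_read(0, true));
    printf("LE field at 4: 0x%08llx\n", demo_read(4, false));
    printf("field at 6:    %lld\n", demo_read(6, true));
    return 0;
}
```

The subtraction form `field_size <= sec_size - offset` (after checking `offset <= sec_size`) is what makes the check safe for hostile offsets: an `offset + field_size <= sec_size` comparison can wrap on 64-bit `size_t` input coming straight from a file and pass when it should fail.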
Patch applied
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=07b2745f850232e1c2fdafb0f65ea88e6127218b

commit 07b2745f850232e1c2fdafb0f65ea88e6127218b
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Jul 6 10:23:10 2021 +0930

    Re: PR28055, segfault in bpf special reloc function

    	PR 28055
    	* elf64-bpf.c (bpf_elf_generic_reloc): Add missing ATTRIBUTE_UNUSED.