Bug 28542 - Undefined behaviours in readelf.c
Summary: Undefined behaviours in readelf.c
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.38
Importance: P2 normal
Target Milestone: 2.38
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-04 10:58 UTC by Shaohua Li
Modified: 2021-11-15 02:22 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
poc_undefined (4.59 KB, application/x-sharedlib)
2021-11-04 10:58 UTC, Shaohua Li

Description Shaohua Li 2021-11-04 10:58:25 UTC
Created attachment 13758 [details]
poc_undefined

Hi there,

I compiled binutils (git HEAD) with -fsanitize=undefined, and found that the sanitizer complained at two locations in readelf.c.

Another consequence of this issue is that if you compile binutils with gcc11, you will find that their outputs are different.

- Compiler: clang13 (compile with -fsanitize=undefined)

- Platform: Ubuntu 20.04.3 LTS, x86_64

- Reproduce: run `readelf -aD poc_undefined  | grep Undefined`

Undefined sanitizer report:
===============
readelf.c:1761:15: runtime error: applying non-zero offset 320 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior readelf.c:1761:15 in
861,863c85

readelf.c:12635:18: runtime error: applying non-zero offset 320 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior readelf.c:12635:18
Comment 1 cvs-commit@gcc.gnu.org 2021-11-09 22:50:44 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b9af637988e82ddfe71bde5ddcb5d9b3a4673acd

commit b9af637988e82ddfe71bde5ddcb5d9b3a4673acd
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Nov 9 09:02:03 2021 +1030

    PR28542, Undefined behaviours in readelf.c
    
            PR 28542
            * readelf.c (dump_relocations): Check that section headers have
            been read before attempting to access section name.
            (print_dynamic_symbol): Likewise.
            (process_mips_specific): Delete dead code.
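The fix described in the commit above guards the section-name lookup on whether the section header table was actually read. The following is an added example, not binutils' own code: the `filedata` and `section_header` structs, the `section_name_unchecked` / `section_name_checked` functions and the constructed string table are assumptions for illustration only. It shows the pointer arithmetic pattern UBSan reports as "applying non-zero offset to null pointer" beside the guarded form; compile with `-fsanitize=undefined` to see the difference.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for an ELF section header (constructed for this example). */
typedef struct {
    uint32_t sh_name;            /* offset of the name in the string table */
} section_header;

/* Stand-in for the per-file state a reader keeps (constructed; not binutils'). */
typedef struct {
    section_header *section_headers;   /* NULL until the table has been read */
    size_t          num_section_headers;
    const char     *string_table;       /* NUL-separated section names */
    size_t          string_table_length;
} filedata;

/* Constructed sample string table: "" at 0, ".text" at 1, ".dynsym" at 7,
   ".dynstr" at 15.  sizeof includes the final NUL, so the length is 23. */
static const char sample_strtab[] = "\0.text\0.dynsym\0.dynstr";
static section_header sample_headers[] = { {0}, {1}, {7}, {15} };

/* Unguarded lookup.  Forming section_headers + index happens BEFORE any
   check of whether the table was read.  When section_headers is NULL and
   index is non-zero this is undefined behaviour, which is exactly what the
   sanitizer reports in this bug; a later NULL check cannot undo it. */
const char *
section_name_unchecked (const filedata *fd, size_t index)
{
    const section_header *hdr = fd->section_headers + index;   /* UB if NULL */
    if (hdr == NULL || fd->string_table == NULL)               /* too late */
        return "<none>";
    return fd->string_table + hdr->sh_name;
}

/* Guarded lookup, following the shape of the fix: establish that the header
   table exists and the index is in range before forming any pointer into it,
   then bounds-check the name offset against the string table. */
const char *
section_name_checked (const filedata *fd, size_t index)
{
    if (fd->section_headers == NULL || index >= fd->num_section_headers)
        return "<none>";
    const section_header *hdr = &fd->section_headers[index];
    if (fd->string_table == NULL || hdr->sh_name >= fd->string_table_length)
        return "<corrupt>";
    return fd->string_table + hdr->sh_name;
}

/* Helper for the reader: look a name up on a file whose section headers
   either were (headers_read != 0) or were not read, as happens when only
   the dynamic segment is processed. */
const char *
lookup_name (int headers_read, size_t index)
{
    filedata fd;
    fd.section_headers     = headers_read ? sample_headers : NULL;
    fd.num_section_headers = headers_read ? 4 : 0;
    fd.string_table        = sample_strtab;
    fd.string_table_length = sizeof sample_strtab;
    return section_name_checked (&fd, index);
}

/* Same lookup through the unguarded path, only on a table that was read. */
const char *
lookup_name_unchecked_on_read_table (size_t index)
{
    filedata fd = { sample_headers, 4, sample_strtab, sizeof sample_strtab };
    return section_name_unchecked (&fd, index);
}

int
main (void)
{
    printf ("headers read,   index 2: %s\n", lookup_name (1, 2));
    printf ("headers read,   index 9: %s\n", lookup_name (1, 9));
    printf ("headers unread, index 2: %s\n", lookup_name (0, 2));
    printf ("unchecked path, index 1: %s\n", lookup_name_unchecked_on_read_table (1));
    return 0;
}
```

With the guard in place the "headers unread" case returns a placeholder instead of computing a pointer from NULL, which is the behaviour the commit restores; the out-of-range index and bad `sh_name` checks are the same defensive idea applied to the other untrusted values a malformed file controls.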
Comment 2 Alan Modra 2021-11-15 02:22:55 UTC
Fixed