Bug 29230 - nm-new segv in lookup_symbol_in_variable_table:dwarf2.c:3303
Summary: nm-new segv in lookup_symbol_in_variable_table:dwarf2.c:3303
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.39
Importance: P2 normal
Target Milestone: 2.39
Assignee: Alan Modra
URL:
Keywords:
Duplicates: 29231
Depends on:
Blocks:
Reported: 2022-06-07 21:06 UTC by Shaohua Li
Modified: 2022-06-15 04:07 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2022-06-14 00:00:00
Attachments
poc (5.25 KB, application/x-sharedlib)
2022-06-07 21:06 UTC, Shaohua Li

Description Shaohua Li 2022-06-07 21:06:07 UTC
Created attachment 14135: poc

On the given poc file, `nm-new -l` crashes.

AddressSanitizer report:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3976414==ERROR: AddressSanitizer: SEGV on unknown address 0x00001601006a (pc 0x000000430fc5 bp 0x7ffd20f95920 sp 0x7ffd20f950c0 T0)
==3976414==The signal is caused by a READ memory access.
    #0 0x430fc5 in strcmp (/objdump/repo/binutils-asan/binutils/nm-new+0x430fc5)
    #1 0x9e854e in lookup_symbol_in_variable_table //objdump/repo/binutils-asan/bfd/./dwarf2.c:3303:5
    #2 0x9aeee6 in comp_unit_find_line //objdump/repo/binutils-asan/bfd/./dwarf2.c:4636:10
    #3 0x9aa86b in _bfd_dwarf2_find_nearest_line //objdump/repo/binutils-asan/bfd/./dwarf2.c:5729:11
    #4 0x77d87f in _bfd_elf_find_line //objdump/repo/binutils-asan/bfd/elf.c:9349:10
    #5 0x4e2723 in print_symbol //objdump/repo/binutils-asan/binutils/nm.c:1322:9
    #6 0x4db407 in print_symbols //objdump/repo/binutils-asan/binutils/nm.c:1403:7
    #7 0x4d7434 in display_rel_file //objdump/repo/binutils-asan/binutils/nm.c:1530:5
    #8 0x4cd20d in display_file //objdump/repo/binutils-asan/binutils/nm.c:1683:7
    #9 0x4cc1f0 in main //objdump/repo/binutils-asan/binutils/nm.c:2203:12
    #10 0x7f6de33cb082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #11 0x41c52d in _start (/objdump/repo/binutils-asan/binutils/nm-new+0x41c52d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/objdump/repo/binutils-asan/binutils/nm-new+0x430fc5) in strcmp
==3976414==ABORTING
Comment 1 Alan Modra 2022-06-14 03:30:22 UTC
*** Bug 29231 has been marked as a duplicate of this bug. ***
Comment 2 cvs-commit@gcc.gnu.org 2022-06-15 04:06:53 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31d6c13defeba7716ebc9d5c8f81f2f35fe39980

commit 31d6c13defeba7716ebc9d5c8f81f2f35fe39980
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Jun 14 12:46:42 2022 +0930

    PR29230, segv in lookup_symbol_in_variable_table
    
    The PR23230 testcase uses indexed strings without specifying
    DW_AT_str_offsets_base.  In this case we left u.str with garbage (from
    u.val) which then led to a segfault when attempting to access the
    string.  Fix that by clearing u.str.  The patch also adds missing
    sanity checks in the recently committed read_indexed_address and
    read_indexed_string functions.
    
            PR 29230
            * dwarf2.c (read_indexed_address): Return uint64_t.  Sanity check idx.
            (read_indexed_string): Use uint64_t for str_offset.  Sanity check idx.
            (read_attribute_value): Clear u.str for indexed string forms when
            DW_AT_str_offsets_base is not yet read or missing.
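An added illustration (not the binutils patch itself) of the checks the commit message describes: a model read_indexed_string over constructed .debug_str and .debug_str_offsets contents, where `struct unit`, `make_unit` and the section bytes are assumptions made for this example. When DW_AT_str_offsets_base has not been read (base 0) or idx does not fit the section, it returns NULL, so a caller storing the result in u.str holds NULL rather than garbage.

```c
#include <stdint.h>
#include <string.h>

/* Constructed .debug_str: two NUL-terminated strings at offsets 0 and 5.  */
static const char debug_str[] = "main\0foo";   /* sizeof == 9, final NUL included */
/* Constructed .debug_str_offsets (32-bit DWARF 5): an 8-byte header, then
   two 4-byte little-endian offsets into .debug_str, so the base is 8.  */
static const unsigned char debug_str_offsets[] = {
  0x0c, 0, 0, 0,  5, 0,  0, 0,   /* unit_length = 12, version = 5, padding */
  0, 0, 0, 0,                    /* entry [0] -> "main" */
  5, 0, 0, 0,                    /* entry [1] -> "foo" */
};

struct unit {
  const unsigned char *str_offsets; size_t str_offsets_size;
  const char *str;                  size_t str_size;
  unsigned offset_size;             /* 4 for 32-bit DWARF, 8 for 64-bit */
  uint64_t str_offsets_base;        /* 0: DW_AT_str_offsets_base not read */
};

/* Resolve indexed-string entry IDX.  Anything that does not fit the sections
   yields NULL, so u.str never keeps leftover bits of u.val.  */
static const char *
read_indexed_string (const struct unit *u, uint64_t idx)
{
  uint64_t off, str_off = 0;
  unsigned i;
  if (u->str_offsets_base == 0 || u->str_offsets_base > u->str_offsets_size)
    return NULL;
  /* Divide rather than multiply so a huge IDX cannot wrap the bound.  */
  if (idx >= (u->str_offsets_size - u->str_offsets_base) / u->offset_size)
    return NULL;
  off = u->str_offsets_base + idx * u->offset_size;
  for (i = 0; i < u->offset_size; i++)
    str_off |= (uint64_t) u->str_offsets[off + i] << (8 * i);
  /* The offset must land inside .debug_str on a NUL-terminated string.  */
  if (str_off >= u->str_size
      || memchr (u->str + str_off, 0, u->str_size - str_off) == NULL)
    return NULL;
  return u->str + str_off;
}

/* Build the constructed unit with a given DW_AT_str_offsets_base value.  */
static struct unit
make_unit (uint64_t str_offsets_base)
{
  struct unit u = { debug_str_offsets, sizeof debug_str_offsets,
                    debug_str, sizeof debug_str, 4, str_offsets_base };
  return u;
}
```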
Comment 3 Alan Modra 2022-06-15 04:07:35 UTC
Fixed.