Created attachment 14478
PoC

# Reproduce

cd binutils-gdb
git reset --hard aaa8dbc1b31233f66131476e03ab8635805e515d
mkdir build && cd build
../configure --disable-gdb --disable-gdbserver --disable-gdbsupport --disable-libdecnumber --disable-readline --disable-sim --disable-libbacktrace --disable-gas --disable-ld --disable-werror --enable-targets=all CPPFLAGS=-DDEBUG CFLAGS="-g -O0 -fsanitize=address"
make all-binutils MAKEINFO=true && true
binutils/objdump -d the_bfd_null.elf

# Output

../the_bfd_null.elf:     file format elf32-sparc

binutils/objdump: ../the_bfd_null.elf: invalid string offset 626704 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 557220 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 896064 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 1232935 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536969381 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536990215 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536903819 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 2684360832 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 447495 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536990727 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 2686440967 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 1073709872 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 2684396036 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536903844 >= 3037 for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 50 has invalid symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 51 has invalid symbol index 1041
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 52 has invalid symbol index 7044096
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 53 has invalid symbol index 495360
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 55 has invalid symbol index 1041
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 56 has invalid symbol index 16342016
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 57 has invalid symbol index 507904
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 59 has invalid symbol index 1041
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 60 has invalid symbol index 16596992
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 61 has invalid symbol index 518656
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 62 has invalid symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 64 has invalid symbol index 6054912
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 65 has invalid symbol index 526336
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 66 has invalid symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 68 has invalid symbol index 16527360
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 69 has invalid symbol index 534784
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 70 has invalid symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 71 has invalid symbol index 32786
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 72 has invalid symbol index 3463168
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 73 has invalid symbol index 545536
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 74 has invalid symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 75 has invalid symbol index 20498
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 76 has invalid symbol index 16640000
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 77 has invalid symbol index 557312
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 78 has invalid symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 80 has invalid symbol index 5585920
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 81 has invalid symbol index 562432
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 84 has invalid symbol index 3666944
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 85 has invalid symbol index 569856
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 86 has invalid symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 87 has invalid symbol index 29714
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 88 has invalid symbol index 16486400
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 89 has invalid symbol index 577536
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 90 has invalid symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 91 has invalid symbol index 20498
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 92 has invalid symbol index 11744256
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 93 has invalid symbol index 584448
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 94 has invalid symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 95 has invalid symbol index 8210
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 96 has invalid symbol index 11737088
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 97 has invalid symbol index 595200
AddressSanitizer:DEADLYSIGNAL
=================================================================
==47678==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5624374ad9ff bp 0x7ffd6e78ffc0 sp 0x7ffd6e78ffb0 T0)
==47678==The signal is caused by a READ memory access.
==47678==Hint: address points to the zero page.
    #0 0x5624374ad9ff in bfd_get_flavour ../bfd/bfd.h:7805
    #1 0x5624374b1b77 in compare_symbols ../../binutils/objdump.c:1225
    #2 0x7f66174f840e in msort_with_tmp stdlib/msort.c:82
    #3 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:44
    #4 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:53
    #5 0x7f66174f83a4 in msort_with_tmp stdlib/msort.c:44
    #6 0x7f66174f83a4 in msort_with_tmp stdlib/msort.c:52
    #7 0x7f66174f83a4 in msort_with_tmp stdlib/msort.c:44
    #8 0x7f66174f83a4 in msort_with_tmp stdlib/msort.c:52
    #9 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:44
    #10 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:53
    #11 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:44
    #12 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:53
    #13 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:44
    #14 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:53
    #15 0x7f66174f8a55 in msort_with_tmp stdlib/msort.c:44
    #16 0x7f66174f8a55 in __GI___qsort_r stdlib/msort.c:296
    #17 0x7f661772f934 in __interceptor_qsort ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:9917
    #18 0x5624374bd547 in disassemble_section ../../binutils/objdump.c:3803
    #19 0x5624379b869d in bfd_map_over_sections ../../bfd/section.c:1374
    #20 0x5624374bf8a1 in disassemble_data ../../binutils/objdump.c:4175
    #21 0x5624374c769d in dump_bfd ../../binutils/objdump.c:5649
    #22 0x5624374c7977 in display_object_bfd ../../binutils/objdump.c:5712
    #23 0x5624374c7cb1 in display_any_bfd ../../binutils/objdump.c:5798
    #24 0x5624374c7d2a in display_file ../../binutils/objdump.c:5819
    #25 0x5624374c96e8 in main ../../binutils/objdump.c:6227
    #26 0x7f66174ddd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #27 0x7f66174dde3f in __libc_start_main_impl ../csu/libc-start.c:392
    #28 0x5624374ad584 in _start (/binutils-gdb/build/binutils/objdump+0xdfc584)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../bfd/bfd.h:7805 in bfd_get_flavour
==47678==ABORTING

# Analysis

This bug is a little bit similar to a previous one[1]. In function `_bfd_elf_get_synthetic_symtab`, the field `the_bfd` is indeed properly initialized by copying the whole `asymbol` from `**p->sym_ptr_ptr`[2]. However, `p` is an iterator over the array `relplt->relocation`, which is initialized by `asect->relocation = relents` in `elfcode.h`[3]. The `relents` variable is an array of `arelent` structures, which is initialized in function `elf_slurp_reloc_table_from_section`[4]. The element that causes the NULL pointer problem, which is index `54` for the PoC provided, is initialized by `relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr`[5], which copies a pointer to a pointer to a global `asymbol` structure whose `the_bfd` is NULL into the `sym_ptr_ptr` field. Later on, this field is used to initialize `*s`[2], so it causes the NULL pointer exception.

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=29677
[2] https://github.com/bminor/binutils-gdb/blob/aaa8dbc1b31233f66131476e03ab8635805e515d/bfd/elf.c#L13088
[3] https://github.com/bminor/binutils-gdb/blob/aaa8dbc1b31233f66131476e03ab8635805e515d/bfd/elfcode.h#L1640
[4] https://github.com/bminor/binutils-gdb/blob/aaa8dbc1b31233f66131476e03ab8635805e515d/bfd/elfcode.h#L1464
[5] https://github.com/bminor/binutils-gdb/blob/aaa8dbc1b31233f66131476e03ab8635805e515d/bfd/elfcode.h#L1521
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3d3af4ba39e892b1c544d667ca241846bc3df386

commit 3d3af4ba39e892b1c544d667ca241846bc3df386
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Dec 4 22:15:40 2022 +1030

    PR29846, segmentation fault in objdump.c compare_symbols

    Fixes a fuzzed object file problem where plt relocs were manipulated
    in such a way that two synthetic symbols were generated at the same
    plt location.  Won't occur in real object files.

        PR 29846
        PR 20337
        * objdump.c (compare_symbols): Test symbol flags to exclude
        section and synthetic symbols before attempting to check flavour.
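An added C model of the path the analysis describes and of the check the commit message describes (not code from the report or from binutils): a synthetic symbol copied from the absolute-section symbol inherits a NULL `the_bfd`, and a comparator that tests the symbol flags before reading the flavour never dereferences it. `mock_bfd`, `mock_symbol`, `make_synthetic`, `compare_symbols_fixed`, `sort_symbols` and the flag bit values are hypothetical stand-ins, not the real bfd or objdump definitions.

```c
/* Added model of PR29846, not binutils code: names echo bfd's asymbol/bfd and
   objdump's compare_symbols but are hypothetical stand-ins, and the flag bit
   values below are constructed for this example.  */
#include <stdlib.h>
#define BSF_SECTION_SYM 0x1u   /* constructed values, not bfd's real bits */
#define BSF_SYNTHETIC   0x2u

enum flavour { FLAVOUR_UNKNOWN, FLAVOUR_ELF };
struct mock_bfd { enum flavour flavour; };
struct mock_symbol {
  struct mock_bfd *the_bfd;   /* NULL on the global abs-section symbol */
  unsigned int flags;
  unsigned long value, size;
};

/* The global absolute-section symbol has no owning bfd, as in [5] above.  */
static struct mock_symbol abs_symbol = { NULL, BSF_SECTION_SYM, 0, 0 };

/* Models _bfd_elf_get_synthetic_symtab copying **sym_ptr_ptr into the
   synthetic entry [2]: the NULL the_bfd is copied along with the rest.  */
struct mock_symbol make_synthetic(const struct mock_symbol *src, unsigned long plt) {
  struct mock_symbol s = *src;
  s.flags |= BSF_SYNTHETIC;
  s.value = plt;
  return s;
}

/* Like bfd_get_flavour this dereferences abfd; on NULL it is the zero-page
   READ in the ASan report.  */
static enum flavour get_flavour(const struct mock_bfd *abfd) { return abfd->flavour; }

/* Hardened comparator in the shape the commit message describes: test the
   symbol flags before touching the_bfd, so section and synthetic symbols
   never reach get_flavour.  Larger ELF size first is the PR20337 rule.  */
int compare_symbols_fixed(const void *ap, const void *bp) {
  const struct mock_symbol *a = *(const struct mock_symbol *const *)ap;
  const struct mock_symbol *b = *(const struct mock_symbol *const *)bp;
  if (a->value != b->value) return a->value < b->value ? -1 : 1;
  if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
      && (b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
      && get_flavour(a->the_bfd) == FLAVOUR_ELF
      && get_flavour(b->the_bfd) == FLAVOUR_ELF && a->size != b->size)
    return a->size > b->size ? -1 : 1;
  return 0;
}

/* qsort the table as disassemble_section does; 1 if ordered by value.  */
int sort_symbols(struct mock_symbol **syms, size_t n) {
  qsort(syms, n, sizeof *syms, compare_symbols_fixed);
  for (size_t i = 1; i < n; i++)
    if (syms[i - 1]->value > syms[i]->value) return 0;
  return 1;
}
```

With two synthetic symbols at the same plt value (the fuzzed case the commit describes), the comparator returns 0 from the flag test alone, which is the branch the unfixed code never had.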
Fixed, thanks for the helpful analysis.