**Description**

A segmentation fault (SEGV) occurs in the ld command when the -w and -o options are used simultaneously, and the file specified by the -o option either does not have write permissions for the current user or points to a directory. This issue is detected by AddressSanitizer, which identifies a read access to an invalid memory address, leading to a program crash.

**Affected Versions**

binutils 2.43

**Impact**

This vulnerability can cause the program to crash, affecting system stability and availability. In some cases, an attacker may exploit this vulnerability to perform a denial-of-service (DoS) attack.

**Example**

```
(base) swj@amax /tmp $ /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld -w -o/root/1234
AddressSanitizer:DEADLYSIGNAL
=================================================================
==376931==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x5621f87aa617 bp 0x7ffe400e2e50 sp 0x7ffe400e2da0 T0)
==376931==The signal is caused by a READ memory access.
==376931==Hint: address points to the zero page.
    #0 0x5621f87aa617 in bfd_set_format /data/swj/optfuzz/benchmark/binutils-2.43/bfd/format.c:765:7
    #1 0x5621f870a34f in open_output /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:3443:8
    #2 0x5621f86efb32 in ldlang_open_output /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:3464:7
    #3 0x5621f86d3c57 in lang_for_each_statement_worker /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:1040:7
    #4 0x5621f86d3e9b in lang_for_each_statement /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:1083:3
    #5 0x5621f86ed960 in lang_process /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldlang.c:8172:3
    #6 0x5621f871834c in main /data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:529:3
    #7 0x7fc91d1fe082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x5621f85f06bd in _start (/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/swj/optfuzz/benchmark/binutils-2.43/bfd/format.c:765:7 in bfd_set_format
==376931==ABORTING
```

No PoC file is needed.
*** Bug 32646 has been marked as a duplicate of this bug. ***
*** Bug 32645 has been marked as a duplicate of this bug. ***
-w breaks every single call to einfo that is supposed to exit due to the presence of %F.
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150

commit 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Feb 6 21:46:22 2025 +1030

PR 32603, ld -w misbehaviour

ld -w currently causes segmentation faults and other misbehaviour since it changes einfo with %F in the format string (fatal error) to not exit. This patch fixes that by introducing a new variant of einfo called "fatal" that always exits, and replaces all einfo calls using %F with a call to fatal without the %F.

I considered modifying einfo to inspect the first 2 or 4 chars in the format string, looking for %F, but decided that was probably a bad idea given that translators might have moved the %F. It's also a little nicer to inform the compiler of a function that doesn't return.

The patch also fixes some formatting nits, and makes use of %pA to print section names in a couple of places in aix.em.
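As an added illustration of the failure mode described in the commit message above (this is not binutils code and does not reproduce ld's real einfo/vfinfo implementation), the C program below models the two patterns side by side: an einfo-style function where a leading "%F" means "print, then exit" but a -w style flag suppresses the whole call, exit included, so the caller continues with a NULL output handle into the first field access (the 0x48 zero-page read in the ASan trace); and a separate noreturn fatal() that exits regardless of -w. The names mini_bfd, mini_openw, mini_set_format, einfo_buggy, fatal, open_output_buggy, open_output_fixed and run_in_child are my own stand-ins, and the path prefix /unwritable/ is a constructed stand-in for the unwritable -o target in the report; nothing is written to the filesystem. Each variant runs in a forked child so the difference is observable as a wait status: exit(1) from the fatal path versus death by signal.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed stand-in for a bfd handle; only the format field is touched. */
struct mini_bfd { const char *filename; int format; };

/* Assumed stand-in for ld's -w flag. */
static bool suppress_warnings;

/* Assumed stand-in for bfd_openw(): fails for anything under /unwritable/
   (a constructed path prefix), mirroring an unwritable -o target. */
static struct mini_bfd *mini_openw(const char *path)
{
    if (strncmp(path, "/unwritable/", 12) == 0)
        return NULL;
    struct mini_bfd *abfd = calloc(1, sizeof *abfd);
    if (abfd != NULL)
        abfd->filename = path;
    return abfd;
}

/* Assumed stand-in for bfd_set_format(): first use of the output handle.
   noinline stops the optimizer from turning the visible NULL path into a
   trap, so the crash stays a plain segfault as in the ASan trace. */
__attribute__((noinline))
static bool mini_set_format(struct mini_bfd *abfd, int format)
{
    abfd->format = format;       /* NULL abfd -> access at a small offset */
    return true;
}

/* Buggy pattern: "%F" at the start of the format means "report and exit",
   but -w suppresses the whole call, including the exit. */
static void einfo_buggy(const char *fmt, ...)
{
    if (suppress_warnings)
        return;                  /* BUG: the fatal exit is skipped too */
    bool is_fatal = strncmp(fmt, "%F", 2) == 0;
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, is_fatal ? fmt + 2 : fmt, ap);
    va_end(ap);
    if (is_fatal)
        exit(1);
}

/* Fixed pattern: a dedicated fatal() that always exits, regardless of -w,
   and is marked noreturn so the compiler knows nothing follows it. */
__attribute__((noreturn, format(printf, 1, 2)))
static void fatal(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    exit(1);
}

/* Same shape as an open-then-set-format sequence: with -w the buggy
   version falls through to mini_set_format(NULL). Returns 0 on success. */
static int open_output_buggy(const char *path)
{
    struct mini_bfd *out = mini_openw(path);
    if (out == NULL)
        einfo_buggy("%Fcannot open output file %s\n", path);
    return mini_set_format(out, 1) ? 0 : 1;
}

static int open_output_fixed(const char *path)
{
    struct mini_bfd *out = mini_openw(path);
    if (out == NULL)
        fatal("cannot open output file %s\n", path);
    return mini_set_format(out, 1) ? 0 : 1;
}

enum outcome { OUTCOME_OK, OUTCOME_ERROR_EXIT, OUTCOME_CRASHED };

/* Run one variant in a child so the result is a wait status:
   clean return, exit(1) from the fatal path, or death by signal. */
static enum outcome run_in_child(int (*fn)(const char *), const char *path, bool w_flag)
{
    fflush(stdout);                 /* avoid duplicated buffered output */
    pid_t pid = fork();
    if (pid == 0) {
        suppress_warnings = w_flag;
        _exit(fn(path));
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) != pid || WIFSIGNALED(status))
        return OUTCOME_CRASHED;
    return WEXITSTATUS(status) == 0 ? OUTCOME_OK : OUTCOME_ERROR_EXIT;
}

int main(void)
{
    static const char *const names[] = { "ok", "error exit", "crashed" };
    const char *bad = "/unwritable/1234";
    printf("buggy, no -w : %s\n", names[run_in_child(open_output_buggy, bad, false)]);
    printf("buggy, -w    : %s\n", names[run_in_child(open_output_buggy, bad, true)]);
    printf("fixed, -w    : %s\n", names[run_in_child(open_output_fixed, bad, true)]);
    printf("fixed, good  : %s\n", names[run_in_child(open_output_fixed, "out/a.out", true)]);
    return 0;
}
```

The point the fork harness makes is the one the commit relies on: once the error path is a function the compiler knows does not return, there is no "continue with NULL" path for a flag such as -w to expose, whereas a suppressible message-plus-exit leaves every caller of a %F message one flag away from using an invalid handle.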
Fixed for 2.45
Hello, is this bug present in the binutils 2.44 release?
(In reply to Huaqi from comment #6)
> Hello, is this bug present in the binutils 2.44 release?

yes.
*** Bug 32661 has been marked as a duplicate of this bug. ***
(In reply to Sam James from comment #7)
> (In reply to Huaqi from comment #6)
> > Hello, is this bug present in the binutils 2.44 release?
>
> yes.

Thanks, maybe this commit could be backported to binutils-2_44-branch, so future 2.44.x releases could have this fix.
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d26161914cf286171b29767916a212685f9aadf3

commit d26161914cf286171b29767916a212685f9aadf3
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Feb 16 23:34:55 2025 +1030

PR 32603, more ld -w misbehaviour

Commit 8d97c1a53f3d claimed to replace all einfo calls using %F with a call to fatal. It did so only for the ld/ directory. This patch adds a "fatal" to linker callbacks, and replaces those calls in bfd/ too.
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6d74c1f313df5e82bb9ef0940a477cba5d76db00

commit 6d74c1f313df5e82bb9ef0940a477cba5d76db00
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Apr 22 12:36:47 2025 +0930

PR 32603 followup, remove %F from einfo

No uses of %F remain.

* ldmisc.c (vfinfo): Remove %F handling.
The binutils-2_44-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0b7f992b78fe0984fc7d84cc748d0794e4a400e3

commit 0b7f992b78fe0984fc7d84cc748d0794e4a400e3
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Feb 6 21:46:22 2025 +1030

PR 32603, ld -w misbehaviour

ld -w currently causes segmentation faults and other misbehaviour since it changes einfo with %F in the format string (fatal error) to not exit. This patch fixes that by introducing a new variant of einfo called "fatal" that always exits, and replaces all einfo calls using %F with a call to fatal without the %F.

I considered modifying einfo to inspect the first 2 or 4 chars in the format string, looking for %F, but decided that was probably a bad idea given that translators might have moved the %F. It's also a little nicer to inform the compiler of a function that doesn't return.

The patch also fixes some formatting nits, and makes use of %pA to print section names in a couple of places in aix.em.

(cherry picked from commit 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150)
The binutils-2_44-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31e9e2e8d1090da0c1da97a70005d8841fff8ddd

commit 31e9e2e8d1090da0c1da97a70005d8841fff8ddd
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Feb 16 23:34:55 2025 +1030

PR 32603, more ld -w misbehaviour

Commit 8d97c1a53f3d claimed to replace all einfo calls using %F with a call to fatal. It did so only for the ld/ directory. This patch adds a "fatal" to linker callbacks, and replaces those calls in bfd/ too.

(cherry picked from commit d26161914cf286171b29767916a212685f9aadf3)
The binutils-2_44-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fe459e33c676883b5f28cc96c00e242973d906a9

commit fe459e33c676883b5f28cc96c00e242973d906a9
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Apr 24 10:01:29 2025 +0930

PR 32603, revert message changes in 0b7f992b78fe and 31e9e2e8d109

This puts back %F into translated fatal error messages (and reverts a few other small changes), to not disturb translation work done for the 2.44 branch.