Bug 32640 - ld SEGV in bfd_putl64 (bfd/libbfd.c:989:11) with -w option
Summary: ld SEGV in bfd_putl64 (bfd/libbfd.c:989:11) with -w option
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld
Version: 2.43
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-02-05 12:24 UTC by 孙文举
Modified: 2025-02-06 02:08 UTC
CC List: 1 user

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
poc (2.49 KB, application/x-object)
2025-02-05 12:24 UTC, 孙文举

Description 孙文举 2025-02-05 12:24:28 UTC
Created attachment 15915 [details]
poc

**Description**
A SEGV can occur in ld (part of binutils 2.43) when using the -w option with a specially crafted input file. This issue leads to memory corruption (illegal memory access) and crashes.

**Affected Version**
GNU ld (GNU Binutils) 2.43

**Steps to Reproduce**

1. Build binutils 2.43 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).
2. Run the following command:
   ./binutils-2.43/bins/bin/ld -w $poc
3. Observe the AddressSanitizer error indicating a SEGV.

$ ./binutils-2.43/bins/bin/ld -w /tmp/poc
./binutils-2.43/bins/bin/ld: warning: /tmp/poc has a section extending past end of file
AddressSanitizer:DEADLYSIGNAL
=================================================================
==484973==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000007 (pc 0x557c2d205250 bp 0x7ffc11e6c490 sp 0x7ffc11e6c3f0 T0)
==484973==The signal is caused by a WRITE memory access.
==484973==Hint: address points to the zero page.
    #0 0x557c2d205250 in bfd_putl64 ./binutils-2.43/bfd/libbfd.c:989:11
    #1 0x557c2d25d6f3 in elf_x86_64_relocate_section ./binutils-2.43/bfd/elf64-x86-64.c:4101:8
    #2 0x557c2d38714e in elf_link_input_bfd ./binutils-2.43/bfd/elflink.c:11848:10
    #3 0x557c2d378f0d in bfd_elf_final_link ./binutils-2.43/bfd/elflink.c:13107:11
    #4 0x557c2d171d0e in ldwrite ./binutils-2.43/ld/ldwrite.c:550:8
    #5 0x557c2d16c4e9 in main ./binutils-2.43/ld/./ldmain.c:556:3
    #6 0x7f6584b14082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x557c2d0446bd in _start (./binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./binutils-2.43/bfd/libbfd.c:989:11 in bfd_putl64
==484973==ABORTING

**Env**
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:        20.04
Codename:       focal
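Added example, not code from binutils and not the reporter's poc (the attachment is not reproduced on this page). The warning ld printed before crashing, "has a section extending past end of file", is bfd's report of a non-SHT_NOBITS section whose sh_offset + sh_size exceeds the size of the input file. The script below parses ELF64 section headers to find such sections and, because the real poc is unavailable here, constructs a minimal x86-64 ET_REL object whose .text header claims 4096 bytes while only 8 are present. This reproduces only the malformed-input precondition that bfd warns about; it does not reproduce the SEGV itself, which occurs later in elf_x86_64_relocate_section. The layout of the constructed object (three sections, .text last in the file) is an assumption of this example.

```python
"""Check an ELF64 object for sections whose file extent runs past EOF, the
condition behind ld's "has a section extending past end of file" warning.
Added example, not binutils code; the sample object is constructed below."""
import struct
import sys

# Elf64_Ehdr, little-endian: e_ident[16], e_type, e_machine, e_version, e_entry,
# e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize,
# e_shnum, e_shstrndx
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
# Elf64_Shdr: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
# sh_link, sh_info, sh_addralign, sh_entsize
SHDR = struct.Struct("<IIQQQQIIQQ")
SHT_NOBITS = 8            # .bss-style sections occupy no file bytes and are exempt
ET_REL, EM_X86_64 = 1, 62


def sections_past_eof(data):
    """Return [(index, sh_offset, sh_size)] for every non-NOBITS section whose
    sh_offset + sh_size exceeds the file size.  Raises ValueError when the ELF
    header or the section header table itself cannot be read, since then no
    per-section judgement is meaningful."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 / ELFDATA2LSB is handled here")
    e = EHDR.unpack_from(data, 0)
    e_shoff, e_shentsize, e_shnum = e[6], e[11], e[12]
    if e_shentsize != SHDR.size or e_shoff + e_shnum * SHDR.size > len(data):
        raise ValueError("section header table is malformed or extends past EOF")
    bad = []
    for i in range(e_shnum):
        s = SHDR.unpack_from(data, e_shoff + i * SHDR.size)
        sh_type, sh_offset, sh_size = s[1], s[4], s[5]
        if sh_type != SHT_NOBITS and sh_offset + sh_size > len(data):
            bad.append((i, sh_offset, sh_size))
    return bad


def build_object(text_size, text_bytes=b"\x90" * 8):
    """Construct (assumed layout) a minimal x86-64 ET_REL object with three
    sections: SHN_UNDEF, .text and .shstrtab.  text_size is written into the
    .text sh_size field while only len(text_bytes) bytes are actually appended,
    so a text_size larger than that yields a header pointing past EOF."""
    shstrtab = b"\0.text\0.shstrtab\0"            # sh_name 1 -> .text, 7 -> .shstrtab
    shstr_off = EHDR.size
    shoff = (shstr_off + len(shstrtab) + 7) & ~7  # 8-align the section header table
    text_off = shoff + 3 * SHDR.size              # .text bytes are last in the file
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB, EV_CURRENT
    ehdr = EHDR.pack(e_ident, ET_REL, EM_X86_64, 1, 0, 0, shoff, 0,
                     EHDR.size, 0, 0, SHDR.size, 3, 2)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                       # SHN_UNDEF
    shdrs += SHDR.pack(1, 1, 6, 0, text_off, text_size, 0, 0, 16, 0)      # .text PROGBITS, AX
    shdrs += SHDR.pack(7, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)  # .shstrtab STRTAB
    pad = b"\0" * (shoff - shstr_off - len(shstrtab))
    return ehdr + shstrtab + pad + shdrs + text_bytes


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # check a real object, e.g. a downloaded poc
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:                                 # constructed input: .text claims 0x1000 bytes
        blob = build_object(0x1000)
    for idx, off, size in sections_past_eof(blob):
        print(f"section {idx}: offset {off:#x} + size {size:#x} > file size {len(blob):#x}")
```

Run it with no arguments to see the constructed object flagged (section 1 at offset 0x118 claiming 0x1000 bytes in a 0x120-byte file), or pass a path to check an arbitrary object before handing it to ld. Passing build_object(8) instead, so that sh_size matches the bytes present, yields no findings.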
Comment 1 Nick Clifton 2025-02-05 13:21:13 UTC
This bug has been fixed at some point between the 2.43 and 2.44 releases. (I did not perform a triage to find exactly which commit fixes the problem). Anyway the point is that the problem is fixed with 2.44.
Comment 2 孙文举 2025-02-06 02:08:03 UTC
(In reply to Nick Clifton from comment #1)
> This bug has been fixed at some point between the 2.43 and 2.44 releases.  
> (I did not perform a triage to find exactly which commit fixes the problem).
> Anyway the point is that the problem is fixed with 2.44.

Got it, thanks.