Created attachment 16348 [details] POC ## Description - Version: Binutils 2.45 - Environment: Ubuntu 20.04.6 LTS, Clang 12.0.0 ## Steps to reproduce export CC="clang" export CFLAGS="-g -fsanitize=address" ./configure make -j ./ld/ld-new --gc-sections --no-print-gc-sections -w $POC ## Sanitizer output ==139060==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x00000078475b bp 0x7ffd531ce9f0 sp 0x7ffd531ce8a0 T0) ==139060==The signal is caused by a READ memory access. ==139060==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used. #0 0x78475b in bfd_elf_gc_record_vtentry /benchmark/bin/binutils-2.45/bfd/elflink.c:14898:48 #1 0x64f209 in elf_x86_64_scan_relocs /benchmark/bin/binutils-2.45/bfd/elf64-x86-64.c:3061:9 #2 0x729d55 in _bfd_elf_link_iterate_on_relocs /benchmark/bin/binutils-2.45/bfd/elflink.c:4282:9 #3 0x629244 in elf_x86_64_early_size_sections /benchmark/bin/binutils-2.45/bfd/elf64-x86-64.c:3106:6 #4 0x73c762 in bfd_elf_size_dynamic_sections /benchmark/bin/binutils-2.45/bfd/elflink.c:6916:11 #5 0x59afe4 in ldelf_before_allocation /benchmark/bin/binutils-2.45/ld/ldelf.c:1840:10 #6 0x57acc0 in gldelf_x86_64_before_allocation /benchmark/bin/binutils-2.45/ld/eelf_x86_64.c:172:3 #7 0x57111b in elf_x86_64_before_allocation /benchmark/bin/binutils-2.45/ld/eelf_x86_64.c:115:3 #8 0x554af7 in ldemul_before_allocation /benchmark/bin/binutils-2.45/ld/ldemul.c:104:3 #9 0x50cdcc in lang_process /benchmark/bin/binutils-2.45/ld/ldlang.c:8627:3 #10 0x53ca89 in main /benchmark/bin/binutils-2.45/ld/./ldmain.c:882:3 #11 0x7f274cee4082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #12 0x41d6ad in _start (/benchmark/bin/binutils-2.45/ld/ld-new+0x41d6ad) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /benchmark/bin/binutils-2.45/bfd/elflink.c:14898:48 in bfd_elf_gc_record_vtentry ==139060==ABORTING ## Credit Reported by Yifan Zhang, [PLL](https://pl.cs.pku.edu.cn/en/)
Dup. *** This bug has been marked as a duplicate of bug 33457 ***
After applying the patch for bug 33457, the bug can still be triggered using a new POC, which I have uploaded.
Created attachment 16360 [details] POC_patch_33457
Created attachment 16377 [details] POC_patch_33457_correct
Sorry, I uploaded by mistake. The most recently uploaded POC is the correct one.
Created attachment 16378 [details] POC_patch_33457_correct1
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc commit 047435dd988a3975d40c6626a8f739a0b2e154bc Author: Alan Modra <amodra@gmail.com> Date: Thu Sep 25 08:22:24 2025 +0930 PR 33452 SEGV in bfd_elf_gc_record_vtentry Limit addends on vtentry relocs, otherwise ld might attempt to allocate a stupidly large array. This also fixes the expression overflow leading to pr33452. A vtable of 33M entries on a 64-bit host is surely large enough, especially considering that VTINHERIT and VTENTRY relocations are to support -fvtable-gc that disappeared from gcc over 20 years ago. PR ld/33452 * elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
Fixed mainline