Created attachment 16351 [details] POC ## Description - Version: Binutils 2.45 - Environment: Ubuntu 20.04.6 LTS, Clang 12.0.0 ## Steps to reproduce export CC="clang" export CFLAGS="-g -fsanitize=address" ./configure make -j ./ld/ld-new --version-exports-section symbol --shared $POC ## Sanitizer output ==139070==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa9714de6e5 bp 0x7ffdd1276670 sp 0x7ffdd1275e28 T0) ==139070==The signal is caused by a READ memory access. ==139070==Hint: address points to the zero page. #0 0x7fa9714de6e5 (/lib/x86_64-linux-gnu/libc.so.6+0x1886e5) #1 0x436bae in fputs /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1254:5 #2 0x5555c7 in vfinfo /benchmark/RUNDIR-binutils-2.45/binutils-2.45/ld/ldmisc.c:527:8 #3 0x55761a in lfinfo /benchmark/RUNDIR-binutils-2.45/binutils-2.45/ld/ldmisc.c:745:3 #4 0x55608d in vfinfo /benchmark/RUNDIR-binutils-2.45/binutils-2.45/ld/ldmisc.c:466:5 #5 0x557a09 in einfo /benchmark/RUNDIR-binutils-2.45/binutils-2.45/ld/ldmisc.c:608:3 #6 0x5f3d28 in bfd_generic_get_relocated_section_contents /benchmark/RUNDIR-binutils-2.45/binutils-2.45/bfd/reloc.c #7 0x5e2bdb in default_indirect_link_order /benchmark/RUNDIR-binutils-2.45/binutils-2.45/bfd/linker.c:2739:23 #8 0x5e3336 in _bfd_default_link_order /benchmark/RUNDIR-binutils-2.45/binutils-2.45/bfd/linker.c:2558:14 #9 0x734736 in bfd_elf_final_link /benchmark/RUNDIR-binutils-2.45/binutils-2.45/bfd/elflink.c:13198:14 #10 0x542fc9 in ldwrite /benchmark/RUNDIR-binutils-2.45/binutils-2.45/ld/ldwrite.c:548:8 #11 0x53a80d in main /benchmark/RUNDIR-binutils-2.45/binutils-2.45/ld/./ldmain.c:912:3 #12 0x7fa97137a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #13 0x41d69d in _start (/benchmark/bin/DAFL/ld-new-2025-1178+0x41d69d) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x1886e5) ==139070==ABORTING ## Credit Reported by Yifan Zhang, [PLL](https://pl.cs.pku.edu.cn/en/)
Created attachment 16357 [details] A patch Try this.
Someone did allocate a CVE for this bug: CVE-2025-11840 https://nvd.nist.gov/vuln/detail/CVE-2025-11840 You never know, but is it really possible there's a supply chain attack that could deliver a corrupt file in a pipeline somewhere that would make ld segfault accessing a NULL pointer, triggering a catastrophic failure ... go figure.
The master branch has been updated by Alan Modra <amodra@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f6b0f53a36820da91eadfa9f466c22f92e4256e0 commit f6b0f53a36820da91eadfa9f466c22f92e4256e0 Author: Alan Modra <amodra@gmail.com> Date: Mon Nov 3 09:03:37 2025 +1030 PR 33455 SEGV in vfinfo at ldmisc.c:527 A reloc howto set up with EMPTY_HOWTO has a NULL name. More than one place emitting diagnostics assumes a reloc howto won't have a NULL name. PR 33455 * coffcode.h (coff_slurp_reloc_table): Don't allow a howto with a NULL name.
Fixed for 2.46