Created attachment 16353 [details] POC ## Description - Version: Binutils 2.45 - Environment: Ubuntu 20.04.6 LTS, Clang 12.0.0 ## Steps to reproduce export CC="clang" export CFLAGS="-g -fsanitize=address" ./configure make -j ./ld/ld-new --version-exports-section symbol --shared $POC ## Sanitizer output ==139074==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a0000005f4 at pc 0x00000043609e bp 0x7fff559183a0 sp 0x7fff55917b68 READ of size 1408 at 0x61a0000005f4 thread T0 #0 0x43609d in fwrite /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143:16 #1 0x92a7c6 in cache_bwrite /benchmark/bin/binutils-2.45/bfd/cache.c:435:12 #2 0x5c4c2e in bfd_write /benchmark/bin/binutils-2.45/bfd/bfdio.c:412:12 #3 0x5e14df in _bfd_generic_set_section_contents /benchmark/bin/binutils-2.45/bfd/libbfd.c:1351:10 #4 0x6e9348 in _bfd_elf_set_section_contents /benchmark/bin/binutils-2.45/bfd/elf.c:10018:10 #5 0x602d88 in bfd_set_section_contents /benchmark/bin/binutils-2.45/bfd/section.c:1527:7 #6 0x76cce8 in elf_link_input_bfd /benchmark/bin/binutils-2.45/bfd/elflink.c:12286:14 #7 0x75b599 in bfd_elf_final_link /benchmark/bin/binutils-2.45/bfd/elflink.c:13185:11 #8 0x545133 in ldwrite /benchmark/bin/binutils-2.45/ld/ldwrite.c:548:8 #9 0x53cc51 in main /benchmark/bin/binutils-2.45/ld/./ldmain.c:912:3 #10 0x7f58bfd3d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #11 0x41d6ad in _start (/benchmark/bin/binutils-2.45/ld/ld-new+0x41d6ad) 0x61a0000005f4 is located 0 bytes to the right of 1396-byte region [0x61a000000080,0x61a0000005f4) allocated by thread T0 here: #0 0x49917d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x5dcf72 in bfd_malloc /benchmark/bin/binutils-2.45/bfd/libbfd.c:291:9 #2 0x5c9c41 in bfd_get_full_section_contents /benchmark/bin/binutils-2.45/bfd/compress.c:742:21 #3 0x6f6d26 in elf_mmap_section_contents /benchmark/bin/binutils-2.45/bfd/elf.c:14328:14 #4 0x6acf51 in _bfd_elf_mmap_section_contents /benchmark/bin/binutils-2.45/bfd/elf.c:14340:10 #5 0x6498cc in elf_x86_64_scan_relocs /benchmark/bin/binutils-2.45/bfd/elf64-x86-64.c:2515:13 #6 0x729d55 in _bfd_elf_link_iterate_on_relocs /benchmark/bin/binutils-2.45/bfd/elflink.c:4282:9 #7 0x629244 in elf_x86_64_early_size_sections /benchmark/bin/binutils-2.45/bfd/elf64-x86-64.c:3106:6 #8 0x73c762 in bfd_elf_size_dynamic_sections /benchmark/bin/binutils-2.45/bfd/elflink.c:6916:11 #9 0x59afe4 in ldelf_before_allocation /benchmark/bin/binutils-2.45/ld/ldelf.c:1840:10 #10 0x57acc0 in gldelf_x86_64_before_allocation /benchmark/bin/binutils-2.45/ld/eelf_x86_64.c:172:3 #11 0x57111b in elf_x86_64_before_allocation /benchmark/bin/binutils-2.45/ld/eelf_x86_64.c:115:3 #12 0x554af7 in ldemul_before_allocation /benchmark/bin/binutils-2.45/ld/ldemul.c:104:3 #13 0x50cdcc in lang_process /benchmark/bin/binutils-2.45/ld/ldlang.c:8627:3 #14 0x53ca89 in main /benchmark/bin/binutils-2.45/ld/./ldmain.c:882:3 #15 0x7f58bfd3d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143:16 in fwrite Shadow bytes around the buggy address: 0x0c347fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c347fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa 0x0c347fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c347fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c347fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c347fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==139074==ABORTING ## Credit Reported by Yifan Zhang, [PLL](https://pl.cs.pku.edu.cn/en/)
Created attachment 16356 [details] A patch Try this.
*** Bug 33456 has been marked as a duplicate of this bug. ***
*** Bug 33453 has been marked as a duplicate of this bug. ***
*** Bug 33454 has been marked as a duplicate of this bug. ***
*** Bug 33450 has been marked as a duplicate of this bug. ***
*** Bug 33452 has been marked as a duplicate of this bug. ***
*** Bug 33449 has been marked as a duplicate of this bug. ***
*** Bug 33451 has been marked as a duplicate of this bug. ***
The master branch has been updated by H.J. Lu <hjl@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490 commit 9ca499644a21ceb3f946d1c179c38a83be084490 Author: H.J. Lu <hjl.tools@gmail.com> Date: Thu Sep 18 16:59:25 2025 -0700 elf: Don't match corrupt section header in linker input Don't swap in nor match corrupt section header in linker input to avoid linker crash later. PR ld/33457 * elfcode.h (elf_swap_shdr_in): Changed to return bool. Return false for corrupt section header in linker input. (elf_object_p): Reject if elf_swap_shdr_in returns false. Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Fixed for 2.46.