bug-binutils

[Bug binutils/20891] New: Segfault in addr2line


From: thuanpv at comp dot nus.edu.sg
Subject: [Bug binutils/20891] New: Segfault in addr2line
Date: Thu, 01 Dec 2016 09:55:01 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20891

            Bug ID: 20891
           Summary: Segfault in addr2line
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Dear all,
Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, we found an
input causing addr2line to crash. Valgrind says that it is an invalid write.

The bug was found on Ubuntu 14.04, and binutils was checked out from the
https://github.com/bminor/binutils-gdb repository at commit
268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016).

To reproduce:


addr2line s -e fd
ASAN says:
ASAN:DEADLYSIGNAL
=================================================================
==47318==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7e6ee49029 bp 0xffffffffffffffff sp 0x7ffe86e5a8b0 T0)
    #0 0x7f7e6ee49028 in __vsprintf_chk (/lib/x86_64-linux-gnu/libc.so.6+0x109028)
    #1 0x7f7e6ee48f7c in __sprintf_chk (/lib/x86_64-linux-gnu/libc.so.6+0x108f7c)
    #2 0x5515c9 in sprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
    #3 0x5515c9 in aout_32_find_nearest_line ../../bfd/aoutx.h:2814
    #4 0x40cb9d in find_address_in_section ../../binutils/addr2line.c:187
    #5 0x42186f in bfd_map_over_sections ../../bfd/section.c:1395
    #6 0x40b19a in translate_addresses ../../binutils/addr2line.c:265
    #7 0x40b19a in process_file ../../binutils/addr2line.c:402
    #8 0x40b19a in main ../../binutils/addr2line.c:509
    #9 0x7f7e6ed61f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #10 0x40c806 (/home/ubuntu/subjects/binutils-asan/obj-asan/binutils/addr2line+0x40c806)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x109028) in __vsprintf_chk
==47318==ABORTING

Valgrind says:
==46463== Invalid write of size 1
==46463==    at 0x5144029: __vsprintf_chk (vsprintf_chk.c:86)
==46463==    by 0x5143F7C: __sprintf_chk (sprintf_chk.c:31)
==46463==    by 0x638930: sprintf (stdio2.h:33)
==46463==    by 0x638930: aout_32_find_nearest_line (aoutx.h:2814)
==46463==    by 0x40762C: find_address_in_section (addr2line.c:187)
==46463==    by 0x43D55B: bfd_map_over_sections (section.c:1395)
==46463==    by 0x405F12: translate_addresses (addr2line.c:265)
==46463==    by 0x405F12: process_file (addr2line.c:402)
==46463==    by 0x405F12: main (addr2line.c:509)
==46463==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==46463==
==46463==
==46463== Process terminating with default action of signal 11 (SIGSEGV)
==46463==  Access not within mapped region at address 0x0
==46463==    at 0x5144029: __vsprintf_chk (vsprintf_chk.c:86)
==46463==    by 0x5143F7C: __sprintf_chk (sprintf_chk.c:31)
==46463==    by 0x638930: sprintf (stdio2.h:33)
==46463==    by 0x638930: aout_32_find_nearest_line (aoutx.h:2814)
==46463==    by 0x40762C: find_address_in_section (addr2line.c:187)
==46463==    by 0x43D55B: bfd_map_over_sections (section.c:1395)
==46463==    by 0x405F12: translate_addresses (addr2line.c:265)
==46463==    by 0x405F12: process_file (addr2line.c:402)
==46463==    by 0x405F12: main (addr2line.c:509)
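Both tool outputs above describe one bug, and for triage the useful part is the first in-tree frames (aoutx.h:2814 and its callers), not the libc wrappers at the top of the stack. The following Python script is an added example, not code from the report or from binutils: it parses AddressSanitizer and Valgrind stack lines into a common shape and derives a crash signature from the first frames in project sources, so that reports of the same crash from different tools can be matched as duplicates. The list of project files is an assumption made for this page; the trace excerpts are copied from the report.

```python
import re

# Excerpt of the AddressSanitizer trace from the report above (frames 2-6).
ASAN_TRACE = """\
    #2 0x5515c9 in sprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
    #3 0x5515c9 in aout_32_find_nearest_line ../../bfd/aoutx.h:2814
    #4 0x40cb9d in find_address_in_section ../../binutils/addr2line.c:187
    #5 0x42186f in bfd_map_over_sections ../../bfd/section.c:1395
    #6 0x40b19a in translate_addresses ../../binutils/addr2line.c:265
"""

# Excerpt of the Valgrind trace from the same report.
VALGRIND_TRACE = """\
==46463== Invalid write of size 1
==46463==    at 0x5144029: __vsprintf_chk (vsprintf_chk.c:86)
==46463==    by 0x5143F7C: __sprintf_chk (sprintf_chk.c:31)
==46463==    by 0x638930: sprintf (stdio2.h:33)
==46463==    by 0x638930: aout_32_find_nearest_line (aoutx.h:2814)
==46463==    by 0x40762C: find_address_in_section (addr2line.c:187)
==46463==    by 0x43D55B: bfd_map_over_sections (section.c:1395)
"""

# ASAN frame with source info: "#N 0xADDR in func path:line[:col]".
# Frames that only carry a module+offset (like #10 above) are skipped.
ASAN_FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (\S+) ([^:\s]+):(\d+)")
# Valgrind frame: "==PID==    at|by 0xADDR: func (file:line)".
VALGRIND_FRAME = re.compile(
    r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:\s]+):(\d+)\)")

# Assumed list of source files that count as "ours" for this page.
PROJECT_FILES = ("aoutx.h", "addr2line.c", "section.c")


def parse_frames(text):
    """Return (function, file basename, line) tuples, innermost first."""
    frames = []
    for line in text.splitlines():
        m = ASAN_FRAME.match(line) or VALGRIND_FRAME.match(line)
        if m:
            func, path, lineno = m.groups()
            frames.append((func, path.rsplit("/", 1)[-1], int(lineno)))
    return frames


def crash_signature(text, project_files=PROJECT_FILES, depth=3):
    """First `depth` frames located in project sources; libc and the
    sprintf/__vsprintf_chk wrappers are ignored so the signature is stable
    across tools and libc builds."""
    in_project = [f for f in parse_frames(text) if f[1] in project_files]
    return tuple(in_project[:depth])
```

Running `crash_signature` over both excerpts yields the same tuple, starting with `aout_32_find_nearest_line` at aoutx.h:2814, which is the frame a maintainer should look at first.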
