[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/20931] New: STRIP crashes during copy of private bfd data
|
From: |
boehme.marcel at gmail dot com |
|
Subject: |
[Bug binutils/20931] New: STRIP crashes during copy of private bfd data |
|
Date: |
Tue, 06 Dec 2016 04:47:34 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=20931
Bug ID: 20931
Summary: STRIP crashes during copy of private bfd data
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---
Dear all,
The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.
Objcopy/Strip crashes with an invalid read of size 8 for the following
execution on Ubuntu 14.04 x86_64 in Binutils trunk. However, this execution
does *not* crash on preinstalled version v2.26.1 on Ubuntu 16.04 x86_64 or
preinstalled version v2.24 on Ubuntu 14.04 x86_64.
$ printf
"\x7fELF\x01\x01\x0100000000000\x03\x00000000000000\x0c\x00\x00\x0000000000\x00\x0000\x00\x00\x03\x00\x00\x00\x00\x00\x08\x00\x00\x000000000000000000\x00\x00\x00\x00000000000000\x00\x00\x00\x000000000000000000\x00\x00\x00\x00\x00\x00\x00\x00000000000000\x00\x00\x00\x000000000000000\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00000000000000\x00\x00\x00\x0000000000000000000000\x00\x00\x00\x00000000000000\x00\x00\x00\x0000000000000000000000\x00\x00\x00\x00000000000000\x00\x00\x00\x0000000000000000000000\x00\x00\x00\x00000000000000\x00\x00\x00\x0000000000000000000000\x00\x00\x00\x00000000000000\x00\x00\x00\x0000000000000000000000\x02\x00\x00\x00000000000000\x00\x00\x00\x0000000000000000000000\x00\x00\x00\x00000000000000\x00\x00\x00\x00000\xff0000000000000000\x00\xff\x00\x00000000000000\x00\x00\x00\x0000000000000000000000\x00\x00\x00\x00000000000000"
> test
$ strip test
VALGRIND says:
==145571== Invalid read of size 8
==145571== at 0x5702D9: copy_special_section_fields (elf.c:1349)
==145571== by 0x57B7ED: _bfd_elf_copy_private_bfd_data (elf.c:1471)
==145571== by 0x42BA8B: copy_object.part.18 (objcopy.c:2517)
==145571== by 0x42F645: copy_object (objcopy.c:1849)
==145571== by 0x42F645: copy_file (objcopy.c:2879)
==145571== by 0x41670E: strip_main (objcopy.c:3790)
==145571== by 0x41670E: main (objcopy.c:4890)
==145571== Address 0x5482cc0 is 393,552 bytes inside an unallocated block of
size 4,052,080 in arena "client"
==145571==
/home/ubuntu/subjects/binutils-gdb_fixed/obj-afl/binutils/strip-new: BFD (GNU
Binutils) 2.27.51.20161206 assertion fail ../../bfd/elf.c:1274
==145571== Invalid read of size 8
==145571== at 0x56E9DA: find_link.isra.7 (elf.c:1277)
==145571== by 0x5702E1: copy_special_section_fields (elf.c:1349)
==145571== by 0x57B7ED: _bfd_elf_copy_private_bfd_data (elf.c:1471)
==145571== by 0x42BA8B: copy_object.part.18 (objcopy.c:2517)
==145571== by 0x42F645: copy_object (objcopy.c:1849)
==145571== by 0x42F645: copy_file (objcopy.c:2879)
==145571== by 0x41670E: strip_main (objcopy.c:3790)
==145571== by 0x41670E: main (objcopy.c:4890)
==145571== Address 0x5497fe0 is 480,240 bytes inside an unallocated block of
size 4,051,952 in arena "client"
==145571==
==145571== Invalid read of size 4
==145571== at 0x56EB3C: section_match (elf.c:1258)
==145571== by 0x56EB3C: find_link.isra.7 (elf.c:1287)
==145571== by 0x5702E1: copy_special_section_fields (elf.c:1349)
==145571== by 0x57B7ED: _bfd_elf_copy_private_bfd_data (elf.c:1471)
==145571== by 0x42BA8B: copy_object.part.18 (objcopy.c:2517)
==145571== by 0x42F645: copy_object (objcopy.c:1849)
==145571== by 0x42F645: copy_file (objcopy.c:2879)
==145571== by 0x41670E: strip_main (objcopy.c:3790)
==145571== by 0x41670E: main (objcopy.c:4890)
==145571== Address 0x4 is not stack'd, malloc'd or (recently) free'd
GDB says:
0x00000000005702d9 in copy_special_section_fields (address@hidden,
address@hidden, iheader=0xb3a470, address@hidden,
address@hidden) at ../../bfd/elf.c:1349
1349 sh_link = find_link (obfd, iheaders[iheader->sh_link],
iheader->sh_link);
(gdb) bt
#0 0x00000000005702d9 in copy_special_section_fields
(address@hidden, address@hidden, iheader=0xb3a470,
address@hidden, address@hidden) at ../../bfd/elf.c:1349
#1 0x000000000057b7ee in _bfd_elf_copy_private_bfd_data (ibfd=0xb37c40,
obfd=0xb39fe0) at ../../bfd/elf.c:1471
#2 0x000000000042ba8c in copy_object (address@hidden,
address@hidden, address@hidden) at
../../binutils/objcopy.c:2517
#3 0x000000000042f646 in copy_object (input_arch=0x0, obfd=0xb39fe0,
ibfd=0xb37c40) at ../../binutils/objcopy.c:1849
#4 copy_file (input_filename=0x7fffffffe6a6 "test",
address@hidden "stf2lcWK",
address@hidden, output_target=<optimized out>,
address@hidden, address@hidden) at
../../binutils/objcopy.c:2879
#5 0x000000000041670f in strip_main (argv=<optimized out>, argc=<optimized
out>) at ../../binutils/objcopy.c:3790
#6 main (argc=<optimized out>, argv=<optimized out>) at
../../binutils/objcopy.c:4890
Best regards,
- Marcel
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/20931] New: STRIP crashes during copy of private bfd data,
boehme.marcel at gmail dot com <=