[Bug binutils/22887] New: null pointer dereference in aout_32_swap_std_r
From: luanjunchao at 163 dot com
Subject: [Bug binutils/22887] New: null pointer dereference in aout_32_swap_std_reloc_out
Date: Sat, 24 Feb 2018 06:24:55 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=22887
Bug ID: 22887
Summary: null pointer dereference in aout_32_swap_std_reloc_out
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: luanjunchao at 163 dot com
Target Milestone: ---
The test command is objcopy with a specific ELF file.
Below is part of the gdb debugging output.
Program received signal SIGSEGV, Segmentation fault.
0x084cf65c in aout_32_swap_std_reloc_out (natptr=0xf590528c, g=0xf4b03fe8,
abfd=<optimized out>) at /work/binutils-gdb/bfd/aoutx.h:1971
1971 asection *output_section = sym->section->output_section;
(gdb) bt
#0 0x084cf65c in aout_32_swap_std_reloc_out (natptr=0xf590528c, g=0xf4b03fe8,
abfd=<optimized out>) at /work/binutils-gdb/bfd/aoutx.h:1971
#1 aout_32_squirt_out_relocs (abfd=0xf5b03970, section=0xf5903d48) at
/work/binutils-gdb/bfd/aoutx.h:2444
#2 0x0849ae05 in i386linux_write_object_contents (abfd=0xf5b03970) at
/work/binutils-gdb/bfd/i386linux.c:77
#3 0x081a9940 in bfd_close (abfd=0xf5b03970) at
/work/binutils-gdb/bfd/opncls.c:731
#4 0x08080bbe in copy_file (address@hidden
"out/slave/crashes/id:000125,sig:06,src:003346+002348,op:splice,rep:8",
address@hidden "out/slave/crashes/stv31c0r",
input_target=<optimized out>,
output_target=0x87f6320 "a.out-i386-linux", input_arch=0x0) at
/work/binutils-gdb/binutils/objcopy.c:3530
#5 0x0805b429 in copy_main (argv=<optimized out>, argc=<optimized out>) at
/work/binutils-gdb/binutils/objcopy.c:5478
#6 main (argc=2, argv=0xffffd7c4) at
/work/binutils-gdb/binutils/objcopy.c:5582
(gdb) list
1966 asymbol *sym = *(g->sym_ptr_ptr);
1967 int r_extern;
1968 unsigned int r_length;
1969 int r_pcrel;
1970 int r_baserel, r_jmptable, r_relative;
1971 asection *output_section = sym->section->output_section;
1972
1973 PUT_WORD (abfd, g->address, natptr->r_address);
1974
1975 BFD_ASSERT (g->howto != NULL);
(gdb) p sym
$1 = (asymbol *) 0x0
It seems that there is a lack of a check for whether sym is null.
The test ELF file is
https://github.com/skysider/FuzzVuln/blob/master/binutils_objcopy_null_pointer_dereference_aout_32_swap_std_reloc_out.elf
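The crash site in the listing above dereferences `sym->section->output_section` after loading `sym` from `*(g->sym_ptr_ptr)`, and gdb shows `sym` is `0x0`. The following is an added illustration, not binutils code: it models that pointer chain with constructed structs (the field names mirror the gdb listing, but the types and fixtures are invented here), places the unchecked lookup beside a version that refuses a NULL symbol slot instead of dereferencing it, and exercises both on a well-formed reloc and on one whose symbol slot is NULL, as a fuzzed input can produce.

```c
/* Added example, not binutils code: a minimal model of the pointer chain
   the backtrace walks (reloc -> sym_ptr_ptr -> asymbol -> asection ->
   output_section) and a NULL-checked version of the lookup.  All structs
   and fixtures below are constructed for this example. */
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

struct section {
    const char *name;
    struct section *output_section;
};

struct symbol {
    const char *name;
    struct section *section;
};

struct reloc {
    struct symbol **sym_ptr_ptr;  /* may point at a NULL entry in a fuzzed input */
    unsigned long address;
};

/* Mirrors the unchecked pattern at aoutx.h:1971: crashes when *sym_ptr_ptr is NULL. */
static struct section *output_section_unchecked(const struct reloc *g)
{
    struct symbol *sym = *(g->sym_ptr_ptr);
    return sym->section->output_section;
}

/* Hardened lookup: every link in the chain is checked, and a missing symbol,
   section or output section is reported as failure rather than dereferenced. */
static bool output_section_checked(const struct reloc *g, struct section **out)
{
    *out = NULL;
    if (g == NULL || g->sym_ptr_ptr == NULL)
        return false;
    struct symbol *sym = *(g->sym_ptr_ptr);
    if (sym == NULL || sym->section == NULL)
        return false;
    *out = sym->section->output_section;
    return *out != NULL;
}

/* Constructed fixtures: one well-formed reloc and one whose symbol slot is
   NULL, which is the state gdb printed as "$1 = (asymbol *) 0x0". */
static struct section text_out = { ".text", NULL };
static struct section text_in = { ".text", &text_out };
static struct symbol good_sym = { "foo", &text_in };
static struct symbol *good_slot = &good_sym;
static struct symbol *null_slot = NULL;
static struct reloc good_reloc = { &good_slot, 0x10 };
static struct reloc bad_reloc = { &null_slot, 0x20 };

int main(void)
{
    struct section *s;
    printf("good reloc -> %s\n",
           output_section_checked(&good_reloc, &s) ? s->name : "(none)");
    printf("bad reloc  -> %s\n",
           output_section_checked(&bad_reloc, &s) ? s->name : "(rejected)");
    /* output_section_unchecked(&bad_reloc) would segfault here, as in the report. */
    return 0;
}
```

The checked variant turns the malformed input into an ordinary error return that the caller (here, the relocation writer) can surface as a rejected object file, which is the behaviour a tool like objcopy should have on hostile input rather than a SIGSEGV.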
Follow-ups in this thread:
- [Bug binutils/22887] null pointer dereference in aout_32_swap_std_reloc_out, luanjunchao at 163 dot com, 2018/02/27
- [Bug binutils/22887] null pointer dereference in aout_32_swap_std_reloc_out, amodra at gmail dot com, 2018/02/28
- [Bug binutils/22887] null pointer dereference in aout_32_swap_std_reloc_out, cvs-commit at gcc dot gnu.org, 2018/02/28
- [Bug binutils/22887] null pointer dereference in aout_32_swap_std_reloc_out, luanjunchao at 163 dot com, 2018/02/28
- [Bug binutils/22887] null pointer dereference in aout_32_swap_std_reloc_out, cvs-commit at gcc dot gnu.org, 2018/02/28
- [Bug binutils/22887] null pointer dereference in aout_32_swap_std_reloc_out, amodra at gmail dot com, 2018/02/28