
[Bug binutils/23065] New: SEGFAULT in nm-new


From: thuanpv at comp dot nus.edu.sg
Subject: [Bug binutils/23065] New: SEGFAULT in nm-new
Date: Sat, 14 Apr 2018 04:08:14 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23065

            Bug ID: 23065
           Summary: SEGFAULT in nm-new
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Created attachment 10952
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10952&action=edit
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel
Böhme, Andrew Santosa and Alexandru Razvan Caciulescu.

This bug was found on Ubuntu 16.04 64-bit, and binutils was checked out from the
main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is
68e91e42492551e165b103d819c021c4953da10b (April 14 2018).


To reproduce:

Compile binutils with ASAN enabled

CC=gcc-6 CXX=g++-6 CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all
-fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error"
CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb
--disable-libdecnumber --disable-readline --disable-sim

Download the attached file - crash3
nm-new -l crash3

*ASAN says:

                 U abort@@GLIBC_2.2.5
00000000004076b0 T adjust_relative_path elfcomm.c:398
dwarf2.c:1569:24: runtime error: member access within null pointer of type
'struct line_info_table'
ASAN:DEADLYSIGNAL
=================================================================
==8280==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc
0x00000060bc37 bp 0x7ffea00f6420 sp 0x7ffea00f63d0 T0)
    #0 0x60bc36 in concat_filename dwarf2.c:1569
    #1 0x61520d in find_abstract_instance dwarf2.c:2971
    #2 0x616aec in scan_unit_for_symbols dwarf2.c:3169
    #3 0x619a72 in comp_unit_maybe_decode_line_info dwarf2.c:3662
    #4 0x619b48 in comp_unit_find_line dwarf2.c:3688
    #5 0x620efb in _bfd_dwarf2_find_nearest_line dwarf2.c:4646
    #6 0x53a09b in _bfd_elf_find_line
/home/thuan/experiments/binutils-gdb-asan-newest/bfd/elf.c:8782
    #7 0x4093da in print_symbol
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1008
    #8 0x409ca2 in print_symbols
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1089
    #9 0x40ab5a in display_rel_file
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1205
    #10 0x40b5cc in display_file
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1325
    #11 0x40e0e5 in main
/home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm.c:1799
    #12 0x7ff7288b382f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x403358 in _start
(/home/thuan/experiments/binutils-gdb-asan-newest/binutils/nm-new+0x403358)


*Valgrind says:

==16435== Warning: set address range perms: large range [0x5ae1040, 0x18ae1fb6)
(undefined)
==16435== Warning: set address range perms: large range [0x5ae1028, 0x18ae1fce)
(noaccess)
==16435== Warning: set address range perms: large range [0x5ae1040, 0x18ae1fb6)
(undefined)
==16435== Warning: set address range perms: large range [0x5ae1028, 0x18ae1fce)
(noaccess)
==16435== Invalid read of size 4
==16435==    at 0x5DF863: concat_filename (dwarf2.c:1569)
==16435==    by 0x5EF700: find_abstract_instance.isra.29 (dwarf2.c:2971)
==16435==    by 0x5F4DB5: scan_unit_for_symbols (dwarf2.c:3169)
==16435==    by 0x5F92D3: comp_unit_maybe_decode_line_info (dwarf2.c:3662)
==16435==    by 0x5F92D3: comp_unit_find_line (dwarf2.c:3688)
==16435==    by 0x60390E: _bfd_dwarf2_find_nearest_line (dwarf2.c:4646)
==16435==    by 0x52BE53: _bfd_elf_find_line (elf.c:8782)
==16435==    by 0x408CE5: print_symbol (nm.c:1008)
==16435==    by 0x409D74: print_symbols (nm.c:1089)
==16435==    by 0x409D74: display_rel_file (nm.c:1205)
==16435==    by 0x40D095: display_file (nm.c:1325)
==16435==    by 0x4056B1: main (nm.c:1799)
==16435==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==16435== 
==16435== 
==16435== Process terminating with default action of signal 11 (SIGSEGV)
==16435==  Access not within mapped region at address 0x8
==16435==    at 0x5DF863: concat_filename (dwarf2.c:1569)
==16435==    by 0x5EF700: find_abstract_instance.isra.29 (dwarf2.c:2971)
==16435==    by 0x5F4DB5: scan_unit_for_symbols (dwarf2.c:3169)
==16435==    by 0x5F92D3: comp_unit_maybe_decode_line_info (dwarf2.c:3662)
==16435==    by 0x5F92D3: comp_unit_find_line (dwarf2.c:3688)
==16435==    by 0x60390E: _bfd_dwarf2_find_nearest_line (dwarf2.c:4646)
==16435==    by 0x52BE53: _bfd_elf_find_line (elf.c:8782)
==16435==    by 0x408CE5: print_symbol (nm.c:1008)
==16435==    by 0x409D74: print_symbols (nm.c:1089)
==16435==    by 0x409D74: display_rel_file (nm.c:1205)
==16435==    by 0x40D095: display_file (nm.c:1325)
==16435==    by 0x4056B1: main (nm.c:1799)


Thanks,

Thuan
