Subject: [Bug binutils/25073] New: invalid free in function _bfd_dwarf2_cleanup_debug_info
From: bugzilla.sourceware at qiushi dot ac.cn
Date: Mon, 07 Oct 2019 16:54:45 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=25073
Bug ID: 25073
Summary: invalid free in function _bfd_dwarf2_cleanup_debug_info
Product: binutils
Version: 2.34 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: bugzilla.sourceware at qiushi dot ac.cn
Target Milestone: ---
Created attachment 12028
--> https://sourceware.org/bugzilla/attachment.cgi?id=12028&action=edit
poc4
poc4:
```
# gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc4_invalid-free__bfd_dwarf2_cleanup_debug_info' -ex bt -ex quit
free(): invalid next size (normal)
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff7603801 in __GI_abort () at abort.c:79
#2 0x00007ffff764c897 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff7779b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff765390a in malloc_printerr (str=str@entry=0x7ffff777b8b8
"free(): invalid next size (normal)") at malloc.c:5350
#4 0x00007ffff765b0ad in _int_free (have_lock=0, p=0xa18a40, av=0x7ffff79aec40
<main_arena>) at malloc.c:4286
#5 __GI___libc_free (mem=0xa18a50) at malloc.c:3124
#6 0x00000000006133b1 in _bfd_dwarf2_cleanup_debug_info
(abfd=abfd@entry=0xa0d6b0, pinfo=pinfo@entry=0xa0db30) at ./dwarf2.c:5010
#7 0x00000000006138ab in _bfd_dwarf2_slurp_debug_info
(abfd=abfd@entry=0xa0d6b0, debug_bfd=debug_bfd@entry=0x0,
debug_sections=0x7c6e20 <dwarf_debug_sections>, symbols=symbols@entry=0xa181f0,
pinfo=pinfo@entry=0xa0db30, do_place=1) at ./dwarf2.c:4354
#8 0x0000000000617ecb in _bfd_dwarf2_find_nearest_line
(abfd=abfd@entry=0xa0d6b0, symbols=symbols@entry=0xa181f0,
symbol=symbol@entry=0x0, section=section@entry=0xa0e890, offset=offset@entry=0,
filename_ptr=filename_ptr@entry=0x7fffffffe198,
functionname_ptr=0x7fffffffe1c0, linenumber_ptr=0x7fffffffe194,
discriminator_ptr=0x0, debug_sections=0x7c6e20 <dwarf_debug_sections>,
pinfo=0xa0db30)
at ./dwarf2.c:4687
#9 0x0000000000539f6d in _bfd_elf_find_nearest_line (abfd=0xa0d6b0,
symbols=0xa181f0, section=0xa0e890, offset=0, filename_ptr=0x7fffffffe198,
functionname_ptr=0x7fffffffe1c0, line_ptr=0x7fffffffe194,
discriminator_ptr=0x0) at elf.c:9005
#10 0x000000000040969b in print_symbol (abfd=abfd@entry=0xa0d6b0,
sym=<optimized out>, ssize=ssize@entry=0, archive_bfd=archive_bfd@entry=0x0) at
nm.c:1008
#11 0x000000000040a59d in print_symbols (archive_bfd=0x0, size=8,
symcount=<optimized out>, minisyms=<optimized out>, is_dynamic=1,
abfd=0xa0d6b0) at nm.c:1088
#12 display_rel_file (abfd=abfd@entry=0xa0d6b0,
archive_bfd=archive_bfd@entry=0x0) at nm.c:1210
#13 0x000000000040d6de in display_file (filename=0x7fffffffe732
"poc4_invalid-free__bfd_dwarf2_cleanup_debug_info") at nm.c:1377
#14 0x0000000000405882 in main (argc=11, argv=0x7fffffffe438) at nm.c:1858
```
poc5:
```
Step 10/10 : RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc5_invalid-free__bfd_dwarf2_cleanup_debug_info || exit 0
---> Running in 7107b71ec7d3
./binutils-gdb/binutils/nm-new: warning:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a
size (1e0000000008) larger than the file size
./binutils-gdb/binutils/nm-new: warning:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a
size (fffffffffffffec0) larger than the file size
./binutils-gdb/binutils/nm-new:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info: unknown type [0xff000001]
section `.debug_aranges'
./binutils-gdb/binutils/nm-new: warning:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a
size (1e0000000008) larger than the file size
./binutils-gdb/binutils/nm-new: warning:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a
size (fffffffffffffec0) larger than the file size
./binutils-gdb/binutils/nm-new:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info: warning: sh_link not set for
section `.debug_aranges'
=================================================================
==7==ERROR: AddressSanitizer: attempting free on address which was not
malloc()-ed: 0x61200000b5c0 in thread T0
#0 0x7ffff6f022ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x6a2c70 in _bfd_dwarf2_cleanup_debug_info dwarf2.c:5018
#2 0x6a3332 in _bfd_dwarf2_slurp_debug_info dwarf2.c:4354
#3 0x6a7a8e in _bfd_dwarf2_find_nearest_line dwarf2.c:4687
#4 0x587f99 in _bfd_elf_find_nearest_line /binutils-gdb/bfd/elf.c:9005
#5 0x40d9be in print_symbol /binutils-gdb/binutils/nm.c:1008
#6 0x40ec98 in print_symbols /binutils-gdb/binutils/nm.c:1088
#7 0x40ec98 in display_rel_file /binutils-gdb/binutils/nm.c:1210
#8 0x411b5d in display_file /binutils-gdb/binutils/nm.c:1377
#9 0x4077a7 in main /binutils-gdb/binutils/nm.c:1858
#10 0x7ffff66a282f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x4094b8 in _start (/binutils-gdb/binutils/nm-new+0x4094b8)
0x61200000b5c0 is located 48 bytes inside of 253629440-byte region
[0x61200000b590,0x61200f1ec990)
==7==AddressSanitizer CHECK failed:
../../../../src/libsanitizer/asan/asan_allocator2.cc:186 "((res.trace)) != (0)"
(0x0, 0x0)
#0 0x7ffff6f0a631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
#1 0x7ffff6f0f5e3 in __sanitizer::CheckFailed(char const*, int, char
const*, unsigned long long, unsigned long long)
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
#2 0x7ffff6e8776c (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d76c)
#3 0x7ffff6e8861e (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1e61e)
#4 0x7ffff6f07380 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9d380)
#5 0x7ffff6f08727 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9e727)
#6 0x7ffff6e8b617 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x21617)
#7 0x7ffff6f0229d in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
#8 0x6a2c70 in _bfd_dwarf2_cleanup_debug_info dwarf2.c:5018
#9 0x6a3332 in _bfd_dwarf2_slurp_debug_info dwarf2.c:4354
#10 0x6a7a8e in _bfd_dwarf2_find_nearest_line dwarf2.c:4687
#11 0x587f99 in _bfd_elf_find_nearest_line /binutils-gdb/bfd/elf.c:9005
#12 0x40d9be in print_symbol /binutils-gdb/binutils/nm.c:1008
#13 0x40ec98 in print_symbols /binutils-gdb/binutils/nm.c:1088
#14 0x40ec98 in display_rel_file /binutils-gdb/binutils/nm.c:1210
#15 0x411b5d in display_file /binutils-gdb/binutils/nm.c:1377
#16 0x4077a7 in main /binutils-gdb/binutils/nm.c:1858
#17 0x7ffff66a282f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#18 0x4094b8 in _start (/binutils-gdb/binutils/nm-new+0x4094b8)
```
A reproducible docker image has been pushed to
`zjuchenyuan/dockerized_poc:binutils-pocs`, but the ASAN build seems unable to
give backtrace information.
Dockerfile: (I would suggest removing the AFL_USE_ASAN environment variable if
you want to get the poc4 backtrace information)
```
FROM zjuchenyuan/afl
ENV AFL_USE_ASAN=1
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done &&\
    cd binutils &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt
RUN apt install -y gdb &&\
    echo -e "set pagination off\nset confirm off" > /root/.gdbinit
ADD . /
# we may need to compile again without ASAN to use gdb
RUN gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc4_invalid-free__bfd_dwarf2_cleanup_debug_info' -ex bt -ex quit
RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc5_invalid-free__bfd_dwarf2_cleanup_debug_info || exit 0
```