[Bug binutils/25914] New: Bad free in binutils-2.34/bfd/coffgen.c:1782


From: xiaoxiong_wang at foxmail dot com
Subject: [Bug binutils/25914] New: Bad free in binutils-2.34/bfd/coffgen.c:1782
Date: Sun, 03 May 2020 15:01:38 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=25914

            Bug ID: 25914
           Summary: Bad free in binutils-2.34/bfd/coffgen.c:1782
           Product: binutils
           Version: 2.34
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: xiaoxiong_wang at foxmail dot com
  Target Milestone: ---

Created attachment 12500
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12500&action=edit
The file can cause objdump to crash with the parameter -d.

Tested in Ubuntu 16.04, 64bit.

I use the following command:

```shell
./objdump -d bad_free
```

and get (absolute path information omitted):

```
bad_free:     file format pei-i386


Disassembly of section .text:

00000000 <��>:
   0:   ff 25 00 00 00 00       jmp    *0x0
   6:   90                      nop
   7:   90                      nop
*** Error in `./objdump': free(): invalid pointer: 0x000000000104ab90 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc81e8287e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fc81e83137a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc81e83553c]
./objdump[0x87d831]
./objdump[0x61e7b3]
./objdump[0x40b569]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fc81e7d1830]
./objdump[0x40c2a9]
======= Memory map: ========
00400000-00b23000 r-xp 00000000 103:01 21657469                         ./objdump
00d22000-00d23000 r--p 00722000 103:01 21657469                         ./objdump
00d23000-00d2b000 rw-p 00723000 103:01 21657469                         ./objdump
00d2b000-00d34000 rw-p 00000000 00:00 0 
01046000-01067000 rw-p 00000000 00:00 0                                  [heap]
7fc818000000-7fc818021000 rw-p 00000000 00:00 0 
7fc818021000-7fc81c000000 ---p 00000000 00:00 0 
7fc81e10e000-7fc81e125000 r-xp 00000000 103:01 10504621                 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc81e125000-7fc81e324000 ---p 00017000 103:01 10504621                 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc81e324000-7fc81e325000 r--p 00016000 103:01 10504621                 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc81e325000-7fc81e326000 rw-p 00017000 103:01 10504621                 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc81e326000-7fc81e7b1000 r--p 00000000 103:01 14811834                 /usr/lib/locale/locale-archive
7fc81e7b1000-7fc81e971000 r-xp 00000000 103:01 10487655                 /lib/x86_64-linux-gnu/libc-2.23.so
7fc81e971000-7fc81eb71000 ---p 001c0000 103:01 10487655                 /lib/x86_64-linux-gnu/libc-2.23.so
7fc81eb71000-7fc81eb75000 r--p 001c0000 103:01 10487655                 /lib/x86_64-linux-gnu/libc-2.23.so
7fc81eb75000-7fc81eb77000 rw-p 001c4000 103:01 10487655                 /lib/x86_64-linux-gnu/libc-2.23.so
7fc81eb77000-7fc81eb7b000 rw-p 00000000 00:00 0 
7fc81eb7b000-7fc81eb7e000 r-xp 00000000 103:01 10485854                 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc81eb7e000-7fc81ed7d000 ---p 00003000 103:01 10485854                 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc81ed7d000-7fc81ed7e000 r--p 00002000 103:01 10485854                 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc81ed7e000-7fc81ed7f000 rw-p 00003000 103:01 10485854                 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc81ed7f000-7fc81eda5000 r-xp 00000000 103:01 10485855                 /lib/x86_64-linux-gnu/ld-2.23.so
7fc81ef71000-7fc81ef75000 rw-p 00000000 00:00 0 
7fc81ef9c000-7fc81ef9d000 rw-p 00000000 00:00 0 
7fc81ef9d000-7fc81efa4000 r--s 00000000 103:01 15079042                 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7fc81efa4000-7fc81efa5000 r--p 00025000 103:01 10485855                 /lib/x86_64-linux-gnu/ld-2.23.so
7fc81efa5000-7fc81efa6000 rw-p 00026000 103:01 10485855                 /lib/x86_64-linux-gnu/ld-2.23.so
7fc81efa6000-7fc81efa7000 rw-p 00000000 00:00 0 
7ffdb18b5000-7ffdb18d7000 rw-p 00000000 00:00 0                          [stack]
7ffdb1988000-7ffdb198b000 r--p 00000000 00:00 0                          [vvar]
7ffdb198b000-7ffdb198d000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

```

I use **AddressSanitizer** to build binutils 2.34 and run objdump with the
following command:

```shell
./objdump -d bad_free
```

This is the ASAN information (absolute path information omitted):

```
bad_free:     file format pei-i386


crashes/crashes1/id:000000,sig:06,src:002244,op:flip1,pos:12:     file format pei-i386


Disassembly of section .text:

00000000 <��>:
   0:   ff 25 00 00 00 00       jmp    *0x0
   6:   90                      nop
   7:   90                      nop
=================================================================
==17144==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x61e00000f4e0 in thread T0
    #0 0x7fa6f620432a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x69c8be in _bfd_coff_free_symbols binutils-2.34/bfd/coffgen.c:1782
    #2 0x6a437d in _bfd_coff_close_and_cleanup binutils-2.34/bfd/coffgen.c:3180
    #3 0x4f8498 in bfd_close_all_done binutils-2.34/bfd/opncls.c:789
    #4 0x4186f6 in display_file objdump.c:5016
    #5 0x4199a4 in main objdump.c:5349
    #6 0x7fa6f5bbe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x403418 in _start (objdump+0x403418)

0x61e00000f4e0 is located 1120 bytes inside of 2511-byte region [0x61e00000f080,0x61e00000fa4f)
allocated by thread T0 here:
    #0 0x7fa6f6204662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x4f3bec in bfd_malloc binutils-2.34/bfd/libbfd.c:275
    #2 0x4f3dcd in bfd_zmalloc binutils-2.34/bfd/libbfd.c:360
    #3 0x6520e2 in pe_ILF_build_a_bfd binutils-2.34/bfd/peicode.h:834
    #4 0x653c32 in pe_ILF_object_p binutils-2.34/bfd/peicode.h:1302
    #5 0x6546d0 in pe_bfd_object_p binutils-2.34/bfd/peicode.h:1428
    #6 0x4f02bd in bfd_check_format_matches binutils-2.34/bfd/format.c:328
    #7 0x418349 in display_object_bfd objdump.c:4890
    #8 0x418661 in display_any_bfd objdump.c:4982
    #9 0x4186d6 in display_file objdump.c:5003
    #10 0x4199a4 in main objdump.c:5349
    #11 0x7fa6f5bbe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==17144==ABORTING
```

I use **valgrind** to analyze the bug and get the below information (absolute
path information omitted):

```
==3062== Memcheck, a memory error detector
==3062== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==3062== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==3062== Command: ./objdump -d bad_free
==3062== 

bad_free:     file format pei-i386


Disassembly of section .text:

00000000 <��>:
   0:   ff 25 00 00 00 00       jmp    *0x0
   6:   90                      nop
   7:   90                      nop
==3062== Invalid free() / delete / delete[] / realloc()
==3062==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3062==    by 0x87D830: _bfd_coff_free_symbols (coffgen.c:1782)
==3062==    by 0x87D830: _bfd_coff_close_and_cleanup (coffgen.c:3180)
==3062==    by 0x61E7B2: bfd_close_all_done (opncls.c:789)
==3062==    by 0x40B568: display_file (objdump.c:5016)
==3062==    by 0x40B568: main (objdump.c:5349)
==3062==  Address 0x541f340 is 1,120 bytes inside a block of size 2,511 alloc'd
==3062==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3062==    by 0x616258: bfd_malloc (libbfd.c:275)
==3062==    by 0x616258: bfd_zmalloc (libbfd.c:360)
==3062==    by 0x826A91: pe_ILF_build_a_bfd (peicode.h:834)
==3062==    by 0x826A91: pe_ILF_object_p (peicode.h:1302)
==3062==    by 0x826A91: pe_bfd_object_p (peicode.h:1428)
==3062==    by 0x60C587: bfd_check_format_matches (format.c:328)
==3062==    by 0x42247F: display_object_bfd (objdump.c:4890)
==3062==    by 0x42247F: display_any_bfd (objdump.c:4982)
==3062==    by 0x40B51D: display_file (objdump.c:5003)
==3062==    by 0x40B51D: main (objdump.c:5349)
==3062== 
==3062== Invalid free() / delete / delete[] / realloc()
==3062==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3062==    by 0x87D90C: _bfd_coff_free_symbols (coffgen.c:1789)
==3062==    by 0x87D90C: _bfd_coff_close_and_cleanup (coffgen.c:3180)
==3062==    by 0x61E7B2: bfd_close_all_done (opncls.c:789)
==3062==    by 0x40B568: display_file (objdump.c:5016)
==3062==    by 0x40B568: main (objdump.c:5349)
==3062==  Address 0x541f5d0 is 1,776 bytes inside a block of size 2,511 alloc'd
==3062==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3062==    by 0x616258: bfd_malloc (libbfd.c:275)
==3062==    by 0x616258: bfd_zmalloc (libbfd.c:360)
==3062==    by 0x826A91: pe_ILF_build_a_bfd (peicode.h:834)
==3062==    by 0x826A91: pe_ILF_object_p (peicode.h:1302)
==3062==    by 0x826A91: pe_bfd_object_p (peicode.h:1428)
==3062==    by 0x60C587: bfd_check_format_matches (format.c:328)
==3062==    by 0x42247F: display_object_bfd (objdump.c:4890)
==3062==    by 0x42247F: display_any_bfd (objdump.c:4982)
==3062==    by 0x40B51D: display_file (objdump.c:5003)
==3062==    by 0x40B51D: main (objdump.c:5349)
==3062== 
==3062== 
==3062== HEAP SUMMARY:
==3062==     in use at exit: 0 bytes in 0 blocks
==3062==   total heap usage: 70 allocs, 72 frees, 141,767 bytes allocated
==3062== 
==3062== All heap blocks were freed -- no leaks are possible
==3062== 
==3062== For counts of detected and suppressed errors, rerun with: -v
==3062== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
```

From the above analysis, we can see that the memory is allocated in function
`bfd_malloc` of `bfd/libbfd.c` and there is a bad free in function
`_bfd_coff_free_symbols` of `bfd/coffgen.c` which causes a crash.

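The two traces above show the shape of the defect rather than just its location: the ASan allocation stack ends in one `bfd_zmalloc` call from `pe_ILF_build_a_bfd`, while the free happens 1120 bytes (and, in the second valgrind report, 1776 bytes) inside that block. A symbol table carved out of a single arena is being released by generic cleanup code that assumes the table owns its own allocation. The following C program is an added illustration of that bug class and of the ownership check that prevents it; it is not binutils code, and `object_t`, `build_from_arena`, `build_separate`, `cleanup_unconditional_is_bad` and `cleanup_owned` are hypothetical names chosen for the example. The sizes 2511 and 1120 are taken from the ASan report; everything else is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical object modelled on the two allocation patterns in the report:
   a loader that carves its symbol table out of one arena versus one that
   allocates the table separately.  Field names and layout are assumptions. */
typedef struct {
    unsigned char *arena;   /* single zeroed block, may be NULL */
    size_t arena_size;
    char *symtab;           /* symbol table: inside arena, or its own block */
    int symtab_owned;       /* 1 when symtab must be freed on its own */
} object_t;

/* Is p strictly inside o->arena (not its base)?  Passing such a pointer to
   free() is the "bad-free" / "Invalid free()" that ASan and valgrind flag. */
int is_interior(const object_t *o, const void *p)
{
    uintptr_t base = (uintptr_t)o->arena, q = (uintptr_t)p;
    return o->arena != NULL && q > base && q < base + o->arena_size;
}

/* Arena-style construction: one calloc, symtab carved at sym_off. */
int build_from_arena(object_t *o, size_t arena_size, size_t sym_off)
{
    memset(o, 0, sizeof *o);
    if (sym_off >= arena_size)
        return 0;
    o->arena = calloc(1, arena_size);
    if (o->arena == NULL)
        return 0;
    o->arena_size = arena_size;
    o->symtab = (char *)o->arena + sym_off;
    o->symtab_owned = 0;        /* the arena owns this memory */
    return 1;
}

/* Ordinary construction: symtab is its own heap block. */
int build_separate(object_t *o, size_t symtab_size)
{
    memset(o, 0, sizeof *o);
    o->symtab = calloc(1, symtab_size);
    if (o->symtab == NULL)
        return 0;
    o->symtab_owned = 1;
    return 1;
}

/* The pattern in the report: cleanup would free symtab unconditionally.
   Rather than calling free() (which aborts in the arena case) this reports
   whether that call would be a free of an interior pointer. */
int cleanup_unconditional_is_bad(const object_t *o)
{
    return o->symtab != NULL && is_interior(o, o->symtab);
}

/* Ownership-aware cleanup: free only what each field actually owns.
   Returns the number of free() calls made so a caller can check it. */
int cleanup_owned(object_t *o)
{
    int frees = 0;
    if (o->symtab_owned && o->symtab != NULL) {
        free(o->symtab);
        frees++;
    }
    o->symtab = NULL;
    if (o->arena != NULL) {
        free(o->arena);
        frees++;
    }
    o->arena = NULL;
    o->arena_size = 0;
    return frees;
}

int main(void)
{
    object_t a, b;
    build_from_arena(&a, 2511, 1120);   /* offsets from the ASan report */
    build_separate(&b, 64);
    printf("arena-carved symtab: unconditional free is bad? %d\n",
           cleanup_unconditional_is_bad(&a));
    printf("separate symtab:     unconditional free is bad? %d\n",
           cleanup_unconditional_is_bad(&b));
    printf("frees by ownership-aware cleanup: %d\n", cleanup_owned(&a));
    printf("frees by ownership-aware cleanup: %d\n", cleanup_owned(&b));
    return 0;
}
```

Built with `-fsanitize=address`, a variant of `cleanup_owned` that ignored `symtab_owned` would produce the same `attempting free on address which was not malloc()-ed` report as above, with the allocation stack pointing at the single `calloc` in `build_from_arena`; the ownership flag is what lets one cleanup routine serve both construction paths safely.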
