From: r3tr0spect2019 at gmail dot com
Subject: [Bug binutils/29846] New: NULL pointer segmentation fault when accessing field `the_bfd` in function `compare_symbols`
Date: Sun, 04 Dec 2022 03:34:03 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29846

            Bug ID: 29846
           Summary: NULL pointer segmentation fault when accessing field
                    `the_bfd` in function `compare_symbols`
           Product: binutils
           Version: 2.40 (HEAD)
            Status: UNCONFIRMED
          Severity: minor
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: r3tr0spect2019 at gmail dot com
  Target Milestone: ---

Created attachment 14478
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14478&action=edit
PoC

# Reproduce

cd binutils-gdb
git reset --hard aaa8dbc1b31233f66131476e03ab8635805e515d
mkdir build && cd build
../configure --disable-gdb --disable-gdbserver --disable-gdbsupport \
  --disable-libdecnumber --disable-readline --disable-sim --disable-libbacktrace \
  --disable-gas --disable-ld --disable-werror --enable-targets=all \
  CPPFLAGS=-DDEBUG CFLAGS="-g -O0 -fsanitize=address"
make all-binutils MAKEINFO=true && true
binutils/objdump -d the_bfd_null.elf

# Output

../the_bfd_null.elf:     file format elf32-sparc

binutils/objdump: ../the_bfd_null.elf: invalid string offset 626704 >= 3037 for
section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 557220 >= 3037 for
section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 896064 >= 3037 for
section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 1232935 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536969381 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536990215 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536903819 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 2684360832 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 447495 >= 3037 for
section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536990727 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 2686440967 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 1073709872 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 2684396036 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf: invalid string offset 536903844 >= 3037
for section `.dynstr'
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 50 has invalid
symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 51 has invalid
symbol index 1041
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 52 has invalid
symbol index 7044096
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 53 has invalid
symbol index 495360
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 55 has invalid
symbol index 1041
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 56 has invalid
symbol index 16342016
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 57 has invalid
symbol index 507904
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 59 has invalid
symbol index 1041
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 60 has invalid
symbol index 16596992
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 61 has invalid
symbol index 518656
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 62 has invalid
symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 64 has invalid
symbol index 6054912
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 65 has invalid
symbol index 526336
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 66 has invalid
symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 68 has invalid
symbol index 16527360
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 69 has invalid
symbol index 534784
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 70 has invalid
symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 71 has invalid
symbol index 32786
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 72 has invalid
symbol index 3463168
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 73 has invalid
symbol index 545536
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 74 has invalid
symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 75 has invalid
symbol index 20498
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 76 has invalid
symbol index 16640000
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 77 has invalid
symbol index 557312
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 78 has invalid
symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 80 has invalid
symbol index 5585920
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 81 has invalid
symbol index 562432
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 84 has invalid
symbol index 3666944
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 85 has invalid
symbol index 569856
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 86 has invalid
symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 87 has invalid
symbol index 29714
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 88 has invalid
symbol index 16486400
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 89 has invalid
symbol index 577536
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 90 has invalid
symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 91 has invalid
symbol index 20498
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 92 has invalid
symbol index 11744256
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 93 has invalid
symbol index 584448
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 94 has invalid
symbol index 2304
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 95 has invalid
symbol index 8210
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 96 has invalid
symbol index 11737088
binutils/objdump: ../the_bfd_null.elf(.rela.plt): relocation 97 has invalid
symbol index 595200
AddressSanitizer:DEADLYSIGNAL
=================================================================
==47678==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc
0x5624374ad9ff bp 0x7ffd6e78ffc0 sp 0x7ffd6e78ffb0 T0)
==47678==The signal is caused by a READ memory access.
==47678==Hint: address points to the zero page.
    #0 0x5624374ad9ff in bfd_get_flavour ../bfd/bfd.h:7805
    #1 0x5624374b1b77 in compare_symbols ../../binutils/objdump.c:1225
    #2 0x7f66174f840e in msort_with_tmp stdlib/msort.c:82
    #3 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:44
    #4 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:53
    #5 0x7f66174f83a4 in msort_with_tmp stdlib/msort.c:44
    #6 0x7f66174f83a4 in msort_with_tmp stdlib/msort.c:52
    #7 0x7f66174f83a4 in msort_with_tmp stdlib/msort.c:44
    #8 0x7f66174f83a4 in msort_with_tmp stdlib/msort.c:52
    #9 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:44
    #10 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:53
    #11 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:44
    #12 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:53
    #13 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:44
    #14 0x7f66174f83c1 in msort_with_tmp stdlib/msort.c:53
    #15 0x7f66174f8a55 in msort_with_tmp stdlib/msort.c:44
    #16 0x7f66174f8a55 in __GI___qsort_r stdlib/msort.c:296
    #17 0x7f661772f934 in __interceptor_qsort
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:9917
    #18 0x5624374bd547 in disassemble_section ../../binutils/objdump.c:3803
    #19 0x5624379b869d in bfd_map_over_sections ../../bfd/section.c:1374
    #20 0x5624374bf8a1 in disassemble_data ../../binutils/objdump.c:4175
    #21 0x5624374c769d in dump_bfd ../../binutils/objdump.c:5649
    #22 0x5624374c7977 in display_object_bfd ../../binutils/objdump.c:5712
    #23 0x5624374c7cb1 in display_any_bfd ../../binutils/objdump.c:5798
    #24 0x5624374c7d2a in display_file ../../binutils/objdump.c:5819
    #25 0x5624374c96e8 in main ../../binutils/objdump.c:6227
    #26 0x7f66174ddd8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #27 0x7f66174dde3f in __libc_start_main_impl ../csu/libc-start.c:392
    #28 0x5624374ad584 in _start
(/binutils-gdb/build/binutils/objdump+0xdfc584)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../bfd/bfd.h:7805 in bfd_get_flavour
==47678==ABORTING


# Analysis

This bug is a little bit similar to a previous one[1]. At function
`_bfd_elf_get_synthetic_symtab`, field `the_bfd` is indeed properly initialized
by copying the whole `asymbol` from `**p->sym_ptr_ptr`[2]. However, `p` is an
iterator of array `relplt->relocation`, which is initialized by
`asect->relocation = relents` at `elfcode.h`[3]. The `relents` variable is an
array of `arelent` structure, which is initialized at function
`elf_slurp_reloc_table_from_section`[4]. For the element that causes the NULL
pointer problem, which is index `54` for the PoC provided, it is initialized by
`relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr`[5], which copies a
pointer to a pointer to a global `asymbol` structure whose `the_bfd` is NULL to
`sym_ptr_ptr` field. Later on this field is used to initialize `*s`[2], so it
causes the NULL pointer exception.
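
The chain described above (a relocation with an invalid symbol index falls back to the abs section's global symbol, the synthetic symtab copies that `asymbol` wholesale, and a comparator later dereferences its NULL `the_bfd`) is easier to see in a small stand-alone model. The following C program is an added example and is not binutils code: the `bfd`, `asymbol` and flavour types are constructed stand-ins with only the fields needed here, and `build_synthetic`, `count_null_bfd`, `sort_synthetic` and the `scenario_*` functions are hypothetical names. It places the unguarded dereference next to a guarded comparator and a pre-sort check that counts synthetic symbols with no owning BFD, the condition a maintainer would want to detect or tolerate before handing the table to `qsort`.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the BFD types involved (not the bfd.h definitions). */
enum bfd_flavour { bfd_target_unknown_flavour = 0, bfd_target_elf_flavour = 1 };
typedef struct bfd { enum bfd_flavour flavour; } bfd;
typedef struct asymbol {
  bfd *the_bfd;          /* owning BFD; NULL for the global abs-section symbol */
  const char *name;
  unsigned long value;
} asymbol;

static bfd g_elf = { bfd_target_elf_flavour };
/* Mirrors the abs section's global symbol: it belongs to no file, so the_bfd is NULL. */
static asymbol g_abs_symbol = { NULL, "*ABS*", 0 };
static asymbol *g_abs_symbol_ptr = &g_abs_symbol;

/* The defective pattern: dereference the owning BFD unconditionally. */
static enum bfd_flavour flavour_unguarded(const asymbol *s) {
  return s->the_bfd->flavour;   /* NULL the_bfd -> read from the zero page */
}

/* Hardened pattern: returns 1 and a flavour when the symbol has an owning BFD,
 * 0 (with unknown flavour) when it does not, instead of dereferencing NULL. */
static int flavour_guarded(const asymbol *s, enum bfd_flavour *out) {
  if (s->the_bfd == NULL) { *out = bfd_target_unknown_flavour; return 0; }
  *out = flavour_unguarded(s);
  return 1;
}

/* qsort() comparator in the spirit of objdump's compare_symbols: order by value,
 * consult the flavour only when both symbols have an owning BFD, then fall back
 * to the name so the ordering stays total. */
static int compare_symbols_guarded(const void *ap, const void *bp) {
  const asymbol *a = *(const asymbol *const *)ap;
  const asymbol *b = *(const asymbol *const *)bp;
  if (a->value != b->value) return a->value < b->value ? -1 : 1;
  enum bfd_flavour fa, fb;
  if (flavour_guarded(a, &fa) && flavour_guarded(b, &fb) && fa != fb)
    return fa < fb ? -1 : 1;
  return strcmp(a->name, b->name);
}

static const char *const k_names[4] = { "plt0", "plt1", "plt2", "plt3" };

/* Fill out[0..n) the way the synthetic symtab copies each reloc's symbol
 * (out[i] = **sym_ptr_ptr). Entry bad_index has its sym_ptr_ptr pointed at the
 * abs symbol, like a relocation whose symbol index was invalid. n <= 4. */
static void build_synthetic(asymbol *out, size_t n, size_t bad_index) {
  static asymbol real[4];
  for (size_t i = 0; i < n; i++) {
    real[i].the_bfd = &g_elf;
    real[i].name = k_names[i];
    real[i].value = (unsigned long)(n - i) * 16;  /* descending, so sorting reorders */
    asymbol *src = &real[i];
    asymbol **sym_ptr_ptr = (i == bad_index) ? &g_abs_symbol_ptr : &src;
    out[i] = **sym_ptr_ptr;
  }
}

/* Pre-sort check: how many synthetic symbols carry no owning BFD. */
static size_t count_null_bfd(const asymbol *syms, size_t n) {
  size_t count = 0;
  for (size_t i = 0; i < n; i++) if (syms[i].the_bfd == NULL) count++;
  return count;
}

/* Sort via qsort() with the guarded comparator; returns 1 when the result is
 * non-decreasing in value, 0 otherwise. n <= 4. */
static int sort_synthetic(asymbol *syms, size_t n) {
  asymbol *ptrs[4];
  for (size_t i = 0; i < n; i++) ptrs[i] = &syms[i];
  qsort(ptrs, n, sizeof ptrs[0], compare_symbols_guarded);
  for (size_t i = 1; i < n; i++)
    if (ptrs[i - 1]->value > ptrs[i]->value) return 0;
  return 1;
}

/* Replays the report's situation with four entries; index 2 stands in for reloc 54. */
static size_t scenario_null_count(void) {
  asymbol t[4];
  build_synthetic(t, 4, 2);
  return count_null_bfd(t, 4);
}

static int scenario_sorts_ok(void) {
  asymbol t[4];
  build_synthetic(t, 4, 2);
  return sort_synthetic(t, 4);
}

int main(void) {
  printf("synthetic symbols with NULL the_bfd: %zu\n", scenario_null_count());
  printf("guarded sort succeeded: %d\n", scenario_sorts_ok());
  return 0;
}
```

Swapping `flavour_guarded` for a direct `the_bfd->flavour` read inside the comparator reproduces the zero-page read that AddressSanitizer reports above; the guarded version sorts the same table without touching the NULL pointer, which is the shape of fix the analysis points toward.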


[1] https://sourceware.org/bugzilla/show_bug.cgi?id=29677
[2] https://github.com/bminor/binutils-gdb/blob/aaa8dbc1b31233f66131476e03ab8635805e515d/bfd/elf.c#L13088
[3] https://github.com/bminor/binutils-gdb/blob/aaa8dbc1b31233f66131476e03ab8635805e515d/bfd/elfcode.h#L1640
[4] https://github.com/bminor/binutils-gdb/blob/aaa8dbc1b31233f66131476e03ab8635805e515d/bfd/elfcode.h#L1464
[5] https://github.com/bminor/binutils-gdb/blob/aaa8dbc1b31233f66131476e03ab8635805e515d/bfd/elfcode.h#L1521
