[Bug binutils/25073] New: invalid free in function _bfd_dwarf2_cleanup_


From: bugzilla.sourceware at qiushi dot ac.cn
Subject: [Bug binutils/25073] New: invalid free in function _bfd_dwarf2_cleanup_debug_info
Date: Mon, 07 Oct 2019 16:54:45 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=25073

            Bug ID: 25073
           Summary: invalid free in function
                    _bfd_dwarf2_cleanup_debug_info
           Product: binutils
           Version: 2.34 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: bugzilla.sourceware at qiushi dot ac.cn
  Target Milestone: ---

Created attachment 12028
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12028&action=edit
poc4

poc4:

```
# gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms
--synthetic --with-symbol-versions -D
poc4_invalid-free__bfd_dwarf2_cleanup_debug_info' -ex bt -ex quit

free(): invalid next size (normal)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7603801 in __GI_abort () at abort.c:79
#2  0x00007ffff764c897 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff7779b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff765390a in malloc_printerr (str=str@entry=0x7ffff777b8b8
"free(): invalid next size (normal)") at malloc.c:5350
#4  0x00007ffff765b0ad in _int_free (have_lock=0, p=0xa18a40, av=0x7ffff79aec40
<main_arena>) at malloc.c:4286
#5  __GI___libc_free (mem=0xa18a50) at malloc.c:3124
#6  0x00000000006133b1 in _bfd_dwarf2_cleanup_debug_info
(abfd=abfd@entry=0xa0d6b0, pinfo=pinfo@entry=0xa0db30) at ./dwarf2.c:5010
#7  0x00000000006138ab in _bfd_dwarf2_slurp_debug_info
(abfd=abfd@entry=0xa0d6b0, debug_bfd=debug_bfd@entry=0x0,
debug_sections=0x7c6e20 <dwarf_debug_sections>, symbols=symbols@entry=0xa181f0,
    pinfo=pinfo@entry=0xa0db30, do_place=1) at ./dwarf2.c:4354
#8  0x0000000000617ecb in _bfd_dwarf2_find_nearest_line
(abfd=abfd@entry=0xa0d6b0, symbols=symbols@entry=0xa181f0,
symbol=symbol@entry=0x0, section=section@entry=0xa0e890, offset=offset@entry=0,
    filename_ptr=filename_ptr@entry=0x7fffffffe198,
functionname_ptr=0x7fffffffe1c0, linenumber_ptr=0x7fffffffe194,
discriminator_ptr=0x0, debug_sections=0x7c6e20 <dwarf_debug_sections>,
pinfo=0xa0db30)
    at ./dwarf2.c:4687
#9  0x0000000000539f6d in _bfd_elf_find_nearest_line (abfd=0xa0d6b0,
symbols=0xa181f0, section=0xa0e890, offset=0, filename_ptr=0x7fffffffe198,
functionname_ptr=0x7fffffffe1c0, line_ptr=0x7fffffffe194,
    discriminator_ptr=0x0) at elf.c:9005
#10 0x000000000040969b in print_symbol (abfd=abfd@entry=0xa0d6b0,
sym=<optimized out>, ssize=ssize@entry=0, archive_bfd=archive_bfd@entry=0x0) at
nm.c:1008
#11 0x000000000040a59d in print_symbols (archive_bfd=0x0, size=8,
symcount=<optimized out>, minisyms=<optimized out>, is_dynamic=1,
abfd=0xa0d6b0) at nm.c:1088
#12 display_rel_file (abfd=abfd@entry=0xa0d6b0,
archive_bfd=archive_bfd@entry=0x0) at nm.c:1210
#13 0x000000000040d6de in display_file (filename=0x7fffffffe732
"poc4_invalid-free__bfd_dwarf2_cleanup_debug_info") at nm.c:1377
#14 0x0000000000405882 in main (argc=11, argv=0x7fffffffe438) at nm.c:1858
```
poc5:

```
Step 10/10 : RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms
--synthetic --with-symbol-versions -D
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info || exit 0
 ---> Running in 7107b71ec7d3
./binutils-gdb/binutils/nm-new: warning:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a
size (1e0000000008) larger than the file size
./binutils-gdb/binutils/nm-new: warning:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a
size (fffffffffffffec0) larger than the file size
./binutils-gdb/binutils/nm-new:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info: unknown type [0xff000001]
section `.debug_aranges'
./binutils-gdb/binutils/nm-new: warning:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a
size (1e0000000008) larger than the file size
./binutils-gdb/binutils/nm-new: warning:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info has a corrupt section with a
size (fffffffffffffec0) larger than the file size
./binutils-gdb/binutils/nm-new:
poc5_invalid-free__bfd_dwarf2_cleanup_debug_info: warning: sh_link not set for
section `.debug_aranges'
=================================================================
==7==ERROR: AddressSanitizer: attempting free on address which was not
malloc()-ed: 0x61200000b5c0 in thread T0
    #0 0x7ffff6f022ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x6a2c70 in _bfd_dwarf2_cleanup_debug_info dwarf2.c:5018
    #2 0x6a3332 in _bfd_dwarf2_slurp_debug_info dwarf2.c:4354
    #3 0x6a7a8e in _bfd_dwarf2_find_nearest_line dwarf2.c:4687
    #4 0x587f99 in _bfd_elf_find_nearest_line /binutils-gdb/bfd/elf.c:9005
    #5 0x40d9be in print_symbol /binutils-gdb/binutils/nm.c:1008
    #6 0x40ec98 in print_symbols /binutils-gdb/binutils/nm.c:1088
    #7 0x40ec98 in display_rel_file /binutils-gdb/binutils/nm.c:1210
    #8 0x411b5d in display_file /binutils-gdb/binutils/nm.c:1377
    #9 0x4077a7 in main /binutils-gdb/binutils/nm.c:1858
    #10 0x7ffff66a282f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4094b8 in _start (/binutils-gdb/binutils/nm-new+0x4094b8)

0x61200000b5c0 is located 48 bytes inside of 253629440-byte region
[0x61200000b590,0x61200f1ec990)
==7==AddressSanitizer CHECK failed:
../../../../src/libsanitizer/asan/asan_allocator2.cc:186 "((res.trace)) != (0)"
(0x0, 0x0)
    #0 0x7ffff6f0a631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7ffff6f0f5e3 in __sanitizer::CheckFailed(char const*, int, char
const*, unsigned long long, unsigned long long)
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
    #2 0x7ffff6e8776c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d76c)
    #3 0x7ffff6e8861e  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1e61e)
    #4 0x7ffff6f07380  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9d380)
    #5 0x7ffff6f08727  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9e727)
    #6 0x7ffff6e8b617  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x21617)
    #7 0x7ffff6f0229d in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
    #8 0x6a2c70 in _bfd_dwarf2_cleanup_debug_info dwarf2.c:5018
    #9 0x6a3332 in _bfd_dwarf2_slurp_debug_info dwarf2.c:4354
    #10 0x6a7a8e in _bfd_dwarf2_find_nearest_line dwarf2.c:4687
    #11 0x587f99 in _bfd_elf_find_nearest_line /binutils-gdb/bfd/elf.c:9005
    #12 0x40d9be in print_symbol /binutils-gdb/binutils/nm.c:1008
    #13 0x40ec98 in print_symbols /binutils-gdb/binutils/nm.c:1088
    #14 0x40ec98 in display_rel_file /binutils-gdb/binutils/nm.c:1210
    #15 0x411b5d in display_file /binutils-gdb/binutils/nm.c:1377
    #16 0x4077a7 in main /binutils-gdb/binutils/nm.c:1858
    #17 0x7ffff66a282f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x4094b8 in _start (/binutils-gdb/binutils/nm-new+0x4094b8)

```
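The two `corrupt section with a size ... larger than the file size` warnings in the poc5 log come from a sanity check on ELF section headers. As an added illustration (not bfd's own code), the C program below contrasts a naive `sh_offset + sh_size` comparison, which wraps around on a size like `0xfffffffffffffec0`, with an overflow-safe form of the same check; the section table and the `file_size` of `0x2000` are constructed for the example, using the two sizes reported on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of an ELF64 section header with only the fields the
   check needs.  Constructed for this example, not bfd's structures. */
struct sec_hdr {
    const char *name;
    uint64_t sh_offset;
    uint64_t sh_size;
};

/* Constructed table: a sane section plus the two sizes from the poc5 warnings. */
static const struct sec_hdr sample_table[] = {
    {".text",          0x40,  0x100},
    {".debug_info",    0x140, 0x1e0000000008ULL},
    {".debug_aranges", 0x200, 0xfffffffffffffec0ULL},
};
#define SAMPLE_COUNT (sizeof sample_table / sizeof sample_table[0])
#define SAMPLE_FILE_SIZE 0x2000ULL   /* assumed file size for the example */

/* Naive check: uint64 addition wraps, so 0x200 + 0xfffffffffffffec0
   becomes 0xc0 and the corrupt section appears to fit. */
bool section_fits_naive(const struct sec_hdr *s, uint64_t file_size) {
    return s->sh_offset + s->sh_size <= file_size;
}

/* Overflow-safe check: compare each operand against file_size before
   subtracting, so no intermediate value can wrap. */
bool section_fits_safe(const struct sec_hdr *s, uint64_t file_size) {
    if (s->sh_offset > file_size) return false;
    return s->sh_size <= file_size - s->sh_offset;
}

/* Returns how many sections of the sample table a given check rejects. */
int count_rejected(bool (*check)(const struct sec_hdr *, uint64_t)) {
    int rejected = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (!check(&sample_table[i], SAMPLE_FILE_SIZE))
            rejected++;
    return rejected;
}

int main(void) {
    printf("naive check rejects %d section(s)\n", count_rejected(section_fits_naive));
    printf("safe check rejects  %d section(s)\n", count_rejected(section_fits_safe));
    return 0;
}
```

The naive check rejects only `.debug_info`; the safe check also rejects `.debug_aranges`, whose size wrapped past the file size in the naive addition.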


A reproducible docker image has been pushed to
`zjuchenyuan/dockerized_poc:binutils-pocs`, but the ASAN build seems unable to
give backtrace information.

Dockerfile: (I would suggest removing the AFL_USE_ASAN environment variable if
you want to get the poc4 backtrace information)

```
FROM zjuchenyuan/afl
ENV AFL_USE_ASAN=1
# Build bfd, libiberty, opcodes and libctf, then the binutils tools (each
# command is on one logical line; a bare newline would end the RUN instruction).
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done &&\
    cd binutils &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt

# printf is used instead of `echo -e`, which /bin/sh may not understand.
RUN apt install -y gdb &&\
    printf 'set pagination off\nset confirm off\n' > /root/.gdbinit

ADD . /

# we may need to compile again without ASAN to use gdb

RUN gdb ./binutils-gdb/binutils/nm-new -ex 'r -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc4_invalid-free__bfd_dwarf2_cleanup_debug_info' -ex bt -ex quit

RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc5_invalid-free__bfd_dwarf2_cleanup_debug_info || exit 0
```
