https://sourceware.org/bugzilla/show_bug.cgi?id=20913

            Bug ID: 20913
           Summary: LD crashes when exporting dynamic symbols and generating relocatable output
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The linker crashes with an invalid read of size 8 for the following execution on Ubuntu 16.04 x86_64 in Binutils trunk and for the preinstalled version v2.26.1, and on Ubuntu 14.04 x86_64 for Binutils in trunk and the preinstalled version v2.24.

$ printf "\x08\x01\x000\x08\x00\x00\x00\x04\x00\x00\x000000 \x00\x00\x000000\x00\x00\x00\x00\x00\x00\x00\x00000000000000\x0d \x00\x00\x000000000000000000000000000000" > test
$ ld -E -r test
ld: i386 architecture of input file `test' is incompatible with i386:x86-64 output
Segmentation fault

It actually crashes here: elf_x86_64_common_section_index (elf64-x86-64.c:6621).

GDB says:

Program received signal SIGSEGV, Segmentation fault.
0x00000000005caf53 in elf_x86_64_common_section_index (sec=0xcc0d30) at elf64-x86-64.c:6621
6621      if ((elf_section_flags (sec) & SHF_X86_64_LARGE) == 0)
(gdb) bt
#0  0x00000000005caf53 in elf_x86_64_common_section_index (sec=0xcc0d30) at elf64-x86-64.c:6621
#1  0x000000000069a527 in elf_link_output_extsym (bh=<optimized out>, data=0x7fffffffe120) at elflink.c:9462
#2  0x00000000005697b5 in bfd_hash_traverse (table=0xcb0120, func=func@entry=0x699a10 <elf_link_output_extsym>, info=info@entry=0x7fffffffe120) at hash.c:656
#3  0x00000000006e3706 in bfd_elf_final_link (abfd=<optimized out>, info=<optimized out>) at elflink.c:11896
#4  0x0000000000484b7d in ldwrite () at ldwrite.c:577
#5  0x0000000000408335 in main (argc=<optimized out>, argv=<optimized out>) at ./ldmain.c:444

VALGRIND says:

==21262== Memcheck, a memory error detector
==21262== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21262== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21262== Command: /binutils-gdb/obj-norm/ld/ld-new -E -r test
==21262==
==21262== Conditional jump or move depends on uninitialised value(s)
==21262==    at 0x43D7E6: bfd_hash_hash (hash.c:441)
==21262==    by 0x43D7E6: bfd_hash_lookup (hash.c:467)
==21262==    by 0x43EF28: bfd_link_hash_lookup (linker.c:507)
==21262==    by 0x44027E: _bfd_generic_link_add_one_symbol (linker.c:1494)
==21262==    by 0x495F6F: linux_add_one_symbol (i386linux.c:357)
==21262==    by 0x49672F: aout_link_add_symbols (aoutx.h:3163)
==21262==    by 0x49B7DB: aout_link_add_object_symbols (aoutx.h:3228)
==21262==    by 0x49B7DB: aout_32_link_add_symbols (aoutx.h:3489)
==21262==    by 0x411CCF: load_symbols (ldlang.c:2897)
==21262==    by 0x41287E: open_input_bfds (ldlang.c:3346)
==21262==    by 0x414E79: lang_process (ldlang.c:6871)
==21262==    by 0x403B73: main (ldmain.c:428)
==21262==
/binutils-gdb/obj-norm/ld/ld-new: i386 architecture of input file `test' is incompatible with i386:x86-64 output
==21262== Conditional jump or move depends on uninitialised value(s)
==21262==    at 0x43D7E6: bfd_hash_hash (hash.c:441)
==21262==    by 0x43D7E6: bfd_hash_lookup (hash.c:467)
==21262==    by 0x43EF28: bfd_link_hash_lookup (linker.c:507)
==21262==    by 0x43F44D: default_indirect_link_order (linker.c:2662)
==21262==    by 0x4797DC: bfd_elf_final_link (elflink.c:11728)
==21262==    by 0x419766: ldwrite (ldwrite.c:577)
==21262==    by 0x403BCE: main (ldmain.c:444)
==21262==
==21262== Conditional jump or move depends on uninitialised value(s)
==21262==    at 0x4C31FEC: __GI_strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21262==    by 0x43D869: bfd_hash_lookup (hash.c:474)
==21262==    by 0x43EF28: bfd_link_hash_lookup (linker.c:507)
==21262==    by 0x43F44D: default_indirect_link_order (linker.c:2662)
==21262==    by 0x4797DC: bfd_elf_final_link (elflink.c:11728)
==21262==    by 0x419766: ldwrite (ldwrite.c:577)
==21262==    by 0x403BCE: main (ldmain.c:444)
==21262==
==21262== Conditional jump or move depends on uninitialised value(s)
==21262==    at 0x4C31FF0: __GI_strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21262==    by 0x43D869: bfd_hash_lookup (hash.c:474)
==21262==    by 0x43EF28: bfd_link_hash_lookup (linker.c:507)
==21262==    by 0x43F44D: default_indirect_link_order (linker.c:2662)
==21262==    by 0x4797DC: bfd_elf_final_link (elflink.c:11728)
==21262==    by 0x419766: ldwrite (ldwrite.c:577)
==21262==    by 0x403BCE: main (ldmain.c:444)
==21262==
==21262== Invalid read of size 8
==21262==    at 0x44B407: elf_x86_64_common_section_index (elf64-x86-64.c:6621)
==21262==    by 0x46C81D: elf_link_output_extsym (elflink.c:9462)
==21262==    by 0x43DBB0: bfd_hash_traverse (hash.c:656)
==21262==    by 0x479F3C: bfd_elf_final_link (elflink.c:11896)
==21262==    by 0x419766: ldwrite (ldwrite.c:577)
==21262==    by 0x403BCE: main (ldmain.c:444)
==21262==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==21262==
==21262==
==21262== Process terminating with default action of signal 11 (SIGSEGV)
==21262==  Access not within mapped region at address 0x8
==21262==    at 0x44B407: elf_x86_64_common_section_index (elf64-x86-64.c:6621)
==21262==    by 0x46C81D: elf_link_output_extsym (elflink.c:9462)
==21262==    by 0x43DBB0: bfd_hash_traverse (hash.c:656)
==21262==    by 0x479F3C: bfd_elf_final_link (elflink.c:11896)
==21262==    by 0x419766: ldwrite (ldwrite.c:577)
==21262==    by 0x403BCE: main (ldmain.c:444)

Best regards,
- Marcel
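Added here as a triage aid, not part of Marcel's report or of binutils: the printf argument from the report copied verbatim as a Python bytes literal (Python's \xHH escapes take exactly two hex digits, so "\x000" is NUL followed by ASCII '0' in both), with the 32-byte Linux a.out exec header decoded so a reader can see what the i386 Linux a.out backend named in the valgrind trace (i386linux.c, aoutx.h) was handed: an NMAGIC a_info with machine type 0, 8 bytes of text, 4 of data, a 32-byte symbol table, and ASCII '0' filler in a_bss and a_entry. The run_ld helper is an assumption of this example; it reruns the reported command only if an ld is on PATH and reports the exit status so the crash can be checked for regression.

```python
"""Bug 20913 reproducer: materialise the input and decode its a.out header."""
import os
import shutil
import struct
import subprocess
import tempfile
from typing import Optional

# Byte-for-byte the printf argument from the report.
REPRO = (b"\x08\x01\x000\x08\x00\x00\x00\x04\x00\x00\x000000 \x00\x00\x000000"
         b"\x00\x00\x00\x00\x00\x00\x00\x00000000000000\x0d "
         b"\x00\x00\x000000000000000000000000000000")

# Linux a.out struct exec: eight little-endian 32-bit fields.
EXEC_FIELDS = ("a_info", "a_text", "a_data", "a_bss",
               "a_syms", "a_entry", "a_trsize", "a_drsize")
NMAGIC = 0o410  # 0x108, carried in the low 16 bits of a_info


def decode_exec_header(data: bytes) -> dict:
    """Split the exec header; a_info packs magic, machine type and flags."""
    hdr = dict(zip(EXEC_FIELDS, struct.unpack("<8I", data[:32])))
    hdr["magic"] = hdr["a_info"] & 0xFFFF
    hdr["machtype"] = (hdr["a_info"] >> 16) & 0xFF
    hdr["flags"] = hdr["a_info"] >> 24
    return hdr


def write_repro(directory: str) -> str:
    """Write the reproducer as 'test', the file name used in the report."""
    path = os.path.join(directory, "test")
    with open(path, "wb") as fh:
        fh.write(REPRO)
    return path


def run_ld(path: str, ld: str = "ld") -> Optional[int]:
    """Run 'ld -E -r test' as reported. None if ld is absent; otherwise the
    exit status (negative means killed by that signal, -11 is SIGSEGV)."""
    if shutil.which(ld) is None:
        return None
    proc = subprocess.run([ld, "-E", "-r", path], capture_output=True, timeout=30)
    return proc.returncode


if __name__ == "__main__":
    hdr = decode_exec_header(REPRO)
    print({k: hex(v) for k, v in hdr.items()})
    with tempfile.TemporaryDirectory() as tmp:
        print("ld exit status:", run_ld(write_repro(tmp)))
```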