------- Additional Comments From sliedes at cc dot hut dot fi 2007-03-17 13:48 -------
Created an attachment (id=1626)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=1626&action=view)
One more test case

With patch.3 it's starting to look quite robust; I had to try a lot of things
to break it :) Here's one that breaks it only in some very obscure cases, so
I'll attach Valgrind output from a case where it does not crash and a
backtrace from a crash in case you are unable to reproduce. (It just happens
that the uninitialized idx->shdr is usually NULL, and under some obscure
conditions I got it to be 0x100 in the backtrace.)

---------- Valgrind output ----------
$ valgrind ~/rec/binutils/binutils/nm-new broken.o
==9440== Memcheck, a memory error detector.
==9440== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==9440== Using LibVEX rev 1732, a library for dynamic binary translation.
==9440== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==9440== Using valgrind-3.2.3-Debian, a dynamic binary instrumentation framework.
==9440== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==9440== For more details, rerun with: -v
==9440==
BFD: broken.o: invalid string offset 798 >= 8 for section `.group'
==9440== Conditional jump or move depends on uninitialised value(s)
==9440==    at 0x42BC4A: bfd_section_from_shdr (elf.c:2171)
==9440==    by 0x41EE4B: bfd_elf64_object_p (elfcode.h:850)
==9440==    by 0x40CAEC: bfd_check_format_matches (format.c:240)
==9440==    by 0x4039F4: display_file (nm.c:1179)
==9440==    by 0x403F3A: main (nm.c:1622)
BFD: broken.o: invalid string offset 814 >= 8 for section `.group'
BFD: broken.o: invalid string offset 836 >= 8 for section `.group'
BFD: broken.o: invalid string offset 1068 >= 8 for section `.group'
BFD: broken.o: invalid string offset 2524 >= 8 for section `.group'
BFD: broken.o: invalid string offset 65838 >= 309 for section `.shstrtab'
BFD: broken.o: invalid string offset 2511 >= 8 for section `.group'
/home/sliedes/rec/binutils/binutils/nm-new: broken.o: File truncated
==9440==
==9440== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 1)
==9440== malloc/free: in use at exit: 0 bytes in 0 blocks.
==9440== malloc/free: 15 allocs, 15 frees, 52,954 bytes allocated.
==9440== For counts of detected errors, rerun with: -v
==9440== All heap blocks were freed -- no leaks are possible.
----------

---------- Backtrace ----------
(gdb) r
Starting program: /home/sliedes/rec/binutils/binutils/nm-new smodels.o
BFD: smodels.o: invalid string offset 798 >= 520 for section `*group'

Program received signal SIGSEGV, Segmentation fault.
0x000000000042bc4c in bfd_section_from_shdr (abfd=0x5ac400, shindex=1) at elf.c:2171
2171              if (idx->shdr != NULL
(gdb) l
2166          idx += n_elt;
2167          while (--n_elt != 0)
2168            {
2169              --idx;
2170
2171              if (idx->shdr != NULL
2172                  && (s = idx->shdr->bfd_section) != NULL
2173                  && elf_next_in_group (s) != NULL)
2174                {
2175                  elf_next_in_group (hdr->bfd_section) = s;
(gdb) print *idx
$2 = {shdr = 0x100, flags = 256}
(gdb) bt
#0  0x000000000042bc4c in bfd_section_from_shdr (abfd=0x5ac400, shindex=1) at elf.c:2171
#1  0x000000000041ee4c in bfd_elf64_object_p (abfd=0x5ac400) at elfcode.h:850
#2  0x000000000040caed in bfd_check_format_matches (abfd=0x5ac400, format=<value optimized out>, matching=0x7fff07a2cac8) at format.c:240
#3  0x00000000004039f5 in display_file (filename=0x7fff07a2d4bc "smodels.o") at nm.c:1179
#4  0x0000000000403f3b in main (argc=2, argv=0x7fff07a2cc08) at nm.c:1622
(gdb) bt full
#0  0x000000000042bc4c in bfd_section_from_shdr (abfd=0x5ac400, shindex=1) at elf.c:2171
        idx = (Elf_Internal_Group *) 0x5add50
        n_elt = 104
        s = (asection *) 0x0
        hdr = (Elf_Internal_Shdr *) 0x5bce18
        name = <value optimized out>
#1  0x000000000041ee4c in bfd_elf64_object_p (abfd=0x5ac400) at elfcode.h:850
        num_sec = 34
        x_ehdr = {e_ident = "\177ELF\002\001\001\000\000\000\000\000\000\000\000", e_type = "\001", e_machine = ">", e_version = "\001\000\000",
          e_entry = "\000\000\000\000\000\000\000", e_phoff = "\000\000\000\000\000\000\000", e_shoff = "\220K\000\000\000\000\000",
          e_flags = "\000\000\000", e_ehsize = "@", e_phentsize = "\000", e_phnum = "\000", e_shentsize = "@", e_shnum = "\"", e_shstrndx = "\037"}
        i_ehdrp = <value optimized out>
        x_shdr = {sh_name = "\t\000\000", sh_type = "\003\000\000", sh_flags = "\000\000\000\000\000\000\000", sh_addr = "\000\000\000\000\000\000\000",
          sh_offset = " `\000\000\000\000\000", sh_size = "\017\n\000\000\000\000\000", sh_link = "\000\000\000", sh_info = "\000\000\000",
          sh_addralign = "\001\000\000\000\000\000\000", sh_entsize = "\000\000\000\000\000\000\000"}
        i_shdr = {sh_name = 0, sh_type = 0, sh_flags = 0, sh_addr = 0, sh_size = 0, sh_entsize = 0, sh_link = 0, sh_info = 0, sh_offset = 0,
          sh_addralign = 0, bfd_section = 0x0, contents = 0x0}
        i_shdrp = <value optimized out>
        shindex = 1
        ebd = (const struct elf_backend_data *) 0x5a6220
        preserve = {marker = 0x5ad300, tdata = 0x0, flags = 0, arch_info = 0x47acc0, sections = 0x0, section_last = 0x0, section_count = 0,
          section_htab = {table = 0x5ae2f0, newfunc = 0x40f490 <bfd_section_hash_newfunc>, memory = 0x5ac560, size = 251, count = 0,
            entsize = 280, frozen = 0}}
        s = <value optimized out>
        target = (const bfd_target *) 0x47eb40
        target_ptr = <value optimized out>
#2  0x000000000040caed in bfd_check_format_matches (abfd=0x5ac400, format=<value optimized out>, matching=0x7fff07a2cac8) at format.c:240
        temp = <value optimized out>
        err = <value optimized out>
        target = <value optimized out>
        matching_vector = (const bfd_target **) 0x5b3e10
        save_targ = (const bfd_target *) 0x47eb40
        right_targ = (const bfd_target *) 0x0
        ar_right_targ = <value optimized out>
        match_count = 0
        ar_match_index = 15
#3  0x00000000004039f5 in display_file (filename=0x7fff07a2d4bc "smodels.o") at nm.c:1179
        retval = 0
        file = (bfd *) 0x5ac400
        matching = <value optimized out>
#4  0x0000000000403f3b in main (argc=2, argv=0x7fff07a2cc08) at nm.c:1622
        style = <value optimized out>
        c = <value optimized out>
        retval = 0
----------

-- 
http://sourceware.org/bugzilla/show_bug.cgi?id=4110

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-binutils
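The crash site in the report is the loop at elf.c:2171 that walks a group section's member entries backwards (n_elt = 104 in the backtrace) and dereferences idx->shdr, which the comment notes is left uninitialized for some entries; the surrounding "invalid string offset N >= M" messages come from section name offsets that point past the end of the string table. The following is an added example, not BFD or binutils code, of the up-front checks a parser can run on an SHT_GROUP section so that a malformed member list or name offset is rejected before anything is dereferenced: section header table inside the file, group body a whole number of 4-byte words inside the file, sh_name inside .shstrtab, and every member a real section index other than the group itself. It assumes a little-endian host and ELF64 only; the names Ehdr64, Shdr64, group_status, check_group_section and build_sample are the example's own, and build_sample constructs a synthetic 360-byte object file (not a real .o) so the checks can be exercised offline.

```c
/* Added example, not BFD code: bounds-check an ELF64 SHT_GROUP section before
 * its member list is walked.  Little-endian host and ELF64 only are assumed;
 * the struct, enum and function names below are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHT_STRTAB 3
#define SHT_GROUP  17
#define GRP_COMDAT 1

typedef struct {  /* Elf64_Ehdr layout: 64 bytes, no padding */
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;  uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;  uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;

typedef struct {  /* Elf64_Shdr layout: 64 bytes, no padding */
    uint32_t sh_name, sh_type;  uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;  uint64_t sh_addralign, sh_entsize;
} Shdr64;

enum group_status {
    GROUP_OK = 0,
    GROUP_BAD_EHDR,    /* not ELF64, or the section header table runs past EOF */
    GROUP_BAD_INDEX,   /* shndx is 0, out of range, or not an SHT_GROUP section */
    GROUP_BAD_SIZE,    /* sh_size < 4, not a multiple of 4, or runs past EOF */
    GROUP_BAD_NAME,    /* sh_name offset >= size of .shstrtab */
    GROUP_BAD_MEMBER   /* member index 0, >= e_shnum, or the group itself */
};

/* Copy out section header i; the caller has already bounded i and the table. */
static void get_shdr(const uint8_t *buf, const Ehdr64 *eh, unsigned i, Shdr64 *out)
{
    memcpy(out, buf + eh->e_shoff + (uint64_t)i * sizeof(Shdr64), sizeof(Shdr64));
}

enum group_status check_group_section(const uint8_t *buf, size_t len, unsigned shndx)
{
    Ehdr64 eh;
    Shdr64 grp, strtab;
    size_t i, n_words;

    if (len < sizeof eh) return GROUP_BAD_EHDR;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\177ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */
        || eh.e_shentsize != sizeof(Shdr64) || eh.e_shoff > len
        || (uint64_t)eh.e_shnum * sizeof(Shdr64) > len - eh.e_shoff)
        return GROUP_BAD_EHDR;
    if (shndx == 0 || shndx >= eh.e_shnum) return GROUP_BAD_INDEX;
    get_shdr(buf, &eh, shndx, &grp);
    if (grp.sh_type != SHT_GROUP) return GROUP_BAD_INDEX;
    /* Body = flags word + 4-byte member indices; it must fit inside the file. */
    if (grp.sh_size < 4 || grp.sh_size % 4 != 0 || grp.sh_offset > len
        || grp.sh_size > len - grp.sh_offset)
        return GROUP_BAD_SIZE;
    /* The bound behind BFD's "invalid string offset N >= M for section" message. */
    if (eh.e_shstrndx >= eh.e_shnum) return GROUP_BAD_NAME;
    get_shdr(buf, &eh, eh.e_shstrndx, &strtab);
    if (strtab.sh_type != SHT_STRTAB || grp.sh_name >= strtab.sh_size)
        return GROUP_BAD_NAME;
    /* Every member must name a real, different section; otherwise a walk like
     * the one at elf.c:2171 ends up using an entry that was never filled in. */
    n_words = (size_t)(grp.sh_size / 4);
    for (i = 1; i < n_words; i++) {
        uint32_t member;
        memcpy(&member, buf + grp.sh_offset + i * 4, 4);
        if (member == 0 || member >= eh.e_shnum || member == shndx)
            return GROUP_BAD_MEMBER;
    }
    return GROUP_OK;
}

/* Constructed fixture (not a real object file): a 360-byte ELF64 relocatable with
 * sections [0] NULL, [1] .group (COMDAT, one member), [2] .text, [3] .shstrtab.
 * The member index is caller-supplied so that a bad one can be injected. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t member)
{
    static const char names[] = "\0.group\0.text\0.shstrtab";   /* 24 bytes */
    static const uint8_t text[4] = { 0xc3, 0, 0, 0 };          /* ret */
    uint32_t words[2] = { GRP_COMDAT, member };
    Ehdr64 eh = { { 0x7f, 'E', 'L', 'F', 2, 1, 1 },   /* ELFCLASS64, LSB, EV_CURRENT */
                  1, 62, 1, 0, 0, 104, 0, 64, 0, 0, 64, 4, 3 };  /* ET_REL, x86-64 */
    Shdr64 sh[4] = { { 0 },
        { 1,  SHT_GROUP,  0, 0, 64, 8,  0, 0, 4, 4 },   /* .group: body at offset 64 */
        { 8,  1,          6, 0, 72, 4,  0, 0, 1, 0 },   /* .text: SHT_PROGBITS, AX */
        { 14, SHT_STRTAB, 0, 0, 76, 24, 0, 0, 1, 0 } }; /* .shstrtab */

    if (cap < 360) return 0;
    memset(buf, 0, 360);
    memcpy(buf, &eh, 64);
    memcpy(buf + 64, words, 8);
    memcpy(buf + 72, text, 4);
    memcpy(buf + 76, names, 24);
    memcpy(buf + 104, sh, 256);   /* section header table, e_shoff = 104 */
    return 360;
}
```

build_sample(buf, sizeof buf, 2) produces a group whose single member is .text and passes check_group_section; passing 104 (an index past e_shnum, the kind of value the broken.o entries carry) or 1 (the group naming itself) is rejected as GROUP_BAD_MEMBER, cutting the last 8 bytes off the buffer is caught as GROUP_BAD_EHDR before any header is read, and overwriting the group header's sh_name with 798 trips the same string-offset bound that BFD reports above.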