https://sourceware.org/bugzilla/show_bug.cgi?id=20096
Bug ID: 20096
Summary: strip-new crash when strip a specified file
Product: binutils
Version: 2.26
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: ecular at 163 dot com
Target Milestone: ---

Hi there,

I crashed strip-new with the flag -s when stripping the attached file. It is a NULL pointer dereference at line 3225 in objcopy.c, in copy_relocations_in_section (bfd *ibfd, sec_ptr isection, void *obfdarg):

    3221       for (i = 0; i < relcount; i++)
    3222         {
    3223           /* PR 17512: file: 9e907e0c.  */
    3224           if (relpp[i]->sym_ptr_ptr)
    3225             if (is_specified_symbol (bfd_asymbol_name (*relpp[i]->sym_ptr_ptr),
    3226                                      keep_specific_htab))
    3227               temp_relpp [temp_relcount++] = relpp [i];
    3228         }
    3229       relcount = temp_relcount;
    3230       free (relpp);
    3231       relpp = temp_relpp;
    3232     }

There is a NULL pointer check for relpp[i]->sym_ptr_ptr at line 3224, but no check for *relpp[i]->sym_ptr_ptr. So it will crash at line 3225, at bfd_asymbol_name (*relpp[i]->sym_ptr_ptr), when *relpp[i]->sym_ptr_ptr is NULL. bfd_asymbol_name is a macro:

    #define bfd_asymbol_name(x) ((x)->name)

The gdb output looks like this:

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000040868f in copy_relocations_in_section (ibfd=0x79ac70, isection=0x79be30, obfdarg=0x79e020) at objcopy.c:3225
    3225              if (is_specified_symbol (bfd_asymbol_name (*relpp[i]->sym_ptr_ptr),
    (gdb) bt
    #0  0x000000000040868f in copy_relocations_in_section (ibfd=0x79ac70, isection=0x79be30, obfdarg=0x79e020) at objcopy.c:3225
    #1  0x0000000000441c9a in bfd_map_over_sections (abfd=0x79ac70, operation=0x4084a7 <copy_relocations_in_section>, user_storage=0x79e020) at section.c:1392
    #2  0x00000000004069fa in copy_object (ibfd=0x79ac70, obfd=0x79e020, input_arch=0x0) at objcopy.c:2368
    #3  0x0000000000407b06 in copy_file (input_filename=0x7fffffffe730 "output/crashes/id:000007,sig:11,src:001990,op:ext_AO,pos:12", output_filename=0x79ac40 "output/crashes/stfxaeQ4", input_target=0x0, output_target=0x54e4b0 "a.out-i386-linux", input_arch=0x0) at objcopy.c:2817
    #4  0x0000000000409666 in strip_main (argc=3, argv=0x7fffffffe498) at objcopy.c:3680
    #5  0x000000000040bac9 in main (argc=3, argv=0x7fffffffe498) at objcopy.c:4766
    (gdb) print *relpp[i]->sym_ptr_ptr
    $6 = (struct bfd_symbol *) 0x0
    (gdb)
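As an added illustration (not binutils code, and not the patch that went into objcopy.c), here is a minimal C model of the relocation-filtering loop above. The struct types, the `is_kept` stand-in for `is_specified_symbol`, and the sample relocations are all constructed; the hardened loop rejects a relocation whose `sym_ptr_ptr` is non-NULL but points at a NULL symbol, which is exactly the shape the gdb session shows.

```c
/* Hypothetical stand-ins for BFD's asymbol and arelent (not real BFD types). */
#include <stddef.h>
#include <string.h>

typedef struct { const char *name; } sym_t;        /* asymbol stand-in */
typedef struct { sym_t **sym_ptr_ptr; } reloc_t;   /* arelent stand-in */

/* Stand-in for is_specified_symbol(): keep list is a NULL-terminated array. */
static int is_kept(const char *name, const char *const *keep)
{
    for (; *keep; keep++)
        if (strcmp(name, *keep) == 0)
            return 1;
    return 0;
}

/* Hardened filter.  The original loop checked only relpp[i]->sym_ptr_ptr;
   when *sym_ptr_ptr was NULL, bfd_asymbol_name(NULL) read NULL->name and
   crashed.  Here both levels are checked before the name is read.
   Returns the number of relocations kept, copied into out[]. */
size_t filter_relocs(reloc_t *const *relpp, size_t relcount,
                     const char *const *keep, reloc_t **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < relcount; i++) {
        if (relpp[i]->sym_ptr_ptr == NULL || *relpp[i]->sym_ptr_ptr == NULL)
            continue;  /* no usable symbol: cannot be matched by name, so drop it */
        if (is_kept((*relpp[i]->sym_ptr_ptr)->name, keep))
            out[kept++] = relpp[i];
    }
    return kept;
}

/* Constructed sample: three relocations; r1 has the crashing shape
   (sym_ptr_ptr != NULL, *sym_ptr_ptr == NULL). */
size_t demo_filter(const char *const *keep)
{
    static sym_t main_sym = { "main" }, foo_sym = { "foo" };
    static sym_t *p_main = &main_sym, *p_null = NULL, *p_foo = &foo_sym;
    static reloc_t r0 = { &p_main }, r1 = { &p_null }, r2 = { &p_foo };
    reloc_t *relpp[] = { &r0, &r1, &r2 };
    reloc_t *out[3];
    return filter_relocs(relpp, 3, keep, out);
}
```

Without the second NULL check, `demo_filter` dereferences NULL on the middle relocation regardless of the keep list; with it, the relocation is simply dropped and the remaining symbols are filtered by name.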