https://sourceware.org/bugzilla/show_bug.cgi?id=20304
Bug ID: 20304
Summary: Invalid read in _bfd_elf_get_symbol_version_string
Product: binutils
Version: 2.27 (HEAD)
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: hjl.tools at gmail dot com
Target Milestone: ---

On x86-64, I got

[hjl@gnu-6 binutils]$ cat x.c
#include <stdio.h>
int main ()
{
  printf ("hello\n");
  return 0;
}
[hjl@gnu-6 binutils]$ gcc -g x.c
[hjl@gnu-6 binutils]$ valgrind ./objdump -S a.out
==10472== Memcheck, a memory error detector
==10472== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10472== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==10472== Command: ./objdump -S a.out
==10472==
a.out: file format elf64-x86-64
Disassembly of section .init:
00000000004003c8 <_init>:
4003c8: 48 83 ec 08 sub $0x8,%rsp
4003cc: 48 8b 05 25 0c 20 00 mov 0x200c25(%rip),%rax # 600ff8 <_DYNAMIC+0x1d8>
4003d3: 48 85 c0 test %rax,%rax
4003d6: 74 02 je 4003da <_init+0x12>
4003d8: ff d0 callq *%rax
4003da: 48 83 c4 08 add $0x8,%rsp
4003de: c3 retq
Disassembly of section .plt:
==10472== Invalid read of size 2
==10472== at 0x468729: _bfd_elf_get_symbol_version_string (elf.c:1769)
==10472== by 0x40519A: objdump_print_symname (objdump.c:826)
==10472== by 0x4059A7: objdump_print_addr_with_sym (objdump.c:1032)
==10472== by 0x407E5C: disassemble_section (objdump.c:2107)
==10472== by 0x44BA9B: bfd_map_over_sections (section.c:1395)
==10472== by 0x4086A9: disassemble_data (objdump.c:2301)
==10472== by 0x40AD14: dump_bfd (objdump.c:3395)
==10472== by 0x40AE9B: display_object_bfd (objdump.c:3452)
==10472== by 0x40B0D5: display_any_bfd (objdump.c:3541)
==10472== by 0x40B147: display_file (objdump.c:3562)
==10472== by 0x40B9D2: main (objdump.c:3845)
==10472== Address 0x561e6d8 is 24 bytes after a block of size 64 in arena "client"
==10472==
00000000004003e0 <puts@plt-0x10>:
4003e0: ff 35 22 0c 20 00 pushq 0x200c22(%rip) # 601008 <_GLOBAL_OFFSET_TABLE_+0x8>
4003e6: ff 25 24 0c 20
00 jmpq *0x200c24(%rip) # 601010 <_GLOBAL_OFFSET_TABLE_+0x10> 4003ec: 0f 1f 40 00 nopl 0x0(%rax) 00000000004003f0 <puts@plt>: 4003f0: ff 25 22 0c 20 00 jmpq *0x200c22(%rip) # 601018 <_GLOBAL_OFFSET_TABLE_+0x18> 4003f6: 68 00 00 00 00 pushq $0x0 4003fb: e9 e0 ff ff ff jmpq 4003e0 <_init+0x18> Disassembly of section .text: 0000000000400400 <_start>: 400400: 31 ed xor %ebp,%ebp 400402: 49 89 d1 mov %rdx,%r9 400405: 5e pop %rsi 400406: 48 89 e2 mov %rsp,%rdx 400409: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 40040d: 50 push %rax 40040e: 54 push %rsp 40040f: 49 c7 c0 80 05 40 00 mov $0x400580,%r8 400416: 48 c7 c1 10 05 40 00 mov $0x400510,%rcx 40041d: 48 c7 c7 f6 04 40 00 mov $0x4004f6,%rdi 400424: ff 15 c6 0b 20 00 callq *0x200bc6(%rip) # 600ff0 <_DYNAMIC+0x1d0> 40042a: f4 hlt 40042b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 0000000000400430 <deregister_tm_clones>: 400430: b8 2f 10 60 00 mov $0x60102f,%eax 400435: 55 push %rbp 400436: 48 2d 28 10 60 00 sub $0x601028,%rax 40043c: 48 83 f8 0e cmp $0xe,%rax 400440: 48 89 e5 mov %rsp,%rbp 400443: 76 1b jbe 400460 <deregister_tm_clones+0x30> 400445: b8 00 00 00 00 mov $0x0,%eax 40044a: 48 85 c0 test %rax,%rax 40044d: 74 11 je 400460 <deregister_tm_clones+0x30> 40044f: 5d pop %rbp 400450: bf 28 10 60 00 mov $0x601028,%edi 400455: ff e0 jmpq *%rax 400457: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 40045e: 00 00 400460: 5d pop %rbp 400461: c3 retq 400462: 0f 1f 40 00 nopl 0x0(%rax) 400466: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 40046d: 00 00 00 0000000000400470 <register_tm_clones>: 400470: be 28 10 60 00 mov $0x601028,%esi 400475: 55 push %rbp 400476: 48 81 ee 28 10 60 00 sub $0x601028,%rsi 40047d: 48 c1 fe 03 sar $0x3,%rsi 400481: 48 89 e5 mov %rsp,%rbp 400484: 48 89 f0 mov %rsi,%rax 400487: 48 c1 e8 3f shr $0x3f,%rax 40048b: 48 01 c6 add %rax,%rsi 40048e: 48 d1 fe sar %rsi 400491: 74 15 je 4004a8 <register_tm_clones+0x38> 400493: b8 00 00 00 00 mov $0x0,%eax 400498: 48 85 c0 test %rax,%rax 40049b: 74 0b je 4004a8 
<register_tm_clones+0x38> 40049d: 5d pop %rbp 40049e: bf 28 10 60 00 mov $0x601028,%edi 4004a3: ff e0 jmpq *%rax 4004a5: 0f 1f 00 nopl (%rax) 4004a8: 5d pop %rbp 4004a9: c3 retq 4004aa: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 00000000004004b0 <__do_global_dtors_aux>: 4004b0: 80 3d 6d 0b 20 00 00 cmpb $0x0,0x200b6d(%rip) # 601024 <_edata> 4004b7: 75 11 jne 4004ca <__do_global_dtors_aux+0x1a> 4004b9: 55 push %rbp 4004ba: 48 89 e5 mov %rsp,%rbp 4004bd: e8 6e ff ff ff callq 400430 <deregister_tm_clones> 4004c2: 5d pop %rbp 4004c3: c6 05 5a 0b 20 00 01 movb $0x1,0x200b5a(%rip) # 601024 <_edata> 4004ca: f3 c3 repz retq 4004cc: 0f 1f 40 00 nopl 0x0(%rax) 00000000004004d0 <frame_dummy>: 4004d0: bf 18 0e 60 00 mov $0x600e18,%edi 4004d5: 48 83 3f 00 cmpq $0x0,(%rdi) 4004d9: 75 05 jne 4004e0 <frame_dummy+0x10> 4004db: eb 93 jmp 400470 <register_tm_clones> 4004dd: 0f 1f 00 nopl (%rax) 4004e0: b8 00 00 00 00 mov $0x0,%eax 4004e5: 48 85 c0 test %rax,%rax 4004e8: 74 f1 je 4004db <frame_dummy+0xb> 4004ea: 55 push %rbp 4004eb: 48 89 e5 mov %rsp,%rbp 4004ee: ff d0 callq *%rax 4004f0: 5d pop %rbp 4004f1: e9 7a ff ff ff jmpq 400470 <register_tm_clones> 00000000004004f6 <main>: #include <stdio.h> int main () { 4004f6: 55 push %rbp 4004f7: 48 89 e5 mov %rsp,%rbp printf ("hello\n"); 4004fa: bf a0 05 40 00 mov $0x4005a0,%edi ==10472== Invalid read of size 2 ==10472== at 0x468729: _bfd_elf_get_symbol_version_string (elf.c:1769) ==10472== by 0x40519A: objdump_print_symname (objdump.c:826) ==10472== by 0x4059A7: objdump_print_addr_with_sym (objdump.c:1032) ==10472== by 0x405CAC: objdump_print_addr (objdump.c:1092) ==10472== by 0x405CE9: objdump_print_address (objdump.c:1102) ==10472== by 0x43F5D2: print_insn (i386-dis.c:13649) ==10472== by 0x406F1B: disassemble_bytes (objdump.c:1725) ==10472== by 0x408175: disassemble_section (objdump.c:2165) ==10472== by 0x44BA9B: bfd_map_over_sections (section.c:1395) ==10472== by 0x4086A9: disassemble_data (objdump.c:2301) ==10472== by 0x40AD14: dump_bfd 
(objdump.c:3395) ==10472== by 0x40AE9B: display_object_bfd (objdump.c:3452) ==10472== Address 0x561e6d8 is 24 bytes after a block of size 64 in arena "client" ==10472== 4004ff: e8 ec fe ff ff callq 4003f0 <puts@plt> return 0; 400504: b8 00 00 00 00 mov $0x0,%eax } 400509: 5d pop %rbp 40050a: c3 retq 40050b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 0000000000400510 <__libc_csu_init>: 400510: 41 57 push %r15 400512: 41 56 push %r14 400514: 41 89 ff mov %edi,%r15d 400517: 41 55 push %r13 400519: 41 54 push %r12 40051b: 4c 8d 25 e6 08 20 00 lea 0x2008e6(%rip),%r12 # 600e08 <__frame_dummy_init_array_entry> 400522: 55 push %rbp 400523: 48 8d 2d e6 08 20 00 lea 0x2008e6(%rip),%rbp # 600e10 <__init_array_end> 40052a: 53 push %rbx 40052b: 49 89 f6 mov %rsi,%r14 40052e: 49 89 d5 mov %rdx,%r13 400531: 4c 29 e5 sub %r12,%rbp 400534: 48 83 ec 08 sub $0x8,%rsp 400538: 48 c1 fd 03 sar $0x3,%rbp 40053c: e8 87 fe ff ff callq 4003c8 <_init> 400541: 48 85 ed test %rbp,%rbp 400544: 74 20 je 400566 <__libc_csu_init+0x56> 400546: 31 db xor %ebx,%ebx 400548: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 40054f: 00 400550: 4c 89 ea mov %r13,%rdx 400553: 4c 89 f6 mov %r14,%rsi 400556: 44 89 ff mov %r15d,%edi 400559: 41 ff 14 dc callq *(%r12,%rbx,8) 40055d: 48 83 c3 01 add $0x1,%rbx 400561: 48 39 dd cmp %rbx,%rbp 400564: 75 ea jne 400550 <__libc_csu_init+0x40> 400566: 48 83 c4 08 add $0x8,%rsp 40056a: 5b pop %rbx 40056b: 5d pop %rbp 40056c: 41 5c pop %r12 40056e: 41 5d pop %r13 400570: 41 5e pop %r14 400572: 41 5f pop %r15 400574: c3 retq 400575: 90 nop 400576: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 40057d: 00 00 00 0000000000400580 <__libc_csu_fini>: 400580: f3 c3 repz retq Disassembly of section .fini: 0000000000400584 <_fini>: 400584: 48 83 ec 08 sub $0x8,%rsp 400588: 48 83 c4 08 add $0x8,%rsp 40058c: c3 retq ==10472== ==10472== HEAP SUMMARY: ==10472== in use at exit: 204 bytes in 4 blocks ==10472== total heap usage: 179 allocs, 175 frees, 77,468 bytes allocated ==10472== ==10472== LEAK 
SUMMARY: ==10472== definitely lost: 0 bytes in 0 blocks ==10472== indirectly lost: 0 bytes in 0 blocks ==10472== possibly lost: 0 bytes in 0 blocks ==10472== still reachable: 204 bytes in 4 blocks ==10472== suppressed: 0 bytes in 0 blocks ==10472== Rerun with --leak-check=full to see details of leaked memory ==10472== ==10472== For counts of detected and suppressed errors, rerun with: -v ==10472== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 0 from 0) [hjl@gnu-6 binutils]$