https://sourceware.org/bugzilla/show_bug.cgi?id=22887
Bug ID: 22887
Summary: null pointer dereference in aout_32_swap_std_reloc_out
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: luanjunchao at 163 dot com
Target Milestone: ---

The test command is objcopy with a specific ELF file. Below is part of the gdb debugging output.

Program received signal SIGSEGV, Segmentation fault.
0x084cf65c in aout_32_swap_std_reloc_out (natptr=0xf590528c, g=0xf4b03fe8, abfd=<optimized out>) at /work/binutils-gdb/bfd/aoutx.h:1971
1971      asection *output_section = sym->section->output_section;
(gdb) bt
#0  0x084cf65c in aout_32_swap_std_reloc_out (natptr=0xf590528c, g=0xf4b03fe8, abfd=<optimized out>) at /work/binutils-gdb/bfd/aoutx.h:1971
#1  aout_32_squirt_out_relocs (abfd=0xf5b03970, section=0xf5903d48) at /work/binutils-gdb/bfd/aoutx.h:2444
#2  0x0849ae05 in i386linux_write_object_contents (abfd=0xf5b03970) at /work/binutils-gdb/bfd/i386linux.c:77
#3  0x081a9940 in bfd_close (abfd=0xf5b03970) at /work/binutils-gdb/bfd/opncls.c:731
#4  0x08080bbe in copy_file (input_filename=input_filename@entry=0xffffd8ef "out/slave/crashes/id:000125,sig:06,src:003346+002348,op:splice,rep:8", output_filename=output_filename@entry=0xf6500b80 "out/slave/crashes/stv31c0r", input_target=<optimized out>, output_target=0x87f6320 "a.out-i386-linux", input_arch=0x0) at /work/binutils-gdb/binutils/objcopy.c:3530
#5  0x0805b429 in copy_main (argv=<optimized out>, argc=<optimized out>) at /work/binutils-gdb/binutils/objcopy.c:5478
#6  main (argc=2, argv=0xffffd7c4) at /work/binutils-gdb/binutils/objcopy.c:5582
(gdb) list
1966      asymbol *sym = *(g->sym_ptr_ptr);
1967      int r_extern;
1968      unsigned int r_length;
1969      int r_pcrel;
1970      int r_baserel, r_jmptable, r_relative;
1971      asection *output_section = sym->section->output_section;
1972
1973      PUT_WORD (abfd, g->address, natptr->r_address);
1974
1975      BFD_ASSERT (g->howto != NULL);
(gdb) p sym
$1 = (asymbol *) 0x0

It seems that there is a lack of a check for whether sym is null.

The test ELF file is https://github.com/skysider/FuzzVuln/blob/master/binutils_objcopy_null_pointer_dereference_aout_32_swap_std_reloc_out.elf

-- 
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
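The crash in the backtrace is a dereference of sym->section at aoutx.h:1971 where sym, read from g->sym_ptr_ptr one line earlier, is NULL: the fuzzed input produced a reloc entry with no symbol attached, and the writer trusts the pointer chain. The following is an added example, not code from binutils or from the reporter. It models arelent, asymbol and asection with small stand-in structs (the struct names, the is_extern/symnum fields and the policy of rejecting the reloc rather than substituting a value are this example's assumptions, not how binutils actually fixed the bug), shows the unchecked pattern from the listing beside a variant that validates the whole pointer chain before touching it, and runs both over a constructed reloc table that contains a NULL symbol like the one objcopy hit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the BFD objects involved (constructed for this example). */
typedef struct section {
  const char *name;
  struct section *output_section;   /* NULL until the section is mapped to an output */
  uint32_t index;                   /* section number written into r_index for local relocs */
} section_t;

typedef struct symbol {
  const char *name;
  section_t *section;
  bool is_extern;                   /* true: external symbol, r_extern = 1 */
  uint32_t symnum;                  /* symbol table index used for external relocs */
} symbol_t;

typedef struct reloc {
  symbol_t **sym_ptr_ptr;           /* pointer to a symbol pointer, as in arelent */
  uint32_t address;
} reloc_t;

/* The on-disk record we fill in, reduced to the fields the example needs. */
typedef struct {
  uint32_t r_address;
  uint32_t r_index;
  uint8_t  r_extern;
} reloc_std_t;

/* The pattern from the report: sym is loaded from sym_ptr_ptr and dereferenced
   immediately. With the crashing file *sym_ptr_ptr is NULL, so the second
   statement faults exactly as the gdb session shows. */
static void swap_std_reloc_out_unchecked(const reloc_t *g, reloc_std_t *out)
{
  symbol_t *sym = *(g->sym_ptr_ptr);
  section_t *output_section = sym->section->output_section;   /* SIGSEGV when sym == NULL */
  out->r_address = g->address;
  if (sym->is_extern) {
    out->r_extern = 1;
    out->r_index = sym->symnum;
  } else {
    out->r_extern = 0;
    out->r_index = output_section->index;
  }
}

/* Hardened variant: check every link of the chain (the reloc, the symbol
   pointer slot, the symbol, its section and the output section) and report
   failure instead of faulting. Leaving *out untouched and returning false
   lets the caller reject the malformed object. */
static bool swap_std_reloc_out_checked(const reloc_t *g, reloc_std_t *out)
{
  if (g == NULL || g->sym_ptr_ptr == NULL || *(g->sym_ptr_ptr) == NULL)
    return false;
  symbol_t *sym = *(g->sym_ptr_ptr);
  if (sym->section == NULL || sym->section->output_section == NULL)
    return false;
  out->r_address = g->address;
  if (sym->is_extern) {
    out->r_extern = 1;
    out->r_index = sym->symnum;
  } else {
    out->r_extern = 0;
    out->r_index = sym->section->output_section->index;
  }
  return true;
}

/* Models the caller in frame #1 (squirt_out_relocs): write every reloc of a
   section, stopping at the first malformed one. Returns the number written,
   or -1 if a reloc had to be rejected. */
static int squirt_out_relocs(const reloc_t *relocs, size_t count, reloc_std_t *out)
{
  for (size_t i = 0; i < count; i++)
    if (!swap_std_reloc_out_checked(&relocs[i], &out[i]))
      return -1;
  return (int)count;
}

/* Constructed fixtures: a mapped .text section, one local and one external
   symbol, and a NULL symbol slot mimicking what the fuzzed input produced. */
static section_t   g_out_text = { ".text", NULL, 4 };
static section_t   g_in_text  = { ".text", &g_out_text, 4 };
static symbol_t    g_local    = { "foo", &g_in_text, false, 7 };
static symbol_t    g_extern   = { "bar", &g_in_text, true, 9 };
static symbol_t   *g_local_p  = &g_local;
static symbol_t   *g_extern_p = &g_extern;
static symbol_t   *g_null_p   = NULL;
static reloc_std_t g_written[2];

/* Well-formed table: both relocs are written. */
int demo_good_table(void)
{
  const reloc_t relocs[2] = { { &g_local_p, 0x10 }, { &g_extern_p, 0x20 } };
  return squirt_out_relocs(relocs, 2, g_written);
}

/* Table whose second reloc has no symbol: rejected with -1, no crash. */
int demo_null_symbol_table(void)
{
  const reloc_t relocs[2] = { { &g_local_p, 0x10 }, { &g_null_p, 0x20 } };
  return squirt_out_relocs(relocs, 2, g_written);
}

uint32_t demo_written_index(size_t i)  { return g_written[i].r_index; }
int      demo_written_extern(size_t i) { return g_written[i].r_extern; }

int main(void)
{
  reloc_std_t rec;
  reloc_t ok = { &g_local_p, 0x10 };
  swap_std_reloc_out_unchecked(&ok, &rec);   /* safe here: a real symbol is attached */
  printf("unchecked, valid reloc: r_index=%u r_extern=%u\n", rec.r_index, rec.r_extern);
  printf("checked, good table: %d relocs written\n", demo_good_table());
  printf("checked, NULL symbol: %d (rejected instead of SIGSEGV)\n", demo_null_symbol_table());
  return 0;
}
```

The unchecked function is only ever called with a valid symbol in this file; pass it the NULL-symbol table and it reproduces the reported fault, which is the point of the comparison. A caller of the checked variant should also set an error state (in BFD terms, something like bfd_set_error) so that objcopy reports the bad input rather than silently emitting a truncated reloc table.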