https://sourceware.org/bugzilla/show_bug.cgi?id=26774
            Bug ID: 26774
           Summary: objcopy : SIGSEGV in srec.c:1130
           Product: binutils
           Version: 2.36 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: zodf0055980 at gmail dot com
  Target Milestone: ---

Created attachment 12916
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12916&action=edit
file that reproduces this problem

OS : ubuntu 18.04.3
kernel : gnu/linux 5.4.0-52-generic
CPU : Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
compiler : gcc version 7.5.0

Steps to Reproduce :
download the sample from attachment
~/binutils-gdb/binutils/objcopy -O symbolsrec --add-symbol function_name=.text:0x900,function,global ./sample

gdb backtrace :

gdb-peda$ bt
#0  0x00005555555b11f8 in sprintf (__fmt=0x55555565cd7b "%016lx", __s=0x7fffffffdab2 "") at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
#1  srec_write_symbols (abfd=0x5555558b35f0) at srec.c:1099
#2  internal_srec_write_object_contents (abfd=0x5555558b35f0, symbols=<optimized out>) at srec.c:1130
#3  0x00005555555ab56a in bfd_close (abfd=0x5555558b35f0) at opncls.c:775
#4  0x000055555558ed56 in copy_file (input_filename=0x7fffffffe1d9 "/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/id:000000,sig:06,src:000000,op:arg1,pos:0", output_filename=0x5555558b2440 "/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/stUTQ9Kk", input_target=<optimized out>, output_target=<optimized out>, input_arch=0x0) at objcopy.c:3845
#5  0x0000555555587458 in copy_main (argv=<optimized out>, argc=<optimized out>) at objcopy.c:5899
#6  main (argc=<optimized out>, argc@entry=0x6, argv=<optimized out>, argv@entry=0x7fffffffddd8) at objcopy.c:6025
#7  0x00007ffff7801b97 in __libc_start_main (main=0x555555587030 <main>, argc=0x6, argv=0x7fffffffddd8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffddc8) at ../csu/libc-start.c:310
#8  0x0000555555589b2a in _start ()

[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555558b3970 --> 0x5555558b9920 --> 0x5555558b35f0 --> 0x5555558b9430 ("/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/stUTQ9Kk")
RCX: 0x55555565cd7b --> 0x4c00786c36313025 ('%016lx')
RDX: 0x29 (')')
RSI: 0x1
RDI: 0x7fffffffdab0 --> 0x0
RBP: 0x5555558b3978 --> 0x0
RSP: 0x7fffffffdaa0 --> 0xd ('\r')
RIP: 0x5555555b11f8 (<internal_srec_write_object_contents+712>: add r8,QWORD PTR [rax+0x38])
R8 : 0x900 ('')
R9 : 0x0
R10: 0x5555558b0010 --> 0x1010101010101
R11: 0x1
R12: 0x5555558b35f0 --> 0x5555558b9430 ("/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/stUTQ9Kk")
R13: 0x5555558b9470 --> 0x5555558b9950 --> 0x5555558b9990 --> 0x5555558b99d0 --> 0x5555558b9a18 --> 0x5555558b9a70 (--> ...)
R14: 0x7fffffffdab2 --> 0x8982000000000000
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555b11ec <internal_srec_write_object_contents+700>: mov rax,QWORD PTR [rax+0x70]
   0x5555555b11f0 <internal_srec_write_object_contents+704>: add r8,QWORD PTR [r14+0x10]
   0x5555555b11f4 <internal_srec_write_object_contents+708>: lea r14,[rdi+0x2]
=> 0x5555555b11f8 <internal_srec_write_object_contents+712>: add r8,QWORD PTR [rax+0x38]
   0x5555555b11fc <internal_srec_write_object_contents+716>: mov rdi,r14
   0x5555555b11ff <internal_srec_write_object_contents+719>: xor eax,eax
   0x5555555b1201 <internal_srec_write_object_contents+721>: call 0x555555585150 <__sprintf_chk@plt>
   0x5555555b1206 <internal_srec_write_object_contents+726>: cmp BYTE PTR [rsp+0x12],0x30
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdaa0 --> 0xd ('\r')
0008| 0x7fffffffdaa8 --> 0x7fffffffdab0 --> 0x0
0016| 0x7fffffffdab0 --> 0x0
0024| 0x7fffffffdab8 --> 0x5f918982
0032| 0x7fffffffdac0 --> 0x15ac54a8
0040| 0x7fffffffdac8 --> 0x5f918982
0048| 0x7fffffffdad0 --> 0x15ac54a8
0056| 0x7fffffffdad8 --> 0x5f918982
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555b11f8 in sprintf (__fmt=0x55555565cd7b "%016lx", __s=0x7fffffffdab2 "") at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
33        return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,

-- 
You are receiving this mail because:
You are on the CC list for the bug.