https://sourceware.org/bugzilla/show_bug.cgi?id=32638
Bug ID: 32638
Summary: ld SEGV in bfd_putl64 (bfd/libbfd.c:989:11)
Product: binutils
Version: 2.43
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: swj22 at mails dot tsinghua.edu.cn
Target Milestone: ---

Created attachment 15914
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15914&action=edit
poc

**Description**

A SEGV can occur in ld (part of binutils 2.43) when using the --version-exports-section and --shared options with a specially crafted input file. This issue leads to memory corruption (illegal memory access) and crashes.

**Affected Version**

GNU ld (GNU Binutils) 2.43

**Steps to Reproduce**

1. Build binutils 2.43 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address" ./configure && make -j).
2. Run the following command:
   ./binutils-2.43/bins/bin/ld --version-exports-section symbol --shared $poc
3. Observe the AddressSanitizer error indicating a SEGV.

```
(base) swj@amax /tmp/crash_tmp $ /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld --version-exports-section symbol --shared /tmp/poc
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: warning: /tmp/poc has a section extending past end of file
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: /tmp/poc: warning: relocation against `' in read-only section `.text'
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: warning: a.out has a LOAD segment with RWX permissions
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: /data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: DWARF error: found address size '0', this reader can only handle address sizes '2', '4' and '8'
/tmp/poc: in function `no symbol':
l_fork_pid:(.text+0x2a7): undefined reference to `'
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: /tmp/poc: in function `���������':
l_fork_pid:(.text+0x327): undefined reference to `'
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: l_fork_pid:(.text+0x37c): undefined reference to `�������'
l_fork_pid:(.text+0x37c): relocation truncated to fit: R_X86_64_SIZE32 against undefined symbol `�������'
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: /tmp/poc: in function `no symbol':
l_fork_pid:(.text+0x492): undefined reference to `'
/tmp/poc:(.debug_info+0x53): relocation truncated to fit: R_X86_64_32 against `.debug_str'
/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld: BFD (GNU Binutils) 2.43 assertion fail elflink.c:15630
AddressSanitizer:DEADLYSIGNAL
=================================================================
==484290==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000007 (pc 0x555d44825250 bp 0x7ffedac5fef0 sp 0x7ffedac5fe50 T0)
==484290==The signal is caused by a WRITE memory access.
==484290==Hint: address points to the zero page.
    #0 0x555d44825250 in bfd_putl64 /data/swj/optfuzz/benchmark/binutils-2.43/bfd/libbfd.c:989:11
    #1 0x555d448d0d4d in bfd_elf64_swap_reloca_out /data/swj/optfuzz/benchmark/binutils-2.43/bfd/./elfcode.h:466:3
    #2 0x555d449ca89f in elf_append_rela /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:15631:3
    #3 0x555d44886c46 in elf_x86_64_finish_dynamic_symbol /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elf64-x86-64.c:4959:4
    #4 0x555d449afdd5 in elf_link_output_extsym /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:10938:14
    #5 0x555d44821703 in bfd_hash_traverse /data/swj/optfuzz/benchmark/binutils-2.43/bfd/hash.c:814:8
    #6 0x555d4499994c in bfd_elf_final_link /data/swj/optfuzz/benchmark/binutils-2.43/bfd/elflink.c:13182:3
    #7 0x555d44791d0e in ldwrite /data/swj/optfuzz/benchmark/binutils-2.43/ld/ldwrite.c:550:8
    #8 0x555d4478c4e9 in main /data/swj/optfuzz/benchmark/binutils-2.43/ld/./ldmain.c:556:3
    #9 0x7f2c69b92082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x555d446646bd in _start (/data/swj/optfuzz/benchmark/binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/swj/optfuzz/benchmark/binutils-2.43/bfd/libbfd.c:989:11 in bfd_putl64
==484290==ABORTING
```

**Env**

Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal