https://sourceware.org/bugzilla/show_bug.cgi?id=32646

            Bug ID: 32646
           Summary: ld SEGV (illegal read access) in load_symbols
                    (ld/ldlang.c:3061:7)  with -w --defsym options
           Product: binutils
           Version: 2.43
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: swj22 at mails dot tsinghua.edu.cn
  Target Milestone: ---

Created attachment 15921
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15921&action=edit
poc

**Description**
A SEGV can occur in ld when using the -w and --defsym options with a
specially crafted input file. This issue leads to memory corruption (illegal
memory read access) and crashes.

**Affected Version**
GNU ld (GNU Binutils) 2.43

**Steps to Reproduce**

Build binutils 2.43 with AddressSanitizer (e.g., CFLAGS="-g -fsanitize=address"
./configure && make -j).
Run the following command:

## Version 2.43
./binutils-2.43/bins/bin/ld --version
GNU ld (GNU Binutils) 2.43
Copyright (C) 2024 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) a later version.
This program has absolutely no warranty.

./binutils-2.43/bins/bin/ld -w --defsym ++ /tmp/poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==769419==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff2a429bddb bp 0x000000000000 sp 0x7fff6c1bbb70 T0)
==769419==The signal is caused by a READ memory access.
==769419==Hint: address points to the zero page.
    #0 0x7ff2a429bddb in _IO_fclose /build/glibc-LcI20x/glibc-2.31/libio/iofclose.c:48:9
    #1 0x55dfeaccb290 in fclose (./binutils-2.43/bins/bin/ld+0x1af290) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)
    #2 0x55dfead66a44 in load_symbols ./binutils-2.43/ld/ldlang.c:3061:7
    #3 0x55dfead77304 in open_input_bfds ./binutils-2.43/ld/ldlang.c:3622:13
    #4 0x55dfead739f3 in lang_process ./binutils-2.43/ld/ldlang.c:8194:3
    #5 0x55dfead9e34c in main ./binutils-2.43/ld/./ldmain.c:529:3
    #6 0x7ff2a423e082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x55dfeac766bd in _start (./binutils-2.43/bins/bin/ld+0x15a6bd) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-LcI20x/glibc-2.31/libio/iofclose.c:48:9 in _IO_fclose

## binutils-gdb master branch
./binutils-gdb/bins/bin/ld --version
GNU ld (GNU Binutils) 2.44.50.20250206
Copyright (C) 2025 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) a later version.
This program has absolutely no warranty.

./binutils-gdb/bins/bin/ld -w --defsym ++ /tmp/poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==769486==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7dc72ffddb bp 0x000000000000 sp 0x7ffe917681b0 T0)
==769486==The signal is caused by a READ memory access.
==769486==Hint: address points to the zero page.
    #0 0x7f7dc72ffddb in _IO_fclose /build/glibc-LcI20x/glibc-2.31/libio/iofclose.c:48:9
    #1 0x55c660f70d60 in fclose (./binutils-gdb/bins/bin/ld+0x3dad60) (BuildId: 5e1d51f38e544370)
    #2 0x55c66100d244 in load_symbols ./binutils-gdb/ld/ldlang.c:3155:7
    #3 0x55c66101e194 in open_input_bfds ./binutils-gdb/ld/ldlang.c:3722:13
    #4 0x55c66101a583 in lang_process ./binutils-gdb/ld/ldlang.c:8292:3
    #5 0x55c66104943c in main ./binutils-gdb/ld/./ldmain.c:533:3
    #6 0x7f7dc72a2082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x55c660f1c18d in _start (./binutils-gdb/bins/bin/ld+0x38618d) (BuildId: 5e1d51f38e544370)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-LcI20x/glibc-2.31/libio/iofclose.c:48:9 in _IO_fclose
==769486==ABORTING


**Env**
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:        20.04
Codename:       focal
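The two sanitizer reports above are what a triager has to read first. As an added example (not part of this bug report or of binutils), the following Python parses an ASan report into the fields that matter for triage: the error kind, the faulting address (a SEGV inside the first page is a NULL-based access, which is what the "zero page" hint says), the access type, and the first frame whose source path is inside the project tree, which for this report is load_symbols at ldlang.c:3061 rather than the glibc fclose frame where the signal was delivered. The embedded sample is the 2.43 report with the mail line-wrapping undone; the regexes also accept the "on address" form that heap and stack reports use.

```python
import re
from typing import NamedTuple, Optional
# Constructed sample: the binutils 2.43 report from this bug with mail wrapping undone.
SAMPLE = """\
==769419==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff2a429bddb bp 0x000000000000 sp 0x7fff6c1bbb70 T0)
==769419==The signal is caused by a READ memory access.
==769419==Hint: address points to the zero page.
    #0 0x7ff2a429bddb in _IO_fclose /build/glibc-LcI20x/glibc-2.31/libio/iofclose.c:48:9
    #1 0x55dfeaccb290 in fclose (./binutils-2.43/bins/bin/ld+0x1af290) (BuildId: d9731e405748db264b62c84ded760ba4f068cb0a)
    #2 0x55dfead66a44 in load_symbols ./binutils-2.43/ld/ldlang.c:3061:7
    #3 0x55dfead77304 in open_input_bfds ./binutils-2.43/ld/ldlang.c:3622:13
SUMMARY: AddressSanitizer: SEGV /build/glibc-LcI20x/glibc-2.31/libio/iofclose.c:48:9 in _IO_fclose
"""
# SEGV reports say "on unknown address"; heap and stack reports say "on address".
ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
class Triage(NamedTuple):
    pid: int
    kind: str              # "SEGV", "heap-buffer-overflow", ...
    address: int           # faulting address
    access: Optional[str]  # "READ" / "WRITE" when ASan states it
    frames: list           # [(function, location), ...] of the primary stack

def parse_asan_report(text: str) -> Triage:
    pid = kind = address = access = None
    frames = []
    for line in text.splitlines():
        if line.startswith("SUMMARY:"):
            break  # secondary stacks (allocation sites etc.) are not needed here
        if m := ERROR_RE.match(line):
            pid, kind, address = int(m.group(1)), m.group(2), int(m.group(3), 16)
        elif m := ACCESS_RE.search(line):
            access = m.group(1)
        elif m := FRAME_RE.match(line):
            frames.append((m.group(1), m.group(2)))
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR line in report")
    return Triage(pid, kind, address, access, frames)

def is_null_deref(t: Triage) -> bool:
    # A SEGV in the first page is a NULL-based access (ASan's "zero page" hint).
    return t.kind == "SEGV" and t.address < 0x1000

def first_project_frame(t: Triage, src_prefix: str):
    # Skip libc and offset-only frames like "(./ld+0x1af290)"; first in-tree frame.
    for func, loc in t.frames:
        if loc.startswith(src_prefix):
            return func, loc
    return None
```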
