https://sourceware.org/bugzilla/show_bug.cgi?id=33086
Bug ID: 33086
Summary: objcopy: out-of-memory in bfd_init_section_compress_status
Product: binutils
Version: 2.44
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: jaehoon.jang at kaist dot ac.kr
Target Milestone: ---

Created attachment 16137
--> https://sourceware.org/bugzilla/attachment.cgi?id=16137&action=edit
objcopy-oom-poc, objcopy-poc-2

Hello,

I found some undefined behavior, an out-of-memory error, in the elf_map_symbols function of objcopy.

Environment: Ubuntu 22.04

Source code (GitHub): https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git

Commit version (latest):

```
$ git log
commit c0de9d68116d592aaf00d5a6bba177c9499f0949 (HEAD -> master, origin/master, origin/HEAD)
Author: Jeremy Bryant <j...@jeremybryant.net>
Date:   Fri May 2 21:56:35 2025 +0100

    * gdb/doc/gdb.texinfo (Emacs): Refer to Emacs manual

    The manual section on using GDB under Emacs is out-of-date and
    duplicates existing and comprehensive documentation in the Emacs
    manual.  Replace the section by a short introduction and reference.

    Approved-By: Eli Zaretskii <e...@gnu.org>
```

Reproduction (ASAN Build)

```sh
$ CONFIG_OPTIONS="--disable-shared --disable-gdb \
  --disable-libdecnumber --disable-readline \
  --disable-sim --disable-ld"
$ CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" ./configure $CONFIG_OPTIONS
$ CC="clang -g -fsanitize=address" CXX="clang++ -g -fsanitize=address" make
```

objcopy version

```
$ ./binutils/objcopy --version
GNU objcopy (GNU Binutils) 2.44.50.20250614
Copyright (C) 2025 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
```

ASAN log

```
./binutils/objcopy --compress-debug-sections /root/objcopy-oom-poc
./binutils/objcopy: /root/objcopy-oom-poc( ): Unable to recognise the format of file: file format not recognized
=================================================================
==606012==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x6400000000 bytes
    #0 0x49c41d in __interceptor_malloc (/root/realworld-triage/real-binutils-gdb/binutils/objcopy+0x49c41d)
    #1 0x532173 in bfd_malloc /root/realworld-triage/real-binutils-gdb/bfd/libbfd.c:291:9
    #2 0x5281e7 in bfd_init_section_compress_status /root/realworld-triage/real-binutils-gdb/bfd/compress.c:1078:7

==606012==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/root/realworld-triage/real-binutils-gdb/binutils/objcopy+0x49c41d) in __interceptor_malloc
==606012==ABORTING
```

Also, when I executed the `objcopy-poc-2` file, I noticed that the memory usage increased and the program temporarily froze.

```
./binutils/objcopy --compress-debug-sections /root/objcopy-poc-2
(Increased memory usage and pauses)
./binutils/objcopy: /root/objcopy-poc-2(main2.o): Unable to recognise the format of file: file format not recognized
./binutils/objcopy: warning: /root/stsslJZS/main2.o has a section extending past end of file
```

Upon simple analysis, it seems that the error occurs when the value of the `uncompressed_size` variable in the `bfd_compress_section_contents` function can be set to a very large value, such as 429496729600. I hope this information helps you debug.
```
Breakpoint 3, bfd_compress_section_contents (abfd=<optimized out>, sec=<optimized out>) at compress.c:548
548	{
(gdb)
550	  uLong compressed_size;
(gdb)
554	  int orig_header_size;
(gdb)
555	  bfd_size_type uncompressed_size;
(gdb)
556	  unsigned int uncompressed_alignment_pow;
(gdb)
557	  enum compression_type ch_type = ch_none;
(gdb)
558	  int new_header_size = bfd_get_compression_header_size (abfd, NULL);
(gdb)
560	    = bfd_is_section_compressed_info (abfd, sec,
(gdb)
568	  if (compressed && orig_header_size < 0)
(gdb)
572	  if (uncompressed_size == (bfd_size_type) -1)
(gdb)
577	  if (!new_header_size)
(gdb) p uncompressed_size
$10 = 429496729600
```
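The second PoC's warning ("a section extending past end of file") points at the kind of check that stops this class of allocation: the section's claimed size is taken from the header and handed to malloc before it is compared with the file it supposedly lives in. The helper below is an added example, not binutils code; it verifies, without integer wrap-around, that a section's on-disk extent fits inside the file and caps the allocation. The cap value, the function names and the sample sizes are assumptions chosen for illustration.

```c
// Added example (not binutils code): overflow-safe check that a section's
// on-disk extent fits inside the input file before allocating a buffer for
// its contents.  Field names mirror the ELF64 section header.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Largest single allocation this checker will permit for one section's
   contents.  Assumed policy value for the example, not a binutils constant. */
#define MAX_SECTION_ALLOC ((uint64_t)1 << 32)

/* Return true if [sh_offset, sh_offset + sh_size) lies within a file of
   file_size bytes and sh_size is below the allocation cap.  SHT_NOBITS
   sections occupy no file bytes, so only the cap applies to them. */
bool section_extent_ok(uint64_t sh_offset, uint64_t sh_size,
                       bool is_nobits, uint64_t file_size)
{
  if (sh_size > MAX_SECTION_ALLOC)
    return false;
  if (is_nobits)
    return true;
  /* Subtract instead of adding so sh_offset + sh_size cannot wrap. */
  if (sh_offset > file_size)
    return false;
  return sh_size <= file_size - sh_offset;
}

/* Buffer size to request for a section's contents, or 0 to refuse. */
uint64_t contents_alloc_size(uint64_t sh_offset, uint64_t sh_size,
                             bool is_nobits, uint64_t file_size)
{
  return section_extent_ok(sh_offset, sh_size, is_nobits, file_size)
           ? sh_size : 0;
}

int main(void)
{
  /* Constructed values: a 4 KiB input claiming a section of 429496729600
     bytes, the size reported above, plus a sane section and an offset
     that would wrap under a naive sh_offset + sh_size comparison. */
  uint64_t file_size = 4096;
  uint64_t bogus = 429496729600ULL;
  printf("bogus section:   %s\n",
         section_extent_ok(0x40, bogus, false, file_size) ? "accept" : "reject");
  printf("sane section:    %s\n",
         section_extent_ok(0x40, 0x200, false, file_size) ? "accept" : "reject");
  printf("wrapping offset: %s\n",
         section_extent_ok(UINT64_MAX - 8, 0x20, false, file_size) ? "accept" : "reject");
  return 0;
}
```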