[Bug binutils/26774] New: objcopy : SIGSEGV in srec.c:1130
https://sourceware.org/bugzilla/show_bug.cgi?id=26774

            Bug ID: 26774
           Summary: objcopy : SIGSEGV in srec.c:1130
           Product: binutils
           Version: 2.36 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: zodf0055980 at gmail dot com
  Target Milestone: ---

Created attachment 12916
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12916&action=edit
file that reproduces this problem

OS : ubuntu 18.04.3
kernel : gnu/linux 5.4.0-52-generic
CPU : Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
compiler : gcc version 7.5.0

Steps to Reproduce :
download the sample from attachment
~/binutils-gdb/binutils/objcopy -O symbolsrec --add-symbol function_name=.text:0x900,function,global./sample

gdb backtrace :
gdb-peda$ bt
#0  0x555b11f8 in sprintf (__fmt=0x5565cd7b "%016lx", __s=0x7fffdab2 "") at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
#1  srec_write_symbols (abfd=0x558b35f0) at srec.c:1099
#2  internal_srec_write_object_contents (abfd=0x558b35f0, symbols=) at srec.c:1130
#3  0x555ab56a in bfd_close (abfd=0x558b35f0) at opncls.c:775
#4  0x5558ed56 in copy_file (input_filename=0x7fffe1d9 "/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/id:00,sig:06,src:00,op:arg1,pos:0", output_filename=0x558b2440 "/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/stUTQ9Kk", input_target=, output_target=, input_arch=0x0) at objcopy.c:3845
#5  0x55587458 in copy_main (argv=, argc=) at objcopy.c:5899
#6  main (argc=, argc@entry=0x6, argv=, argv@entry=0x7fffddd8) at objcopy.c:6025
#7  0x77801b97 in __libc_start_main (main=0x55587030 , argc=0x6, argv=0x7fffddd8, init=, fini=, rtld_fini=, stack_end=0x7fffddc8) at ../csu/libc-start.c:310
#8  0x55589b2a in _start ()

[--registers---]
RAX: 0x0
RBX: 0x558b3970 --> 0x558b9920 --> 0x558b35f0 --> 0x558b9430 ("/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/stUTQ9Kk")
RCX: 0x5565cd7b --> 0x4c00786c36313025 ('%016lx')
RDX: 0x29 (')')
RSI: 0x1
RDI: 0x7fffdab0 --> 0x0
RBP: 0x558b3978 --> 0x0
RSP: 0x7fffdaa0 --> 0xd ('\r')
RIP: 0x555b11f8 (: add    r8,QWORD PTR [rax+0x38])
R8 : 0x900 ('')
R9 : 0x0
R10: 0x558b0010 --> 0x1010101010101
R11: 0x1
R12: 0x558b35f0 --> 0x558b9430 ("/home/yuan/Yuan-fuzz/objcopy-randominit/crashes/stUTQ9Kk")
R13: 0x558b9470 --> 0x558b9950 --> 0x558b9990 --> 0x558b99d0 --> 0x558b9a18 --> 0x558b9a70 (--> ...)
R14: 0x7fffdab2 --> 0x8982
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-code-]
   0x555b11ec :    mov    rax,QWORD PTR [rax+0x70]
   0x555b11f0 :    add    r8,QWORD PTR [r14+0x10]
   0x555b11f4 :    lea    r14,[rdi+0x2]
=> 0x555b11f8 :    add    r8,QWORD PTR [rax+0x38]
   0x555b11fc :    mov    rdi,r14
   0x555b11ff :    xor    eax,eax
   0x555b1201 :    call   0x55585150 <__sprintf_chk@plt>
   0x555b1206 :    cmp    BYTE PTR [rsp+0x12],0x30
[stack-]
0000| 0x7fffdaa0 --> 0xd ('\r')
0008| 0x7fffdaa8 --> 0x7fffdab0 --> 0x0
0016| 0x7fffdab0 --> 0x0
0024| 0x7fffdab8 --> 0x5f918982
0032| 0x7fffdac0 --> 0x15ac54a8
0040| 0x7fffdac8 --> 0x5f918982
0048| 0x7fffdad0 --> 0x15ac54a8
0056| 0x7fffdad8 --> 0x5f918982
[--]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x555b11f8 in sprintf (__fmt=0x5565cd7b "%016lx", __s=0x7fffdab2 "") at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
33        return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug binutils/26774] objcopy : SIGSEGV in srec.c:1099
https://sourceware.org/bugzilla/show_bug.cgi?id=26774

WU,ZONG-YUAN changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|objcopy : SIGSEGV in        |objcopy : SIGSEGV in
                   |srec.c:1199                 |srec.c:1099

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug binutils/26774] objcopy : SIGSEGV in srec.c:1199
https://sourceware.org/bugzilla/show_bug.cgi?id=26774

WU,ZONG-YUAN changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|objcopy : SIGSEGV in        |objcopy : SIGSEGV in
                   |srec.c:1130                 |srec.c:1199

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug binutils/26774] objcopy : SIGSEGV in srec.c:1099
https://sourceware.org/bugzilla/show_bug.cgi?id=26774

--- Comment #1 from WU,ZONG-YUAN ---
I forgot to add one space. Steps to Reproduce is:

~/binutils-gdb/binutils/objcopy -O symbolsrec --add-symbol function_name=.text:0x900,function,global ./sample

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug binutils/26805] New: objcopy : global-buffer-overflow in objcopy.c:1274
https://sourceware.org/bugzilla/show_bug.cgi?id=26805

            Bug ID: 26805
           Summary: objcopy : global-buffer-overflow in objcopy.c:1274
           Product: binutils
           Version: 2.36 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: zodf0055980 at gmail dot com
  Target Milestone: ---

Created attachment 12926
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12926&action=edit
file that reproduces this problem

OS : ubuntu 18.04.3
kernel : gnu/linux 5.4.0-52-generic
CPU : Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
compiler : gcc version 7.5.0

Steps to Reproduce :
download the sample from attachment
~/binutils-ASAN/binutils/objcopy -I elf32-i386 --extract-dwo ./sample /dev/null

ASan trace:
=================================================================
==13087==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5606d020369c at pc 0x7f30d2c91a69 bp 0x7ffc6df9eba0 sp 0x7ffc6df9e348
READ of size 1 at 0x5606d020369c thread T0
    #0 0x7f30d2c91a68  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68)
    #1 0x5606cfb81813 in is_dwo_section /home/yuan/binutils-ASAN/binutils/objcopy.c:1274
    #2 0x5606cfb81813 in is_strip_section_1 /home/yuan/binutils-ASAN/binutils/objcopy.c:1371
    #3 0x5606cfb81813 in is_strip_section /home/yuan/binutils-ASAN/binutils/objcopy.c:1381
    #4 0x5606cfb86b5c in setup_section /home/yuan/binutils-ASAN/binutils/objcopy.c:3985
    #5 0x5606cfc8d1cb in bfd_map_over_sections /home/yuan/binutils-ASAN/bfd/section.c:1379
    #6 0x5606cfb8ae5d in copy_object /home/yuan/binutils-ASAN/binutils/objcopy.c:2826
    #7 0x5606cfb9b51b in copy_file /home/yuan/binutils-ASAN/binutils/objcopy.c:3838
    #8 0x5606cfb6fd84 in copy_main /home/yuan/binutils-ASAN/binutils/objcopy.c:5899
    #9 0x5606cfb6fd84 in main /home/yuan/binutils-ASAN/binutils/objcopy.c:6025
    #10 0x7f30d2663b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x5606cfb7b4d9 in _start (/home/yuan/binutils-ASAN/binutils/objcopy+0xc14d9)

0x5606d020369c is located 54 bytes to the right of global variable '*.LC24' defined in 'elf.c' (0x5606d0203660) of size 6
  '*.LC24' is ascii string '.rela'
0x5606d020369c is located 4 bytes to the left of global variable '*.LC26' defined in 'elf.c' (0x5606d02036a0) of size 1
  '*.LC26' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68)
Shadow bytes around the buggy address:
  0x0ac15a038680: 06 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0ac15a038690: 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 05 f9
  0x0ac15a0386a0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x0ac15a0386b0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x0ac15a0386c0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
=>0x0ac15a0386d0: f9 f9 f9[f9]01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ac15a0386e0: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ac15a0386f0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0ac15a038700: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ac15a038710: f9 f9 f9 f9 00 00 00 00 00 00 00 03 f9 f9 f9 f9
  0x0ac15a038720: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 02 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13087==ABORTING

len in is_dwo_section() is 0, so name + len - 4 overflows.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
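The suffix check the reporter describes, as an added illustration that is not the binutils source and not the reporter's code: a constructed copy of the `name + len - 4` pattern next to a form that validates the length before deriving a pointer from it. Function names (`is_dwo_name_unchecked`, `has_suffix`, `is_dwo_name`, `count_dwo_sections`) and the section-name list are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the pattern described in the report (not the
   binutils code): the pointer name + len - 4 is formed before anything
   checks that len >= 4.  For an empty section name (len == 0) it points 4
   bytes before the string's storage, and strncmp reads out of bounds; in an
   ASan build that read is reported as a global-buffer-overflow because the
   literal lives in .rodata.  Only safe when strlen(name) >= 4. */
bool is_dwo_name_unchecked(const char *name)
{
    size_t len = strlen(name);
    return strncmp(name + len - 4, ".dwo", 4) == 0;
}

/* Hardened form: compare lengths first, so the subtraction can never move
   the pointer before the start of the buffer. */
bool has_suffix(const char *name, const char *suffix)
{
    size_t len = strlen(name);
    size_t slen = strlen(suffix);
    if (len < slen)
        return false;
    return memcmp(name + len - slen, suffix, slen) == 0;
}

bool is_dwo_name(const char *name)
{
    return has_suffix(name, ".dwo");
}

/* Walks a NULL-terminated list of section names (constructed input in the
   caller) and counts the .dwo sections; an empty name such as the one in
   the reproducer is handled without any out-of-bounds read. */
int count_dwo_sections(const char *const *names)
{
    int n = 0;
    for (; *names != NULL; names++)
        n += is_dwo_name(*names) ? 1 : 0;
    return n;
}
```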
[Bug binutils/26809] New: nm-new : heap-buffer-overflow in bfd_getl_signed_64
https://sourceware.org/bugzilla/show_bug.cgi?id=26809

            Bug ID: 26809
           Summary: nm-new : heap-buffer-overflow in bfd_getl_signed_64
           Product: binutils
           Version: 2.36 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: zodf0055980 at gmail dot com
  Target Milestone: ---

Created attachment 12928
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12928&action=edit
file that reproduces this problem

OS : ubuntu 18.04.3
kernel : gnu/linux 5.4.0-52-generic
CPU : Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
compiler : gcc version 7.5.0

Steps to Reproduce :
download the sample from attachment
~/binutils-ASAN/binutils/nm-new -D --synthetic ./sample

/home/yuan/binutils-ASAN/binutils/nm-new: ./sample(.rela.plt): relocation 0 has invalid symbol index 6
/home/yuan/binutils-ASAN/binutils/nm-new: ./sample: unsupported relocation type 0xf8
=================================================================
==1587==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400247 at pc 0x5635ebbcfbd8 bp 0x7ffeb201d870 sp 0x7ffeb201d860
READ of size 1 at 0x60400247 thread T0
    #0 0x5635ebbcfbd7 in bfd_getl_signed_64 /home/yuan/binutils-ASAN/bfd/libbfd.c:752
    #1 0x5635ebc82b61 in bfd_elf64_swap_reloca_in /home/yuan/binutils-ASAN/bfd/elfcode.h:432
    #2 0x5635ebd3597a in _bfd_elf_slurp_secondary_reloc_section /home/yuan/binutils-ASAN/bfd/elf.c:12635
    #3 0x5635ebc8c95f in bfd_elf64_slurp_reloc_table /home/yuan/binutils-ASAN/bfd/elfcode.h:1606
    #4 0x5635ebd08299 in _bfd_elf_canonicalize_dynamic_reloc /home/yuan/binutils-ASAN/bfd/elf.c:8654
    #5 0x5635ebc72dbc in _bfd_x86_elf_get_synthetic_symtab /home/yuan/binutils-ASAN/bfd/elfxx-x86.c:2111
    #6 0x5635ebc2fa6b in elf_x86_64_get_synthetic_symtab /home/yuan/binutils-ASAN/bfd/elf64-x86-64.c:4918
    #7 0x5635ebb7b0e3 in display_rel_file /home/yuan/binutils-ASAN/binutils/nm.c:1161
    #8 0x5635ebb7db8b in display_file /home/yuan/binutils-ASAN/binutils/nm.c:1381
    #9 0x5635ebb72d73 in main /home/yuan/binutils-ASAN/binutils/nm.c:1865
    #10 0x7f7846ed8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x5635ebb74ed9 in _start (/home/yuan/binutils-ASAN/binutils/nm-new+0xaced9)

0x60400247 is located 7 bytes to the right of 48-byte region [0x60400210,0x60400240)
allocated by thread T0 here:
    #0 0x7f784758ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5635ebbcc9a7 in bfd_malloc /home/yuan/binutils-ASAN/bfd/libbfd.c:275

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yuan/binutils-ASAN/bfd/libbfd.c:752 in bfd_getl_signed_64
Shadow bytes around the buggy address:
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff8000: fa fa 00 00 00 00 01 fa fa fa fd fd fd fd fd fd
  0x0c087fff8010: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff8020: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8030: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff8040: fa fa 00 00 00 00 00 00[fa]fa fd fd fd fd fd fd
  0x0c087fff8050: fa fa 00 00 00 00 00 03 fa fa 00 00 00 00 00 fa
  0x0c087fff8060: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff8070: fa fa fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1587==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.