[Bug binutils/22881] New: null pointer dereference in assign_file_positi
From: luanjunchao at 163 dot com
Subject: [Bug binutils/22881] New: null pointer dereference in assign_file_positions_for_non_load_sections
Date: Fri, 23 Feb 2018 08:43:35 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=22881
Bug ID: 22881
Summary: null pointer dereference in assign_file_positions_for_non_load_sections
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: luanjunchao at 163 dot com
Target Milestone: ---
When I test the latest objcopy with an ELF file, there is a null pointer
dereference problem.
Here is part of the output.
==23042==ERROR: AddressSanitizer: SEGV on unknown address 0x00000038 (pc 0x082cd8d8 bp 0x1ea219a1 sp 0xffa84c10 T0)
    #0 0x82cd8d7 in assign_file_positions_for_non_load_sections /work/binutils-gdb/bfd/elf.c:5908
    #1 0x82cd8d7 in assign_file_positions_except_relocs /work/binutils-gdb/bfd/elf.c:6093
    #2 0x82cd8d7 in _bfd_elf_compute_section_file_positions /work/binutils-gdb/bfd/elf.c:4260
    #3 0x82ffe3a in _bfd_elf_set_section_contents /work/binutils-gdb/bfd/elf.c:8839
    #4 0x81ba6ee in bfd_set_section_contents /work/binutils-gdb/bfd/section.c:1532
    #5 0x806a3be in copy_section /work/binutils-gdb/binutils/objcopy.c:4099
    #6 0x81b9f44 in bfd_map_over_sections /work/binutils-gdb/bfd/section.c:1394
    #7 0x80743ac in copy_object /work/binutils-gdb/binutils/objcopy.c:3048
    #8 0x808087b in copy_object /work/binutils-gdb/binutils/objcopy.c:2432
    #9 0x808087b in copy_file /work/binutils-gdb/binutils/objcopy.c:3523
    #10 0x805596c in copy_main /work/binutils-gdb/binutils/objcopy.c:5478
    #11 0x805596c in main /work/binutils-gdb/binutils/objcopy.c:5582
    #12 0xf70af636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x8060dc5 (/work/build/binutils/objcopy+0x8060dc5)
The snippet of function assign_file_positions_for_non_load_sections:
(gdb) list
5903 break;
5904 }
5905 BFD_ASSERT (lm != NULL);
5906
5907 /* Find the section starting the RELRO segment. */
5908 for (i = 0; i < lm->count; i++)
5909 {
5910 asection *s = lm->sections[i];
5911 if (s->vma >= start
5912 && s->vma < end
It seems that BFD_ASSERT (lm != NULL) doesn't end the execution, which leads to
a null pointer dereference.
The test command is `objcopy test.elf` and the test elf file is
https://github.com/skysider/FuzzVuln/blob/master/binutils_objcopy_null_pointer_dereference_assign_file_positions_for_non_load_sections.elf
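The failure mode described in the report, a reporting-only assertion followed by a dereference, shown beside a checked variant. This is an added example, not binutils code and not part of the original message: `struct seg`, `SOFT_ASSERT`, `find_seg`, `first_in_range` and the `relro_start_*` functions are hypothetical names in a simplified model, and the sample segment in `main` is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a segment map entry; not BFD's real structure. */
struct seg { struct seg *next; unsigned long base, size, vma[4]; unsigned count; };
static unsigned soft_assert_hits;   /* counts how often the assert fired */

/* Non-fatal assert: reports and continues, the behaviour the report observed. */
#define SOFT_ASSERT(c) do { if (!(c)) { soft_assert_hits++; \
    fprintf(stderr, "assertion fail: %s\n", #c); } } while (0)

static struct seg *find_seg(struct seg *m, unsigned long start)
{
  for (; m != NULL; m = m->next)
    if (start >= m->base && start - m->base < m->size)
      break;
  return m;   /* NULL when no segment covers `start` */
}

/* First section address inside [start, end), or -1 if there is none. */
static long first_in_range(const struct seg *lm, unsigned long start, unsigned long end)
{
  for (unsigned i = 0; i < lm->count; i++)   /* faults here if lm is NULL */
    if (lm->vma[i] >= start && lm->vma[i] < end)
      return (long) lm->vma[i];
  return -1;
}

/* Pattern from the report: assert only, then dereference. */
long relro_start_unchecked(struct seg *list, unsigned long start, unsigned long end)
{
  struct seg *lm = find_seg(list, start);
  SOFT_ASSERT(lm != NULL);
  return first_in_range(lm, start, end);
}

/* Checked variant: the assert stays as a diagnostic, NULL gets an error path. */
long relro_start_checked(struct seg *list, unsigned long start, unsigned long end)
{
  struct seg *lm = find_seg(list, start);
  SOFT_ASSERT(lm != NULL);
  if (lm == NULL) return -1;   /* malformed input: fail instead of dereferencing */
  return first_in_range(lm, start, end);
}

int main(void)
{
  struct seg load = { NULL, 0x1000, 0x1000, { 0x1000, 0x1800 }, 2 };  /* constructed */
  printf("valid input: %#lx\n", (unsigned long) relro_start_checked(&load, 0x1800, 0x2000));
  printf("no covering segment: %ld\n", relro_start_checked(&load, 0x5000, 0x6000));
}
```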