https://sourceware.org/bugzilla/show_bug.cgi?id=23063
Bug ID: 23063
Summary: Crash in readelf (assertion failure)
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: thuanpv at comp dot nus.edu.sg
Target Milestone: ---

Created attachment 10950
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10950&action=edit
crash-inducing sample file

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu.

This bug was found on Ubuntu 16.04 64-bit & binutils was checked out from the main repository at git://sourceware.org/git/binutils-gdb.git. Its commit is 68e91e42492551e165b103d819c021c4953da10b (April 14 2018).

To reproduce:
Download the attached file - crash2
readelf -aW crash2

Error message:
readelf: Warning: section 30: sh_link value of 234 is larger than the number of sections
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz     Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x02420 0x00120    R E 0x4
readelf: Error: the PHDR segment is not covered by a LOAD segment
  INTERP         0x000054 0x08048000 0x08048000 0x005c4 0x005c4    R E 0x10f9
      [Requesting program interpreter: ]
  LOAD           0x000f08 0x08049f08 0x08049f08 0x0018d 0x00118    RW  0
readelf: Error: the segment's file size is larger than its memory size
  DYNAMIC        0x000f0a 0x00009f14 0x00170000 0x00000 0x00d00        0x45000009
readelf: Error: no .dynamic section in the dynamic segment
  NOTE           0x000168 0x08048168 0x20008168 0x00054 0x0fa44    W   0x4
  LOPROC+0x374e5 0x0004cc 0x1c041000 0x080484cc 0x0ec2c 0xe600002c R   0x4
  GNU_MBIND+0x2f 0xfc0000 0x00000062 0x00000000 0x00000 0x00000    RW  0xbcbcbcbc
  <unknown>: bcb 0xbcbcbcbc 0xbcbcbcbc 0xbcbcbcbc 0xbcbcbcbc 0xbcbcbcbc R 0xbcbcbcbc
  <unknown>: bcb 0xbcbcbcbc 0xbcbcbcbc 0x6f732e78 0x0002e 0x00000    R   0xd4110004

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type None is not currently supported.

Symbol table '<no-strings>' contains 0 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name

Symbol table '<no-strings>' contains 1 entry:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000 0x20003400 NOTYPE LOCAL INTERNAL [<other>: 8] bad section index[10240] <corrupt>

No version information found in this file.

Displaying notes found at file offset 0x00000168 with length 0x00000054:
  Owner                 Data size       Description
readelf: readelf.c:516: print_symbol: Assertion `width != 0' failed.
!N�������������������������:Aborted

Valgrind says:

readelf: Error: the segment's file size is larger than its memory size
  DYNAMIC        0x000f0a 0x00009f14 0x00170000 0x00000 0x00d00        0x45000009
readelf: Error: no .dynamic section in the dynamic segment
  NOTE           0x000168 0x08048168 0x20008168 0x00054 0x0fa44    W   0x4
  LOPROC+0x374e5 0x0004cc 0x1c041000 0x080484cc 0x0ec2c 0xe600002c R   0x4
  GNU_MBIND+0x2f 0xfc0000 0x00000062 0x00000000 0x00000 0x00000    RW  0xbcbcbcbc
  <unknown>: bcb 0xbcbcbcbc 0xbcbcbcbc 0xbcbcbcbc 0xbcbcbcbc 0xbcbcbcbc R 0xbcbcbcbc
  <unknown>: bcb 0xbcbcbcbc 0xbcbcbcbc 0x6f732e78 0x0002e 0x00000    R   0xd4110004

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type None is not currently supported.

Symbol table '<no-strings>' contains 0 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name

Symbol table '<no-strings>' contains 1 entry:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000 0x20003400 NOTYPE LOCAL INTERNAL [<other>: 8] bad section index[10240] <corrupt>

No version information found in this file.

Displaying notes found at file offset 0x00000168 with length 0x00000054:
  Owner                 Data size       Description
readelf: readelf.c:516: print_symbol: Assertion `width != 0' failed.
!N�������������������������:==14623==
==14623== Process terminating with default action of signal 6 (SIGABRT)
==14623==    at 0x4E6F428: raise (raise.c:54)
==14623==    by 0x4E71029: abort (abort.c:89)
==14623==    by 0x4E67BD6: __assert_fail_base (assert.c:92)
==14623==    by 0x4E67C81: __assert_fail (assert.c:101)
==14623==    by 0x419C90: print_symbol (readelf.c:516)
==14623==    by 0x46B9F3: print_gnu_build_attribute_name (readelf.c:17896)
==14623==    by 0x46B9F3: process_note (readelf.c:17966)
==14623==    by 0x46B9F3: process_notes_at.part.58 (readelf.c:18166)
==14623==    by 0x4C728D: process_notes_at (readelf.c:18200)
==14623==    by 0x4C728D: process_corefile_note_segments (readelf.c:18196)
==14623==    by 0x4C728D: process_note_sections (readelf.c:18324)
==14623==    by 0x4C728D: process_notes (readelf.c:18337)
==14623==    by 0x4C728D: process_object (readelf.c:18695)
==14623==    by 0x404841: process_file (readelf.c:19104)
==14623==    by 0x404841: main (readelf.c:19163)

Thanks,
Thuan

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
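The backtrace shows the abort happening while readelf prints the owner name of a note in the NOTE segment: print_symbol asserts that the width it is asked to print is non-zero, and a crafted note can get a zero-width name that far. The following is an added example, not binutils code and not a reconstruction of readelf's logic: a minimal ELF note walker over a constructed byte buffer (host byte order; the owner names, sizes and types are invented for the example) that bounds-checks namesz and descsz against the bytes actually remaining and reports an empty owner name as corrupt before any output routine sees it. That is the shape of check a parser of untrusted notes wants in front of printers that assert on their input.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk layout of an ELF note header (identical for ELF32 and ELF64). */
struct note_hdr {
    uint32_t namesz;
    uint32_t descsz;
    uint32_t type;
};

enum note_status { NOTE_OK = 0, NOTE_TRUNCATED = -1, NOTE_BAD_NAME = -2 };

static size_t align4(size_t v) { return (v + 3) & ~(size_t)3; }

/* Validate the note starting at buf[off] (caller guarantees off < len).
   On NOTE_OK, 'name' receives the owner name with non-printable bytes shown
   as '.', and *next is the offset of the following note. NOTE_BAD_NAME also
   sets *next so the walk can skip the note; NOTE_TRUNCATED means the header
   or its payload runs past the end of the buffer. */
int check_note(const uint8_t *buf, size_t len, size_t off,
               char *name, size_t name_cap, size_t *next)
{
    struct note_hdr h;
    if (len - off < sizeof h)
        return NOTE_TRUNCATED;
    memcpy(&h, buf + off, sizeof h);   /* host byte order, same as build_sample() */

    /* Compare each size against the bytes that remain instead of adding it to
       the offset, so a huge namesz/descsz cannot wrap the arithmetic. */
    size_t name_off = off + sizeof h;
    size_t remaining = len - name_off;
    if (h.namesz > remaining)
        return NOTE_TRUNCATED;
    size_t name_pad = align4(h.namesz);
    if (name_pad > remaining)          /* trailing padding may be absent at end of buffer */
        name_pad = remaining;

    size_t desc_off = name_off + name_pad;
    remaining = len - desc_off;
    if (h.descsz > remaining)
        return NOTE_TRUNCATED;
    size_t desc_pad = align4(h.descsz);
    if (desc_pad > remaining)
        desc_pad = remaining;
    *next = desc_off + desc_pad;

    /* The failure mode in the report: an empty owner name is reported as corrupt
       here rather than handed to a printer that asserts its width is non-zero. */
    if (h.namesz == 0)
        return NOTE_BAD_NAME;

    size_t copy = h.namesz < name_cap ? h.namesz : name_cap - 1;
    for (size_t i = 0; i < copy; i++) {
        uint8_t c = buf[name_off + i];
        name[i] = (c == 0) ? '\0' : (isprint(c) ? (char)c : '.');
    }
    name[copy] = '\0';
    return NOTE_OK;
}

/* Walk a whole note region. Returns the number of well-formed notes, reports how
   many were skipped for an empty owner name, and whether the region was truncated. */
int count_notes(const uint8_t *buf, size_t len, int *bad_names, int *truncated)
{
    size_t off = 0;
    int good = 0;
    *bad_names = 0;
    *truncated = 0;
    while (off < len) {
        char name[64];
        size_t next;
        int rc = check_note(buf, len, off, name, sizeof name, &next);
        if (rc == NOTE_TRUNCATED) { *truncated = 1; break; }
        if (rc == NOTE_BAD_NAME) { (*bad_names)++; off = next; continue; }
        printf("well-formed note: owner '%s'\n", name);
        good++;
        off = next;
    }
    return good;
}

static void put_u32(uint8_t **p, uint32_t v) { memcpy(*p, &v, 4); *p += 4; }

/* Constructed sample, not a real file: one well-formed "GNU" note, one note with a
   zero-length owner name, then a header whose namesz runs past the buffer.
   'out' must hold at least 56 bytes; the byte count written is returned. */
size_t build_sample(uint8_t *out)
{
    uint8_t *p = out;
    put_u32(&p, 4);  put_u32(&p, 16); put_u32(&p, 3);          /* namesz, descsz, type */
    memcpy(p, "GNU", 4); p += 4;                               /* "GNU\0" */
    memset(p, 0xAB, 16); p += 16;                              /* 16-byte description */
    put_u32(&p, 0);  put_u32(&p, 0);  put_u32(&p, 0);          /* empty owner name */
    put_u32(&p, 0xffffffffu); put_u32(&p, 0); put_u32(&p, 0);  /* oversized namesz */
    return (size_t)(p - out);
}

int main(void)
{
    uint8_t buf[64];
    size_t len = build_sample(buf);
    int bad, truncated;
    int good = count_notes(buf, len, &bad, &truncated);
    printf("%d well-formed, %d empty-name, truncated=%d\n", good, bad, truncated);
    return 0;
}
```

Run as written it reports one well-formed note, one skipped for an empty name, and a truncated tail; the point is that all three outcomes are returned to the caller as status codes, so a crafted input degrades into a diagnostic instead of an abort.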