https://sourceware.org/bugzilla/show_bug.cgi?id=25070
Bug ID: 25070
Summary: SEGV in function _bfd_dwarf2_find_nearest_line
Product: binutils
Version: 2.34 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: bugzilla.sourceware at qiushi dot ac.cn
Target Milestone: ---

Created attachment 12025
--> https://sourceware.org/bugzilla/attachment.cgi?id=12025&action=edit
poc file

I'm using the latest binutils-gdb to fuzz, and found some crashes.

git version: 816228ed09dc867fa16dc5458277d649885d98fe

```
# ./nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (2aaaabac4ec1) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (ffffd5555453b140) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: unknown type [0xff000001] section `.debug_aranges'
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (2aaaabac4ec1) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (ffffd5555453b140) larger than the file size
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: warning: sh_link not set for section `.debug_aranges'
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: version count (11) does not match symbol count (16)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
/d/p/aflasan/binutils-latest/nm-new: poc1_segv__bfd_dwarf2_find_nearest_line: attempt to load strings from a non-string section (number 0)
ASAN:SIGSEGV
=================================================================
==45359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000007200 (pc 0x0000006aa438 bp 0x0ffffffffb7e sp 0x7fffffffdb50 T0)
    #0 0x6aa437 in _bfd_dwarf2_find_nearest_line dwarf2.c:4724
    #1 0x5862a1 in _bfd_elf_find_nearest_line /d/prog/binutils-gdb/bfd/elf.c:9005
    #2 0x40da6e in print_symbol /d/prog/binutils-gdb/binutils/nm.c:1008
    #3 0x40ed78 in print_symbols /d/prog/binutils-gdb/binutils/nm.c:1088
    #4 0x40ed78 in display_rel_file /d/prog/binutils-gdb/binutils/nm.c:1210
    #5 0x4119f5 in display_file /d/prog/binutils-gdb/binutils/nm.c:1377
    #6 0x407bc7 in main /d/prog/binutils-gdb/binutils/nm.c:1858
    #7 0x7ffff6679b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x409958 in _start (/d/p/aflasan/binutils-latest/nm-new+0x409958)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dwarf2.c:4724 _bfd_dwarf2_find_nearest_line
==45359==ABORTING
```

Reproducible docker image has been pushed to `zjuchenyuan/dockerized_poc:binutils-pocs`

Dockerfile:

```
FROM zjuchenyuan/afl
ENV AFL_USE_ASAN=1
RUN git clone git://sourceware.org/git/binutils-gdb.git --depth 50 &&\
    cd binutils-gdb &&\
    git checkout 816228ed09dc867fa16dc5458277d649885d98fe &&\
    ./configure --disable-shared &&\
    for i in bfd libiberty opcodes libctf; do cd $i; ./configure --disable-shared && make -j; cd ..; done &&\
    cd binutils &&\
    ./configure --disable-shared &&\
    make objdump nm-new size readelf cxxfilt
RUN apt install -y gdb &&\
    echo -e "set pagination off\nset confirm off" > /root/.gdbinit
ADD . /
RUN ./binutils-gdb/binutils/nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line || exit 0
```
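As an added example (not part of the bug report and not binutils code), a small Python pre-check for the first class of corruption nm-new warns about above: section headers whose sh_size runs past the end of the file. It handles only little-endian ELF64 and builds its own constructed sample image, so the names parse_section_headers, find_oversized_sections and build_sample are mine, not BFD's.

```python
import struct

ELF_HEADER = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")              # ELF64 Shdr, 64 bytes
SHT_NOBITS = 8                                   # section occupies no file bytes

def parse_section_headers(data):
    """Return the unpacked section header table of a little-endian ELF64 image."""
    if len(data) < ELF_HEADER.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 little-endian is handled here (assumption)")
    fields = ELF_HEADER.unpack_from(data)
    shoff, shentsize, shnum = fields[6], fields[11], fields[12]
    if shentsize != SHDR.size:
        raise ValueError("unexpected e_shentsize %d" % shentsize)
    if shoff == 0 or shoff + shnum * shentsize > len(data):
        raise ValueError("section header table lies outside the file")
    return [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]

def find_oversized_sections(data):
    """(index, sh_offset, sh_size) for every section that would extend past EOF."""
    bad = []
    for idx, sh in enumerate(parse_section_headers(data)):
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type == SHT_NOBITS:
            continue  # .bss-style sections have no bytes in the file
        if sh_size > len(data) or sh_offset + sh_size > len(data):
            bad.append((idx, sh_offset, sh_size))
    return bad

def build_sample():
    """Constructed ELF64 image: one sane section plus one carrying the bogus size
    0x1e0000000008 from the nm-new warning (sample data, not the real PoC file)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, LE, version 1
    shoff, shnum = ELF_HEADER.size, 3
    payload_off = shoff + shnum * SHDR.size                # 256
    ehdr = ELF_HEADER.pack(ident, 1, 62, 1, 0, 0, shoff, 0, ELF_HEADER.size,
                           0, 0, SHDR.size, shnum, 0)      # ET_REL, EM_X86_64
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                          # null entry
    shdrs += SHDR.pack(1, 1, 6, 0, payload_off, 16, 0, 0, 16, 0)             # PROGBITS, ok
    shdrs += SHDR.pack(7, 1, 0, 0, payload_off, 0x1E0000000008, 0, 0, 1, 0)  # size > file
    return ehdr + shdrs + b"\x90" * 16

if __name__ == "__main__":
    for idx, off, size in find_oversized_sections(build_sample()):
        print("section %d: offset %#x size %#x exceeds file size" % (idx, off, size))
```

Run it over a fuzzer-produced file before handing the file to nm or objdump and the offending section index is reported up front, which makes triaging a crash like the one above quicker.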