ELF Tool Chain / Tickets / #548 second generation elfcopy/strip --strip-debug of FreeBSD libc.a segfaults

#548 second generation elfcopy/strip --strip-debug of FreeBSD libc.a segfaults

Milestone: RELEASE_1_0

Status: closed

Owner: Kai Wang

Labels: None

Resolution:

Component:

Priority:

Version:

Type:

Updated: 2017-04-17

Created: 2017-03-30

Creator: Ed Maste

Private: No

As initially reported on the FreeBSD-security mailing list by Andre Albsmeier
https://lists.freebsd.org/pipermail/freebsd-security/2017-March/009257.html

strip (objcopy) does more curious things:

$ cd /tmp
$ cp /usr/lib/libc.a .
$ strip --strip-debug libc.a
$ strip --strip-debug libc.a

[1]    960 segmentation fault  strip --strip-debug libc.a

This is also reproducible as:

% objcopy --strip-debug /usr/lib/libc.a libc.1.a
% objcopy --strip-debug libc.1.a libc.2.a
zsh: bus error (core dumped)  objcopy --strip-debug libc.1.a libc.2.a

It wasn't reproducible in some trivial cases I tried though (e.g. .a archive with two trivial .o objects), or with some other .a archives:

% objcopy --strip-debug /usr/lib/libm.a libm.1.a
% objcopy --strip-debug libm.1.a libm.2.a      
%

Crash happens here:

% lldb /usr/bin/objcopy -- --strip-debug libc.1.a libc.2.a
(lldb) target create "/usr/bin/objcopy"
Current executable set to '/usr/bin/objcopy' (x86_64).
(lldb) settings set -- target.run-args  "--strip-debug" "libc.1.a" "libc.2.a"
(lldb) run
Process 41855 launching
Process 41855 launched: '/usr/bin/objcopy' (x86_64)
Process 41855 stopped
* thread #1, stop reason = signal SIGBUS: hardware error
    frame #0: libelf.so.2`elf_ndxscn(s=0x5a5a5a5a5a5a5a5a) at elf_scn.c:166
   163                  LIBELF_SET_ERROR(ARGUMENT, 0);
   164                  return (SHN_UNDEF);
   165          }
-> 166          return (s->s_ndx);
   167  }
   168
   169  Elf_Scn *
(lldb) bt
* thread #1, stop reason = signal SIGBUS: hardware error
  * frame #0: libelf.so.2`elf_ndxscn(s=0x5a5a5a5a5a5a5a5a) at elf_scn.c:166
    frame #1: objcopy`create_symtab(ecp=0x000000080241c000) at symbols.c:697
    frame #2: objcopy`create_elf(ecp=0x000000080241c000) at main.c:371
    frame #3: objcopy`ac_create_ar [inlined] process_ar_obj(ecp=0x000000080241c000) at archive.c:76
    frame #4: objcopy`ac_create_ar [inlined] ac_read_objs(ecp=<unavailable>, ifd=<unavailable>) at archive.c:430
    frame #5: objcopy`ac_create_ar(ecp=0x000000080241c000, ifd=<unavailable>, ofd=<unavailable>) at archive.c:364
    frame #6: objcopy`create_file(ecp=0x000000080241c000, src="libc.1.a", dst="libc.1.a") at main.c:632
    frame #7: objcopy`main [inlined] elfcopy_main(argc=<unavailable>, argv=<unavailable>) at main.c:1021
    frame #8: objcopy`main(argc=4, argv=0x00007fffffffe740) at main.c:1589
    frame #9: 0x000000000040343f objcopy`_start + 383
(lldb)

Discussion

Kai Wang - 2017-04-09

status: new --> accepted

assigned_to: Kai Wang
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kai Wang - 2017-04-17

status: accepted --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kai Wang - 2017-04-17

Should be fixed by [r3520].

Related

Commit: [r3520]

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kai Wang - 2017-04-17

Just want to add that it's really great we can hunt down bugs like this one. it would remain hidden for a long while otherwise. Many thanks to the devs finding this issue.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

second generation elfcopy/strip --strip-debug of FreeBSD libc.a segfaults

BSD licensed ELF toolchain

Milestone

Searches

Help

#548 second generation elfcopy/strip --strip-debug of FreeBSD libc.a segfaults

Discussion

Related