Description
Dear mold Maintainers,
I would like to report some Heap-buffer-overflow and SEGV issues discovered in mold.
Heap-buffer-overflow in mold::ObjectFile::initialize_sections at src/input-files.cc:496
Description
The crash occurs within mold::ObjectFile<mold::X86_64>::initialize_sections at src/input-files.cc:496. The AddressSanitizer report indicates a READ of size 8 occurring significantly past the end of an allocated region (1376 bytes after a 112-byte region). This likely happens when processing a crafted object file.
Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
Reproduce
- Build mold with Release optimization and ASAN enabled.
- Run with the crashing file:
./build/mold -r repro
ASAN report
==1931536==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50b000000820 at pc 0x6474de7c7289 bp 0x7fff8b310990 sp 0x7fff8b310988
READ of size 8 at 0x50b000000820 thread T0
#0 0x6474de7c7288 in std::__uniq_ptr_impl<mold::InputSection<mold::X86_64>, std::default_delete<mold::InputSection<mold::X86_64>>>::_M_ptr() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:199:51
#1 0x6474de7c7288 in std::unique_ptr<mold::InputSection<mold::X86_64>, std::default_delete<mold::InputSection<mold::X86_64>>>::get() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:470:21
#2 0x6474de7c7288 in std::unique_ptr<mold::InputSection<mold::X86_64>, std::default_delete<mold::InputSection<mold::X86_64>>>::operator bool() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:487:16
#3 0x6474de7c7288 in mold::ObjectFile<mold::X86_64>::initialize_sections(mold::Context<mold::X86_64>&) /home/cobot001/src/mold/src/input-files.cc:496:45
#4 0x6474de7c2646 in mold::ObjectFile<mold::X86_64>::parse(mold::Context<mold::X86_64>&) /home/cobot001/src/mold/src/input-files.cc:897:3
#5 0x6474df26b7f4 in mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()::operator()() const /home/cobot001/src/mold/src/main.cc:42:37
#6 0x6474df26b7f4 in tbb::detail::d1::task* tbb::detail::d2::(anonymous namespace)::task_ptr_or_nullptr<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'() const&>(mold::X86_64&&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:131:9
#7 0x6474df26b7f4 in tbb::detail::d2::function_task<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()>::execute(tbb::detail::d1::execution_data&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:89:21
#8 0x6474e35777f5 in tbb::detail::d1::task* tbb::detail::r1::task_dispatcher::local_wait_for_all<false, tbb::detail::r1::external_waiter>(tbb::detail::d1::task*, tbb::detail::r1::external_waiter&) build-afl/third-party/tbb/src/tbb/third-party/tbb/src/tbb/task_dispatcher.h
0x50b000000820 is located 1376 bytes after 112-byte region [0x50b000000250,0x50b0000002c0)
allocated by thread T0 here:
#0 0x6474dd08f4b1 in operator new(unsigned long) (/home/cobot001/src/mold/build-afl/mold+0x52b4b1) (BuildId: f4d038dc2023d54efeb40ed56fcfbdda57d599be)
#1 0x6474de7f2fe9 in std::__new_allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:151:27
#2 0x6474de7f2fe9 in std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>::allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/allocator.h:198:32
#3 0x6474de7f2fe9 in std::allocator_traits<std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>>::allocate(std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:482:20
#4 0x6474de7f2fe9 in std::_Vector_base<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>, std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>>::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_vector.h:381:20
#5 0x6474de7f2fe9 in std::vector<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>, std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>>::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/vector.tcc:663:34
#6 0x6474de7c2007 in mold::ObjectFile<mold::X86_64>::parse(mold::Context<mold::X86_64>&) /home/cobot001/src/mold/src/input-files.cc:882:22
#7 0x6474df26b7f4 in mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()::operator()() const /home/cobot001/src/mold/src/main.cc:42:37
#8 0x6474df26b7f4 in tbb::detail::d1::task* tbb::detail::d2::(anonymous namespace)::task_ptr_or_nullptr<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'() const&>(mold::X86_64&&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:131:9
#9 0x6474df26b7f4 in tbb::detail::d2::function_task<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()>::execute(tbb::detail::d1::execution_data&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:89:21
#10 0x6474e35777f5 in tbb::detail::d1::task* tbb::detail::r1::task_dispatcher::local_wait_for_all<false, tbb::detail::r1::external_waiter>(tbb::detail::d1::task*, tbb::detail::r1::external_waiter&) build-afl/third-party/tbb/src/tbb/third-party/tbb/src/tbb/task_dispatcher.h
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/cobot001/src/mold/src/input-files.cc:496:45 in mold::ObjectFile<mold::X86_64>::initialize_sections(mold::Context<mold::X86_64>&)
Shadow bytes around the buggy address:
0x50b000000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x50b000000800: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
0x50b000000880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1931536==ABORTING
Heap-buffer-overflow in mold::ObjectFile::get_section at src/mold.h:3148
Description
The crash occurs within mold::ObjectFile<mold::X86_64>::get_section at src/mold.h:3148:36, which is called from mold::ObjectFile<mold::X86_64>::resolve_symbols at src/input-files.cc:995.
The AddressSanitizer report indicates a READ of size 8 occurring significantly past the end of an allocated 112-byte region (1784 bytes after). This appears to happen during parallel symbol resolution.
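Both traces above (initialize_sections and get_section called from resolve_symbols) show the same shape: an 8-byte read of a std::unique_ptr element far past the end of a heap vector, which is what happens when a section index taken verbatim from the input file is used to index a per-file vector of sections. The following is an added example, not mold's code, of the unchecked pattern beside a bounds-checked lookup. Section, ObjFile, ElfSym, get_section_unchecked, get_section_checked and resolve_symbols_checked are this example's own names and only loosely model the structures named in the traces; the reserved-index constants are from the ELF specification.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// ELF special section indices (ELF specification).
constexpr uint16_t SHN_UNDEF     = 0;
constexpr uint16_t SHN_LORESERVE = 0xff00;  // SHN_ABS, SHN_COMMON, ... live here

struct Section {
  std::string name;
};

struct ElfSym {
  uint16_t st_shndx;  // section header index, copied verbatim from the file
};

// Hypothetical per-file state: one owning pointer per input section.
struct ObjFile {
  std::vector<std::unique_ptr<Section>> sections;
};

// The pattern the sanitizer flagged: the index is trusted and used directly.
// A crafted st_shndx reads past the end of `sections`; the 8-byte READ of a
// unique_ptr in the ASAN report is exactly this access. Never call this with
// untrusted input; it is here only for contrast.
const Section* get_section_unchecked(const ObjFile& f, const ElfSym& sym) {
  return f.sections[sym.st_shndx].get();
}

// Hardened lookup: reject reserved indices and anything outside the vector.
// Returns nullptr for "no section", so callers must handle that case.
const Section* get_section_checked(const ObjFile& f, const ElfSym& sym) {
  uint16_t idx = sym.st_shndx;
  if (idx == SHN_UNDEF || idx >= SHN_LORESERVE)
    return nullptr;                    // undefined / absolute / common symbol
  if (idx >= f.sections.size())
    return nullptr;                    // out of range: malformed input
  return f.sections[idx].get();        // may still be null if the section was dropped
}

struct ResolveStats {
  int resolved = 0;  // symbols that point at a real section
  int rejected = 0;  // symbols with no section or an invalid index
};

// Walks a symbol table with the checked lookup and tallies the outcomes.
ResolveStats resolve_symbols_checked(const ObjFile& f,
                                     const std::vector<ElfSym>& syms) {
  ResolveStats st;
  for (const ElfSym& s : syms) {
    if (get_section_checked(f, s)) st.resolved++;
    else st.rejected++;
  }
  return st;
}

// Constructed sample (not a real object file): three sections and a symbol
// table in which one entry carries an index far past the end, as a crafted
// input might.
ObjFile make_sample_file() {
  ObjFile f;
  for (const char* n : {"", ".text", ".data"})
    f.sections.push_back(std::make_unique<Section>(Section{n}));
  return f;
}

std::vector<ElfSym> make_sample_symbols() {
  return {{1}, {2}, {0}, {0xfff1}, {200}};  // 200 >= sections.size()
}

int main() {
  ObjFile f = make_sample_file();
  ResolveStats st = resolve_symbols_checked(f, make_sample_symbols());
  std::printf("resolved=%d rejected=%d\n", st.resolved, st.rejected);
  return 0;
}
```

The checked lookup returns nullptr rather than aborting so that a linker can still report which input file and symbol were malformed; a caller that treats nullptr as "undefined section" keeps the rest of the link deterministic instead of reading whatever happens to sit past the vector.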
Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
Reproduce
- Build mold with Release optimization and ASAN enabled.
- Run with the crashing file:
./build/mold -r repro
ASAN report
==2012617==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50b0000009b8 at pc 0x5e2a8f7d28d7 bp 0x7ffc394a6800 sp 0x7ffc394a67f8
READ of size 8 at 0x50b0000009b8 thread T0
#0 0x5e2a8f7d28d6 in std::__uniq_ptr_impl<mold::InputSection<mold::X86_64>, std::default_delete<mold::InputSection<mold::X86_64>>>::_M_ptr() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:199:51
#1 0x5e2a8f7d28d6 in std::unique_ptr<mold::InputSection<mold::X86_64>, std::default_delete<mold::InputSection<mold::X86_64>>>::get() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:470:21
#2 0x5e2a8f7d28d6 in mold::ObjectFile<mold::X86_64>::get_section(mold::ElfSym<mold::X86_64> const&) /home/cobot001/src/mold/src/mold.h:3148:36
#3 0x5e2a8f7d28d6 in mold::ObjectFile<mold::X86_64>::resolve_symbols(mold::Context<mold::X86_64>&) /home/cobot001/src/mold/src/input-files.cc:995:14
#4 0x5e2a91adc13a in void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*)::operator()(mold::InputFile<mold::X86_64>*) const /home/cobot001/src/mold/src/passes.cc:318:13
#5 0x5e2a91adc13a in mold::X86_64 std::__invoke_impl<void, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*) const&, mold::InputFile<mold::X86_64>*&>(std::__invoke_other, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*) const&, mold::InputFile<mold::X86_64>*&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
#6 0x5e2a91adc13a in std::__invoke_result<mold::X86_64, mold::InputFile<mold::X86_64>*&>::type std::__invoke<void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*) const&, mold::InputFile<mold::X86_64>*&>(mold::X86_64&&, mold::InputFile<mold::X86_64>*&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14
#7 0x5e2a91adc13a in std::invoke_result<mold::X86_64, mold::InputFile<mold::X86_64>*&>::type std::invoke<void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*) const&, mold::InputFile<mold::X86_64>*&>(mold::X86_64&&, mold::InputFile<mold::X86_64>*&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/functional:113:14
#8 0x5e2a91adc13a in std::invoke_result<mold::X86_64, mold::InputFile<mold::X86_64>*&>::type tbb::detail::d0::invoke<void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*) const&, mold::InputFile<mold::X86_64>*&>(mold::X86_64&&, mold::InputFile<mold::X86_64>*&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/detail/_utils.h:356:12
#9 0x5e2a91adc13a in decltype(tbb::detail::invoke(fp, std::forward<mold::X86_64>(fp0)), (void)()) tbb::detail::d2::parallel_for_each_operator_selector<void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*)>::call<mold::InputFile<mold::X86_64>*&, tbb::detail::d2::feeder_impl<void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*>>(void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*) const&, mold::X86_64&&, tbb::detail::d2::feeder_impl<void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*>*) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/parallel_for_each.h:91:9
#10 0x5e2a91adc13a in tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*>::operator()(tbb::detail::d1::blocked_range<unsigned long>) const /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/parallel_for_each.h:400:13
#11 0x5e2a91adb3cc in mold::X86_64 std::__invoke_impl<void, tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*> const&, tbb::detail::d1::blocked_range<unsigned long>&>(std::__invoke_other, tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*> const&, tbb::detail::d1::blocked_range<unsigned long>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
#12 0x5e2a91adb3cc in std::__invoke_result<mold::X86_64, tbb::detail::d1::blocked_range<unsigned long>&>::type std::__invoke<tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*> const&, tbb::detail::d1::blocked_range<unsigned long>&>(mold::X86_64&&, tbb::detail::d1::blocked_range<unsigned long>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14
#13 0x5e2a91adb3cc in std::invoke_result<mold::X86_64, tbb::detail::d1::blocked_range<unsigned long>&>::type std::invoke<tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*> const&, tbb::detail::d1::blocked_range<unsigned long>&>(mold::X86_64&&, tbb::detail::d1::blocked_range<unsigned long>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/functional:113:14
#14 0x5e2a91adb3cc in std::invoke_result<mold::X86_64, tbb::detail::d1::blocked_range<unsigned long>&>::type tbb::detail::d0::invoke<tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*> const&, tbb::detail::d1::blocked_range<unsigned long>&>(mold::X86_64&&, tbb::detail::d1::blocked_range<unsigned long>&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/detail/_utils.h:356:12
#15 0x5e2a91adb3cc in tbb::detail::d1::start_for<tbb::detail::d1::blocked_range<unsigned long>, tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*>, tbb::detail::d1::auto_partitioner const>::run_body(tbb::detail::d1::blocked_range<unsigned long>&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/parallel_for.h:117:9
#16 0x5e2a91adb3cc in void tbb::detail::d1::dynamic_grainsize_mode<tbb::detail::d1::adaptive_mode<tbb::detail::d1::auto_partition_type>>::work_balance<tbb::detail::d1::start_for<tbb::detail::d1::blocked_range<unsigned long>, tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*>, tbb::detail::d1::auto_partitioner const>, tbb::detail::d1::blocked_range<unsigned long>>(mold::X86_64&, tbb::detail::d1::blocked_range<unsigned long>&, tbb::detail::d1::execution_data&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/partitioner.h:435:19
#17 0x5e2a91ada967 in void tbb::detail::d1::partition_type_base<tbb::detail::d1::auto_partition_type>::execute<tbb::detail::d1::start_for<tbb::detail::d1::blocked_range<unsigned long>, tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*>, tbb::detail::d1::auto_partitioner const>, tbb::detail::d1::blocked_range<unsigned long>>(mold::X86_64&, tbb::detail::d1::blocked_range<unsigned long>&, tbb::detail::d1::execution_data&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/partitioner.h:289:16
#18 0x5e2a91ad9fa8 in tbb::detail::d1::start_for<tbb::detail::d1::blocked_range<unsigned long>, tbb::detail::d2::parallel_for_body_wrapper<__gnu_cxx::__normal_iterator<mold::InputFile<mold::X86_64>**, std::vector<mold::InputFile<mold::X86_64>*, std::allocator<mold::InputFile<mold::X86_64>*>>>, void mold::resolve_symbols<mold::X86_64>(mold::Context<mold::X86_64>&)::'lambda'(mold::InputFile<mold::X86_64>*), mold::InputFile<mold::X86_64>*>, tbb::detail::d1::auto_partitioner const>::execute(tbb::detail::d1::execution_data&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/parallel_for.h:170:18
#19 0x5e2a945757f5 in tbb::detail::d1::task* tbb::detail::r1::task_dispatcher::local_wait_for_all<false, tbb::detail::r1::external_waiter>(tbb::detail::d1::task*, tbb::detail::r1::external_waiter&) build-afl/third-party/tbb/src/tbb/third-party/tbb/src/tbb/task_dispatcher.h
0x50b0000009b8 is located 1784 bytes after 112-byte region [0x50b000000250,0x50b0000002c0)
allocated by thread T0 here:
#0 0x5e2a8e08d4b1 in operator new(unsigned long) (/home/cobot001/src/mold/build-afl/mold+0x52b4b1) (BuildId: f4d038dc2023d54efeb40ed56fcfbdda57d599be)
#1 0x5e2a8f7f0fe9 in std::__new_allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:151:27
#2 0x5e2a8f7f0fe9 in std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>::allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/allocator.h:198:32
#3 0x5e2a8f7f0fe9 in std::allocator_traits<std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>>::allocate(std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:482:20
#4 0x5e2a8f7f0fe9 in std::_Vector_base<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>, std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>>::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_vector.h:381:20
#5 0x5e2a8f7f0fe9 in std::vector<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>, std::allocator<std::unique_ptr<mold::MergeableSection<mold::X86_64>, std::default_delete<mold::MergeableSection<mold::X86_64>>>>>::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/vector.tcc:663:34
#6 0x5e2a8f7c0007 in mold::ObjectFile<mold::X86_64>::parse(mold::Context<mold::X86_64>&) /home/cobot001/src/mold/src/input-files.cc:882:22
#7 0x5e2a902697f4 in mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()::operator()() const /home/cobot001/src/mold/src/main.cc:42:37
#8 0x5e2a902697f4 in tbb::detail::d1::task* tbb::detail::d2::(anonymous namespace)::task_ptr_or_nullptr<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'() const&>(mold::X86_64&&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:131:9
#9 0x5e2a902697f4 in tbb::detail::d2::function_task<mold::ObjectFile<mold::X86_64>* mold::new_object_file<mold::X86_64>(mold::Context<mold::X86_64>&, mold::ReaderContext&, mold::MappedFile*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>)::'lambda'()>::execute(tbb::detail::d1::execution_data&) /home/cobot001/src/mold/third-party/tbb/src/tbb/../../include/tbb/../oneapi/tbb/task_group.h:89:21
#10 0x5e2a945757f5 in tbb::detail::d1::task* tbb::detail::r1::task_dispatcher::local_wait_for_all<false, tbb::detail::r1::external_waiter>(tbb::detail::d1::task*, tbb::detail::r1::external_waiter&) build-afl/third-party/tbb/src/tbb/third-party/tbb/src/tbb/task_dispatcher.h
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/cobot001/src/mold/src/mold.h:3148:36 in mold::ObjectFile<mold::X86_64>::get_section(mold::ElfSym<mold::X86_64> const&)
Shadow bytes around the buggy address:
0x50b000000700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x50b000000980: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
0x50b000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50b000000c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Segmentation Fault in mold::is_gcc_lto_obj at src/filetype.cc:39
Description
The crash occurs within mold::is_gcc_lto_obj at src/filetype.cc:39, which is called during the file type detection phase (mold::get_file_type). The AddressSanitizer report indicates an invalid READ memory access when attempting to read integer data, likely when processing a crafted input file.
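The SEGV above is raised inside mold::Integer<...>::operator unsigned int(), i.e. while decoding an integer from the mapped file, which points at an offset derived from the file contents being dereferenced without first checking that the bytes exist. The page does not show mold's is_gcc_lto_obj logic, so the following is an added example of the general check rather than a reconstruction of it: a length-checked little-endian decoder over a mapped buffer, applied to validating an ELF64 section-header table against the file size before any section is touched. MappedBuf, in_bounds, read_le, put_le, SectionTableInfo, check_elf64_section_table and the make_*_sample helpers are this example's own names; the header offsets are from the ELF specification.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct MappedBuf {
  const uint8_t* data;
  size_t size;
};

// True if [off, off + len) lies within the buffer. Subtracting instead of
// adding means a huge `off` from a crafted file cannot wrap the arithmetic.
static bool in_bounds(const MappedBuf& b, uint64_t off, uint64_t len) {
  return off <= b.size && len <= b.size - off;
}

// Decodes a little-endian integer at `off`; refuses to touch bytes outside the buffer.
template <typename T>
static bool read_le(const MappedBuf& b, uint64_t off, T& out) {
  if (!in_bounds(b, off, sizeof(T))) return false;
  T v = 0;
  for (size_t i = 0; i < sizeof(T); i++)
    v |= static_cast<T>(b.data[off + i]) << (8 * i);
  out = v;
  return true;
}

// ELF64 header field offsets (ELF specification).
constexpr uint64_t E_SHOFF     = 40;
constexpr uint64_t E_SHENTSIZE = 58;
constexpr uint64_t E_SHNUM     = 60;
constexpr uint64_t EHDR_SIZE   = 64;
constexpr uint64_t SHDR_SIZE   = 64;

struct SectionTableInfo {
  uint64_t shoff = 0;
  uint16_t shentsize = 0;
  uint16_t shnum = 0;
};

// Returns true only if the file has an ELF magic, a complete ELF64 header, and
// a section-header table whose every entry lies inside the file.
bool check_elf64_section_table(const MappedBuf& b, SectionTableInfo& info) {
  if (!in_bounds(b, 0, EHDR_SIZE)) return false;        // header truncated
  if (std::memcmp(b.data, "\x7f" "ELF", 4) != 0) return false;
  if (b.data[4] != 2) return false;                      // ELFCLASS64 only here
  if (!read_le(b, E_SHOFF, info.shoff)) return false;
  if (!read_le(b, E_SHENTSIZE, info.shentsize)) return false;
  if (!read_le(b, E_SHNUM, info.shnum)) return false;
  if (info.shnum == 0) return true;                      // no section table is legal
  if (info.shentsize < SHDR_SIZE) return false;          // entries too small for a shdr
  uint64_t table_len = uint64_t(info.shentsize) * info.shnum;  // both 16-bit: no overflow
  return in_bounds(b, info.shoff, table_len);
}

static void put_le(std::vector<uint8_t>& v, size_t off, uint64_t val, size_t n) {
  for (size_t i = 0; i < n; i++) v[off + i] = static_cast<uint8_t>(val >> (8 * i));
}

// Constructed sample files (not real objects): a well-formed ELF64 header with
// a two-entry section table, the same header with e_shoff pointing far outside
// the file, and a header cut short.
std::vector<uint8_t> make_valid_sample() {
  std::vector<uint8_t> v(EHDR_SIZE + 2 * SHDR_SIZE, 0);
  std::memcpy(v.data(), "\x7f" "ELF", 4);
  v[4] = 2;  // ELFCLASS64
  v[5] = 1;  // ELFDATA2LSB
  put_le(v, E_SHOFF, EHDR_SIZE, 8);
  put_le(v, E_SHENTSIZE, SHDR_SIZE, 2);
  put_le(v, E_SHNUM, 2, 2);
  return v;
}

std::vector<uint8_t> make_crafted_sample() {
  std::vector<uint8_t> v = make_valid_sample();
  put_le(v, E_SHOFF, 0xffffffffffffff00ull, 8);  // would wrap a naive off + len check
  return v;
}

std::vector<uint8_t> make_truncated_sample() {
  std::vector<uint8_t> v = make_valid_sample();
  v.resize(30);  // ends in the middle of the header
  return v;
}

bool check_bytes(const std::vector<uint8_t>& v) {
  MappedBuf b{v.data(), v.size()};
  SectionTableInfo info;
  return check_elf64_section_table(b, info);
}

int main() {
  std::printf("valid=%d crafted=%d truncated=%d\n", check_bytes(make_valid_sample()),
              check_bytes(make_crafted_sample()), check_bytes(make_truncated_sample()));
  return 0;
}
```

The same read_le helper is the right tool for any later offset a parser takes from the file (string-table offsets, symbol-table positions, and so on): every dereference goes through one bounds check, so a single crafted field cannot steer a read outside the mapping.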
Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
Reproduce
- Build mold with Release optimization and ASAN enabled.
- Run with the crashing file:
./build/mold -r repro
ASAN report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2056105==ERROR: AddressSanitizer: SEGV on unknown address 0x2e8983c48600 (pc 0x5fc0825255b6 bp 0x7ffcf6f5fed0 sp 0x7ffcf6f5fde0 T0)
==2056105==The signal is caused by a READ memory access.
#0 0x5fc0825255b6 in mold::Integer<unsigned int, false, 4>::operator unsigned int() const /home/cobot001/src/mold/src/../lib/integers.h:69:5
#1 0x5fc0825255b6 in bool mold::is_gcc_lto_obj<mold::SPARC64>(mold::MappedFile*, bool) /home/cobot001/src/mold/src/filetype.cc:39:9
#2 0x5fc0825255b6 in mold::FileType mold::get_file_type<mold::X86_64>(mold::Context<mold::X86_64>&, mold::MappedFile*) /home/cobot001/src/mold/src/filetype.cc:103:15
#3 0x5fc083e8dac8 in std::basic_string_view<char, std::char_traits<char>> mold::detect_machine_type<mold::X86_64>(mold::Context<mold::X86_64>&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>) /home/cobot001/src/mold/src/main.cc:137:13
#4 0x5fc083e8dac8 in int mold::mold_main<mold::X86_64>(int, char**) /home/cobot001/src/mold/src/main.cc:295:25
#5 0x74481dc2a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
#6 0x74481dc2a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
#7 0x5fc081c04044 in _start (/home/cobot001/src/mold/build-afl/mold+0x452044) (BuildId: f4d038dc2023d54efeb40ed56fcfbdda57d599be)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/cobot001/src/mold/src/../lib/integers.h:69:5 in mold::Integer<unsigned int, false, 4>::operator unsigned int() const
==2056105==ABORTING
Please let me know if you need any further information.
Best regards.