[Bug binutils/22306] Invalid free() in slurp_symtab() [Heap corruption]

2017-10-16 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22306

Alan Modra  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
   Last reconfirmed||2017-10-17
   Assignee|unassigned at sourceware dot org   |amodra at gmail dot com
 Ever confirmed|0   |1

--- Comment #1 from Alan Modra  ---
Reproduces on x86_64 with a CC="gcc -m32" build, and likely on 32-bit hosts.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/22306] New: Invalid free() in slurp_symtab() [Heap corruption]

2017-10-16 Thread mgcho.minic at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22306

Bug ID: 22306
   Summary: Invalid free() in slurp_symtab() [Heap corruption]
   Product: binutils
   Version: 2.30 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: mgcho.minic at gmail dot com
  Target Milestone: ---

Created attachment 10533
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10533=edit
poc for heap corruption

Triggered by "./objdump -x $POC"


The GDB debugging information is as follows:

(gdb) r -x $POC

(gdb) bt
#0  0xb7fd9ce5 in __kernel_vsyscall ()
#1  0xb7e2bea9 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xb7e2d407 in __GI_abort () at abort.c:89
#3  0xb7e6737c in __libc_message (do_abort=2, fmt=0xb7f5fdf4 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7e6d2f7 in malloc_printerr (action=, str=0xb7f5fef0 "free(): invalid next size (fast)", ptr=, ar_ptr=0xb7fb2780 ) at malloc.c:5006
#5  0xb7e6dc31 in _int_free (av=0xb7fb2780 , p=, have_lock=0) at malloc.c:3867
#6  0x080f3f55 in aout_get_external_symbols (abfd=0x81e9a08) at ./aoutx.h:1370
#7  0x080f3d15 in aout_32_slurp_symbol_table (abfd=0x81e9a08) at ./aoutx.h:1757
#8  0x080f4e30 in aout_32_get_symtab_upper_bound (abfd=0x81e9a08) at ./aoutx.h:2522
#9  0x0804aea7 in slurp_symtab (abfd=0x81e9a08) at ./objdump.c:615
#10 dump_bfd (abfd=0x81e9a08) at ./objdump.c:3523
#11 0x0804aa6e in display_object_bfd (abfd=0x81e9a08) at ./objdump.c:3611
#12 display_any_bfd (file=0x81e9a08, level=) at ./objdump.c:3700
#13 0x0804a4ea in display_file (filename=0xb30f "/tmp/heap-corruption", target=, last_file=) at ./objdump.c:3721
#14 main (argc=, argv=) at ./objdump.c:4023


Credits:

This vulnerability was discovered by Mingi Cho and Taekyoung Kwon of the
Information Security Lab, Yonsei University. Please contact
mgcho.mi...@gmail.com and taekyo...@yonsei.ac.kr if you need more information
about the vulnerability and the lab.



[Bug ld/22300] Abort in elf32_hppa_relocate_section at elf32-hppa.c:4055 building debian polyml

2017-10-16 Thread dave.anglin at bell dot net
https://sourceware.org/bugzilla/show_bug.cgi?id=22300

--- Comment #3 from dave.anglin at bell dot net ---
On 2017-10-15, at 7:57 PM, amodra at gmail dot com wrote:

> Have you tried with current HEAD?

Same error occurs with current head.

Starting program: /home/dave/gnu/binutils/objdir/ld/.libs/ld-new -plugin
/usr/lib/gcc/hppa-linux-gnu/7/liblto_plugin.so
-plugin-opt=/usr/lib/gcc/hppa-linux-gnu/7/lto-wrapper
-plugin-opt=-fresolution=-debug.res -plugin-opt=-pass-through=-lgcc
-plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc
-plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --sysroot=/
--build-id --eh-frame-hdr -dynamic-linker /lib/ld.so.1 -o .libs/poly
/usr/lib/gcc/hppa-linux-gnu/7/../../../hppa-linux-gnu/crt1.o
/usr/lib/gcc/hppa-linux-gnu/7/../../../hppa-linux-gnu/crti.o
/usr/lib/gcc/hppa-linux-gnu/7/crtbegin.o -L/usr/lib/gcc/hppa-linux-gnu/7
-L/usr/lib/gcc/hppa-linux-gnu/7/../../../hppa-linux-gnu
-L/usr/lib/gcc/hppa-linux-gnu/7/../../.. -L/lib/hppa-linux-gnu
-L/usr/lib/hppa-linux-gnu --as-needed polyexport.o
libpolymain/.libs/libpolymain.a libpolyml/.libs/libpolyml.so -lpthread -lffi
-lm -ldl -lstdc++ -lgcc_s -lgcc -v -lgcc --as-needed -lgcc_s --no-as-needed -lc
-lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/hppa-linux-gnu/7/crtend.o
/usr/lib/gcc/hppa-linux-gnu/7/../../../hppa-linux-gnu/crtn.o
GNU ld (GNU Binutils) 2.29.51.20171016
/home/dave/gnu/binutils/objdir/ld/.libs/ld-new: BFD (GNU Binutils)
2.29.51.20171016 internal error, aborting at ../../src/bfd/elf32-hppa.c:3937 in
elf32_hppa_relocate_section

--
John David Anglin   dave.ang...@bell.net



[Bug ld/22300] Abort in elf32_hppa_relocate_section at elf32-hppa.c:4055 building debian polyml

2017-10-16 Thread dave.anglin at bell dot net
https://sourceware.org/bugzilla/show_bug.cgi?id=22300

--- Comment #2 from dave.anglin at bell dot net ---
Will check.  I thought the debug info that I posted was for the trunk but
I see it was for "GNU ld (GNU Binutils) 2.29.51.20170819".



[Bug gas/22304] New: XPASS tests in gas and unknown successes in ld

2017-10-16 Thread hjl.tools at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22304

Bug ID: 22304
   Summary: XPASS tests in gas and unknown successes in ld
   Product: binutils
   Version: 2.30 (HEAD)
Status: NEW
  Severity: normal
  Priority: P2
 Component: gas
  Assignee: unassigned at sourceware dot org
  Reporter: hjl.tools at gmail dot com
  Target Milestone: ---
Target: cris

On x86-64, cross binutils to cris-linux gave

XPASS: gas/cris/shexpr-1
XPASS: gas/cris/range-err-1.s  (test for errors, line 29)
XPASS: gas/cris/range-err-1.s  (test for errors, line 38)
XPASS: gas/cris/range-err-1.s  (test for errors, line 50)

These should be removed.  A similar check can be used to detect a 64-bit AS:

commit 7ed1dab994fa1c0cf49d10608b8e77271c9804b4
Author: H.J. Lu 
Date:   Wed Aug 9 16:32:30 2017 -0700

LD_CLASS: Check .libs/ld-new for linker first

When --enable-shared is used, ./ld-new may be a shell script and the
real linker is .libs/ld-new.  We should check .libs/ld-new first.

* testsuite/config/default.exp (LD_CLASS): Check .libs/ld-new
for linker first.

commit 978c05401b0f0ac7a94cca7db19b1dec0c5bd698
Author: H.J. Lu 
Date:   Wed Aug 9 15:04:05 2017 -0700

Run PR ld/17618 test only with 64-bit ELF linker

PR ld/17618 test requires 64-bit linker to run.  Set LD_CLASS to "64bit"
for 64-bit ELF linker and run PR ld/17618 test only if $LD_CLASS is
"64bit".  More checks can be added to support 64-bit linkers in non-ELF
format.

On both i686 and x86-64, there are

=== ld Summary ===

# of expected passes        644
# of expected failures      3
# of unknown successes      3
# of untested testcases     26
# of unsupported tests      42

These unknown successes should be removed.



[Bug gas/22304] XPASS tests in gas and unknown successes in ld

2017-10-16 Thread hjl.tools at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22304

H.J. Lu  changed:

   What|Removed |Added

 CC||hp at bitrange dot com



[Bug binutils/22303] New: readelf - Heap out of bounds read in byte_get_little_endian()

2017-10-16 Thread fumfi.255 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22303

Bug ID: 22303
   Summary: readelf - Heap out of bounds read in
byte_get_little_endian()
   Product: binutils
   Version: 2.29
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: fumfi.255 at gmail dot com
  Target Milestone: ---

Created attachment 10532
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10532=edit
PoC to trigger heap out of bounds read (readelf)

After some fuzz testing I found a crashing test case.

Version: 2.29

Command: readelf -a binutils_hoobr_byte_get_little_endian

ASAN:

==29757==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e016b1 at pc 0x005aa3cb bp 0x7ffed905ac30 sp 0x7ffed905ac28
READ of size 1 at 0x61e016b1 thread T0
#0 0x5aa3ca in byte_get_little_endian XYZ/binutils-2.29/binutils/elfcomm.c:214:22
#1 0x54d723 in print_core_note XYZ/binutils-2.29/binutils/readelf.c:16281:18
#2 0x54d723 in process_note XYZ/binutils-2.29/binutils/readelf.c:17486
#3 0x54d723 in process_notes_at XYZ/binutils-2.29/binutils/readelf.c:17643
#4 0x515fee in process_corefile_note_segments XYZ/binutils-2.29/binutils/readelf.c:17673:8
#5 0x515fee in process_note_sections XYZ/binutils-2.29/binutils/readelf.c:17799
#6 0x515fee in process_notes XYZ/binutils-2.29/binutils/readelf.c:17812
#7 0x515fee in process_object XYZ/binutils-2.29/binutils/readelf.c:18083
#8 0x4efe7d in process_file XYZ/binutils-2.29/binutils/readelf.c:18472:13
#9 0x4efe7d in main XYZ/binutils-2.29/binutils/readelf.c:18544
#10 0x7fa36537882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x419f78 in _start (XYZ/binutils-2.29/binutils/readelf+0x419f78)

0x61e016b1 is located 0 bytes to the right of 2609-byte region [0x61e00c80,0x61e016b1)
allocated by thread T0 here:
#0 0x4c0c7c in __interceptor_malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
#1 0x4f0e36 in get_data XYZ/binutils-2.29/binutils/readelf.c:392:9

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/binutils-2.29/binutils/elfcomm.c:214:22 in byte_get_little_endian
==29757==ABORTING
