[Bug ld/22831] ld causes massive thrashing if object files are not fully memory-resident: new algorithm needed

2018-03-13 Thread lkcl at lkcl dot net
https://sourceware.org/bugzilla/show_bug.cgi?id=22831

--- Comment #7 from Luke Kenneth Casson Leighton  ---
hi hjl,

so how are you getting on with analysing this problem? is there anything
that is unclear that i can assist you with understanding?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug ld/22962] New: [RISCV] add abi subdirectories support to ld

2018-03-13 Thread belyshev at depni dot sinp.msu.ru
https://sourceware.org/bugzilla/show_bug.cgi?id=22962

Bug ID: 22962
   Summary: [RISCV] add abi subdirectories support to ld
   Product: binutils
   Version: 2.31 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: ld
  Assignee: unassigned at sourceware dot org
  Reporter: belyshev at depni dot sinp.msu.ru
  Target Milestone: ---

ld/emulparams/elf64lriscv-defs.sh and friends were not updated after a change
in glibc that placed libraries with different ABIs in subdirectories of lib64.
This causes the linker to fail to find shared libraries in the standard locations.



[Bug ld/20882] GNU ld discards sections required by relocations in .debug_info with --gc-sections

2018-03-13 Thread hjl.tools at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=20882

H.J. Lu  changed:

   What|Removed |Added

 Status|WAITING |NEW

--- Comment #18 from H.J. Lu  ---
A patch is posted at

https://sourceware.org/ml/binutils/2018-03/msg00175.html



[Bug ld/20882] GNU ld discards sections required by relocations in .debug_info with --gc-sections

2018-03-13 Thread dmalcolm at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=20882

Dave Malcolm  changed:

   What|Removed |Added

 CC||dmalcolm at redhat dot com



[Bug ld/20882] GNU ld discards sections required by relocations in .debug_info with --gc-sections

2018-03-13 Thread hjl.tools at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=20882

--- Comment #17 from H.J. Lu  ---
Created attachment 10892
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10892=edit
A patch

I got

[hjl@gnu-cfl-1 rhbz-1543912]$ make
mkdir build
/usr/gcc-8.0.1-x32/bin/gcc -I ./src -flto -B./ -O2 -g -c src/bootchart.c -o
build/bootchart.o
/usr/gcc-8.0.1-x32/bin/gcc -I ./src -flto -B./ -O2 -g -c src/log.c -o
build/log.o
/usr/gcc-8.0.1-x32/bin/gcc -flto -B./ -g -Wl,--gc-sections
-Wl,--print-gc-sections \
  build/bootchart.o build/log.o \
  -o build/systemd-bootchart
./ld: removing unused section '.rodata.cst4' in file '/lib/../lib64/crt1.o'
./ld: removing unused section '.data' in file '/lib/../lib64/crt1.o'
./ld: removing unused section '.data' in file
'/usr/gcc-8.0.1-x32/lib/gcc/x86_64-pc-linux-gnu/8.0.1/crtbegin.o'
/usr/lib/rpm/debugedit build/systemd-bootchart
[hjl@gnu-cfl-1 rhbz-1543912]$ 

I am trying to find a small test.



[Bug binutils/22957] Heap out of bounds read in pop_bincl()

2018-03-13 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22957

Nick Clifton  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 CC||nickc at redhat dot com
 Resolution|--- |FIXED

--- Comment #2 from Nick Clifton  ---
Hi Kamil,

  Thanks for reporting this problem.  I have added a small patch to check
  for the STABS file stack being unwound incorrectly, so hopefully this
  bug should now be fixed.

Cheers
  Nick



[Bug binutils/22957] Heap out of bounds read in pop_bincl()

2018-03-13 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22957

--- Comment #1 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e45ad1239d7d8591d5e80d8cbba7d404c6c3640f

commit e45ad1239d7d8591d5e80d8cbba7d404c6c3640f
Author: Nick Clifton 
Date:   Tue Mar 13 17:03:04 2018 +

Prevent a buffer overrun when parsing corrupt STABS debug information.

PR 22957
* stabs.c (pop_binincl): Fail if the file index is off the end of
the stack.



[Bug binutils/22955] Heap out of bounds read in parse_stab_array_type()

2018-03-13 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22955

Nick Clifton  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 CC||nickc at redhat dot com
 Resolution|--- |FIXED

--- Comment #2 from Nick Clifton  ---
Hi Kamil,

  Thanks for reporting this problem.  I have now checked in a patch to add
  some more range checking to cover this area of the code.

Cheers
  Nick



[Bug binutils/22956] Heap out of bounds read in pex64_get_unwind_info()

2018-03-13 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22956

Nick Clifton  changed:

   What|Removed |Added

 Status|UNCONFIRMED |WAITING
   Last reconfirmed||2018-03-13
 CC||nickc at redhat dot com
 Ever confirmed|0   |1

--- Comment #1 from Nick Clifton  ---
Hi Kamil,

  I could not reproduce this bug, but I think that might be because of the
  recent fix for PR 22113.  Please could you recheck and see if the problem
  still exists for you.

Cheers
  Nick



[Bug binutils/22955] Heap out of bounds read in parse_stab_array_type()

2018-03-13 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22955

--- Comment #1 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=81db3241f2c888c4fae188953085be224815

commit 81db3241f2c888c4fae188953085be224815
Author: Nick Clifton 
Date:   Tue Mar 13 16:10:45 2018 +

Add range checking to STABS parsing functions, in order to prevent buffer
overruns.

PR 22955
* stabs.c (parse_number): Add p_end parameter and use it to check
the validity of the pp parameter.  Add checks to prevent walking
off the end of the string buffer.
(parse_stab_string): Likewise.
(parse_stab_type): Likewise.
(parse_stab_type_number): Likewise.
(parse_stab_range_type): Likewise.
(parse_stab_sun_builtin_type): Likewise.
(parse_stab_sun_floating_type): Likewise.
(parse_stab_enum_type): Likewise.
(parse_stab_struct_type): Likewise.
(parse_stab_baseclasses): Likewise.
(parse_stab_struct_fields): Likewise.
(parse_stab_cpp_abbrev): Likewise.
(parse_stab_one_struct_field): Likewise.
(parse_stab_members): Likewise.
(parse_stab_tilde_field): Likewise.
(parse_stab_array_type): Likewise.
* parse_stab: Compute the end of the string and then pass it on to
individual parser functions.

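The range-checking approach the PR 22955 commit message describes, as an added illustration that is not binutils code: a simplified stab array descriptor parser in which every function takes an explicit end pointer (p_end) and refuses to read at or past it, so a .stabstr entry that lost its NUL terminator or was cut short is rejected instead of overrun. The descriptor grammar, all function names and the struct are simplified assumptions, not the stabs.c implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Parse an optional '-' and decimal digits at *pp, never reading at or past
   p_end.  On success advance *pp past the number and store it in *value; on
   failure (no digit, buffer ends inside the number, overflow) leave *pp
   untouched and return false. */
static bool
parse_number_bounded (const char **pp, const char *p_end, int64_t *value)
{
  const char *p = *pp;
  bool negative = false;
  int64_t v = 0;

  if (p == NULL || p >= p_end)
    return false;
  if (*p == '-')
    {
      negative = true;
      p++;
    }
  if (p >= p_end || *p < '0' || *p > '9')
    return false;
  while (p < p_end && *p >= '0' && *p <= '9')
    {
      int digit = *p - '0';
      if (v > (INT64_MAX - digit) / 10)   /* reject overflow rather than wrap */
        return false;
      v = v * 10 + digit;
      p++;
    }
  *value = negative ? -v : v;
  *pp = p;
  return true;
}

/* Consume the single character c at *pp, again bounded by p_end. */
static bool
expect_char (const char **pp, const char *p_end, char c)
{
  if (*pp >= p_end || **pp != c)
    return false;
  (*pp)++;
  return true;
}

/* Simplified stab array descriptor "ar<index>;<lower>;<upper>;<element>".
   Type numbers are plain integers here (a hypothetical simplification; real
   stabs also allow "(file,type)" pairs and nested type definitions). */
struct stab_array_desc
{
  int64_t index_type, lower, upper, element_type;
};

static bool
parse_stab_array_bounded (const char **pp, const char *p_end,
                          struct stab_array_desc *out)
{
  const char *p = *pp;
  struct stab_array_desc d;

  if (!expect_char (&p, p_end, 'a') || !expect_char (&p, p_end, 'r'))
    return false;
  if (!parse_number_bounded (&p, p_end, &d.index_type)
      || !expect_char (&p, p_end, ';')
      || !parse_number_bounded (&p, p_end, &d.lower)
      || !expect_char (&p, p_end, ';')
      || !parse_number_bounded (&p, p_end, &d.upper)
      || !expect_char (&p, p_end, ';')
      || !parse_number_bounded (&p, p_end, &d.element_type))
    return false;   /* truncated or malformed: no partial result is exposed */
  *out = d;
  *pp = p;
  return true;
}

/* Entry point for one string-table entry of known length, the way a reader
   of a .stabstr section sees it.  A corrupt entry that lost its terminating
   NUL is handled exactly like a valid one, because nothing above ever looks
   for a terminator: p_end is the only stop condition. */
static bool
parse_array_entry (const char *buf, size_t len, struct stab_array_desc *out)
{
  const char *p = buf;
  return parse_stab_array_bounded (&p, buf + len, out);
}
```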


[Bug ld/20882] GNU ld discards sections required by relocations in .debug_info with --gc-sections

2018-03-13 Thread hjl.tools at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=20882

H.J. Lu  changed:

   What|Removed |Added

 Status|REOPENED|WAITING

--- Comment #16 from H.J. Lu  ---
(In reply to Richard Biener from comment #15)
> The original testcase is fixed tho.

For

https://github.com/davidmalcolm/rhbz-1543912

with binutils master branch, I got

mkdir build
gcc -I ./src -flto -O2 -g -c src/bootchart.c -o build/bootchart.o
gcc -I ./src -flto -O2 -g -c src/log.c -o build/log.o
gcc -flto -g -Wl,--gc-sections -Wl,--print-gc-sections \
  build/bootchart.o build/log.o \
  -o build/systemd-bootchart
/usr/local/bin/ld: removing unused section '.rodata.cst4' in file
'/usr/lib/gcc/x86_64-redhat-linux/7/../../../../lib64/crt1.o'
/usr/local/bin/ld: removing unused section '.data' in file
'/usr/lib/gcc/x86_64-redhat-linux/7/../../../../lib64/crt1.o'
/usr/local/bin/ld: removing unused section '.rodata' in file
'/usr/lib/gcc/x86_64-redhat-linux/7/crtbegin.o'
/usr/lib/rpm/debugedit build/systemd-bootchart

It looks normal to me.



[Bug ld/20882] GNU ld discards sections required by relocations in .debug_info with --gc-sections

2018-03-13 Thread rguenth at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=20882

Richard Biener  changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|FIXED   |---

--- Comment #14 from Richard Biener  ---
The issue persists in 2.29.1 at least.

Index: libstdc++-v3/testsuite/libstdc++-prettyprinters/prettyprinters.exp
===
--- libstdc++-v3/testsuite/libstdc++-prettyprinters/prettyprinters.exp 
(revision 258481)
+++ libstdc++-v3/testsuite/libstdc++-prettyprinters/prettyprinters.exp 
(working copy)
@@ -50,7 +50,7 @@ gdb-dg-runtest [lsort [glob $srcdir/$sub
 if { [check_effective_target_lto] } {
   append cxxflags " -flto"
   # work around sourceware.org 20882
-  regsub {^(.*)-Wl,--gc-sections(.*)$} $cxxldflags {\1\2} cxxldflags
+  #regsub {^(.*)-Wl,--gc-sections(.*)$} $cxxldflags {\1\2} cxxldflags
   gdb-dg-runtest [lsort [glob $srcdir/$subdir/*.cc]] \
 "" "$DEFAULT_CXXFLAGS -flto $PCH_CXXFLAGS"
 }
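Review bot: the `# work around sourceware.org 20882` comment at the top of this hunk now describes a regsub that is commented out, so a reader of the testsuite sees a workaround note with no workaround beneath it; since the diff only re-enables -Wl,--gc-sections to reproduce the bug, either remove both lines together once the bug is fixed or reword the comment to say the workaround is deliberately disabled for testing.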

shows the issue in a gcc tree with

> make check-target-libstdc++-v3 RUNTESTFLAGS="prettyprinters.exp"

you then get UNSUPPORTED tests with complaints like

spawn gdb -nx -nw -quiet -batch -x cxx11.gdb^M
Dwarf Error: could not find abbrev number 151 [in module
/tmp/obj/x86_64-pc-linux-gnu/libstdc++-v3/testsuite/cxx11.exe]^M
skipping: Dwarf Error: could not find abbrev number 151 [in module
/tmp/obj/x86_64-pc-linux-gnu/libstdc++-v3/testsuite/cxx11.exe]^M
cxx11.gdb:5: Error in sourced command file:^M
No symbol table is loaded.  Use the "file" command.^M
skipping: cxx11.gdb:5: Error in sourced command file:^M
skipping: No symbol table is loaded.  Use the "file" command.^M
UNSUPPORTED: libstdc++-prettyprinters/cxx11.cc

See also https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84847



[Bug ld/20882] GNU ld discards sections required by relocations in .debug_info with --gc-sections

2018-03-13 Thread rguenth at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=20882

--- Comment #15 from Richard Biener  ---
The original testcase is fixed tho.



[Bug binutils/22113] Heap out of bounds read in bfd_getl16()

2018-03-13 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22113

--- Comment #7 from Nick Clifton  ---
Hi Kamil,

  Thanks for reporting this problem.  It is actually a different bug,
  albeit one in a similar area of code.

  I have checked in a patch that adds the necessary bounds checking,
  so this problem should now be resolved.

Cheers
  Nick



[Bug binutils/22113] Heap out of bounds read in bfd_getl16()

2018-03-13 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22113

--- Comment #6 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3e33b239450771394fa6c83b67b9de80169f35e8

commit 3e33b239450771394fa6c83b67b9de80169f35e8
Author: Nick Clifton 
Date:   Tue Mar 13 14:02:52 2018 +

Prevent memory access violations when attempting to parse an x86_64 PE
binary containing corrupt unwind information.

PR 22113
include * coff/pe.h (struct pex64_unwind_info): Add a rawUnwindCodesEnd
field.

bfd * pei-x86_64.c (pex64_get_unwind_info): Change to a boolean
function.  Add an end address parameter.  Check access of the data
pointer to make sure that they do not extend beyond the end
address.  Return FALSE if any check fails.  Add the end address
pointer to the ui structure.
(pex64_xdata_print_uwd_codes): Check accesses of the raw unwind
codes to make sure that they do not extend beyond the end address
pointer.  Print an error message and return immediately if any
check fails.



[Bug binutils/22957] New: Heap out of bounds read in pop_bincl()

2018-03-13 Thread fumfi.255 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22957

Bug ID: 22957
   Summary: Heap out of bounds read in pop_bincl()
   Product: binutils
   Version: 2.30
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: fumfi.255 at gmail dot com
  Target Milestone: ---

Created attachment 10891
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10891=edit
Crashing test case (objdump)

After some fuzz testing I found a crashing test case.

Version: 2.30

Command: objdump -x -D -S -s -G -g -e -t -T -r -R objdump_hoobr_pop_bincl

ASAN Context:

==2062==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020db70
at pc 0x00535b77 bp 0x7ffeaf342190 sp 0x7ffeaf342180
READ of size 8 at 0x6020db70 thread T0
#0 0x535b76 in pop_bincl XYZ/binutils-2.30.0/binutils/stabs.c:3213
#1 0x535b76 in parse_stab XYZ/binutils-2.30.0/binutils/stabs.c:565
#2 0x4ebd89 in read_section_stabs_debugging_info
XYZ/binutils-2.30.0/binutils/rddbg.c:239
#3 0x4ebd89 in read_debugging_info XYZ/binutils-2.30.0/binutils/rddbg.c:56
#4 0x41f654 in dump_bfd objdump.c:3607
#5 0x421a77 in display_object_bfd objdump.c:3658
#6 0x421a77 in display_any_bfd objdump.c:3747
#7 0x40ea81 in display_file objdump.c:3768
#8 0x40ea81 in main objdump.c:4070
#9 0x7f36620ed82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x411ca8 in _start (/usr/local/bin/objdump+0x411ca8)

0x6020db71 is located 0 bytes to the right of 1-byte region
[0x6020db70,0x6020db71)
allocated by thread T0 here:
#0 0x7f3662733602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0xb57fec in xmalloc xmalloc.c:147

SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/binutils-2.30.0/binutils/stabs.c:3213 pop_bincl
==2062==ABORTING



[Bug ld/22954] Conditional jump or move depends on uninitialised value(s) in at 0x519BD27: __wmemchr_avx2 (memchr-avx2.S:260)

2018-03-13 Thread hjl.tools at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22954

H.J. Lu  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |INVALID

--- Comment #1 from H.J. Lu  ---
(In reply to Martin Liska from comment #0)
> Maybe it's an issue of glibc, maybe valgrind can't handle that properly?
> Thanks

__wmemchr_avx2 uses vector compare and checks the elements of a vector
within boundary:

L(first_vec_x1_check):
        tzcntl  %eax, %eax
        /* Check the end of data.  */
        cmpq    %rax, %rdx
        jbe     L(zero)
        addq    $VEC_SIZE, %rax
        addq    %rdi, %rax
        VZEROUPPER
        ret



[Bug binutils/22956] New: Heap out of bounds read in pex64_get_unwind_info()

2018-03-13 Thread fumfi.255 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22956

Bug ID: 22956
   Summary: Heap out of bounds read in pex64_get_unwind_info()
   Product: binutils
   Version: 2.30
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: fumfi.255 at gmail dot com
  Target Milestone: ---

Created attachment 10890
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10890=edit
Crashing test case (objdump)

After some fuzz testing I found a crashing test case.

Version: 2.30

Command: objdump -x -D -S -s -G -g -e -t -T -r -R
objdump_hoobr_pex64_get_unwind_info

ASAN Context:
==20442==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60e0dff7 at pc 0x00977e90 bp 0x7fffdace5b80 sp 0x7fffdace5b70
READ of size 1 at 0x60e0dff7 thread T0
#0 0x977e8f in pex64_get_unwind_info
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:113
#1 0x977e8f in pex64_dump_xdata XYZ/binutils-2.30.0/bfd/pei-x86_64.c:348
#2 0x977e8f in pex64_bfd_print_pdata_section
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:720
#3 0x97887d in pex64_print_all_pdata_sections
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:745
#4 0x61c56b in bfd_map_over_sections XYZ/binutils-2.30.0/bfd/section.c:1397
#5 0x9787e9 in pex64_bfd_print_pdata
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:759
#6 0x99abcd in _bfd_pex64_print_private_bfd_data_common
XYZ/binutils-2.30.0/bfd/pex64igen.c:2908
#7 0x963640 in pe_print_private_bfd_data
XYZ/binutils-2.30.0/bfd/peicode.h:336
#8 0x42009c in dump_bfd_private_header objdump.c:2966
#9 0x42009c in dump_bfd objdump.c:3559
#10 0x421a77 in display_object_bfd objdump.c:3658
#11 0x421a77 in display_any_bfd objdump.c:3747
#12 0x40ea81 in display_file objdump.c:3768
#13 0x40ea81 in main objdump.c:4070
#14 0x7fd3b68ca82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#15 0x411ca8 in _start (/usr/local/bin/objdump+0x411ca8)

0x60e0dff7 is located 0 bytes to the right of 151-byte region
[0x60e0df60,0x60e0dff7)
allocated by thread T0 here:
#0 0x7fd3b6f10602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x601d1a in bfd_malloc XYZ/binutils-2.30.0/bfd/libbfd.c:193
#2 0x6120bfb7  ()

SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:113 pex64_get_unwind_info
==20442==ABORTING



[Bug binutils/22955] New: Heap out of bounds read in parse_stab_array_type()

2018-03-13 Thread fumfi.255 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22955

Bug ID: 22955
   Summary: Heap out of bounds read in parse_stab_array_type()
   Product: binutils
   Version: 2.30
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: fumfi.255 at gmail dot com
  Target Milestone: ---

Created attachment 10889
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10889=edit
Crashing test case (objdump)

After some fuzz testing I found a crashing test case.

Version: 2.30

Command: objdump -x -D -S -s -G -g -e -t -T -r -R
objdump_hoobr_parse_stab_array_type

ASAN Context:

==2449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62112b1d
at pc 0x00524449 bp 0x7ffeef745850 sp 0x7ffeef745840
READ of size 1 at 0x62112b1d thread T0
#0 0x524448 in parse_stab_array_type
XYZ/binutils-2.30.0/binutils/stabs.c:3127
#1 0x524448 in parse_stab_type XYZ/binutils-2.30.0/binutils/stabs.c:1577
#2 0x5318b0 in parse_stab_string XYZ/binutils-2.30.0/binutils/stabs.c:968
#3 0x5318b0 in parse_stab XYZ/binutils-2.30.0/binutils/stabs.c:655
#4 0x4ebd89 in read_section_stabs_debugging_info
XYZ/binutils-2.30.0/binutils/rddbg.c:239
#5 0x4ebd89 in read_debugging_info XYZ/binutils-2.30.0/binutils/rddbg.c:56
#6 0x41f654 in dump_bfd objdump.c:3607
#7 0x421a77 in display_object_bfd objdump.c:3658
#8 0x421a77 in display_any_bfd objdump.c:3747
#9 0x40ea81 in display_file objdump.c:3768
#10 0x40ea81 in main objdump.c:4070
#11 0x7f2bbf8db82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x411ca8 in _start (/usr/local/bin/objdump+0x411ca8)

0x62112b1d is located 0 bytes to the right of 4637-byte region
[0x62111900,0x62112b1d)
allocated by thread T0 here:
#0 0x7f2bbff21602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0xb57fec in xmalloc xmalloc.c:147

SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/binutils-2.30.0/binutils/stabs.c:3127 parse_stab_array_type
==2449==ABORTING



[Bug binutils/22113] Heap out of bounds read in bfd_getl16()

2018-03-13 Thread fumfi.255 at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=22113

--- Comment #4 from Kamil Frankowicz  ---
Hi,

Problem still exists in 2.30:

==3183==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f0ec41
at pc 0x00602aa5 bp 0x7ffe6cea6600 sp 0x7ffe6cea65f0
READ of size 1 at 0x60f0ec41 thread T0
#0 0x602aa4 in bfd_getl16 XYZ/binutils-2.30.0/bfd/libbfd.c:505
#1 0x9777c8 in pex64_xdata_print_uwd_codes
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:241
#2 0x9777c8 in pex64_dump_xdata XYZ/binutils-2.30.0/bfd/pei-x86_64.c:403
#3 0x9777c8 in pex64_bfd_print_pdata_section
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:720
#4 0x97887d in pex64_print_all_pdata_sections
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:745
#5 0x61c56b in bfd_map_over_sections XYZ/binutils-2.30.0/bfd/section.c:1397
#6 0x9787e9 in pex64_bfd_print_pdata
XYZ/binutils-2.30.0/bfd/pei-x86_64.c:759
#7 0x99abcd in _bfd_pex64_print_private_bfd_data_common
XYZ/binutils-2.30.0/bfd/pex64igen.c:2908
#8 0x963640 in pe_print_private_bfd_data
XYZ/binutils-2.30.0/bfd/peicode.h:336
#9 0x42009c in dump_bfd_private_header objdump.c:2966
#10 0x42009c in dump_bfd objdump.c:3559
#11 0x421a77 in display_object_bfd objdump.c:3658
#12 0x421a77 in display_any_bfd objdump.c:3747
#13 0x40ea81 in display_file objdump.c:3768
#14 0x40ea81 in main objdump.c:4070
#15 0x7fe1da1f782f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#16 0x411ca8 in _start (/usr/local/bin/objdump+0x411ca8)

0x60f0ec41 is located 1 bytes to the right of 176-byte region
[0x60f0eb90,0x60f0ec40)
allocated by thread T0 here:
#0 0x7fe1da83d602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x601d1a in bfd_malloc XYZ/binutils-2.30.0/bfd/libbfd.c:193
#2 0x6120bfb7  ()

SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/binutils-2.30.0/bfd/libbfd.c:505 bfd_getl16



[Bug ld/22954] New: Conditional jump or move depends on uninitialised value(s) in at 0x519BD27: __wmemchr_avx2 (memchr-avx2.S:260)

2018-03-13 Thread mliska at suse dot cz
https://sourceware.org/bugzilla/show_bug.cgi?id=22954

Bug ID: 22954
   Summary: Conditional jump or move depends on uninitialised
value(s) in at 0x519BD27: __wmemchr_avx2
(memchr-avx2.S:260)
   Product: binutils
   Version: 2.31 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: ld
  Assignee: unassigned at sourceware dot org
  Reporter: mliska at suse dot cz
  Target Milestone: ---

Hello.

With current thunk I see:

$ valgrind --leak-check=yes --trace-children=yes ~/bin/binutils/bin/ld
--eh-frame-hdr -m elf_x86_64
...
==21255== Conditional jump or move depends on uninitialised value(s)
==21255==    at 0x519BD27: __wmemchr_avx2 (memchr-avx2.S:260)
==21255==    by 0x510A579: internal_fnwmatch (fnmatch_loop.c:168)
==21255==    by 0x510D5D7: fnmatch@@GLIBC_2.2.5 (fnmatch.c:433)
==21255==    by 0x447DC8: find_target (targets.c:1590)
==21255==    by 0x447EB8: bfd_set_default_target (targets.c:1624)
==21255==    by 0x40348E: main (ldmain.c:246)
...

When I put there a printf:

diff --git a/bfd/targets.c b/bfd/targets.c
index 43102d428b..7765c9ec53 100644
--- a/bfd/targets.c
+++ b/bfd/targets.c
@@ -1586,6 +1586,7 @@ find_target (const char *name)
  config.sub first, but that is hard.  */
   for (match = _target_match[0]; match->triplet != NULL; match++)
 {
+  fprintf (stderr, "pattern: %s, name: %s\n", match->triplet, name);
   if (fnmatch (match->triplet, name, 0) == 0)
{
  while (match->vector == NULL)
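Review bot: the added fprintf in find_target writes every pattern tried on every target lookup to stderr from inside libbfd, which is fine as a local diagnostic for this report but must not be merged; if it is to stay for debugging, guard it behind a compile-time debug macro so release builds of ld and every other bfd client stay quiet. The loop condition already guarantees match->triplet is non-NULL, so the format arguments themselves are safe.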

I see:
...
pattern: i[3-7]86-*-linux-*, name: x86_64-pc-linux-gnu
pattern: i[3-7]86-*-redox*, name: x86_64-pc-linux-gnu
pattern: x86_64-*-dicos*, name: x86_64-pc-linux-gnu
==21255== Conditional jump or move depends on uninitialised value(s)
==21255==    at 0x519BD27: __wmemchr_avx2 (memchr-avx2.S:260)
==21255==    by 0x510A579: internal_fnwmatch (fnmatch_loop.c:168)
==21255==    by 0x510D5D7: fnmatch@@GLIBC_2.2.5 (fnmatch.c:433)
==21255==    by 0x447DC8: find_target (targets.c:1590)
==21255==    by 0x447EB8: bfd_set_default_target (targets.c:1624)
==21255==    by 0x40348E: main (ldmain.c:246)
==21255== 
pattern: x86_64-*-elf*, name: x86_64-pc-linux-gnu
pattern: x86_64-*-rtems*, name: x86_64-pc-linux-gnu
pattern: x86_64-*-fuchsia, name: x86_64-pc-linux-gnu
pattern: x86_64-*-dragonfly*, name: x86_64-pc-linux-gnu
...

Maybe it's an issue of glibc, maybe valgrind can't handle that properly?
Thanks
