[Bug gas/24538] GAS crashes caused by corrupted input files

[mtest1 at testlt dot pl]

https://sourceware.org/bugzilla/show_bug.cgi?id=24538

--- Comment #3 from mtest1 at testlt dot pl ---
(In reply to Nick Clifton from comment #2)
> Hi mtest1,
> 
>   Thank you very much for reporting these bugs.
> 
>   I have applied a patch to address most of the problems, but I
>   was unable to reproduce one of them: 
> 
>     ini386_intel_simplify_registerconfig_tc-i386-intel.c:289
> 
>   Please could you check to see if it is still causing you problems ?
> 
> Cheers
>   Nick

Hi Nick!

 We've just tried this testcase and it's still causing problems:

 Starting program: /home/shm/src/binutils-gdb/bin/bin/as-i386 <
avx512f_vaes-wig.s_401709.out.min
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
{standard input}: Assembler messages:
{standard input}:3: Error: bignum invalid
=================================================================
==1619==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000001363f98 at pc 0x0000004a8868 bp 0x7fffffffdfc0 sp 0x7fffffffdfb0
READ of size 8 at 0x000001363f98 thread T0
    #0 0x4a8867 in i386_intel_simplify_register config/tc-i386-intel.c:289
    #1 0x4a9864 in i386_intel_simplify config/tc-i386-intel.c:500
    #2 0x4a8b98 in i386_intel_simplify_symbol config/tc-i386-intel.c:322
    #3 0x4a8e04 in i386_intel_simplify config/tc-i386-intel.c:355
    #4 0x4a8b98 in i386_intel_simplify_symbol config/tc-i386-intel.c:322
    #5 0x4a90fc in i386_intel_simplify config/tc-i386-intel.c:398
    #6 0x4a9e87 in i386_intel_operand config/tc-i386-intel.c:577
    #7 0x4876f1 in parse_operands config/tc-i386.c:4760
    #8 0x484d42 in md_assemble config/tc-i386.c:4089
    #9 0x445c21 in assemble_one /home/shm/src/binutils-gdb/gas/read.c:711
    #10 0x447357 in read_a_source_file
/home/shm/src/binutils-gdb/gas/read.c:1179
    #11 0x409f94 in perform_an_assembly_pass
/home/shm/src/binutils-gdb/gas/as.c:1197
    #12 0x40a4d0 in main /home/shm/src/binutils-gdb/gas/as.c:1350
    #13 0x7ffff68bc82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x4034a8 in _start
(/home/shm/src/binutils-gdb/bin/bin/as-i386+0x4034a8)

 Likely the problem is here:

 #7  0x00000000004a8868 in i386_intel_simplify_register (e=0x621000015960) at
config/tc-i386-intel.c:289
289                && (i386_regtab[reg_num].reg_type.bitfield.xmmword
(gdb) print reg_num
$1 = 65534

 Somehow X_md egt 65535 value:

(gdb) print *e
$2 = {X_add_symbol = 0x0, X_op_symbol = 0x0, X_add_number = 0, X_op =
O_constant, X_unsigned = 0, X_extrabit = 0, X_md = 65535}

 thus i386_regtab[reg_num] is accessing table far after its end:

 (gdb) print i386_regtab_size 
 $3 = 281

 Let us know if you need more assistance.

 Good luck!

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils