https://sourceware.org/bugzilla/show_bug.cgi?id=25745
Bug ID: 25745
Summary: powerpc64-unknown-linux-gnu-ld overflows string buffer in --stats mode
Product: binutils
Version: 2.34
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: slyfox at inbox dot ru
Target Milestone: ---

Initially observed the crash when building ncurses-6.2 on powerpc64 using the ru_RU.UTF-8 locale.

$ locale
LANG=ru_RU.UTF-8
...

"""
$ powerpc64-unknown-linux-gnu-ld ... -stats -lc ...
GNU ld (Gentoo 2.34 p1) 2.34.0
...
powerpc64-unknown-linux-gnu-ld: заглушки компоновщика в 2 группах
    [translation: "linker stubs in 2 groups"]
...
Ошибка сегментирования (стек памяти сброшен на диск)
    [translation: "Segmentation fault (core dumped)"]
"""

It's a SIGSEGV. valgrind points it to a heap buffer overflow at:

==3864715== Invalid write of size 1
==3864715==    at 0x483F046: mempcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3864715==    by 0x4AB5707: _IO_default_xsputn (genops.c:386)
==3864715==    by 0x4AB5707: _IO_default_xsputn (genops.c:370)
==3864715==    by 0x4A9D1EC: __vfprintf_internal (vfprintf-internal.c:1719)
==3864715==    by 0x4AA9C0F: __vsprintf_internal (iovsprintf.c:96)
==3864715==    by 0x4B3D992: __sprintf_chk (sprintf_chk.c:40)
==3864715==    by 0x48B3CCB: sprintf (stdio2.h:36)
==3864715==    by 0x48B3CCB: ppc64_elf_build_stubs (elf64-ppc.c:14129)
==3864715==    by 0x137988: gldelf64ppc_finish (eelf64ppc.c:618)
==3864715==    by 0x12959A: lang_process (ldlang.c:7916)
==3864715==    by 0x11561C: main (ldmain.c:452)

The overflow happens in locales where most letters are multibyte (like Russian).
Here is a modern binutils-bfd snippet from https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=bfd/elf64-ppc.c;h=7f7e190ce2b656d31ba1f163010adcccc924c645;hb=HEAD#l14561 which looks suspicious:

      if (stats != NULL)
        {
          size_t len;
          *stats = bfd_malloc (500);
          if (*stats == NULL)
            return FALSE;

          len = sprintf (*stats,
                         ngettext ("linker stubs in %u group\n",
                                   "linker stubs in %u groups\n",
                                   stub_sec_count),
                         stub_sec_count);
          sprintf (*stats + len, _(" branch %lu\n"
                                   " branch toc adj %lu\n"
                                   " branch notoc %lu\n"
                                   " branch both %lu\n"
                                   " long branch %lu\n"
                                   " long toc adj %lu\n"
                                   " long notoc %lu\n"
                                   " long both %lu\n"
                                   " plt call %lu\n"
                                   " plt call save %lu\n"
                                   " plt call notoc %lu\n"
                                   " plt call both %lu\n"
                                   " global entry %lu"),
                   htab->stub_count[ppc_stub_long_branch - 1],
                   htab->stub_count[ppc_stub_long_branch_r2off - 1],
                   htab->stub_count[ppc_stub_long_branch_notoc - 1],
                   htab->stub_count[ppc_stub_long_branch_both - 1],
                   htab->stub_count[ppc_stub_plt_branch - 1],
                   htab->stub_count[ppc_stub_plt_branch_r2off - 1],
                   htab->stub_count[ppc_stub_plt_branch_notoc - 1],
                   htab->stub_count[ppc_stub_plt_branch_both - 1],
                   htab->stub_count[ppc_stub_plt_call - 1],
                   htab->stub_count[ppc_stub_plt_call_r2save - 1],
                   htab->stub_count[ppc_stub_plt_call_notoc - 1],
                   htab->stub_count[ppc_stub_plt_call_both - 1],
                   htab->stub_count[ppc_stub_global_entry - 1]);
        }
      return TRUE;
    }
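The following is an added example, not code from the bug report or from binutils. It reproduces the sizing defect in the snippet above in isolation: a fixed bfd_malloc (500) sized against the English strings, then sprintf of a translated format whose length the caller never measures. The stats layout copies the 13-line shape of the elf64-ppc.c text; the Russian body strings are constructed for illustration and are not the real binutils translation (only the "заглушки компоновщика в %u группах" header echoes the quoted output), and the stub counts are arbitrary sample values. The helper names render_stats, fits_fixed_buffer and build_stats are the example's own. The fix shown is measure-then-allocate with snprintf (NULL, 0, ...), which is locale-independent.

```c
/* Added example (not binutils code): the sizing bug behind this report and a
 * measure-then-allocate fix.  Russian strings are CONSTRUCTED for illustration;
 * counts are arbitrary sample values. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N_STUBS 13
#define STATS_FIXED_BUF 500          /* the bfd_malloc (500) in the snippet */

struct stats_msgs {
  const char *head;                  /* plural form only; ngettext omitted */
  const char *body;                  /* exactly N_STUBS "%lu" conversions */
};

static const struct stats_msgs msgs_en = {
  "linker stubs in %u groups\n",
  " branch %lu\n" " branch toc adj %lu\n" " branch notoc %lu\n"
  " branch both %lu\n" " long branch %lu\n" " long toc adj %lu\n"
  " long notoc %lu\n" " long both %lu\n" " plt call %lu\n"
  " plt call save %lu\n" " plt call notoc %lu\n" " plt call both %lu\n"
  " global entry %lu"
};

/* Constructed translation: every Cyrillic letter is two UTF-8 bytes, so the
 * same 13 lines cost roughly twice the bytes of the English original. */
static const struct stats_msgs msgs_ru = {
  "заглушки компоновщика в %u группах\n",
  " переход %lu\n" " переход с корректировкой toc %lu\n"
  " переход без toc %lu\n" " переход в обоих режимах %lu\n"
  " длинный переход %lu\n" " длинный переход с корректировкой toc %lu\n"
  " длинный переход без toc %lu\n" " длинный переход в обоих режимах %lu\n"
  " вызов через plt %lu\n" " вызов через plt с сохранением %lu\n"
  " вызов через plt без toc %lu\n" " вызов через plt в обоих режимах %lu\n"
  " глобальная точка входа %lu"
};

static const unsigned long sample_counts[N_STUBS] =
  { 5, 3, 0, 0, 2, 1, 0, 0, 120, 4, 0, 0, 7 };

/* Render the stats text with snprintf.  With buf == NULL and cap == 0 it
 * only measures.  Returns the bytes needed, excluding the terminating NUL. */
static size_t render_stats (char *buf, size_t cap, const struct stats_msgs *m,
                            unsigned groups, const unsigned long c[N_STUBS])
{
  int n = snprintf (buf, cap, m->head, groups);
  if (n < 0)
    return 0;
  size_t len = (size_t) n;
  char *p = NULL;
  size_t rem = 0;
  if (buf != NULL && len < cap)      /* keep writing in-buffer only if it fits */
    {
      p = buf + len;
      rem = cap - len;
    }
  n = snprintf (p, rem, m->body, c[0], c[1], c[2], c[3], c[4], c[5], c[6],
                c[7], c[8], c[9], c[10], c[11], c[12]);
  if (n < 0)
    return 0;
  return len + (size_t) n;
}

/* Would the original sprintf into a 500-byte block have stayed in bounds?
 * The +1 accounts for the NUL that sprintf also writes. */
static int fits_fixed_buffer (const struct stats_msgs *m, unsigned groups,
                              const unsigned long c[N_STUBS])
{
  return render_stats (NULL, 0, m, groups, c) + 1 <= STATS_FIXED_BUF;
}

/* The fix: measure first, allocate exactly, then render.  Caller frees. */
static char *build_stats (const struct stats_msgs *m, unsigned groups,
                          const unsigned long c[N_STUBS])
{
  size_t need = render_stats (NULL, 0, m, groups, c);
  char *out = malloc (need + 1);
  if (out == NULL)
    return NULL;
  render_stats (out, need + 1, m, groups, c);
  return out;
}

int main (void)
{
  const struct stats_msgs *tbl[2] = { &msgs_en, &msgs_ru };
  for (int i = 0; i < 2; i++)
    {
      size_t need = render_stats (NULL, 0, tbl[i], 2, sample_counts) + 1;
      printf ("%s: needs %zu bytes; %d-byte buffer %s\n", i ? "ru" : "en",
              need, STATS_FIXED_BUF,
              fits_fixed_buffer (tbl[i], 2, sample_counts) ? "ok" : "OVERFLOWS");
      char *s = build_stats (tbl[i], 2, sample_counts);
      if (s != NULL)
        {
          puts (s);
          free (s);
        }
    }
  return 0;
}
```

With the English strings the worst case (13 counts of ULONG_MAX and a 10-digit group count) still fits in 500 bytes, which is presumably how the constant was chosen; the constructed Russian body exceeds 500 bytes of letters alone before any digits are printed, so any sprintf into that block writes past the heap chunk exactly as valgrind reports.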