[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #11 from Nick Clifton ---

(In reply to Hanno Boeck from comment #10)
> With all patches attached objdump-pe-crasher still causes objdump to crash
> (attachment 7854 on this bug). To reproduce run
> objdump -x objdump-pe-crasher

Are you sure? In my tests objdump works and does not crash. The second patch ("More fixes for parsing corrupt binaries") should have taken care of this problem.

Cheers
Nick

--
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #12 from Hanno Boeck ---

It's a bit confusing. When I patch binutils 2.24 with attachment 7855 (and a bunch of other crash fixes for the other issues) then I can still reproduce the crash with objdump-pe-crasher (please note that this only appears with objdump -x).

However if I take binutils git head code I can't reproduce it any more. So it seems there's some other change in the git code that prevents this crash.

(please also note that the stack overflow sample from bug #17510 still crashes strings/objdump/nm on git head code)
[Bug binutils/17510] strings: crash when given a truncated ELF
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

--- Comment #9 from cvs-commit at gcc dot gnu.org ---

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  708d7d0d11f0f2d776171979aa3479e8e12a38a0 (commit)
      from  6fb9c0f83252a79b2f1a3f8e75fa117ca7a4d589 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=708d7d0d11f0f2d776171979aa3479e8e12a38a0

commit 708d7d0d11f0f2d776171979aa3479e8e12a38a0
Author: Nick Clifton
Date:   Tue Oct 28 10:48:14 2014 +

    This patch fixes a flaw in the SREC parser which could cause a stack overflow and potential security breach.

        PR binutils/17510
        * srec.c (srec_bad_byte): Increase size of buf to allow for negative values.
        (srec_scan): Use an unsigned char buffer to hold header bytes.

---
Summary of changes:
 bfd/ChangeLog  | 8
 bfd/elf.c      | 2 +-
 bfd/peXXigen.c | 1 -
 bfd/srec.c     | 4 ++--
 4 files changed, 11 insertions(+), 4 deletions(-)
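The two srec.c changes in the commit above (a wider buffer in srec_bad_byte, an unsigned char buffer in srec_scan) both address the same bug class: an input byte held in a plain `char` sign-extends when it is promoted to int, and an octal escape of that negative value is far longer than an escape of a byte. The following is an added example written for this digest, not the binutils code; it is a hypothetical reduction of that pattern with a hardened counterpart, and it assumes a 32-bit `int`. The function names, the 10-byte buffer size and the sample header bytes are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reduction of the bug class (not binutils' srec.c). If a byte
   from the input is kept in a plain `char`, 0xFF is promoted to the int -1;
   cast to unsigned int (32-bit int assumed) that is 0xFFFFFFFF, and "\\%03o"
   renders it as "\37777777777": 12 characters plus NUL, which overruns a
   10-byte buffer. Returns the length sprintf produces; the scratch buffer
   is oversized here only so the length can be measured without overflowing. */
int unsafe_octal_len(int c)
{
    char scratch[32];
    return sprintf(scratch, "\\%03o", (unsigned int) c);
}

/* Hardened form: reduce the value to its byte first, so the widest possible
   result is "\377" (4 characters), and bound the write with snprintf.
   Returns the characters written, or 0 if `cap` cannot hold them. */
size_t escape_byte(int c, char *out, size_t cap)
{
    unsigned char b = (unsigned char) c;          /* 0..255 regardless of sign */
    int n = snprintf(out, cap, "\\%03o", (unsigned) b);
    if (n < 0 || (size_t) n >= cap) {
        if (cap) out[0] = '\0';
        return 0;
    }
    return (size_t) n;
}

/* Render a record header for a diagnostic: printable bytes as-is, everything
   else octal-escaped. The header is typed unsigned char so no element can be
   negative. Returns the output length, or 0 if the bounded output would be
   truncated. */
size_t escape_header(const unsigned char *hdr, size_t n, char *out, size_t cap)
{
    if (cap == 0) return 0;
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (hdr[i] >= 0x20 && hdr[i] < 0x7f) {
            if (used + 1 >= cap) return 0;        /* room for the byte and NUL */
            out[used++] = (char) hdr[i];
        } else {
            size_t k = escape_byte(hdr[i], out + used, cap - used);
            if (k == 0) return 0;
            used += k;
        }
    }
    out[used] = '\0';
    return used;
}

/* Constructed sample header: an "S0" tag followed by two high bytes and a
   newline, i.e. the kind of content that is negative in a signed char. */
const unsigned char sample_header[] = { 'S', '0', 0xFF, 0x80, '\n' };
const size_t sample_header_len = sizeof sample_header;

int main(void)
{
    char out[32];
    printf("unsafe length for byte 0xFF seen as -1: %d\n", unsafe_octal_len(-1));
    escape_header(sample_header, sample_header_len, out, sizeof out);
    printf("escaped header: %s\n", out);
    return 0;
}
```

The point to take from the test below is the first assertion: the unsafe formatting of a single byte needs 12 bytes of buffer, not the 4 (plus NUL) that "%03o" suggests, which is exactly why a fixed-size buffer sized for bytes overflows once the value is sign-extended.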
[Bug binutils/17510] strings: crash when given a truncated ELF
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

--- Comment #10 from cvs-commit at gcc dot gnu.org ---

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, binutils-2_25-branch has been updated
       via  b2f93c5011cab00f31669363577b938697752e43 (commit)
      from  a809b386e59dfcb3f4dedd8465975dabc55db5db (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b2f93c5011cab00f31669363577b938697752e43

commit b2f93c5011cab00f31669363577b938697752e43
Author: Nick Clifton
Date:   Tue Oct 28 10:50:17 2014 +

    Import patches from the master branch which prevent seg-faults when parsing corrupt binaries.

    2014-10-28  Andreas Schwab
                Nick Clifton

        PR binutils/17510
        * srec.c (srec_bad_byte): Increase size of buf to allow for negative values.
        (srec_scan): Use an unsigned char buffer to hold header bytes.

    2014-10-27  Nick Clifton

        PR binutils/17512
        * elf.c (bfd_section_from_shdr): Detect and warn about ELF binaries with a group of sections linked by the string table indices.
        * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries with an invalid value for NumberOfRvaAndSizes.
        (pe_print_edata): Detect out of range rvas and entry counts for the Export Address table, Name Pointer table and Ordinal table.

        PR binutils/17510
        * elf.c (setup_group): Improve handling of corrupt group sections.

---
Summary of changes:
 bfd/ChangeLog  |  25 ++
 bfd/elf.c      | 226 +++-
 bfd/peXXigen.c |  29 +++-
 bfd/srec.c     |   4 +-
 4 files changed, 212 insertions(+), 72 deletions(-)
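The peXXigen.c entries in the commit above describe two places a PE reader has to distrust the file: NumberOfRvaAndSizes in the optional header, which sizes the data directory array, and the RVAs and entry counts in the export directory (the later commits in this thread add the truncated export table case). The block below is an added example written for this digest, not binutils' code, showing one way to make those reads bounds-checked. It assumes the buffer is a loaded image in which an RVA is a direct offset (no section-table translation), it rejects rather than clamps an oversized NumberOfRvaAndSizes, and the helper names, error codes and the constructed test image are all the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PE_MAX_DATA_DIRS 16u   /* IMAGE_NUMBEROF_DIRECTORY_ENTRIES */
#define TEST_IMG_LEN 0x300     /* size of the constructed image below */

enum {
    PE_OK = 0,
    PE_ERR_TRUNCATED = -1,     /* a header or table runs past the buffer */
    PE_ERR_SIGNATURE = -2,
    PE_ERR_MAGIC = -3,
    PE_ERR_NUM_RVA = -4,       /* NumberOfRvaAndSizes larger than 16 */
    PE_ERR_EXPORT_RANGE = -5   /* export directory or its tables out of range */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* True if [off, off+n) lies inside `len` bytes; written so it cannot wrap. */
static int in_range(size_t len, uint64_t off, uint64_t n) {
    return off <= len && n <= len - off;
}

/* Locate the data directory array, validating NumberOfRvaAndSizes against
   both the architectural maximum and SizeOfOptionalHeader. */
int pe_find_data_dirs(const uint8_t *img, size_t len, size_t *dirs, uint32_t *ndirs)
{
    if (!in_range(len, 0x3c, 4)) return PE_ERR_TRUNCATED;
    uint32_t pe = rd32(img + 0x3c);                    /* e_lfanew */
    if (!in_range(len, pe, 4 + 20)) return PE_ERR_TRUNCATED;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return PE_ERR_SIGNATURE;
    uint16_t opt_size = rd16(img + pe + 4 + 16);       /* SizeOfOptionalHeader */
    size_t opt = pe + 24;
    if (opt_size < 2 || !in_range(len, opt, opt_size)) return PE_ERR_TRUNCATED;
    size_t nrva_off, dir_off;
    switch (rd16(img + opt)) {
    case 0x10b: nrva_off = 92;  dir_off = 96;  break;  /* PE32 */
    case 0x20b: nrva_off = 108; dir_off = 112; break;  /* PE32+ */
    default:    return PE_ERR_MAGIC;
    }
    if (opt_size < nrva_off + 4) return PE_ERR_TRUNCATED;
    uint32_t n = rd32(img + opt + nrva_off);           /* attacker-controlled */
    if (n > PE_MAX_DATA_DIRS) return PE_ERR_NUM_RVA;
    if (opt_size < dir_off + (size_t)n * 8) return PE_ERR_TRUNCATED;
    *dirs = opt + dir_off; *ndirs = n;
    return PE_OK;
}

/* Check the export directory (data directory 0) and its three tables.
   Assumption: RVA == offset into `img`, i.e. a loaded image. */
int pe_check_exports(const uint8_t *img, size_t len)
{
    size_t dirs; uint32_t ndirs;
    int rc = pe_find_data_dirs(img, len, &dirs, &ndirs);
    if (rc != PE_OK) return rc;
    if (ndirs < 1) return PE_OK;                        /* no export entry */
    uint32_t rva = rd32(img + dirs), size = rd32(img + dirs + 4);
    if (rva == 0) return PE_OK;
    if (size < 40 || !in_range(len, rva, size)) return PE_ERR_EXPORT_RANGE;  /* truncated */
    const uint8_t *ed = img + rva;
    uint32_t nfuncs = rd32(ed + 20), nnames = rd32(ed + 24);
    uint32_t eat = rd32(ed + 28), npt = rd32(ed + 32), ot = rd32(ed + 36);
    /* Counts are multiplied before use; do it in 64 bits so a huge count
       cannot wrap to a small table. */
    if (!in_range(len, eat, (uint64_t)nfuncs * 4)) return PE_ERR_EXPORT_RANGE;
    if (!in_range(len, npt, (uint64_t)nnames * 4)) return PE_ERR_EXPORT_RANGE;
    if (!in_range(len, ot,  (uint64_t)nnames * 2)) return PE_ERR_EXPORT_RANGE;
    return PE_OK;
}

/* Constructed PE32 image (not a real executable): headers at the usual
   offsets, export directory at RVA 0x200 with its tables at 0x240/0x260/0x280.
   The caller chooses the fields the parser must distrust. */
void build_test_image(uint8_t *buf, uint32_t num_rva, uint32_t export_rva,
                      uint32_t export_size, uint32_t nfuncs)
{
    memset(buf, 0, TEST_IMG_LEN);
    memcpy(buf, "MZ", 2);
    wr32(buf + 0x3c, 0x40);                 /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr16(buf + 0x40 + 4 + 16, 0xE0);        /* SizeOfOptionalHeader: PE32 + 16 dirs */
    wr16(buf + 0x58, 0x10b);                /* PE32 magic */
    wr32(buf + 0x58 + 92, num_rva);         /* NumberOfRvaAndSizes */
    wr32(buf + 0x58 + 96, export_rva);      /* DataDirectory[0].VirtualAddress */
    wr32(buf + 0x58 + 100, export_size);    /* DataDirectory[0].Size */
    wr32(buf + 0x200 + 20, nfuncs);         /* NumberOfFunctions */
    wr32(buf + 0x200 + 24, 4);              /* NumberOfNames */
    wr32(buf + 0x200 + 28, 0x240);          /* AddressOfFunctions */
    wr32(buf + 0x200 + 32, 0x260);          /* AddressOfNames */
    wr32(buf + 0x200 + 36, 0x280);          /* AddressOfNameOrdinals */
}

/* Build one image and report what pe_check_exports says about its first `len` bytes. */
int run_case(uint32_t num_rva, uint32_t export_rva, uint32_t export_size,
             uint32_t nfuncs, size_t len)
{
    uint8_t img[TEST_IMG_LEN];
    build_test_image(img, num_rva, export_rva, export_size, nfuncs);
    return pe_check_exports(img, len);
}

int main(void)
{
    printf("well-formed: %d\n", run_case(16, 0x200, 40, 8, TEST_IMG_LEN));
    printf("NumberOfRvaAndSizes=0x1000: %d\n", run_case(0x1000, 0x200, 40, 8, TEST_IMG_LEN));
    printf("export dir past end: %d\n", run_case(16, 0x2F0, 40, 8, TEST_IMG_LEN));
    return 0;
}
```

Each check compares an offset plus a length against the buffer length before the read, and the multiplications on entry counts are done in 64 bits; the case that most often goes wrong in practice is the one the test covers with a count of 0xFFFFFFFF, which wraps to a small value in 32-bit arithmetic.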
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #13 from cvs-commit at gcc dot gnu.org ---

[Same automated notification as comment #10 on bug 17510 above: commit b2f93c5011cab00f31669363577b938697752e43 pushed to binutils-2_25-branch.]
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #14 from Nick Clifton ---

Hi Mike,

> for each of the crash fixes, could you post them to the 2.25 branch ?

Done. :-)

Cheers
Nick
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #15 from Nick Clifton ---

Hi Hanno,

> It's a bit confusing. When I patch binutils 2.24 with attachment 7855
> (and a bunch of other crash fixes for the other issues) then I can
> still reproduce the crash with objdump-pe-crasher (please note that this
> only appears with objdump -x).
>
> However if I take binutils git head code I can't reproduce it any more.

Ah - my bad then - I must have fixed something else and forgotten to include it in the uploaded patch. Silly me. Still at least the mainline code works now.

Cheers
Nick

> (please also note that the stackoverflow sample from bug #17510 still
> crashes strings/objdump/nm on git head code)

This should be fixed now...
[Bug binutils/16825] bfd/versados.c: Multiple failures to validate user input
https://sourceware.org/bugzilla/show_bug.cgi?id=16825

Nick Clifton changed:
           What    |Removed |Added
                 CC|        |nickc at redhat dot com

--- Comment #1 from Nick Clifton ---

Created attachment 7856
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7856&action=edit
Proposed patch
[Bug binutils/16825] bfd/versados.c: Multiple failures to validate user input
https://sourceware.org/bugzilla/show_bug.cgi?id=16825

Nick Clifton changed:
           What    |Removed |Added
             Status|NEW     |ASSIGNED

--- Comment #2 from Nick Clifton ---

Hi Klemensbaum,

Please could you try out the uploaded patch and let me know if it resolves the issues for you?

Cheers
Nick
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

Alexander Cherepanov changed:
           What    |Removed |Added
                 CC|        |cherepan at mccme dot ru

--- Comment #16 from Alexander Cherepanov ---

Created attachment 7857
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7857&action=edit
another crasher for objdump -x

Seems to be different from the previous crasher. Sorry, I cannot test git head right now so I cannot be sure it's not yet fixed.
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #17 from Hanno Boeck ---

Okay, things are getting a little bit complicated, but here are my test results:

objdump-pe-crasher2 gives a heap overflow on latest git head with address sanitizer enabled (will attach symbolized output / trace).

For the other samples individually they all are now fine. However if I pass both objdump-elf-crasher and strings-bfd-badfree to objdump -x asan reports a use-after-free:

objdump -x objdump-elf-crasher strings-bfd-badfree
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #18 from Hanno Boeck ---

Created attachment 7858
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7858&action=edit
address sanitizer trace on objdump-pe-crasher2
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #19 from Hanno Boeck ---

Created attachment 7859
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7859&action=edit
address sanitizer trace on objdump-elf-crasher AND strings-bfd-badfree
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #20 from cvs-commit at gcc dot gnu.org ---

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 (commit)
      from  1df4399f27f8ee817d8eb4c73bba42bb65844303 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5a4b0ccc20ba30caef53b01bee2c0aaa5b855339

commit 5a4b0ccc20ba30caef53b01bee2c0aaa5b855339
Author: Nick Clifton
Date:   Tue Oct 28 15:42:56 2014 +

    More fixes for corrupt binaries crashing the binutils.

        PR binutils/17512
        * elf.c (bfd_section_from_shdr): Allocate and free the recursion detection table on a per-bfd basis.
        * peXXigen.c (pe_print_edata): Handle binaries with a truncated export table.

---
Summary of changes:
 bfd/ChangeLog  |  8
 bfd/elf.c      | 16 +---
 bfd/peXXigen.c |  9 +
 3 files changed, 30 insertions(+), 3 deletions(-)
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #21 from Nick Clifton ---

Hi Hanno,

Please try the latest git head, which should address both of the problems detected by the address sanitizer.

Cheers
Nick
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #22 from cvs-commit at gcc dot gnu.org ---

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, binutils-2_25-branch has been updated
       via  acafeb6056bec47d7211cf462a7c211a8c95cf42 (commit)
      from  cc8536de0fb8f40587cf99dad9460237ce9af7a7 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=acafeb6056bec47d7211cf462a7c211a8c95cf42

commit acafeb6056bec47d7211cf462a7c211a8c95cf42
Author: Nick Clifton
Date:   Tue Oct 28 15:47:13 2014 +

    Fixes another couple of memory errors reading corrupt binaries. This time detected by the address sanitizer.

        PR binutils/17512
        * elf.c (bfd_section_from_shdr): Allocate and free the recursion detection table on a per-bfd basis.
        * peXXigen.c (pe_print_edata): Handle binaries with a truncated export table.

---
Summary of changes:
 bfd/ChangeLog  |  7 +++
 bfd/elf.c      | 16 +---
 bfd/peXXigen.c |  9 +
 3 files changed, 29 insertions(+), 3 deletions(-)
[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #23 from Hanno Boeck ---

The objdump-pe-crasher2 issue is fixed, the use-after-free (when running strings or objdump -x on objdump-elf-crasher and strings-bfd-badfree at the same time) is still there.
Broken message (extraction) in binutils 2.24.90
In readelf.c, in the macro CHECK_ENTSIZE_VALUES, there is this code

    error (_("Section %d has invalid sh_entsize of %" BFD_VMA_FMT "x\n"), \
           i, section->sh_entsize); \

When extracting message strings from this code, only the first part will be extracted:

    msgid "Section %d has invalid sh_entsize of %"

Obviously, that isn't the string that will be sent to the function, and thus, any translations of this message will be ignored.

A similar problem reappears later in the same file in dynamic_section_mips_val:

    printf (_(""), entry->d_un.d_ptr);

    msgid "