[Bug binutils/15135] c++filt: problem demangling _ZN3foocvPT_I3barEEv
https://sourceware.org/bugzilla/show_bug.cgi?id=15135

Marcel Böhme changed:
           What    |Removed                     |Added
                 CC|                            |boehme.marcel at gmail dot com

--- Comment #1 from Marcel Böhme ---
Confirmed fixed in trunk.

--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug binutils/11436] c++filt does not support the C++0x lambdas of GCC 4.5
https://sourceware.org/bugzilla/show_bug.cgi?id=11436

Marcel Böhme changed:
           What    |Removed                     |Added
                 CC|                            |boehme.marcel at gmail dot com

--- Comment #3 from Marcel Böhme ---
Confirmed fixed in trunk.
[Bug binutils/18895] segfault in cxxfilt in d_unqualified_name () at ./cp-demangle.c:1547
https://sourceware.org/bugzilla/show_bug.cgi?id=18895

Marcel Böhme changed:
           What    |Removed                     |Added
                 CC|                            |boehme.marcel at gmail dot com

--- Comment #3 from Marcel Böhme ---
Confirmed fixed in trunk.
[Bug binutils/20891] New: Segfault in addr2line
https://sourceware.org/bugzilla/show_bug.cgi?id=20891

            Bug ID: 20891
           Summary: Segfault in addr2line
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Dear all,

Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, we found an input causing addr2line to crash. Valgrind says that it is an invalid write.

The bug was found on Ubuntu 14.04 & binutils was checked out from the https://github.com/bminor/binutils-gdb repository. Its commit is 268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016).

To reproduce:

    printf "\x0b\x01\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\x30\x30\x30\x30\x1c\x00\x00\x00\x30\x30\x30\x30\x00\x00\x00\x00\x00\x01\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x64\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x64\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x1b\x01\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30" > fd
    addr2line s -e fd

ASAN says:

    ASAN:DEADLYSIGNAL
    ==47318==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x7f7e6ee49029 bp 0x sp 0x7ffe86e5a8b0 T0)
        #0 0x7f7e6ee49028 in __vsprintf_chk (/lib/x86_64-linux-gnu/libc.so.6+0x109028)
        #1 0x7f7e6ee48f7c in __sprintf_chk (/lib/x86_64-linux-gnu/libc.so.6+0x108f7c)
        #2 0x5515c9 in sprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
        #3 0x5515c9 in aout_32_find_nearest_line ../../bfd/aoutx.h:2814
        #4 0x40cb9d in find_address_in_section ../../binutils/addr2line.c:187
        #5 0x42186f in bfd_map_over_sections ../../bfd/section.c:1395
        #6 0x40b19a in translate_addresses ../../binutils/addr2line.c:265
        #7 0x40b19a in process_file ../../binutils/addr2line.c:402
        #8 0x40b19a in main ../../binutils/addr2line.c:509
        #9 0x7f7e6ed61f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #10 0x40c806 (/home/ubuntu/subjects/binutils-asan/obj-asan/binutils/addr2line+0x40c806)

    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x109028) in __vsprintf_chk
    ==47318==ABORTING

Valgrind says:

    ==46463== Invalid write of size 1
    ==46463==    at 0x5144029: __vsprintf_chk (vsprintf_chk.c:86)
    ==46463==    by 0x5143F7C: __sprintf_chk (sprintf_chk.c:31)
    ==46463==    by 0x638930: sprintf (stdio2.h:33)
    ==46463==    by 0x638930: aout_32_find_nearest_line (aoutx.h:2814)
    ==46463==    by 0x40762C: find_address_in_section (addr2line.c:187)
    ==46463==    by 0x43D55B: bfd_map_over_sections (section.c:1395)
    ==46463==    by 0x405F12: translate_addresses (addr2line.c:265)
    ==46463==    by 0x405F12: process_file (addr2line.c:402)
    ==46463==    by 0x405F12: main (addr2line.c:509)
    ==46463==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
    ==46463==
    ==46463==
[Bug binutils/20892] New: Segfault in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=20892

            Bug ID: 20892
           Summary: Segfault in objdump
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Dear all,

Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, we found an input causing objdump to crash. Valgrind says that it is an invalid write.

The bug was found on Ubuntu 14.04 & binutils was checked out from the https://github.com/bminor/binutils-gdb repository. Its commit is 268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016).

To reproduce:

    printf "\x07\x01\x00\x30\x04\x00\x00\x00\x1a\x00\x00\x00\x30\x30\x30\x30\x0d\x00\x00\x00\x30\x30\x30\x30\x04\x00\x00\x00\x40\x00\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x24\x30\x30\x30\x30\x30\x30\x30\x30\x04\x00\x00\x00" > fd
    objdump -x -l fd

ASAN says:

    ../../bfd/aoutx.h:2832:11: runtime error: store to null pointer of type 'char'

Valgrind says:

    ==52909== Invalid write of size 1
    ==52909==    at 0x7F8349: aout_32_find_nearest_line (aoutx.h:2832)
    ==52909==    by 0x41C8A9: dump_reloc_set (objdump.c:3162)
    ==52909==    by 0x41E502: dump_relocs_in_section (objdump.c:3328)
    ==52909==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==52909==    by 0x422A9E: dump_relocs (objdump.c:3337)
    ==52909==    by 0x422A9E: dump_bfd (objdump.c:3463)
    ==52909==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==52909==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==52909==    by 0x40CFC9: display_file (objdump.c:3636)
    ==52909==    by 0x40CFC9: main (objdump.c:3919)
    ==52909==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
    ==52909==
    ==52909==
    ==52909== Process terminating with default action of signal 11 (SIGSEGV)
    ==52909==  Access not within mapped region at address 0x0
    ==52909==    at 0x7F8349: aout_32_find_nearest_line (aoutx.h:2832)
    ==52909==    by 0x41C8A9: dump_reloc_set (objdump.c:3162)
    ==52909==    by 0x41E502: dump_relocs_in_section (objdump.c:3328)
    ==52909==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==52909==    by 0x422A9E: dump_relocs (objdump.c:3337)
    ==52909==    by 0x422A9E: dump_bfd (objdump.c:3463)
    ==52909==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==52909==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==52909==    by 0x40CFC9: display_file (objdump.c:3636)
    ==52909==    by 0x40CFC9: main (objdump.c:3919)
[Bug binutils/20893] New: Sigabrt in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=20893

            Bug ID: 20893
           Summary: Sigabrt in objdump
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: thuanpv at comp dot nus.edu.sg
  Target Milestone: ---

Dear all,

Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, we found an input causing objdump to crash.

The bug was found on Ubuntu 14.04 & binutils was checked out from the https://github.com/bminor/binutils-gdb repository. Its commit is 268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016).

To reproduce:

    printf "\x0b\x01\x00\x30\x30\x30\x30\x00\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x62\xe3\x65\x30\x20" > fd
    objdump -D fd

OR

    objdump -d fd

ASAN says:

    ../../binutils/objdump.c:2274:3: runtime error: null pointer passed as argument 2, which is declared to never be null
    Signal 1

Valgrind says:

    ==53754== Conditional jump or move depends on uninitialised value(s)
    ==53754==    at 0x5A97AD: get_valid_dis386 (i386-dis.c:12916)
    ==53754==    by 0x5A97AD: print_insn (i386-dis.c:13239)
    ==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
    ==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
    ==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==53754==    by 0x418307: disassemble_data (objdump.c:2375)
    ==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
    ==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==53754==    by 0x40CFC9: display_file (objdump.c:3636)
    ==53754==    by 0x40CFC9: main (objdump.c:3919)
    ==53754==
    ==53754== Conditional jump or move depends on uninitialised value(s)
    ==53754==    at 0x58E4AF: get_sib (i386-dis.c:12957)
    ==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
    ==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
    ==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
    ==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==53754==    by 0x418307: disassemble_data (objdump.c:2375)
    ==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
    ==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==53754==    by 0x40CFC9: display_file (objdump.c:3636)
    ==53754==    by 0x40CFC9: main (objdump.c:3919)
    ==53754==
    ==53754== Conditional jump or move depends on uninitialised value(s)
    ==53754==    at 0x58E4F7: get_sib (i386-dis.c:12958)
    ==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
    ==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
    ==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
    ==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==53754==    by 0x418307: disassemble_data (objdump.c:2375)
    ==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
    ==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==53754==    by 0x40CFC9: display_file (objdump.c:3636)
    ==53754==    by 0x40CFC9: main (objdump.c:3919)
    ==53754==
    ==53754== Use of uninitialised value of size 8
    ==53754==    at 0x5858E6: stpcpy (string3.h:111)
    ==53754==    by 0x5858E6: oappend (i386-dis.c:14387)
    ==53754==    by 0x5858E6: OP_XMM (i386-dis.c:16241)
    ==53754==    by 0x5A8A90: print_insn (i386-dis.c:13248)
    ==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
    ==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
    ==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==53754==    by 0x418307: disassemble_data (objdump.c:2375)
    ==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
    ==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==53754==    by 0x40CFC9: display_file (objdump.c:3636)
    ==53754==    by 0x40CFC9: main (objdump.c:3919)
[Bug binutils/20891] Segfault in addr2line
https://sourceware.org/bugzilla/show_bug.cgi?id=20891

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=50455f1ab2935f7321215dfa681745c9b1cb5b19

commit 50455f1ab2935f7321215dfa681745c9b1cb5b19
Author: Nick Clifton
Date:   Thu Dec 1 10:15:07 2016 +

    Fix seg-fault running addr2line on a corrupt binary.

    PR binutils/20891
    * aoutx.h (find_nearest_line): Handle the case where the main file name and the directory name are both empty.
[Bug binutils/20891] Segfault in addr2line
https://sourceware.org/bugzilla/show_bug.cgi?id=20891

Nick Clifton changed:
           What    |Removed                     |Added
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |nickc at redhat dot com
         Resolution|---                         |FIXED

--- Comment #2 from Nick Clifton ---
Hi Thuan,

Thanks for reporting this problem. I have checked in a small patch which fixes the bug.

Cheers
Nick
[Bug ld/20895] New: AS: Assertion violation when resolving symbol data
https://sourceware.org/bugzilla/show_bug.cgi?id=20895

            Bug ID: 20895
           Summary: AS: Assertion violation when resolving symbol data
           Product: binutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The assembler 'as' in Binutils trunk reports an internal error for the following execution. The bug was found with AFLFast, a fork of AFL. Thanks also to Van-Thuan Pham.

How to reproduce:

    printf "\x82\x30\x30\x30\x30\x30\x30\x30\x30\x00\x4b\x3d\x3d\x4b\x3d\x3d\x55\x00\x00\x80\x30\x20\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\xff\x30\x00\x00\x8f\x00\x00\x00\x00\x00\xbf\x30\x30\x30\x00\x3d\x30\x00\xff\x30\x30\x00\x4b\x3d\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x8f\x00\x00\x00\x00\x00\xbf\x30\x30\x30\x00\x3d\x30\x00\xff\x30\x30\x00\x4b\x30\x3d\xbd\x3d\x00\x00\x4b\x3d\x3d\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x40" > a
    $ as a
    ...
    a: Internal error, aborting at ../../gas/symbols.c:1432 in resolve_symbol_value
    Please report this bug.

The assertion violation was confirmed for trunk and v2.26.1 but not for v2.24.

Best regards,
- Marcel
[Bug binutils/20893] Sigabrt in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=20893

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a37a2806e3289294ed214aed3c8a45db46026b39

commit a37a2806e3289294ed214aed3c8a45db46026b39
Author: Nick Clifton
Date:   Thu Dec 1 10:26:32 2016 +

    Fix abort in x86 disassembler.

    PR binutils/20893
    * i386-dis.c (OP_VEX): Replace call to abort with an append of a bad opcode designator.
[Bug binutils/20893] Sigabrt in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=20893

Nick Clifton changed:
           What    |Removed                     |Added
                 CC|                            |nickc at redhat dot com

--- Comment #2 from Nick Clifton ---
Hi Thuan,

I am unable to reproduce this problem as you reported it. :-(

> binutils was checked out from

How were the binutils configured ?

> Its commit is 268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e
> (Fri Nov 18 14:15:12 2016

Would you mind trying a more recent version ? It is possible that this bug has already been fixed.

> To reproduce:

For me the reproducer triggers an abort() in the x86 disassembler, but it does not incite any reports from the address sanitizer. I have checked in a patch to replace the call to abort with an error return so, for me at least, your test program disassembles without triggering any faults.

Cheers
Nick
[Bug ld/20895] AS: Assertion violation when resolving symbol data
https://sourceware.org/bugzilla/show_bug.cgi?id=20895

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6d6ad65b43efa17a825702297331fcb290445a18

commit 6d6ad65b43efa17a825702297331fcb290445a18
Author: Nick Clifton
Date:   Thu Dec 1 10:38:40 2016 +

    Fix ICE in assembler when passed a corrupt input file.

    PR gas/20895
    * symbols.c (resolve_symbol_value): Gracefully handle erroneous symbolic expressions.
[Bug gold/20878] gold powerpc64 le linux fails to link large Linux kernel
https://sourceware.org/bugzilla/show_bug.cgi?id=20878

--- Comment #3 from npiggin at gmail dot com ---
The files are too large to attach here. I've uploaded to:

    fs.ozlabs.ibm.com/~npiggin/binutils-pr20878.tar.xz

(IBM-internal, apologies to others)

You'll want to unpack that inside a new directory. Then within that directory run:

    ld -EL -m elf64lppc -Bstatic --build-id -X -o vmlinux -T ./arch/powerpc/kernel/vmlinux.lds --whole-archive built-in.o .tmp_kallsyms4.o
[Bug ld/20895] AS: Assertion violation when resolving symbol data
https://sourceware.org/bugzilla/show_bug.cgi?id=20895

Nick Clifton changed:
           What    |Removed                     |Added
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |nickc at redhat dot com
         Resolution|---                         |FIXED

--- Comment #2 from Nick Clifton ---
Hi Marcel (and Van-Thuan)

Thanks for reporting this bug. I have checked in a small patch to the assembler which replaces the call to abort (which results in the internal error message) with a more helpful error message.

Cheers
Nick

PS. For future reference it helps if you can tell us the target architecture for which you built the assembler (or other binutils)...
[Bug binutils/20892] Segfault in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=20892

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e82ab856bb4689330c29fb9f1c57a8555b26380e

commit e82ab856bb4689330c29fb9f1c57a8555b26380e
Author: Nick Clifton
Date:   Thu Dec 1 10:49:39 2016 +

    Fix a seg-fault disassembling a corrupt binary.

    PR binutils/20892
    * aoutx.h (find_nearest_line): Handle the case where the function name is empty.
[Bug binutils/20892] Segfault in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=20892

Nick Clifton changed:
           What    |Removed                     |Added
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |nickc at redhat dot com
         Resolution|---                         |FIXED

--- Comment #2 from Nick Clifton ---
Hi Thuan,

Thanks for reporting this bug. I have checked in a small patch that adds a check for a NULL buffer pointer and then responds appropriately.

Cheers
Nick
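Both PR 20891 and PR 20892 above are the same shape of defect: aout_32_find_nearest_line formats names taken from the object file into a buffer, and a corrupt file that makes those names empty leaves the destination pointer NULL, so the sprintf (or the single-character store) lands at address 0x0. The listing below is an added illustration of that pattern and of the check the fixes describe; it is constructed for this digest, not bfd's aoutx.h code, and the function names (build_location_unchecked, build_location_checked, location_or_placeholder) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration (not bfd code) of the NULL-buffer write behind
 * PR 20891 / PR 20892.  The "names" come from an untrusted object file, so
 * the defensive code must assume any of them can be missing or empty.
 */

/* Vulnerable shape: the buffer is allocated only when there is something
   to print, but the sprintf runs unconditionally.  With dir == "" and
   file == "" the destination is NULL, i.e. the write at 0x0 in the report.
   Kept here for comparison; never call it with two empty names.  */
static char *build_location_unchecked(const char *dir, const char *file)
{
    size_t len = strlen(dir) + strlen(file);
    char *buf = NULL;

    if (len != 0)
        buf = malloc(len + 1);
    sprintf(buf, "%s%s", dir, file);   /* buf may be NULL here */
    return buf;
}

/* Hardened shape: missing or empty names mean "no location", the
   allocation is checked, and the formatter is bounded.  Returns a heap
   string the caller frees, or NULL when there is nothing to report.  */
static char *build_location_checked(const char *dir, const char *file)
{
    size_t len;
    char *buf;
    int n;

    if (dir == NULL)
        dir = "";
    if (file == NULL)
        file = "";
    if (*dir == '\0' && *file == '\0')
        return NULL;                    /* the case the fixes add */

    len = strlen(dir) + strlen(file) + 1;   /* room for the terminator */
    buf = malloc(len);
    if (buf == NULL)
        return NULL;                    /* allocation failure is not fatal */

    n = snprintf(buf, len, "%s%s", dir, file);
    if (n < 0 || (size_t)n >= len) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* What the front end prints when the lookup produced nothing; "??" is the
   placeholder addr2line uses for an unknown file or function.  */
static const char *location_or_placeholder(const char *loc)
{
    return loc != NULL ? loc : "??";
}

int main(void)
{
    /* Constructed inputs: an ordinary pair of names, and the all-empty
       pair a corrupt a.out symbol table can yield.  */
    const char *cases[][2] = { { "src/", "main.c" }, { "", "" } };
    size_t i;
    char *ok;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char *loc = build_location_checked(cases[i][0], cases[i][1]);
        printf("dir=\"%s\" file=\"%s\" -> %s\n",
               cases[i][0], cases[i][1], location_or_placeholder(loc));
        free(loc);
    }

    /* The unchecked version is fine as long as a name is present.  */
    ok = build_location_unchecked("src/", "main.c");
    printf("unchecked, non-empty input -> %s\n", ok);
    free(ok);
    return 0;
}
```

Running it prints "src/main.c" for the first case and "??" for the all-empty case; feeding the all-empty case to build_location_unchecked instead would reproduce the NULL write that AddressSanitizer and Valgrind flagged above.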
[Bug ld/16720] wrong overflow check in R_MIPS_HI16
https://sourceware.org/bugzilla/show_bug.cgi?id=16720

--- Comment #4 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=40a0bfddf07620f5321927b3231502debb3b73bc

commit 40a0bfddf07620f5321927b3231502debb3b73bc
Author: Ma Jiang
Date:   Thu Dec 1 12:21:30 2016 +

    Fix handling of MIPS16 HI16 relocs.

    PR ld/16720
    * elfxx-mips.c (mips_elf_calculate_relocation): Remove overflow test for HI16 relocs.
[Bug ld/16720] wrong overflow check in R_MIPS_HI16
https://sourceware.org/bugzilla/show_bug.cgi?id=16720

Nick Clifton changed:
           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Nick Clifton ---
Hi Ma,

Sorry for the delay in reviewing this PR. I agree with your analysis, so I have gone ahead and checked in your suggested patch. Thanks very much for creating it!

Cheers
Nick
[Bug ld/20868] ld relaxes TLS access erroneously for aarch64 in ilp32 mode
https://sourceware.org/bugzilla/show_bug.cgi?id=20868

--- Comment #5 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5cd1d8bcc24e948e86a636161e6d72f6316545a7

commit 5cd1d8bcc24e948e86a636161e6d72f6316545a7
Author: Yury Norov
Date:   Thu Dec 1 12:31:51 2016 +

    Fix accesses to the GOT for AARCH64 operating in 32-bit mode.

    PR ld/20868
    bfd
    * elfnn-aarch64.c (elfNN_aarch64_tls_relax): Use 32-bit accesses to the GOT when operating in 32-bit mode.
    ld
    * testsuite/ld-aarch64/tls-relax-gd-ie-ilp32.d: New test.
    * testsuite/ld-aarch64/relocs-ilp32.ld: Linker script for the new test.
    * testsuite/ld-aarch64/aarch64-elf.exp: Run the new test.
[Bug ld/20868] ld relaxes TLS access erroneously for aarch64 in ilp32 mode
https://sourceware.org/bugzilla/show_bug.cgi?id=20868

Nick Clifton changed:
           What    |Removed                     |Added
             Status|ASSIGNED                    |RESOLVED
                 CC|                            |nickc at redhat dot com
         Resolution|---                         |FIXED

--- Comment #6 from Nick Clifton ---
Patch applied.
[Bug gas/20896] New: AS: Buffer Overflow when expanding .irp directives
https://sourceware.org/bugzilla/show_bug.cgi?id=20896

            Bug ID: 20896
           Summary: AS: Buffer Overflow when expanding .irp directives
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gas
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The assembler crashes for the following execution:

    $ printf ".irp\n0;#000\"00\n" > test
    $ ./as test

On trunk, Ubuntu 14.04 x86_64:

    test:2: Internal error!
    Assertion failure in ignore_rest_of_line at read.c:3758.
    Please report this bug.

On Binutils v2.26.1, Ubuntu 16.04 x86_64: Segmentation Fault

On Binutils v2.24, Ubuntu 14.04 x86_64: No problems.

ASAN says:

    ==123173==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0a5b0 at pc 0x0046f678 bp 0x7fff7ce8b410 sp 0x7fff7ce8b408
    READ of size 1 at 0x60b0a5b0 thread T0
        #0 0x46f677 in next_char_of_string ../../gas/read.c:5533
        #1 0x470580 in demand_copy_string ../../gas/read.c:5741
        #2 0x463001 in s_app_line ../../gas/read.c:2039
        #3 0x44ecd3 in buffer_and_nest ../../gas/macro.c:231
        #4 0x45a0fd in expand_irp ../../gas/macro.c:1323
        #5 0x4645a0 in s_irp ../../gas/read.c:2366
        #6 0x45f518 in read_a_source_file ../../gas/read.c:1146
        #7 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
        #8 0x40c86c in main ../../gas/as.c:1296
        #9 0x7f2c353bff44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #10 0x403858 (/home/ubuntu/subjects/binutils-gdb/obj-asan/gas/as-new+0x403858)

    0x60b0a5b0 is located 0 bytes to the right of 112-byte region [0x60b0a540,0x60b0a5b0)
    allocated by thread T0 here:
        #0 0x7f2c36740710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
        #1 0x928e38 in xrealloc ../../libiberty/xmalloc.c:180
        #2 0x473fa1 in sb_check ../../gas/sb.c:150
        #3 0x47436d in sb_add_buffer ../../gas/sb.c:187
        #4 0x4656a6 in get_line_sb ../../gas/read.c:2658
        #5 0x465730 in get_non_macro_line_sb ../../gas/read.c:2672
        #6 0x44ee8f in buffer_and_nest ../../gas/macro.c:241
        #7 0x45a0fd in expand_irp ../../gas/macro.c:1323
        #8 0x4645a0 in s_irp ../../gas/read.c:2366
        #9 0x45f518 in read_a_source_file ../../gas/read.c:1146
        #10 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
        #11 0x40c86c in main ../../gas/as.c:1296
        #12 0x7f2c353bff44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../gas/read.c:5533 in next_char_of_string

Valgrind reports several reads of size 1:

    ==123176== Invalid read of size 1
    ==123176==    at 0x4CEB0F: next_char_of_string (read.c:5533)
    ==123176==    by 0x4CEB0F: demand_copy_string (read.c:5741)
    ==123176==    by 0x4D1B89: s_app_line (read.c:2039)
    ==123176==    by 0x470328: buffer_and_nest (macro.c:231)
    ==123176==    by 0x4755D3: expand_irp (macro.c:1323)
    ==123176==    by 0x482DE4: s_irp (read.c:2366)
    ==123176==    by 0x4B5BAF: read_a_source_file (read.c:1146)
    ==123176==    by 0x407ED1: perform_an_assembly_pass (as.c:1172)
    ==123176==    by 0x407ED1: main (as.c:1296)
    ...
    ==123176== Invalid read of size 1
    ==123176==    at 0x4D1BE7: get_linefile_number (read.c:1985)
    ==123176==    by 0x4D1BE7: s_app_line (read.c:2045)
    ==123176==    by 0x470328: buffer_and_nest (macro.c:231)
    ==123176==    by 0x4755D3: expand_irp (macro.c:1323)
    ==123176==    by 0x482DE4: s_irp (read.c:2366)
    ==123176==    by 0x4B5BAF: read_a_source_file (read.c:1146)
    ==123176==    by 0x407ED1: perform_an_assembly_pass (as.c:1172)
    ==123176==    by 0x407ED1: main (as.c:1296)
    ==123176==  Address 0x57ebf12 is 30 bytes before a block of size 74,304 in arena "client"
    ==123176==
    ==123176== Invalid read of size 1
    ==123176==    at 0x4D0C3B: ignore_rest_of_line (read.c:3758)
    ==123176==    by 0x4D0C3B: s_app_line (read.c:2098)
    ==123176==    by 0x470328: buffer_and_nest (macro.c:231)
    ==123176==    by 0x4755D3: expand_irp (macro.c:1323)
    ==123176==    by 0x482DE4: s_irp (read.c:2366)
    ==123176==    by 0x4B5BAF: read_a_source_file (read.c:1146)
    ==123176==    by 0x407ED1: perform_an_assembly_pass (as.c:1172)
    ==123176==    by 0x407ED1: main (as.c:1296)
    ==123176==  Address 0x57ebf12 is 30 bytes before a block of size 74,304 in arena "client"

Best regards,
- Marcel
[Bug gas/20897] New: AS: dumping stats in folder leads to a crash
https://sourceware.org/bugzilla/show_bug.cgi?id=20897

            Bug ID: 20897
           Summary: AS: dumping stats in folder leads to a crash
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gas
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The assembler crashes for the following execution on Ubuntu 16.04 x86_64 and 14.04 x86_64 for Binutils v2.24, v2.26.1, and trunk:

    $ touch a
    $ as --statistics -o/ a
    Assembler messages:
    Fatal error: can't create /: Is a directory
    as: total time in assembly: 0.00
    as: data size 135168
    frag chains:
    Segmentation fault

Valgrind says:

    ==121985== Invalid read of size 8
    ==121985==    at 0x4E2393: subsegs_print_statistics (subsegs.c:301)
    ==121985==    by 0x412394: dump_statistics (as.c:1058)
    ==121985==    by 0x9D7F71: xatexit_cleanup (xatexit.c:98)
    ==121985==    by 0x9D8C85: xexit (xexit.c:50)
    ==121985==    by 0x479EC1: as_fatal (messages.c:286)
    ==121985==    by 0x47B306: output_file_create (output-file.c:43)
    ==121985==    by 0x407BA7: main (as.c:1256)
    ==121985==  Address 0x90 is not stack'd, malloc'd or (recently) free'd

Best regards,
- Marcel
[Bug gas/20898] New: AS: Buffer Overflow when scrubing chars
https://sourceware.org/bugzilla/show_bug.cgi?id=20898

            Bug ID: 20898
           Summary: AS: Buffer Overflow when scrubing chars
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gas
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

There is a global buffer overflow (write of size 1) in the assembler for the following execution on Ubuntu 14.04 x86_64 for Binutils v2.26 and in trunk. Interestingly, it does not seg-fault on my machine.

    $ printf "/" > test
    $ ./as test

ASAN says:

    ==141249==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0143fdbf at pc 0x00407db7 bp 0x7ffd85bdacb0 sp 0x7ffd85bdaca8
    WRITE of size 1 at 0x0143fdbf thread T0
        #0 0x407db6 in do_scrub_chars ../../gas/app.c:1193
        #1 0x44351b in input_file_give_next_buffer ../../gas/input-file.c:243
        #2 0x444a05 in input_scrub_next_buffer ../../gas/input-scrub.c:356
        #3 0x460204 in read_a_source_file ../../gas/read.c:835
        #4 0x40c417 in perform_an_assembly_pass ../../gas/as.c:1172
        #5 0x40c86c in main ../../gas/as.c:1296
        #6 0x7fb7630e5f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #7 0x403858 (/home/ubuntu/subjects/binutils-gdb/obj-asan/gas/as-new+0x403858)

    0x0143fdbf is located 55 bytes to the right of global variable 'saved_input_len' defined in '../../gas/app.c:218:15' (0x143fd80) of size 8
    0x0143fdbf is located 1 bytes to the left of global variable 'input_buffer' defined in '../../gas/app.c:219:13' (0x143fdc0) of size 32768
    SUMMARY: AddressSanitizer: global-buffer-overflow ../../gas/app.c:1193 in do_scrub_chars

Valgrind does not complain.

Best regards,
- Marcel
[Bug binutils/20880] [LD] [Bug] Wrong Hint Value For ImportLib IDATA6
https://sourceware.org/bugzilla/show_bug.cgi?id=20880

--- Comment #3 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4ee1d7e401a8c1aedfdc86aac7faa8267eab1e5c

commit 4ee1d7e401a8c1aedfdc86aac7faa8267eab1e5c
Author: Rudy Y
Date:   Thu Dec 1 14:43:36 2016 +

    Fix generation of IDATA[6] for PE files.

    PR ld/20880
    * pe-dll.c (make_one): Use the hint if the ordinal is -1.
[Bug binutils/20880] [LD] [Bug] Wrong Hint Value For ImportLib IDATA6
https://sourceware.org/bugzilla/show_bug.cgi?id=20880

Nick Clifton changed:

           What    |Removed                     |Added
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |nickc at redhat dot com
         Resolution|---                         |FIXED

--- Comment #4 from Nick Clifton ---
Hi Rudy,

Thanks for the problem description and patch. I have now applied your suggested fix.

Cheers
Nick
[Bug gas/20896] AS: Buffer Overflow when expanding .irp directives
https://sourceware.org/bugzilla/show_bug.cgi?id=20896

Nick Clifton changed:

           What    |Removed                     |Added
                 CC|                            |nickc at redhat dot com
            Version|2.28 (HEAD)                 |2.26

--- Comment #1 from Nick Clifton ---
Hi Marcel,

I am sorry, but I cannot reproduce this problem. I was however using the 2.26.2 sources rather than 2.26.1. So possibly this is the reason. Would it be possible for you to retest using a more modern set of sources, and see if the problem persists?

Cheers
Nick
[Bug gas/20897] AS: dumping stats in folder leads to a crash
https://sourceware.org/bugzilla/show_bug.cgi?id=20897

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4cbd84083ea89e870526ed0c80d462084887ba6e

commit 4cbd84083ea89e870526ed0c80d462084887ba6e
Author: Nick Clifton
Date:   Thu Dec 1 15:02:45 2016 +

    Fix seg-fault printing assembler statistics when the output file was not created.

    PR gas/20897
    * subsegs.c (subsegs_print_statistics): Do nothing if no output file was created.
[Bug gas/20897] AS: dumping stats in folder leads to a crash
https://sourceware.org/bugzilla/show_bug.cgi?id=20897

Nick Clifton changed:

           What    |Removed                     |Added
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |nickc at redhat dot com
         Resolution|---                         |FIXED

--- Comment #2 from Nick Clifton ---
Hi Marcel,

Thanks for reporting this problem. I have checked in a small patch to fix the statistics dumper so that it checks to see if the output file was actually created before trying to emit information about it.

Cheers
Nick
[Bug gas/20896] AS: Buffer Overflow when expanding .irp directives
https://sourceware.org/bugzilla/show_bug.cgi?id=20896

--- Comment #2 from Marcel Böhme ---
Hi Nick,

I can reproduce on Ubuntu 16.04 x86_64 with most recent sources from Binutils trunk.

root@0168b58eac41:/binutils-gdb/obj-norm# printf ".irp\n0;#000\"00\n" > test
root@0168b58eac41:/binutils-gdb/obj-norm# gas/as-new test
test: Assembler messages:
test: Warning: end of file in string; '"' inserted
test:2: Warning: missing closing `"'
Segmentation fault
root@0168b58eac41:/binutils-gdb/obj-norm# uname -r
4.1.12-boot2docker

Best regards,
- Marcel
[Bug gas/20898] AS: Buffer Overflow when scrubbing chars
https://sourceware.org/bugzilla/show_bug.cgi?id=20898

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=69ace2200106348a1b00d509a6a234337c104c17

commit 69ace2200106348a1b00d509a6a234337c104c17
Author: Nick Clifton
Date:   Thu Dec 1 15:20:19 2016 +

    Fix seg fault attempting to unget an EOF character.

    PR gas/20898
    * app.c (do_scrub_chars): Do not attempt to unget EOF.
[Bug gas/20898] AS: Buffer Overflow when scrubbing chars
https://sourceware.org/bugzilla/show_bug.cgi?id=20898

Nick Clifton changed:

           What    |Removed                     |Added
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |nickc at redhat dot com
         Resolution|---                         |FIXED

--- Comment #2 from Nick Clifton ---
Hi Marcel,

Thanks for reporting this bug. I have checked in a small patch to stop the assembler from attempting to push an end-of-file value back into the input stream, which should fix the bug.

Cheers
Nick
[Bug binutils/20880] [LD] [Bug] Wrong Hint Value For ImportLib IDATA6
https://sourceware.org/bugzilla/show_bug.cgi?id=20880

--- Comment #5 from Rudy Y. ---
Nick... Thanks, but sorry, I wasn't online for a couple of days.

I don't know how, but that patch won't fix the problem. For the past couple of days I've still been looking at what makes ld generate different ordinals between the def file and the import lib, so that's why I didn't go online and didn't check my email until today (2016/12/01 GMT).

I used this command:

gcc -shared foo.c -Wl,--output-def,foo.def -Wl,--out-implib,foo.a -o foo.dll

It's possibly from "ld/pe-dll.c->generate_edata", since there is code in there that could lead the ordinal number to start from zero when min_ordinal = 1. But I didn't check further because I'm stressed out from testing and recompiling (a lot). So maybe you or someone else can check further, perhaps.

Thanks.

I'm replying to this since my bug report for that has gone.

On Thu, Dec 1, 2016 at 4:15 PM, nickc at redhat dot com wrote:
> https://sourceware.org/bugzilla/show_bug.cgi?id=20880
>
> Nick Clifton changed:
>
>            What    |Removed                     |Added
>              Status|UNCONFIRMED                 |RESOLVED
>                  CC|                            |nickc at redhat dot com
>          Resolution|---                         |FIXED
>
> --- Comment #4 from Nick Clifton ---
> Hi Rudy,
>
> Thanks for the problem description and patch. I have now applied your
> suggested fix.
>
> Cheers
> Nick
>
> --
> You are receiving this mail because:
> You reported the bug.
[Bug gold/20807] gold assertion failure on aarch64 branch target in SHF_MERGE rodata section: internal error in set_merged_symbol_value, at ../../binutils-2.27/gold/object.h:1718
https://sourceware.org/bugzilla/show_bug.cgi?id=20807

--- Comment #2 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Cary Coutant:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0f1254327820d7b3f67f873aa40e76679f067288

commit 0f1254327820d7b3f67f873aa40e76679f067288
Author: Cary Coutant
Date:   Thu Dec 1 12:50:21 2016 -0800

    Fix internal error when relaxing branches to STT_SECTION symbols.

    gold/
    PR gold/20807
    * aarch64.cc (Target_aarch64::scan_reloc_section_for_stubs): Handle section symbols correctly.
    * arm.cc (Target_arm): Likewise.
    * powerpc.cc (Target_powerpc): Likewise.
[Bug gold/20807] gold assertion failure on aarch64 branch target in SHF_MERGE rodata section: internal error in set_merged_symbol_value, at ../../binutils-2.27/gold/object.h:1718
https://sourceware.org/bugzilla/show_bug.cgi?id=20807

Cary Coutant changed:

           What    |Removed                     |Added
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Cary Coutant ---
The internal error is fixed on trunk. The test case will now produce an error that we cannot handle a branch into a merge section, which is (currently) expected behavior. If you need to be able to handle branches into a merge section during relaxation, please file a separate enhancement request.
[Bug gold/20870] free pascal requires INSERT AFTER linker script command
https://sourceware.org/bugzilla/show_bug.cgi?id=20870

Cary Coutant changed:

           What    |Removed                     |Added
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2016-12-01
            Summary|Cannot use gold linker      |free pascal requires INSERT
                   |together with free pascal   |AFTER linker script command
     Ever confirmed|0                           |1
           Severity|normal                      |enhancement

--- Comment #1 from Cary Coutant ---
Sorry, the gold linker does not support the use of a linker script to supplement the default script, and consequently does not support INSERT AFTER|BEFORE. Gold does not use a default linker script, so this is unlikely to be supported in the near future.

We could, however, incorporate the .fpcdata and .threadvar sections into gold's built-in section handling logic without too much difficulty. The rest of your script, without the SECTIONS clause and the INSERT AFTER command, should work without issue. Whether the work is worthwhile or not will probably depend on whether the Free Pascal project would want to deal with the differences between the two linkers.
[Bug gas/20649] [MIPS] Can't find matching LO16 reloc
https://sourceware.org/bugzilla/show_bug.cgi?id=20649

--- Comment #6 from Aurelien Jarno ---
(In reply to Maciej W. Rozycki from comment #5)
> Sure, the GNU GPL applies. Due to other commitments it'll take me a
> few days yet to get the test cases made, but I don't plan to change the
> code update itself any further, so any future merge from upstream
> Debian people will make should result in an easy to resolve "can be
> reverse-applied" result.
>
> NB I'm still waiting to have my Bugzilla permissions restored (there's
> been some confusion around it), which is why I wasn't able to update
> the status of this bug.

Ping. Do you think this can be merged now? Thanks.
[Bug gas/20649] [MIPS] Can't find matching LO16 reloc
https://sourceware.org/bugzilla/show_bug.cgi?id=20649

--- Comment #7 from Maciej W. Rozycki ---
I yet need to integrate the test case with the test suite, but please be assured this fix will make it to 2.28.
[Bug gold/18989] please enable --push-state / --pop-state for gold
https://sourceware.org/bugzilla/show_bug.cgi?id=18989

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Cary Coutant:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=376c3ecd17d0636bcf4e527c2e2ca2f94822fe64

commit 376c3ecd17d0636bcf4e527c2e2ca2f94822fe64
Author: Cary Coutant
Date:   Thu Dec 1 16:32:38 2016 -0800

    Implement --push-state/--pop-state.

    gold/
    PR gold/18989
    * options.cc (General_options::object_format_to_string): New function.
    (General_options::copy_from_posdep_options): New function.
    (General_options::parse_push_state): New function.
    (General_options::parse_pop_state): New function.
    * options.h (--push-state, --pop-state): New options.
    (General_options::object_format_to_string): New method.
    (General_options::set_incremental_disposition): New method.
    (General_options::copy_from_posdep_options): New method.
    (General_options::options_stack_): New data member.
[Bug gold/18989] please enable --push-state / --pop-state for gold
https://sourceware.org/bugzilla/show_bug.cgi?id=18989

Cary Coutant changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
           Severity|normal                      |enhancement

--- Comment #2 from Cary Coutant ---
Implemented on trunk.

Unlike Gnu ld, gold implements this as a true stack: push and pop may be nested to any depth.

The -r, -n, and -N options are listed in the Gnu linker manual among the saved options, but they are not position-dependent options, and have nothing to do with the treatment of input files. I have not included them in the list of options saved.

The position-dependent options saved by --push-state in gold are:

  --as-needed/--no-as-needed
  -Bdynamic/-Bstatic/-dy/-dn
  --format
  --whole-archive/--no-whole-archive
  --incremental-changed/-unchanged/-unknown
[Bug binutils/20893] Sigabrt in objdump
https://sourceware.org/bugzilla/show_bug.cgi?id=20893

--- Comment #3 from Thuan Pham ---
Hi Nick,

I have checked out the newest version of binutils and run the test case I reported. There is no abort anymore, so it should be fixed already.

Thanks,
Thuan
[Bug gas/20901] New: AS: Hangs
https://sourceware.org/bugzilla/show_bug.cgi?id=20901

Bug ID: 20901
Summary: AS: Hangs
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The assembler hangs for the following execution on Ubuntu 16.04 x86_64 and 14.04 x86_64 for Binutils v2.24, v2.26.1, and trunk:

$ printf "\x20\x00\x1a\x3b\x64\x63\x67\x67\x64\x67\x67\x67\x67\x67\x67\x67\x6c\xff\xfd\x40\xff\xff\xff\x80\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x00\xff\xe2\xff\xff\x7f\xe1\x00\x2e\x64\x53\x09\x34\x34\x34\x34\x34\x2a\x34\x34\x34\x35\x35\x35\x35\x35\x35\x38\x38\x35\x35\x35\x35\x35\x35\x35\x2c\x35\x35\x35\x35\x35\xff\xff\xff\x7f\x7e\x7e\x00\x00\x38\x38\x35\x00\x10\x35\x35\x35\x38\x38\x35\x35\x35\x35\x35\x35\x35\x35\x35\x35\x35\x2c\x35\x35\x35\x35\x35\xff\xff\xff\x7f\x7e\x7e\x00\x00\x38\x38\x35\x35\x35\x35\x03\xf8\x79\xff\x7f\x7e\x7e\x00\x00\x38\x38\x35\x35\x35\x35\x03\xf8\x79\x00\x00\x40\x0f\x00\x63\x00\x00\x17\x80\x00\x20\x00\x3d\x63\x03\x04\x1b\xff\xff\x10\xff\xff\x80\x00\x3d\x3d\x43\x25\x83\xff\xff\x8c\x09\x0f\x37" > a
$ ./as a
..

It slowly eats up the available memory. Couldn't determine whether this is actually an infinite loop or just a very long execution. Was unable to minimize the test case with this execution time.

STRACE reports repeated calls to brk:

...
brk(0x2705000) = 0x2705000
brk(0x2726000) = 0x2726000
brk(0x2747000) = 0x2747000
brk(0x2768000) = 0x2768000
brk(0x2789000) = 0x2789000
brk(0x27aa000) = 0x27aa000
...

ASAN reports a signed integer overflow:

../../gas/expr.c:1939:46: runtime error: signed integer overflow: 4 * 4445588555 cannot be represented in type 'long int'

Interrupting GDB at a random point during the execution gives:

(gdb) bt
#0 frag_more (nchars=2) at frags.c:208
#1 0x00498c8f in emit_expr_with_reloc (reloc=BFD_RELOC_NONE, nbytes=, exp=0x7fffe180) at read.c:4336
#2 emit_expr (nbytes=, exp=0x7fffe180) at read.c:4184
#3 s_space (mult=) at read.c:3401
#4 0x004b5bb0 in read_a_source_file (name=) at read.c:1146
#5 0x00407ed2 in perform_an_assembly_pass (argv=0xccef08, argc=) at as.c:1172
#6 main (argc=, argv=) at as.c:1296
(gdb) p *exp
$1 = {X_add_symbol = 0x0, X_op_symbol = 0x0, X_add_number = 5, X_op = O_constant, X_unsigned = 1, X_extrabit = 0, X_md = 63469}

Best regards,
- Marcel
[Bug gold/20834] ld.gold on armel hits internal error when using 64K page size
https://sourceware.org/bugzilla/show_bug.cgi?id=20834

--- Comment #5 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Cary Coutant:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=be2884c1ea9b96fdb04c6d244d9e7aa1b654a47a

commit be2884c1ea9b96fdb04c6d244d9e7aa1b654a47a
Author: Cary Coutant
Date:   Thu Dec 1 19:00:30 2016 -0800

    Fix problem causing internal error when -z max-page-size is used.

    If the default starting address is less than the new ABI page size, we end up misaligning the file header, causing an internal error.

    gold/
    PR gold/20834
    * target.h (Target::default_text_segment_address): Bump default start address up to ABI page size.
[Bug gas/20901] AS: Hangs
https://sourceware.org/bugzilla/show_bug.cgi?id=20901

--- Comment #1 from Marcel Böhme ---
It seems to be only a very long execution of the loop in line read.c:3401 of function s_space when exp->X_add_number is very large. Here is another reproducer without overflow and memory exhaustion:

$ printf ".ds 777,7" > test
$ ./as test
[Bug gold/20834] ld.gold on armel hits internal error when using 64K page size
https://sourceware.org/bugzilla/show_bug.cgi?id=20834

Cary Coutant changed:

           What    |Removed                     |Added
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Cary Coutant ---
Fixed on trunk.
[Bug gold/20717] --gc-sections fails to remove an unused orphan section if the last output section has a KEEP command.
https://sourceware.org/bugzilla/show_bug.cgi?id=20717

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Cary Coutant:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=397b8d2a9fb6651924c311f41b90cabeb3fc3ae9

commit 397b8d2a9fb6651924c311f41b90cabeb3fc3ae9
Author: Cary Coutant
Date:   Thu Dec 1 19:54:05 2016 -0800

    Fix problem where orphan section is treated as a KEEP section.

    gold/
    PR gold/20717
    * script-sections.cc (Script_sections): Set *keep to false when no match.
[Bug gold/20717] --gc-sections fails to remove an unused orphan section if the last output section has a KEEP command.
https://sourceware.org/bugzilla/show_bug.cgi?id=20717

Cary Coutant changed:

           What    |Removed                     |Added
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Cary Coutant ---
Fixed on trunk.
[Bug gas/20902] New: AS:Assertion Violation when ignoring characters after printing warning messages
https://sourceware.org/bugzilla/show_bug.cgi?id=20902

Bug ID: 20902
Summary: AS: Assertion Violation when ignoring characters after printing warning messages
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The assembler fails with an assertion violation for the following execution on Ubuntu 16.04 x86_64 and 14.04 x86_64 for Binutils v2.26.1 and trunk. It works fine for v2.24:

$ printf "#10\"\n\" " > test
$ ./as test
test: Assembler messages:
test:1: Warning: unterminated string; newline inserted
test:2: Warning: unterminated string; newline inserted
test:3: Internal error!
Assertion failure in ignore_rest_of_line at read.c:3758.
Please report this bug.

After printing a warning message, ignore_rest_of_line in read.c attempts to skip to the end of the line but finds no EOL.

Best regards,
- Marcel
[Bug gold/20512] Assertion failure with relocation against symbol #0
https://sourceware.org/bugzilla/show_bug.cgi?id=20512

Cary Coutant changed:

           What    |Removed                     |Added
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2016-12-02
     Ever confirmed|0                           |1
[Bug gold/13213] Gold does not support the BE-8 big-endian variant of the ARM architecture
https://sourceware.org/bugzilla/show_bug.cgi?id=13213

Cary Coutant changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
                 CC|                            |ccoutant at gmail dot com
         Resolution|---                         |FIXED
           Assignee|dougkwan at google dot com  |ccoutant at gmail dot com
           Severity|normal                      |enhancement

--- Comment #2 from Cary Coutant ---
Implemented on trunk:

https://sourceware.org/ml/binutils-cvs/2016-08/msg00142.html
[Bug ld/16720] wrong overflow check in R_MIPS_HI16
https://sourceware.org/bugzilla/show_bug.cgi?id=16720

ma.jiang at zte dot com.cn changed:

           What    |Removed                     |Added
             Status|RESOLVED                    |CLOSED

--- Comment #6 from ma.jiang at zte dot com.cn ---
(In reply to Nick Clifton from comment #5)
> Hi Ma,
>
> Sorry for the delay in reviewing this PR.
>
> I agree with your analysis, so I have gone ahead and checked in your
> suggested patch. Thanks very much for creating it!
>
> Cheers
> Nick

Hi Nick,

I'm happy to see this local patch go upstream. Thanks, I'll close the bug now.
[Bug gas/20904] New: AS: Assertion violation when handling whitespaces in expressions
https://sourceware.org/bugzilla/show_bug.cgi?id=20904

Bug ID: 20904
Summary: AS: Assertion violation when handling whitespaces in expressions
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The assembler fails with an assertion violation for the following execution on Ubuntu 16.04 x86_64 and 14.04 x86_64 for Binutils v2.26.1 and trunk. It works fine for v2.24:

$ printf "\"\x00.=&%%/ 0" > test
$ ./as test
test: Assembler messages:
test: Warning: end of file in string; '"' inserted
test:1: Warning: missing closing '"'
test:1: Error: expecting mnemonic; got nothing
test:1: Internal error!
Assertion failure in operand at expr.c:1375.
Please report this bug.

SKIP_WHITESPACE really skips only one space-character, so that the next character can indeed be another space-character.

Best regards,
- Marcel
[Bug binutils/20905] New: Heap buffer overflow in bfd/peicode.h
https://sourceware.org/bugzilla/show_bug.cgi?id=20905

Bug ID: 20905
Summary: Heap buffer overflow in bfd/peicode.h
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: thuanpv at comp dot nus.edu.sg
Target Milestone: ---

Dear all,

Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, with ASAN enabled we found a heap buffer overflow in bfd/peicode.h. The bug was found on Ubuntu 14.04 64-bit & binutils was checked out from https://github.com/bminor/binutils-gdb repository. Its commit is 268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016).

To reproduce:

printf "\x00\x00\xff\xff\x00\x00\x4c\x01\xfb\x5b\x89\x7a\x02\x00\x00\x00\x3a\x7a\x7a\x7a\x7a\x84\x7a\x7a\x7a\x7a\x7e\x5b\x01\x00\x5b\x09\x09\xe6\xff\x00\x00\x00\x7f\xff\x8b\xb3\x09\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x09\x00\x80\x24\x29\x41\x02\x00\x00\x99\x20\x02\x40" > fd
addr2line -e fd OR size @- fd OR strings -w -d fd

When we run "strings -w -d fd", ASAN says:

==139869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6211dce0 at pc 0x7f5482b026d3 bp 0x7ffd60c03920 sp 0x7ffd60c030d0
READ of size 4049 at 0x6211dce0 thread T0
    #0 0x7f5482b026d2 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c6d2)
    #1 0x560beb in pe_ILF_object_p ../../bfd/peicode.h:1272
    #2 0x560beb in pe_bfd_object_p ../../bfd/peicode.h:1407
    #3 0x41848c in bfd_check_format_matches ../../bfd/format.c:311
    #4 0x40b137 in strings_object_file ../../binutils/strings.c:411
    #5 0x40b137 in strings_file ../../binutils/strings.c:454
    #6 0x40b137 in main ../../binutils/strings.c:321
    #7 0x7f5481807f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #8 0x40c376 (/home/ubuntu/subjects/binutils-asan/obj-asan/binutils/strings+0x40c376)

0x6211dce0 is located 0 bytes to the right of 4064-byte region [0x6211cd00,0x6211dce0)
allocated by thread T0 here:
    #0 0x7f5482b883a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x671e38 in objalloc_create ../../libiberty/objalloc.c:95
    #2 0x41f61b in _bfd_new_bfd ../../bfd/opncls.c:73
    #3 0x41fb71 in bfd_fopen ../../bfd/opncls.c:199
    #4 0x40b122 in strings_object_file ../../binutils/strings.c:402
    #5 0x40b122 in strings_file ../../binutils/strings.c:454
    #6 0x40b122 in main ../../binutils/strings.c:321
    #7 0x7f5481807f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c6d2)

After checking the code in peicode.h and debugging it in GDB, we found that although the size allocated for ptr is just 36, after calling bfd_bread the string length of ptr is much bigger than that. So, ASAN detects the heap buffer overflow in the call strlen(sym_name). The bug allows source_dll to point to some location outside the boundary of symbol_name/ptr, and it could lead to bad things if source_dll is not checked & used properly.

  ptr = (bfd_byte *) bfd_alloc (abfd, size);
  if (ptr == NULL)
    return NULL;

  if (bfd_bread (ptr, size, abfd) != size)
    {
      bfd_release (abfd, ptr);
      return NULL;
    }

  symbol_name = (char *) ptr;
  source_dll  = symbol_name + strlen (symbol_name) + 1;

Best regards,
Thuan
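A bounded version of the split quoted above, written as an added example for this thread and not taken from bfd: the record layout (symbol name, then DLL name, both NUL-terminated inside a buffer of known size) is assumed from the report, and the inputs in main are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two strings an ILF import record carries back to back: the imported
   symbol's name, then the name of the DLL it is imported from. */
typedef struct {
    const char *symbol_name;
    const char *source_dll;
} ilf_names;

/* Hardened split. Both strings must be NUL-terminated inside buf[0..size).
   memchr() is bounded by the remaining size, whereas strlen(symbol_name)
   walks until it finds a NUL wherever that is, so a record whose symbol
   name fills the whole allocation is rejected here instead of read past. */
bool split_ilf_names(const char *buf, size_t size, ilf_names *out)
{
    const char *end1 = memchr(buf, '\0', size);
    if (end1 == NULL)
        return false;                 /* symbol_name unterminated */

    const char *dll = end1 + 1;
    size_t left = size - (size_t)(dll - buf);   /* 0 when the NUL was the last byte */
    const char *end2 = memchr(dll, '\0', left);
    if (end2 == NULL)
        return false;                 /* source_dll unterminated or missing */

    out->symbol_name = buf;
    out->source_dll = dll;
    return true;
}

/* 1 if buf splits into exactly the expected pair of strings, else 0. */
int check_split(const char *buf, size_t size, const char *want_sym, const char *want_dll)
{
    ilf_names n;
    if (!split_ilf_names(buf, size, &n))
        return 0;
    return strcmp(n.symbol_name, want_sym) == 0 && strcmp(n.source_dll, want_dll) == 0;
}

/* 1 if the record is rejected, which is the outcome wanted for the
   unterminated record the report describes. */
int check_rejected(const char *buf, size_t size)
{
    ilf_names n;
    return split_ilf_names(buf, size, &n) ? 0 : 1;
}

int main(void)
{
    /* Constructed records. "foo\0bar.dll" is 12 bytes including its final NUL. */
    printf("well-formed record accepted: %d\n", check_split("foo\0bar.dll", 12, "foo", "bar.dll"));
    /* Six bytes with no NUL: the case where strlen() would run past the buffer. */
    printf("unterminated symbol rejected: %d\n", check_rejected("abcdef", 6));
    /* Symbol terminated, DLL name cut off by the record size. */
    printf("truncated dll name rejected: %d\n", check_rejected("foo\0bar.dll", 8));
    return 0;
}
```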
[Bug ld/20906] New: LD: ld crashes for malformed inputs
https://sourceware.org/bugzilla/show_bug.cgi?id=20906

Bug ID: 20906
Summary: LD: ld crashes for malformed inputs
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: boehme.marcel at gmail dot com
Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing session on Binutils. Thanks also to Van-Thuan Pham.

The linker crashes with an invalid write of size 1 for the following execution on 14.04 x86_64 for Binutils v2.24 and trunk. It does not crash on Ubuntu 16.04 x86_64 Binutils v2.26.1 or trunk but the invalid write is still there.

$ printf "\x6b\x22\x17\x1d\x00\x7f\x00\x00\x00\x00\x00\x52\x6e\x71\x1d\x00\x00\x01\x00\x00\x00\x00\x00\x00\x52\x6b\x22\x00\xdf\x12\xef\x17\x66\x52\x6b\x22\x17\x1d\x00\x6b\x22\x00\xdf\x2e\xef\x00\x69" > test
$ ./ld test
*** Error in `/home/ubuntu/subjects/binutils-gdb/ld/ld-new': malloc(): memory corruption: 0x0188a6e0 ***
Aborted

ASAN reports it sometimes as use-after-free and sometimes as heap-based buffer overflow:

==8360==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020c828 at pc 0x00413f9e bp 0x7ffd709c9a00 sp 0x7ffd709c99f8
WRITE of size 1 at 0x6020c828 thread T0
    #0 0x413f9d in yylex /home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldlex.l:420
    #1 0x404901 in yyparse /home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldgram.c:2298
    #2 0x43845e in load_symbols ../../ld/ldlang.c:2818
    #3 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #4 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #5 0x465a39 in main ../../ld/ldmain.c:428
    #6 0x7fdb8cba8f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #7 0x403968 (/home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ld-new+0x403968)

0x6020c828 is located 8 bytes to the left of 2-byte region [0x6020c830,0x6020c832)
allocated by thread T0 here:
    #0 0x7fdb8df293a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x92547b in xmalloc ../../libiberty/xmalloc.c:148
    #2 0x92571a in xstrdup ../../libiberty/xstrdup.c:34
    #3 0x413ba4 in yylex /home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldlex.l:379
    #4 0x404901 in yyparse /home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldgram.c:2298
    #5 0x43845e in load_symbols ../../ld/ldlang.c:2818
    #6 0x43c299 in open_input_bfds ../../ld/ldlang.c:3346
    #7 0x4568f7 in lang_process ../../ld/ldlang.c:6871
    #8 0x465a39 in main ../../ld/ldmain.c:428
    #9 0x7fdb8cba8f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/subjects/binutils-gdb/obj-asan/ld/ldlex.l:420 in yylex

The stacktraces vary significantly for different fuzzing inputs but it is always the call to yyparse that crashes the linker.

Best regards,
- Marcel
[Bug binutils/20907] New: Internal error in peicode.h causes program to abort
https://sourceware.org/bugzilla/show_bug.cgi?id=20907

Bug ID: 20907
Summary: Internal error in peicode.h causes program to abort
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: thuanpv at comp dot nus.edu.sg
Target Milestone: ---

Dear all,

Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, we found an input causing different programs (addr2line, strings and size) to abort due to an exception in peicode.h. The bug was found on Ubuntu 14.04 64-bit & binutils was checked out from https://github.com/bminor/binutils-gdb repository. Its commit is 268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016). We also checked and confirmed the bug using the newest development version of binutils & binutils 2.24.

To reproduce:

printf "\x00\x00\xff\xff\x00\x00\x4c\x01\x30\x30\x30\x30\x24\x00\x00\x00\x00\x00\x01\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30" > fd
addr2line -e fd OR size fd OR strings -d fd

Error message:

BFD (GNU Binutils) 2.27.51.20161128 internal error, aborting at ../../bfd/peicode.h:896 in pe_ILF_build_a_bfd

Best regards,
Thuan