[Bug gold/20949] New: GOLD: Reading beyond buffer during parsing

2016-12-08 Thread boehme.marcel at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=20949

            Bug ID: 20949
           Summary: GOLD: Reading beyond buffer during parsing
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gold
          Assignee: ccoutant at gmail dot com
          Reporter: boehme.marcel at gmail dot com
                CC: ian at airs dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.

Valgrind reports a read of size 1 in the lexer of the linker for the
following executions on Binutils in trunk and pre-installed v2.24 on Ubuntu
14.04.

For this execution Valgrind points out two locations (script.cc:810,
script.cc:825): 
$ printf "\x0d" > test
$ gold/ld-new test

For this execution, there is only one location (script.cc:825):
$ printf "\x80" > test
$ gold/ld-new test

ASAN says:
==116723==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6030434a at pc 0x016367e1 bp 0x7ffec7190920 sp 0x7ffec7190918
READ of size 1 at 0x6030434a thread T0
#0 0x16367e0 in gold::Lex::get_token(char const**) ../../gold/script.cc:825
#1 0x1637151 in gold::Lex::next_token() ../../gold/script.cc:875
#2 0x164ba27 in gold::Parser_closure::next_token()
../../gold/script.cc:1339
#3 0x164224b in yylex ../../gold/script.cc:2574
#4 0x17473e2 in yyparse
/home/ubuntu/subjects/binutils-gdb_fixed/obj-gold-asan/gold/yyscript.c:1964
#5 0x163b238 in gold::read_input_script(gold::Workqueue*,
gold::Symbol_table*, gold::Layout*, gold::Dirsearch*, int,
gold::Input_objects*, gold::Mapfile*, gold::Input_group*, gold::Input_argument
const*, gold::Input_file*, gold::Task_token*, bool*) ../../gold/script.cc:1500
#6 0x1542934 in gold::Read_script::run(gold::Workqueue*)
../../gold/readsyms.cc:913
#7 0x1741207 in gold::Workqueue::find_and_run_task(int)
../../gold/workqueue.cc:319
#8 0x1742951 in gold::Workqueue::process(int) ../../gold/workqueue.cc:495
#9 0x405d95 in main ../../gold/main.cc:252
#10 0x7fbb1bba9f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x405147 
(/home/ubuntu/subjects/binutils-gdb_fixed/obj-gold-asan/gold/ld-new+0x405147)

0x6030434a is located 0 bytes to the right of 26-byte region
[0x60304330,0x6030434a)
allocated by thread T0 here:
#0 0x7fbb1d02d270 in operator new(unsigned long)
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc3270)
#1 0x1998df8 in std::string::_Rep::_S_create(unsigned long, unsigned long,
std::allocator const&)
(/home/ubuntu/subjects/binutils-gdb_fixed/obj-gold-asan/gold/ld-new+0x1998df8)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../gold/script.cc:825 in
gold::Lex::get_token(char const**)

Best regards,
- Marcel

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
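As an added illustration of the defect class in the report above (this is not gold's code and not its fix): a length-bounded scanner for script-like text that decides end-of-input from the buffer length rather than from a NUL sentinel, so the one-byte inputs from the report ("\x0d" and "\x80") are consumed as exactly one byte each and the scan then stops. The Cursor, TokenType and get_token names are assumptions made for this example.

```cpp
#include <cstddef>
#include <string>
#include <vector>
enum TokenType { TOKEN_EOF, TOKEN_NEWLINE, TOKEN_WORD, TOKEN_INVALID };
// Bounded view of the script text: at() returns 0 for any offset at or past
// the end instead of dereferencing it, and records the furthest offset asked.
class Cursor {
 public:
  explicit Cursor(const std::string& buf) : buf_(buf), pos_(0), max_probe_(0) {}
  unsigned char at(size_t k) {
    size_t off = pos_ + k;
    if (off > max_probe_) max_probe_ = off;
    return off < buf_.size() ? static_cast<unsigned char>(buf_[off]) : 0;
  }
  bool done() const { return pos_ >= buf_.size(); }
  void advance(size_t n) { pos_ += n; }
  size_t max_probe() const { return max_probe_; }
 private:
  const std::string& buf_; size_t pos_; size_t max_probe_;
};
// Next token. End of input is decided by done(), never by seeing a NUL byte,
// so a trailing '\r' or a byte >= 0x80 cannot push the cursor past the end.
TokenType get_token(Cursor& c) {
  while (!c.done()) {
    unsigned char ch = c.at(0);
    if (ch == ' ' || ch == '\t') { c.advance(1); continue; }
    if (ch == '\n' || ch == '\r') {
      // "\r\n" is one newline; at(1) is 0 at end of buffer, so a lone '\r'
      // does not pull the cursor past the end while looking for the '\n'.
      c.advance(ch == '\r' && c.at(1) == '\n' ? 2 : 1);
      return TOKEN_NEWLINE;
    }
    // Bytes outside printable ASCII are not part of any token: consume one.
    if (ch < 0x20 || ch >= 0x80) { c.advance(1); return TOKEN_INVALID; }
    while (!c.done() && c.at(0) > ' ' && c.at(0) < 0x80) c.advance(1);
    return TOKEN_WORD;
  }
  return TOKEN_EOF;
}
// Tokenise a whole buffer; max_probe receives the furthest offset at() was
// asked for, so a caller can check that nothing past the end was dereferenced.
std::vector<TokenType> lex_all(const std::string& buf, size_t* max_probe) {
  Cursor c(buf);
  std::vector<TokenType> out;
  do { out.push_back(get_token(c)); } while (out.back() != TOKEN_EOF);
  if (max_probe) *max_probe = c.max_probe();
  return out;
}
```

On the "\x0d" input the scanner does ask about the byte one past the end (the same offset ASan flagged in the report), and at() answers 0 without touching memory.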


[Bug ld/20932] LD: Internal error during record link assignment

2016-12-08 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=20932

--- Comment #9 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Alan Modra:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8e2a4f11d477986aa360a3b588d35a194efe58f8

commit 8e2a4f11d477986aa360a3b588d35a194efe58f8
Author: Alan Modra 
Date:   Thu Dec 8 09:51:00 2016 +1030

PR20932, Internal error during record link assignment

PR ld/20932
* elflink.c (bfd_elf_record_link_assignment): Handle warning symbols.



[Bug gold/16711] Linker script causes gold to include .bss in output file

2016-12-08 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=16711

Alan Modra changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |amodra at gmail dot com

--- Comment #1 from Alan Modra ---
Confirmed.  This is seen when linking the linux kernel.

  [36] .data_nosave PROGBITS c8906000 8916000 001000  00  WA  0 0  4
  [37] .bss NOBITS   c891 892 2e32ba0 00  WA  0 0 65536
  [38] .comment PROGBITS  b752ba0 39  01  MS  0 0  1

LOAD 0x01 0xc000 0x 0xb742ba0 0xb742ba0 RWE
0x1

Note the file offset of .comment and p_filesz == p_memsz in the load header.

Also seen with existing gold tests that use a script, e.g. tls_script_test
  [32] .got.plt PROGBITS 10101f38 001f38 70 00  WA  0   0  8
  [33] .bss NOBITS   10202060 002060 000100 00  WA  0   0 32
  [34] .comment PROGBITS  002160 35 01  MS  0   0  1


I started debugging this and it seems like the problem lies in
Output_segment::set_section_addresses where we have
  if (i < static_cast<int>(ORDER_SMALL_BSS))
    {
      this->filesz_ = *poff - orig_off;
      off = *poff;
    }
and sections in a script are not sorted into output_lists_[] by ORDER_*.



[Bug gold/16711] Linker script causes gold to allocate file space for bss

2016-12-08 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=16711

Alan Modra changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Linker script causes gold   |Linker script causes gold
                   |to include .bss in output   |to allocate file space for
                   |file                        |bss
