crash accessing address 0 in readelf (binutils-2.2.7a)

2018-07-25 Thread Laurent Simon
Hi

I've come across an issue in readelf (binutils-2.2.7a), as follows:


Problem:
---
"readelf -a input" crashes trying to access uninitialized memory (0) if given 
the right input.

Reproduce:
---
$ CFLAGS="-g -fsanitize=address" CC=clang ../configure --disable-shared 
--disable-nls --disable-werror --disable-gdb --disable-libdecnumber 
--disable-readline --disable-sim
$ ASAN_SYMBOLIZER_PATH=`which llvm-symbolizer` ./build/binutils/readelf -a input

==30209==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 
0x0055c484 sp 0x7ffc692c6520 bp 0x7ffc692c6c50 T0)
#0 0x55c483 in dump_hppa_unwind 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:7849
#1 0x553415 in hppa_process_unwind 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:8129
#2 0x4b29f7 in process_unwind 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:9262
#3 0x48c2d8 in process_object 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:18751
#4 0x487870 in process_file 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:19188
#5 0x485916 in main 
/path/binutils-2.2.7a.asan/build/binutils/../../binutils/readelf.c:19247
#6 0x7f95f0d03f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#7 0x47e01c in _start 
(/path/binutils-2.2.7a.asan/build/binutils/readelf+0x47e01c)


Details:
---
in file readelf.c, function hppa_process_unwind():

  if (! slurp_hppa_unwind_table (filedata, &aux, sec))
    res = FALSE;
  if (aux.table_len > 0)
    {
      if (! dump_hppa_unwind (filedata, &aux))
        res = FALSE;
    }
  [...]


Even if the function slurp_hppa_unwind_table() fails, the function
dump_hppa_unwind() is executed. In dump_hppa_unwind():

  for (tp = aux->table; tp < aux->table + aux->table_len; ++tp)
    {
      bfd_vma offset;
      const char * procname;

      find_symbol_for_address (filedata, aux->funtab, aux->nfuns, aux->strtab,
                               aux->strtab_size, tp->start, &procname,
                               &offset);
      [...]

Because slurp_hppa_unwind_table() failed, aux->table_len may be non-zero but
aux->table is still 0. So tp is NULL and the program tries to access address 0x0.

I don't think this is exploitable because 0 is not controllable by user input:
it's the value set in function hppa_process_unwind() through:

memset (& aux, 0, sizeof (aux));

Fix:

Change:

if ( aux.table_len > 0)

to:

if ( res && aux.table_len > 0)



I can give you the input to trigger the bug if you'd like. I tried to attach it 
to this email but could not as your server thinks there is malware in it...

Laurent

___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
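The error path Laurent describes, as a constructed C model added here (not readelf's code): slurp_table and dump_table stand in for slurp_hppa_unwind_table() and dump_hppa_unwind(), and the guard_on_res flag switches process_unwind between the check as reported and the suggested "res &&" fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for readelf's hppa_unw_aux_info; only the two
   fields involved in the report are modelled. */
struct unw_aux {
    unsigned char *table;   /* stays NULL (from memset) until a table is read */
    size_t table_len;       /* entry count */
};

/* Models the reported failure mode of slurp_hppa_unwind_table(): the entry
   count is recorded, then the read fails, so table_len > 0 while table == NULL. */
static bool slurp_table(struct unw_aux *aux, size_t nentries, bool read_ok)
{
    aux->table_len = nentries;
    if (!read_ok)
        return false;
    aux->table = calloc(nentries ? nentries : 1, 1);
    return aux->table != NULL;
}

/* Stand-in for dump_hppa_unwind(): instead of walking the table it reports
   whether the loop would start from a NULL table, which is the address-0
   access ASan flagged. Returns -1 for that case, else the entry count. */
static int dump_table(const struct unw_aux *aux)
{
    if (aux->table_len > 0 && aux->table == NULL)
        return -1;
    return (int) aux->table_len;
}

/* guard_on_res == false reproduces the reported code; true applies the
   suggested fix (test res as well as table_len). Returns dump_table()'s
   result, or 0 when the dump was skipped. */
int process_unwind(size_t nentries, bool read_ok, bool guard_on_res)
{
    struct unw_aux aux;
    bool res = true;
    int rc = 0;

    memset(&aux, 0, sizeof aux);        /* this is where table becomes 0 */
    if (!slurp_table(&aux, nentries, read_ok))
        res = false;
    if ((!guard_on_res || res) && aux.table_len > 0)
        rc = dump_table(&aux);
    free(aux.table);
    return rc;
}
```

A producer-side variant is also worth considering: if slurp_table reset table_len on failure, the invariant "table_len > 0 implies table != NULL" would hold for every caller and no consumer would need to remember the res check.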


[Bug ld/19011] Issues with ld on mingw-w64 and bad defaults

2018-07-25 Thread hugo at beauzee dot fr
https://sourceware.org/bugzilla/show_bug.cgi?id=19011

hugo at beauzee dot fr  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hugo at beauzee dot fr

--- Comment #4 from hugo at beauzee dot fr  ---
Created attachment 11152
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11152&action=edit
Don't strip reloc sections when building with dynamicbase

This should address the "- Never strip the reloc section." part.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


[Bug ld/19011] Issues with ld on mingw-w64 and bad defaults

2018-07-25 Thread hugo at beauzee dot fr
https://sourceware.org/bugzilla/show_bug.cgi?id=19011

--- Comment #5 from hugo at beauzee dot fr  ---
The attached patch fixes the IMAGE_FILE_RELOCS_STRIPPED bit to be set in the
headers when no symbol is exported, when building with -Wl,--dynamicbase.

Please let me know if some corrections are to be made!

AFAIU I need to explicitly state that I'm ok with the copyright being assigned
to the FSF, so I'm ok with it.

Regards,



[Bug gas/23451] New: RISC-V gas aborts with "Error: unknown default architecture `'" in GCC configure tests

2018-07-25 Thread sebastian.hu...@embedded-brains.de
https://sourceware.org/bugzilla/show_bug.cgi?id=23451

Bug ID: 23451
   Summary: RISC-V gas aborts with "Error: unknown default
architecture `'" in GCC configure tests
   Product: binutils
   Version: 2.31
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: gas
  Assignee: unassigned at sourceware dot org
  Reporter: sebastian.hu...@embedded-brains.de
  Target Milestone: ---

I tried to build a riscv-rtems5 GCC using Binutils 2.31.1 and a recent GCC 9.
There are several configure tests in GCC which test gas features. They fail now
with an "Error: unknown default architecture `'" error message (about 30 tests),
e.g.

configure:24456: checking assembler for thread-local storage support
configure:24469: /build/rtems/5/riscv-rtems5/bin/as   --fatal-warnings -o
conftest.o conftest.s >&5
Assembler messages:
Error: unknown default architecture `'
configure:24472: $? = 1
configure: failed program was

.section .tdata,"awT",@progbits
x:  .word 2
.text
la.tls.gd a0,x
call __tls_get_addr



[Bug gas/23451] RISC-V gas aborts with "Error: unknown default architecture `'" in GCC configure tests

2018-07-25 Thread sebastian.hu...@embedded-brains.de
https://sourceware.org/bugzilla/show_bug.cgi?id=23451

Sebastian Huber  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|                            |riscv-rtems5
                 CC|                            |wilson at gcc dot gnu.org



[Bug gas/23451] RISC-V gas aborts with "Error: unknown default architecture `'" in GCC configure tests

2018-07-25 Thread sch...@linux-m68k.org
https://sourceware.org/bugzilla/show_bug.cgi?id=23451

--- Comment #1 from Andreas Schwab  ---
gas/configure.tgt only knows about riscv32 and riscv64.  Another reason why the
introduction of a riscv cpu was a mistake.  config.sub really should
canonicalize riscv into riscv32.



[Bug gas/23451] RISC-V gas aborts with "Error: unknown default architecture `'" in GCC configure tests

2018-07-25 Thread sebastian.hu...@embedded-brains.de
https://sourceware.org/bugzilla/show_bug.cgi?id=23451

--- Comment #2 from Sebastian Huber  ---
I am not sure at which level this should be fixed now.



[Bug ld/19011] Issues with ld on mingw-w64 and bad defaults

2018-07-25 Thread hugo at beauzee dot fr
https://sourceware.org/bugzilla/show_bug.cgi?id=19011

--- Comment #6 from hugo at beauzee dot fr  ---
Well, apparently the attached fixes the header, but makes windows fail to run
the resulting executable, so I guess something's missing.

Any help would be appreciated!

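A constructed C check, added here and not part of bug 19011 or the attached patch, for the header combination comments #5 and #6 describe: an image whose optional header requests DYNAMIC_BASE while its COFF header has IMAGE_FILE_RELOCS_STRIPPED set. make_sample builds a constructed minimal PE header so the check runs offline; the flag values and field offsets come from the PE/COFF format, not from this thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMAGE_FILE_RELOCS_STRIPPED            0x0001  /* COFF Characteristics */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040  /* optional header DllCharacteristics */

enum aslr_state { PE_INVALID = -1, PE_NO_ASLR = 0, PE_ASLR_OK = 1, PE_ASLR_INCONSISTENT = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Reads Characteristics (COFF header offset 18, i.e. e_lfanew + 22) and
   DllCharacteristics (optional header offset 70 for both PE32 and PE32+)
   and reports whether the image asks for ASLR while declaring its
   relocations stripped, the state comment #6 reports Windows rejecting. */
enum aslr_state check_aslr_flags(const uint8_t *img, size_t len)
{
    if (len < 96) return PE_INVALID;                 /* too short for any PE header */
    uint32_t pe = rd32(img + 0x3c);                  /* e_lfanew */
    if (pe > len - 96 || memcmp(img + pe, "PE\0\0", 4) != 0) return PE_INVALID;
    uint16_t magic = rd16(img + pe + 24);
    if (magic != 0x10b && magic != 0x20b) return PE_INVALID;
    uint16_t chars = rd16(img + pe + 22);
    uint16_t dllchars = rd16(img + pe + 24 + 70);
    if (!(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) return PE_NO_ASLR;
    return (chars & IMAGE_FILE_RELOCS_STRIPPED) ? PE_ASLR_INCONSISTENT : PE_ASLR_OK;
}

/* Builds a constructed minimal header (DOS stub + PE signature + COFF header
   + PE32 optional header, no sections) with the given flags; buf needs 184 bytes. */
size_t make_sample(uint8_t *buf, uint16_t chars, uint16_t dllchars)
{
    const uint32_t pe = 0x40;
    memset(buf, 0, pe + 24 + 96);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t) pe;                        /* e_lfanew = 0x40, little-endian */
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 22] = (uint8_t) chars;    buf[pe + 23] = (uint8_t)(chars >> 8);
    buf[pe + 24] = 0x0b;               buf[pe + 25] = 0x01;   /* Magic = PE32 */
    buf[pe + 24 + 70] = (uint8_t) dllchars; buf[pe + 24 + 71] = (uint8_t)(dllchars >> 8);
    return pe + 24 + 96;
}
```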


[Bug gold/23258] Linker cored dump at process_one_opcode

2018-07-25 Thread ccoutant at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=23258

--- Comment #11 from Cary Coutant  ---
(In reply to Lan from comment #10)
> Finally managed to get back to this issue.  (I had reverted to use clang
> 3.8, so needed to reinstall clang 6.0 to try to reproduce the problem.)
> 
> After changing GseAdmTempFile() to replace tempnam() with mkstemp(), I no
> longer hit the trap in the loader.
> 
> So the trap is related to the warning message.

Yes, in producing the warning, the linker tries to parse the debug info (if
present) in order to give source file name and line number. If that fails, it
should fall back gracefully to the object file name.


> I can fix all the warning to work around the trap in the loader, but it is
> still a defect that the loader shouldn't trap, right ?

Yes, I'd like to find and fix it, but with the objects you provided, I wasn't
able to reproduce the problem. It seems like it should be a problem with the
debug info in GseAdEnableDB.o, but my version of gold is able to parse the
debug info with no problem. It's possible that the segfault is triggered by a
combination of factors, and without the same libraries that you have, it's not
hitting the same conditions.

If you add the -t option to the link, the linker will list all the files it
reads. If you can then package all of those up, I'll give it another try.



[Bug gas/14480] PDP11 gas generates invalid code for deferred indirect JSR with 0 index

2018-07-25 Thread cptjustice at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=14480

--- Comment #6 from James Patrick Conlon  ---
Hold off on the 2018-07-19 patch.  There are some additional fixes necessary.
