[Bug ld/23818] Symbols from discarded section in IR object leaked into final executable
https://sourceware.org/bugzilla/show_bug.cgi?id=23818

--- Comment #5 from Romain Geissler ---
After rebuilding libssh2 and a few other open source libraries, I indeed no longer see these odd absolute relocations, and ld.lld now happily accepts them as valid input .so files. So it looks like you fixed it ;)

Is it OK to backport to release branch 2.31?

Cheers,
Romain

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23818] Symbols from discarded section in IR object leaked into final executable
https://sourceware.org/bugzilla/show_bug.cgi?id=23818

--- Comment #6 from H.J. Lu ---
(In reply to Romain Geissler from comment #5)
> Is it OK to backport to release branch 2.31?

Please request backport on the binutils mailing list.
[Bug binutils/23832] New: Memory Leak (118487342)
https://sourceware.org/bugzilla/show_bug.cgi?id=23832

            Bug ID: 23832
           Summary: Memory Leak (118487342)
           Product: binutils
           Version: 2.32 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 11367
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11367&action=edit
Proof of concept

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting binutils (tested with revision * master fd2b4de5e63ad5994baf9c57b5d0c49d1f1dd4e4).

To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

Instructions:

`unzip artifacts_118487342.zip`
`docker build --build-arg SANITIZER=address --tag=autofuzz-binutils-118487342 autofuzz_118487342`
`docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_118487342/poc-c1878acf79314dc6651e4b972cf574c16cd008c6ebbb5bec39edf0383e4ef270_min:/tmp/poc autofuzz-binutils-118487342 "" /tmp/poc`
`docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_118487342/poc-c1878acf79314dc6651e4b972cf574c16cd008c6ebbb5bec39edf0383e4ef270_min:/tmp/poc -it autofuzz-binutils-118487342`

Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation.

The sanitizer error that we encountered is here:

```
INFO: Seed: 1569119816
INFO: Loaded 0 modules (0 guards):
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-c1878acf79314dc6651e4b972cf574c16cd008c6ebbb5bec39edf0383e4ef270
/fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10: runtime error: signed integer overflow: 814616325 * 10 cannot be represented in type 'int'
    #0 0x520dbb in get_count /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3597:10
    #1 0x51ee52 in demangle_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2221:8
    #2 0x51b9ad in gnu_special /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3057:18
    #3 0x51afbc in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1244:14
    #4 0x519f28 in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #5 0x5215e2 in demangle_template_value_parm /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2128:12
    #6 0x51f238 in demangle_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2313:14
    #7 0x528287 in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4132:19
    #8 0x519565 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #9 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #10 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #11 0x51d3c2 in demangle_signature /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1709:18
    #12 0x523876 in iterate_demangle_function /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2743:14
    #13 0x51afe2 in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1253:14
    #14 0x519f28 in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #15 0x5215e2 in demangle_template_value_parm /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2128:12
    #16 0x51f238 in demangle_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2313:14
    #17 0x528287 in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4132:19
    #18 0x519565 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #19 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #20 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #21 0x51d3c2 in demangle_signature /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1709:18
    #22 0x523876 in iterate_demangle_function /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2743:14
    #23 0x51afe2 in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1253:14
    #24 0x519f28 in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #25 0x517a1d in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/demangle_fuzzer.cc:11:21
    #26 0x54aa3e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x54aa3e)
    #27 0x53fb8e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53fb8e)
    #28 0x544097 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x544097)
    #29 0x53f8ab in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53f8ab)
    #30 0x7f7194ce92e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20
```
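The UBSan line above is a signed overflow in the digit-run accumulation of get_count: the count is built as n * 10 + digit in an int with no bound on the run length, so a long enough run of digits is undefined behaviour, not just a wrong value. As an added example (written for this page, not libiberty's code; the "<digits>_" count syntax and the function names are assumptions made here), the unchecked accumulation pattern next to a version that rejects a count that would wrap:

```c
/* Added example, not libiberty code: the digit-run accumulation that the
   UBSan report above flags in get_count(), next to a version that refuses
   to wrap. The "<digits>_" count syntax and the function names are
   assumptions made for this example. Builds with GCC or Clang (uses the
   __builtin_*_overflow checked-arithmetic builtins). */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Unchecked shape: n * 10 + digit is evaluated in 'int' with no bound on
   the run length, so a long enough digit run (814616325 followed by one
   more digit in the report above) is signed overflow, i.e. undefined
   behaviour, not merely a wrong count. Kept here only for contrast. */
static int
get_count_unchecked (const char **type, int *count)
{
  const char *p = *type;
  int n;

  if (!isdigit ((unsigned char) *p))
    return 0;
  n = *p++ - '0';
  while (isdigit ((unsigned char) *p))
    n = n * 10 + (*p++ - '0');
  if (*p != '_')
    return 0;
  *type = p + 1;
  *count = n;
  return 1;
}

/* Checked shape: each step goes through the compiler's overflow-checking
   builtins and the parse fails at the first digit that would not fit.
   On failure neither the cursor nor *count is written, so a caller
   cannot continue from a half-consumed count. */
static int
get_count_checked (const char **type, int *count)
{
  const char *p = *type;
  int n, tmp;

  if (!isdigit ((unsigned char) *p))
    return 0;
  n = *p++ - '0';
  while (isdigit ((unsigned char) *p))
    {
      if (__builtin_mul_overflow (n, 10, &tmp)
          || __builtin_add_overflow (tmp, *p - '0', &n))
        return 0;                  /* would wrap: reject the whole count */
      p++;
    }
  if (*p != '_')
    return 0;
  *type = p + 1;
  *count = n;
  return 1;
}

int
main (void)
{
  /* Constructed inputs: a small count, INT_MAX exactly, and the run from
     the report with one more digit appended. */
  const char *inputs[] = { "12_rest", "2147483647_", "8146163250_" };
  const char *cur = inputs[0];
  int c = 0;

  if (get_count_unchecked (&cur, &c))
    printf ("unchecked: %-12s -> count %d, rest \"%s\"\n", inputs[0], c, cur);

  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
    {
      cur = inputs[i];
      int ok = get_count_checked (&cur, &c);
      printf ("checked:   %-12s -> %s", inputs[i], ok ? "count " : "rejected");
      if (ok)
        printf ("%d, rest \"%s\"", c, cur);
      putchar ('\n');
    }
  return 0;
}
```

The checked variant leaves the cursor and the output untouched on failure; that matters in a demangler because the caller typically falls back to another parse of the same bytes, and a partially advanced cursor would make that fallback read from the wrong place.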
[Bug binutils/23833] New: Segmentation Fault (118485394)
https://sourceware.org/bugzilla/show_bug.cgi?id=23833

            Bug ID: 23833
           Summary: Segmentation Fault (118485394)
           Product: binutils
           Version: 2.32 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 11368
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11368&action=edit
Proof of concept

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting binutils (tested with revision * master fd2b4de5e63ad5994baf9c57b5d0c49d1f1dd4e4).

To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

Instructions:

`unzip artifacts_118485394.zip`
`docker build --build-arg SANITIZER=address --tag=autofuzz-binutils-118485394 autofuzz_118485394`
`docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_118485394/poc-0d94a933986f6862d85612a4b4318f589de3a9b1e998551df2a9d4983c4f6935_min:/tmp/poc autofuzz-binutils-118485394 "" /tmp/poc`
`docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_118485394/poc-0d94a933986f6862d85612a4b4318f589de3a9b1e998551df2a9d4983c4f6935_min:/tmp/poc -it autofuzz-binutils-118485394`

Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation.

The sanitizer error that we encountered is here:

```
INFO: Seed: 1711824187
INFO: Loaded 0 modules (0 guards):
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-0d94a933986f6862d85612a4b4318f589de3a9b1e998551df2a9d4983c4f6935
ASAN:DEADLYSIGNAL
=
==8==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x0053686d bp 0x7ffdab291030 sp 0x7ffdab290d20 T0)
==8==The signal is caused by a READ memory access.
==8==Hint: address points to the zero page.
    #0 0x53686c in d_print_comp_inner /fuzzing/binutils-gdb/libiberty/cp-demangle.c
    #1 0x52d07c in d_print_comp /fuzzing/binutils-gdb/libiberty/cp-demangle.c:5728:3
    #2 0x534434 in d_print_comp_inner /fuzzing/binutils-gdb/libiberty/cp-demangle.c:4661:7
    #3 0x52d07c in d_print_comp /fuzzing/binutils-gdb/libiberty/cp-demangle.c:5728:3
    #4 0x52ca6a in cplus_demangle_print_callback /fuzzing/binutils-gdb/libiberty/cp-demangle.c:4305:5
    #5 0x52df35 in d_demangle_callback /fuzzing/binutils-gdb/libiberty/cp-demangle.c:6277:16
    #6 0x52d95b in d_demangle /fuzzing/binutils-gdb/libiberty/cp-demangle.c:6299:12
    #7 0x52d855 in cplus_demangle_v3 /fuzzing/binutils-gdb/libiberty/cp-demangle.c:6456:10
    #8 0x519da3 in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:880:13
    #9 0x5215e2 in demangle_template_value_parm /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2128:12
    #10 0x51f238 in demangle_template /fuzzing/binutils-gdb/libiberty/cplus-dem.c:2313:14
    #11 0x528287 in demangle_fund_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4132:19
    #12 0x519565 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3907:17
    #13 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #14 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #15 0x51d087 in demangle_signature /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1732:16
    #16 0x51b02d in internal_cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:1257:14
    #17 0x519f28 in cplus_demangle /fuzzing/binutils-gdb/libiberty/cplus-dem.c:918:9
    #18 0x517a1d in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/demangle_fuzzer.cc:11:21
    #19 0x54aa3e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x54aa3e)
    #20 0x53fb8e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53fb8e)
    #21 0x544097 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x544097)
    #22 0x53f8ab in main (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x53f8ab)
    #23 0x7fc9ada182e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #24 0x41f479 in _start (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x41f479)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzzing/binutils-gdb/libiberty/cp-demangle.c in d_print_comp_inner
==8==ABORTING
```

We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation. Once you have reproduced the issu
[Bug binutils/23834] New: Infinite Recursion in demangle_nested_args - Stack Overflow (118486503)
https://sourceware.org/bugzilla/show_bug.cgi?id=23834

            Bug ID: 23834
           Summary: Infinite Recursion in demangle_nested_args - Stack Overflow (118486503)
           Product: binutils
           Version: 2.32 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: security-tps at google dot com
  Target Milestone: ---

Created attachment 11369
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11369&action=edit
Proof of concept

Hello binutils team,

As part of our fuzzing efforts at Google, we have identified an issue affecting binutils (tested with revision * master fd2b4de5e63ad5994baf9c57b5d0c49d1f1dd4e4).

To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

Instructions:

`unzip artifacts_118486503.zip`
`docker build --build-arg SANITIZER=address --tag=autofuzz-binutils-118486503 autofuzz_118486503`
`docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_118486503/poc-9139592704bf42e2a8f72de91be0975306d89ed168aff579bafacca21f6c8644_min:/tmp/poc autofuzz-binutils-118486503 "" /tmp/poc`
`docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_118486503/poc-9139592704bf42e2a8f72de91be0975306d89ed168aff579bafacca21f6c8644_min:/tmp/poc -it autofuzz-binutils-118486503`

Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation.

The sanitizer error that we encountered is here:

```
INFO: Seed: 120513314
INFO: Loaded 0 modules (0 guards):
/fuzzing/binutils-gdb/build/demangle_fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-9139592704bf42e2a8f72de91be0975306d89ed168aff579bafacca21f6c8644
ASAN:DEADLYSIGNAL
=
==8==ERROR: AddressSanitizer: stack-overflow on address 0x7fff89489e38 (pc 0x004c6920 bp 0x7fff8948a6b0 sp 0x7fff89489e40 T0)
    #0 0x4c691f in __asan_memset (/fuzzing/binutils-gdb/build/demangle_fuzzer+0x4c691f)
    #1 0x51b4cf in string_init /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4935:15
    #2 0x52715f in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4285:3
    #3 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #4 0x5278bd in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #5 0x518d20 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #6 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #7 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #8 0x5278bd in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #9 0x518d20 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #10 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #11 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #12 0x5278bd in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #13 0x518d20 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #14 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #15 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #16 0x5278bd in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #17 0x518d20 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #18 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #19 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #20 0x5278bd in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #21 0x518d20 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #22 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #23 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #24 0x5278bd in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #25 0x518d20 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #26 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #27 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #28 0x5278bd in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #29 0x518d20 in do_type /fuzzing/binutils-gdb/libiberty/cplus-dem.c:3719:9
    #30 0x527378 in do_arg /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4332:8
    #31 0x526682 in demangle_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4659:9
    #32 0x5278bd in demangle_nested_args /fuzzing/binutils-gdb/libiberty/cplus-dem.c:4713:12
    #33 0x518d20 in do_ty
```
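The trace above walks the same four-function cycle (do_type, do_arg, demangle_args, demangle_nested_args) once per nesting level of the input until the stack is exhausted, and a recursive-descent parser over untrusted strings needs a nesting-depth limit to stop that. As an added example (a toy parser written for this page, not libiberty's code; the grammar, the parse_* names and the limit of 64 levels are assumptions made here), a parser with the same mutually recursive shape, with the guard placed in the function that opens a nesting level:

```c
/* Added example, not libiberty code. A toy recursive-descent parser for
   nested argument lists with the same mutual recursion shape as the
   stack-overflow trace above, plus the guard such parsers need: a
   nesting-depth counter that fails the parse instead of consuming
   unbounded stack. Grammar, names and MAX_NESTING are constructed for
   this example:

     type := NAME | '(' args ')'
     args := type { ',' type }                                          */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NESTING 64   /* assumed limit; size it for the smallest stack you support */

struct parser
{
  const char *p;   /* cursor into the input string */
  int depth;       /* current '(' nesting, the resource the guard bounds */
  int max_depth;   /* deepest nesting seen, for diagnostics */
};

static int parse_type (struct parser *ps);

static int
parse_args (struct parser *ps)
{
  for (;;)
    {
      if (!parse_type (ps))
        return 0;
      if (*ps->p != ',')
        return 1;
      ps->p++;
    }
}

static int
parse_nested_args (struct parser *ps)
{
  int ok;

  /* The guard: every '(' costs a few stack frames, so refuse to recurse
     once the input has nested deeper than the parser is willing to go.
     Without this check a run of '(' walks the cycle parse_type ->
     parse_nested_args -> parse_args -> parse_type until the stack is
     gone, which is the failure in the trace above.  */
  if (ps->depth >= MAX_NESTING)
    return 0;
  ps->depth++;
  if (ps->depth > ps->max_depth)
    ps->max_depth = ps->depth;

  ps->p++;                          /* consume '(' */
  ok = parse_args (ps) && *ps->p == ')';
  if (ok)
    ps->p++;                        /* consume ')' */

  ps->depth--;
  return ok;
}

static int
parse_type (struct parser *ps)
{
  if (*ps->p == '(')
    return parse_nested_args (ps);
  if (!isalpha ((unsigned char) *ps->p))
    return 0;
  while (isalnum ((unsigned char) *ps->p))
    ps->p++;
  return 1;
}

/* Parse a whole string: 1 on success, 0 on rejection. The deepest nesting
   reached is reported through *max_depth when it is non-NULL.  */
int
toy_demangle (const char *s, int *max_depth)
{
  struct parser ps = { s, 0, 0 };
  int ok = parse_type (&ps) && *ps.p == '\0';
  if (max_depth)
    *max_depth = ps.max_depth;
  return ok;
}

/* Build "(((...x...)))" with n levels, the shape of input a fuzzer finds.
   Caller frees the result.  */
char *
make_nested (int n)
{
  char *s = malloc ((size_t) 2 * n + 2);
  if (!s)
    return NULL;
  memset (s, '(', (size_t) n);
  s[n] = 'x';
  memset (s + n + 1, ')', (size_t) n);
  s[2 * n + 1] = '\0';
  return s;
}

int
main (void)
{
  const int depths[] = { 1, MAX_NESTING, MAX_NESTING + 1, 1000000 };
  for (size_t i = 0; i < sizeof depths / sizeof depths[0]; i++)
    {
      char *s = make_nested (depths[i]);
      int seen = 0;
      if (!s)
        return 1;
      printf ("nesting %d: %s (deepest level reached %d)\n", depths[i],
              toy_demangle (s, &seen) ? "accepted" : "rejected", seen);
      free (s);
    }
  return 0;
}
```

The depth counter is decremented on every exit path, so a rejected inner list does not leave the parser believing it is still nested; the million-level input is rejected after 64 levels, with the stack cost fixed regardless of input length.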