[Bug gas/24851] New: gas/testsuite/gas/epiphany/badrelax.s failure with MALLOC_PERTURB_=1

2019-07-25 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24851

Bug ID: 24851
   Summary: gas/testsuite/gas/epiphany/badrelax.s failure with MALLOC_PERTURB_=1
   Product: binutils
   Version: 2.33 (HEAD)
Status: NEW
  Severity: normal
  Priority: P2
 Component: gas
  Assignee: unassigned at sourceware dot org
  Reporter: amodra at gmail dot com
  Target Milestone: ---

regexp_diff match failure
regexp "^   2:  013b    sub r0,r0,2$"
line   "   2:   013b ff00   *unknown*"
FAIL: badrelax

If as-new is run under valgrind, it complains about writing uninitialised
memory to file.

Some uninitialised memory is read in md_convert_frag:

  /* Do all the housekeeping for frag conversions. */
  switch (fragP->fr_subtype)
    {
    case EPIPHANY_RELAX_ARITH_SIMM11:
      *opcode |= OP4_IMM32;
      displacement = &opcode[0];
      extension += 3;

      addend
        = (((addend & 0x7) << 7)
           | opcode[0]
           | ((addend & 0x7f8) << 13)
           | (opcode[1] << 8)
           | (opcode[2] << 16));

opcode[2] is uninitialised.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug gas/24851] gas/testsuite/gas/epiphany/badrelax.s failure with MALLOC_PERTURB_=1

2019-07-25 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24851

--- Comment #1 from Alan Modra  ---
Created attachment 11921
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11921&action=edit
possible fix



[Bug gas/24851] gas/testsuite/gas/epiphany/badrelax.s failure with MALLOC_PERTURB_=1

2019-07-25 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24851

Alan Modra  changed:

   What|Removed |Added

 CC||amylaar at gcc dot gnu.org



[Bug binutils/24848] [Bug] When use -flto "weak symbol" are converted to "t".

2019-07-25 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24848

Nick Clifton  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 CC||nickc at redhat dot com
 Resolution|--- |MOVED

--- Comment #1 from Nick Clifton  ---
Hi Akhilesh,

  This behaviour may or may not be expected, but if there is a bug then
  it is in gcc, not the binutils.  (It may be that the LTO linker plugin
  is the cause of this "feature", but that too is a part of gcc, not the
  binutils).  So please could you refile this report at:

https://gcc.gnu.org/bugzilla

  Cheers
Nick



[Bug binutils/24837] readelf: heap buffer overflow

2019-07-25 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=24837

--- Comment #1 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2e6be59c8de57c32260771ac5307968d18793a0a

commit 2e6be59c8de57c32260771ac5307968d18793a0a
Author: Nick Clifton 
Date:   Thu Jul 25 13:05:27 2019 +0100

Stop an illegal memory access by readelf when parsing a corrupt MIPS binary
file.

PR 24837
* readelf.c (process_mips_specific): Check for buffer overflow
before reading reginfo information.



[Bug binutils/24837] readelf: heap buffer overflow

2019-07-25 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24837

Nick Clifton  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 CC||nickc at redhat dot com
 Resolution|--- |FIXED

--- Comment #2 from Nick Clifton  ---
Hi Reza,

  Thanks for reporting this bug.  I have checked in a patch to add
  some boundary checking to the code in readelf that parses MIPS 
  specific sections.

Cheers
  Nick



[Bug binutils/24829] readelf: integer overflow in apply_relocations

2019-07-25 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24829

Nick Clifton  changed:

   What|Removed |Added

 CC||nickc at redhat dot com

--- Comment #1 from Nick Clifton  ---
Created attachment 11922
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11922&action=edit
Proposed patch

Hi tfx,

  Thanks for the detailed bug report.

  You are right - I am having difficulty reproducing the bug in my
  test environment, but I agree that the overflow can happen.

  Please could you try out this proposed patch and let me know if
  it solves the problem for you ?

  Thanks.

Cheers
  Nick



[Bug binutils/24829] readelf: integer overflow in apply_relocations

2019-07-25 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24829

Nick Clifton  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
   Last reconfirmed||2019-07-25
 Ever confirmed|0   |1



Re: Memory leak in disassemble_init_for_target

2019-07-25 Thread Nick Clifton
Hi Philippe,

> And I would like to report two bugs, and propose the fuzz target.

As a general rule it is best to report bugs with the binutils using
the bugzilla system here:

  https://sourceware.org/bugzilla/enter_bug.cgi?product=binutils


> This is a memory leak in function disassemble_init_for_target

> And it seems to me that this resource never gets freed (in programs such as 
> objdump) (or am I missing a clean function to be called ?)

Nope - but it is completely unimportant.  The memory will be
freed when objdump exits, and it will always exit, so the
memory is never consumed for very long.


Basically we are interested in fuzzing results that show illegal
memory accesses or buffer overruns or the like.  But memory leaks
are just not interesting because all of the tools are short term
programs that never stay permanently resident.

Cheers
  Nick





Re: Abort in arc_insn_length

2019-07-25 Thread Nick Clifton
Hi Philippe,

> Function arc_insn_length calls abort
> Binutils version is from commit d8f68fcb9378b5ab1c945fa676e11da15be56dd6
> It seems to me that this function should return failure instead of aborting
> The patch could be as attached.

Please could you file this bug report here:

  https://sourceware.org/bugzilla/enter_bug.cgi?product=binutils

If you could include the test case that triggers the problem as well
as your proposed patch that would really help.

Cheers
  Nick



[Bug ld/24815] ld fails to find symbols from DT_NEEDED entries

2019-07-25 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24815

Nick Clifton  changed:

   What|Removed |Added

 CC||nickc at redhat dot com

--- Comment #1 from Nick Clifton  ---
Hi Ismael,

  Have you tried linking with the "--allow-shlib-undefined" linker command
  line option enabled ?

  By default the ld linker insists that undefined symbols in shared libraries
  must be resolved by other libraries/objects present on the linker command
  line.  (The gold linker does not default to this behaviour by the way).
  The reason being that it forces builders to put all of the shared libraries
  that their application needs on the command line.  Thus making it clear
  to anyone examining the command line, or the build system, exactly which
  shared libraries are needed by the application.

Cheers
  Nick



[Bug ld/24832] mips: convert from data to object always generate MIPS I

2019-07-25 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=24832

--- Comment #1 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c7c860d2d29ca3e774c29f328d2af42eeb031958

commit c7c860d2d29ca3e774c29f328d2af42eeb031958
Author: YunQiang Su 
Date:   Thu Jul 25 16:34:58 2019 +0100

When linking binary files into MIPS executables, default to MIPS 3
emulation for 64-bit objects.

PR 24832
* elfxx-mips.c (mips_set_isa_flags): Default to MIPS 3 for 64-bit
mips inputs.



[Bug ld/24832] mips: convert from data to object always generate MIPS I

2019-07-25 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24832

Nick Clifton  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 CC||nickc at redhat dot com
 Resolution|--- |FIXED

--- Comment #2 from Nick Clifton  ---
Hi YunQiang,

  Thanks for the bug report and patch.  I have applied the patch along
  with a changelog entry to the source repository.

Cheers
  Nick



[Bug binutils/24809] objcopy to not add SECTION symbols if section .note.gnu.gold-version present

2019-07-25 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=24809

--- Comment #3 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Nick Clifton :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=48467cb99b04c9d908ce2dd74422c9c3f322ccc3

commit 48467cb99b04c9d908ce2dd74422c9c3f322ccc3
Author: Tom de Vries 
Date:   Thu Jul 25 17:24:22 2019 +0100

Have readelf and objdump display the contents of the DWARF augmentation
data as a string, if it is printable.

PR 24809
* dwarf.c (display_debug_names): Display the contents of the
augmentation string, if it is printable.



[Bug binutils/24809] objcopy to not add SECTION symbols if section .note.gnu.gold-version present

2019-07-25 Thread nickc at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24809

Nick Clifton  changed:

   What|Removed |Added

 CC||nickc at redhat dot com

--- Comment #4 from Nick Clifton  ---
(In reply to cvs-com...@gcc.gnu.org from comment #3)
> The master branch has been updated by Nick Clifton :
> 
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> h=48467cb99b04c9d908ce2dd74422c9c3f322ccc3

Sorry - this is not a patch for this PR.  It was a patch submitted by a
different person called Tom, and I got confused.  Doh!

Nick



[Bug binutils/24809] objcopy to not add SECTION symbols if section .note.gnu.gold-version present

2019-07-25 Thread vries at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=24809

--- Comment #5 from Tom de Vries  ---
(In reply to Nick Clifton from comment #4)
> (In reply to cvs-com...@gcc.gnu.org from comment #3)
> > The master branch has been updated by Nick Clifton :
> > 
> > https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> > h=48467cb99b04c9d908ce2dd74422c9c3f322ccc3
>  
> Sorry - this is not a patch for this PR.  It was a patch submitted by a
> different person called Tom, and I got confused.  Doh!

Ah I see, thanks for mentioning this.  I was confused there for a bit.



[Bug binutils/24848] [Bug] When use -flto "weak symbol" are converted to "t".

2019-07-25 Thread hjl.tools at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24848

--- Comment #2 from H.J. Lu  ---
"t" and "W" are equivalent in this case since power isn't in dynamic
symbol table.



[Bug binutils/24798] buffer overflow in process_cu_tu_index

2019-07-25 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24798

Alan Modra  changed:

   What|Removed |Added

Summary|Segmentation fault in elfcomm.c|buffer overflow in process_cu_tu_index



[Bug binutils/24798] Segmentation fault in elfcomm.c

2019-07-25 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24798

Alan Modra  changed:

   What|Removed |Added

 Status|UNCONFIRMED |ASSIGNED
   Last reconfirmed||2019-07-26
   Assignee|unassigned at sourceware dot org   |amodra at gmail dot com
   Target Milestone|--- |2.33
 Ever confirmed|0   |1
   Severity|critical|normal



[Bug binutils/24798] buffer overflow in process_cu_tu_index

2019-07-25 Thread cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=24798

--- Comment #1 from cvs-commit at gcc dot gnu.org  ---
The master branch has been updated by Alan Modra :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8e2e3c6c346c1c8142e714715e5a86b32f7e31ea

commit 8e2e3c6c346c1c8142e714715e5a86b32f7e31ea
Author: Alan Modra 
Date:   Fri Jul 26 12:58:52 2019 +0930

PR24798, buffer overflow in process_cu_tu_index

PR 24798
* dwarf.c (process_cu_tu_index): Avoid integer overflow on 64-bit
systems by casting ncols and nslots expressions to size_t.  Display
number of columns and slots before giving up due to buffer overflow.
Use %u to display unsigned ints.  Perform more pointer wrap tests.

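The two readelf fixes in this digest (PR 24837, a bounds check before reading MIPS reginfo data, and PR 24798, widening ncols and nslots to size_t in process_cu_tu_index) come down to the same defensive pattern: compute the size of what you are about to read without letting the arithmetic wrap, then check that window against the section before touching it. The following is an added example written for this digest, not binutils code; it shows a wrap-safe window check and the index-table size computation in both its overflowing and its widened form, on a constructed section size and constructed header values. The function names and the numbers are this example's own.

```c
/* Added example (not binutils code): defensive checks of the kind the
   PR 24837 and PR 24798 readelf fixes describe, run against a constructed
   section size rather than a real ELF file. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* PR 24837 style check: is the window [offset, offset + len) inside a
   section of sec_size bytes?  Written as a subtraction so that
   offset + len can never wrap around. */
bool window_in_section(size_t sec_size, size_t offset, size_t len)
{
  if (offset > sec_size)
    return false;
  return len <= sec_size - offset;
}

/* PR 24798 style size computation.  A CU/TU hash index table holds
   nslots * ncols 32-bit entries.  This form multiplies two unsigned ints in
   32-bit arithmetic and only then widens the result, so the product can
   wrap to a small number before any bounds check sees it. */
size_t index_bytes_buggy(unsigned int ncols, unsigned int nslots)
{
  return ncols * nslots * 4;   /* 32-bit product, widened too late */
}

/* Corrected form: widen each operand to size_t first and reject a product
   that would not fit, so the caller's bounds check sees the real size. */
bool index_bytes_checked(unsigned int ncols, unsigned int nslots, size_t *out)
{
  size_t cols = ncols, slots = nslots;
  if (cols != 0 && slots > SIZE_MAX / cols)
    return false;
  size_t entries = cols * slots;
  if (entries > SIZE_MAX / 4)
    return false;
  *out = entries * 4;
  return true;
}

/* Both checks together: would a table starting at `offset` with the given
   header fields fit inside the section? */
bool index_table_fits(size_t sec_size, size_t offset,
                      unsigned int ncols, unsigned int nslots)
{
  size_t bytes;
  if (!index_bytes_checked(ncols, nslots, &bytes))
    return false;
  return window_in_section(sec_size, offset, bytes);
}

int main(void)
{
  /* Constructed values: a 64 KiB section and header fields chosen so that
     the 32-bit product ncols * nslots wraps to zero. */
  size_t sec_size = 65536;
  unsigned int ncols = 65536, nslots = 65536;
  printf("buggy size computation: %zu bytes\n", index_bytes_buggy(ncols, nslots));
  printf("table fits with checked size: %s\n",
         index_table_fits(sec_size, 16, ncols, nslots) ? "yes" : "no");
  printf("small table fits: %s\n",
         index_table_fits(sec_size, 16, 4, 100) ? "yes" : "no");
  return 0;
}
```

With the chosen header values the buggy computation reports a zero-byte table, which any later `offset + size <= section size` check would happily accept; the widened computation reports the true 16 GiB and the window check rejects it.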


[Bug binutils/24798] buffer overflow in process_cu_tu_index

2019-07-25 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24798

Alan Modra  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #2 from Alan Modra  ---
Fixed



[Bug gold/24853] New: OSABI not set when STT_GNU_IFUNC or STB_GNU_UNIQUE symbols output

2019-07-25 Thread amodra at gmail dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24853

Bug ID: 24853
   Summary: OSABI not set when STT_GNU_IFUNC or STB_GNU_UNIQUE symbols output
   Product: binutils
   Version: 2.33 (HEAD)
Status: NEW
  Severity: normal
  Priority: P2
 Component: gold
  Assignee: ccoutant at gmail dot com
  Reporter: amodra at gmail dot com
CC: ian at airs dot com
  Target Milestone: ---

STT_GNU_IFUNC and STB_GNU_UNIQUE are both defined in the relevant LOOS to HIOS
range.  That means interpretation of symbols with this type or binding is
dependent on the value of the header EI_OSABI byte, and that object files using
these symbols should not be created having ELFOSABI_NONE.

Since git commit df3a023bd6, readelf has not displayed "IFUNC" for object files
with ELFOSABI_NONE, exposing this bug in gold by the failure of
ver_test_pr16504.

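To make the inconsistency described in this report concrete, here is an added example (written for this digest, not gold or readelf code) that walks a symbol table and counts the symbols whose type or binding falls in the OS-specific LOOS..HIOS range while the header's EI_OSABI byte is ELFOSABI_NONE. The constants and the Elf64_Sym layout are copied from <elf.h> so no system header is needed; the header bytes and the symbol table are constructed in memory, and count_osabi_mismatches and check_sample are this example's own names.

```c
/* Added example (not gold or readelf code): flag symbols whose type or
   binding lives in the OS-specific range when the ELF header claims
   ELFOSABI_NONE, the inconsistency PR 24853 describes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in <elf.h>, copied so the example is self-contained. */
#define EI_NIDENT       16
#define EI_OSABI        7     /* index of the OSABI byte in e_ident */
#define ELFOSABI_NONE   0
#define ELFOSABI_GNU    3     /* also known as ELFOSABI_LINUX */
#define STT_OBJECT      1
#define STT_FUNC        2
#define STT_LOOS        10
#define STT_GNU_IFUNC   10    /* inside the STT_LOOS..STT_HIOS range */
#define STT_HIOS        12
#define STB_GLOBAL      1
#define STB_LOOS        10
#define STB_GNU_UNIQUE  10    /* inside the STB_LOOS..STB_HIOS range */
#define STB_HIOS        12

/* Elf64_Sym layout, matching <elf.h>. */
typedef struct {
  uint32_t st_name; unsigned char st_info; unsigned char st_other;
  uint16_t st_shndx; uint64_t st_value; uint64_t st_size;
} elf64_sym;

#define ST_BIND(info) ((info) >> 4)
#define ST_TYPE(info) ((info) & 0xf)
#define ST_INFO(bind, type) ((unsigned char)(((bind) << 4) | ((type) & 0xf)))

/* Does the interpretation of this symbol depend on the file's OSABI? */
static int symbol_is_os_specific(const elf64_sym *s)
{
  unsigned t = ST_TYPE(s->st_info), b = ST_BIND(s->st_info);
  return (t >= STT_LOOS && t <= STT_HIOS) || (b >= STB_LOOS && b <= STB_HIOS);
}

/* Count symbols that need an OSABI to be interpreted while the header
   declares none.  Zero means the file is consistent in this respect. */
size_t count_osabi_mismatches(const unsigned char e_ident[EI_NIDENT],
                              const elf64_sym *syms, size_t nsyms)
{
  if (e_ident[EI_OSABI] != ELFOSABI_NONE)
    return 0;   /* an OSABI is declared, so OS-specific symbols have a meaning */
  size_t bad = 0;
  for (size_t i = 0; i < nsyms; i++)
    if (symbol_is_os_specific(&syms[i]))
      bad++;
  return bad;
}

/* Constructed sample symbol table: a plain function, an IFUNC resolver and
   an STB_GNU_UNIQUE object. */
static const elf64_sym sample_syms[] = {
  { 1,  ST_INFO(STB_GLOBAL,     STT_FUNC),      0, 1, 0x1000, 16 },
  { 7,  ST_INFO(STB_GLOBAL,     STT_GNU_IFUNC), 0, 1, 0x1010, 32 },
  { 14, ST_INFO(STB_GNU_UNIQUE, STT_OBJECT),    0, 2, 0x2000, 8  },
};
#define SAMPLE_NSYMS (sizeof sample_syms / sizeof sample_syms[0])

/* Run the check on the sample table with a constructed e_ident. */
size_t check_sample(unsigned char osabi)
{
  unsigned char e_ident[EI_NIDENT] = { 0x7f, 'E', 'L', 'F' };
  e_ident[EI_OSABI] = osabi;
  return count_osabi_mismatches(e_ident, sample_syms, SAMPLE_NSYMS);
}

int main(void)
{
  printf("ELFOSABI_NONE: %zu symbol(s) need an OSABI\n", check_sample(ELFOSABI_NONE));
  printf("ELFOSABI_GNU:  %zu symbol(s) need an OSABI\n", check_sample(ELFOSABI_GNU));
  return 0;
}
```

The check only asks whether an OSABI is declared at all, which is exactly the condition the report states; which OSABI values actually define IFUNC and UNIQUE is a separate question that this example does not try to answer.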


[Bug binutils/24854] New: Abort in arc_insn_length

2019-07-25 Thread p.antoine at catenacyber dot fr
https://sourceware.org/bugzilla/show_bug.cgi?id=24854

Bug ID: 24854
   Summary: Abort in arc_insn_length
   Product: binutils
   Version: 2.33 (HEAD)
Status: UNCONFIRMED
  Severity: normal
  Priority: P2
 Component: binutils
  Assignee: unassigned at sourceware dot org
  Reporter: p.antoine at catenacyber dot fr
  Target Milestone: ---

Binutils version is from commit d8f68fcb9378b5ab1c945fa676e11da15be56dd6

I have been fuzzing binutils disassembler, you can find the fuzz target here
https://github.com/google/oss-fuzz/pull/2617

This crash comes quickly:
Function `arc_insn_length` calls `abort`.
It seems to me that this function should return failure instead of aborting.

Patch could then be
```
diff --git a/opcodes/arc-dis.c b/opcodes/arc-dis.c
index ee598918..0b9024a6 100644
--- a/opcodes/arc-dis.c
+++ b/opcodes/arc-dis.c
@@ -668,9 +668,8 @@ arc_insn_length (bfd_byte msb, bfd_byte lsb, struct
disassemble_info *info)
   return (major_opcode > 0x7) ? 2 : 4;
   break;

-default:
-  abort ();
 }
+  return 0;
 }

 /* Extract and return the value of OPERAND from the instruction whose value
@@ -1059,6 +1058,9 @@ print_insn_arc (bfd_vma memaddr,

   insn_len = arc_insn_length (buffer[highbyte], buffer[lowbyte], info);
   pr_debug ("instruction length = %d bytes\n", insn_len);
+  if (insn_len == 0) {
+return 0;
+  }
   arc_infop = info->private_data;
   arc_infop->insn_len = insn_len;
```
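Review bot: in the arc_insn_length hunk, removing the `default: abort ();` arm and falling out of the switch to `return 0;` turns an unreachable state into a sentinel value that every caller must now test, and this patch only updates print_insn_arc; a short comment above `return 0;` stating that 0 means "no valid instruction length" would make that contract visible to any other caller. The `break;` following `return (major_opcode > 0x7) ? 2 : 4;` in the surrounding context is already dead and could go in the same change.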
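Review bot: in the print_insn_arc hunk, `return 0;` tells the caller that zero bytes were consumed, which is not the failure convention a libopcodes print_insn routine uses (a negative return after reporting the problem through the disassemble_info callbacks); a caller that advances by the return value would not move past the undecodable bytes. Consider returning -1, or printing the bytes as data and returning the smallest instruction size so disassembly resumes after them. The brace placement and the indentation of `return 0;` inside the new `if` also do not match the GNU style of the surrounding code (opening brace on its own line, body indented two further spaces).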

To reproduce the bug, you can run the following commands after having Docker
installed:
```
git clone --branch binutils --depth 1 https://github.com/catenacyber/oss-fuzz
cd oss-fuzz
python infra/helper.py build_image binutils
python infra/helper.py build_fuzzers --sanitizer address binutils
echo -n -e "\xfc\x37\x34\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2b" > reproducer
python infra/helper.py reproduce binutils fuzz_disassemble reproducer
```

Stack trace is then:
```
==8==ERROR: AddressSanitizer: ABRT on unknown address 0x0008 (pc 0x7f9f36838428 bp 0x7ffe730737d0 sp 0x7ffe73073678 T0)
SCARINESS: 10 (signal)
#0 0x7f9f36838427 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x35427)
#1 0x7f9f3683a029 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37029)
#2 0x5abd97 in arc_insn_length /src/binutils-gdb/opcodes/arc-dis.c:672:7
#3 0x5a8b8c in print_insn_arc /src/binutils-gdb/opcodes/arc-dis.c:1060:14
#4 0x4c8dde in LLVMFuzzerTestOneInput /src/binutils-gdb/fuzz/fuzz_disassemble.c:68:13
```

The reproducer means for the fuzz target:
```
disasm_info.arch = 0x2b;
disasm_info.mach = 0;
disasm_info.flavour = 0;
disasm_info.buffer = {0xfc, 0x37, 0x34, 0x73};
disasm_info.buffer_length = 4;
```



Re: Abort in arc_insn_length

2019-07-25 Thread Philippe Antoine
Hi Nick and all,

Thank you.
I created the following bug :
https://sourceware.org/bugzilla/show_bug.cgi?id=24854

Cheers,
Philippe

> Le 25 juil. 2019 à 16:51, Nick Clifton  a écrit :
> 
> Hi Philippe,
> 
>> Function arc_insn_length calls abort
>> Binutils version is from commit d8f68fcb9378b5ab1c945fa676e11da15be56dd6
>> It seems to me that this function should return failure instead of aborting
>> The patch could be as attached.
> 
> Please could you file this bug report here:
> 
>  https://sourceware.org/bugzilla/enter_bug.cgi?product=binutils
> 
> If you could include the test case that triggers the problem as well
> as your proposed patch that would really help.
> 
> Cheers
>  Nick


