[Bug ld/27180] RISC-V far relocations for auipc instructions may cause segfault with --emit-relocs
https://sourceware.org/bugzilla/show_bug.cgi?id=27180

Nelson Chu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nelsonc1225 at sourceware dot org

--- Comment #1 from Nelson Chu ---
Created attachment 13402
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13402&action=edit
Proposed solution

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug ld/27180] RISC-V far relocations for auipc instructions may cause segfault with --emit-relocs
https://sourceware.org/bugzilla/show_bug.cgi?id=27180

Nelson Chu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #13402   |application/mbox            |text/plain
          mime type|                            |
Attachment #13402 is|0                           |1
              patch|                            |
[Bug ld/27180] RISC-V far relocations for auipc instructions may cause segfault with --emit-relocs
https://sourceware.org/bugzilla/show_bug.cgi?id=27180

--- Comment #2 from Nelson Chu ---
Hi Julius,

Thanks for reporting this. Your assumption is correct: the PCREL relocs are
converted to direct-access relocs, but we don't update them in the relocation
table, so we get a segmentation fault when --emit-relocs is set.

Attached is my proposed solution, without full testing. My idea is to try to
update the PCREL relocs and their referenced symbols to the corresponding
HI20/LO12_I/S relocs and the correct target symbols. But there is a problem for
R_RISCV_GOT_HI20 + PCREL_LO12. If we convert it to HI20 + LO12, then we should
update the symbol to the GOT entry (maybe we need to add one, but it seems hard
to get the dynindx or ...). Alternatively, we could probably encode the symbol
value into the r_addend directly, without referring to a symbol, like the
RELATIVE relocs do. I don't know which one is better, so I just report the
dangerous relocs for those changed R_RISCV_GOT_HI20, rather than report a
segmentation fault.
[Bug binutils/27594] build processes broken by changed space handling
https://sourceware.org/bugzilla/show_bug.cgi?id=27594

Martin Storsjö changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin at martin dot st

--- Comment #2 from Martin Storsjö ---
+1, there's precedent that windres takes this parameter as a
supposedly-pre-quoted/escaped string that is passed as-is to popen().

The same also goes for other preprocessor arguments, like -D and
--preprocessor-arg - they are passed almost (will elaborate below) as-is on to
popen(). This means that any caller that wants to pass e.g. a define for a
quoted string needs to escape quotes doubly - see e.g.
https://git.savannah.gnu.org/gitweb/?p=libiconv.git;a=blob;f=windows/windres-options;h=779fddec305d1e78f1e5c3123683b3c380e4a82e;hb=4b1a76b8e7f718fb23eb1a48cd1be208cfff6c2a
for an example of projects in the wild doing extra escaping when passing
defines to windres.

A minimal example of that double quoting:

$ cat test1.rc
STRINGTABLE {
1 STRING1
}
$ x86_64-w64-mingw32-windres -DSTRING1=\"foo\" test1.rc
x86_64-w64-mingw32-windres: test1.rc:2: syntax error
$ x86_64-w64-mingw32-windres -DSTRING1=\\\"foo\\\" test1.rc
[..snip..]
STRINGTABLE MOVEABLE PURE DISCARDABLE
BEGIN
  1, "foo"
END

Windres does try to escape one kind of char in the provided argument strings;
it tries to escape spaces with a backslash. Unfortunately, as the shells
(invoked by popen) differ between unix and windows (one can't backslash escape
spaces in windows command lines, the argument has to be quoted), this only
actually works when run on unix:

$ x86_64-w64-mingw32-windres "-DSTRING1=\\\"foo bar\\\"" test1.rc
[..snip..]
STRINGTABLE MOVEABLE PURE DISCARDABLE
BEGIN
  1, "foo bar"
END

If you try to run the same on windows (built as mingw executables), it fails:

$ windres test1.rc "-DSTRING1=\\\"foo bar\\\""
gcc: error: bar": Invalid argument
C:\msys64\mingw64\bin\windres.exe: preprocessing failed.
Furthermore, other things differ between how shells interpret things in popen():

$ x86_64-w64-mingw32-windres -DSTRING1=\\\"foobar\\\" test1.rc -v
Using `x86_64-w64-mingw32-gcc -E -xc -DRC_INVOKED -DSTRING1=\"foobar\" test1.rc'
Using popen to read preprocessor output
[..snip..]
STRINGTABLE MOVEABLE PURE DISCARDABLE
BEGIN
  1, "foo\\bar"
END

But on windows:

$ windres test1.rc -DSTRING1=\\\"foobar\\\" -v
[..snip..]
STRINGTABLE MOVEABLE PURE DISCARDABLE
BEGIN
  1, "foobar"
END
Using `C:\msys64\mingw64\bin\gcc -E -xc -DRC_INVOKED -DSTRING1=\"foobar\" test1.rc'

The last few are hypothetical. However, the habit of double-escaping quotes for
such strings exists in the wild, and should be documented as such. The fact
that it differs between platforms exactly how one should do the double escaping
is problematic too, when it comes to more complicated strings.

(I recently implemented llvm-windres, and went to some lengths to mimic the GNU
windres behaviour of these options, to make it work as a drop-in replacement
for how existing projects in the wild call windres.)
[Bug binutils/27594] build processes broken by changed space handling
https://sourceware.org/bugzilla/show_bug.cgi?id=27594

--- Comment #3 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5edb8e3f5ad8d74a83fc0df7f6e4514eed0aa77f

commit 5edb8e3f5ad8d74a83fc0df7f6e4514eed0aa77f
Author: Nick Clifton
Date:   Thu Apr 29 13:11:29 2021 +0100

    Correct the text describing windres's --processor option.

        PR 27594
        * doc/binutils.texi (windres): Correct the description of the default
        value of the --preprocessor argument.
[Bug binutils/27594] build processes broken by changed space handling
https://sourceware.org/bugzilla/show_bug.cgi?id=27594

Nick Clifton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nickc at redhat dot com

--- Comment #4 from Nick Clifton ---
Created attachment 13403
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13403&action=edit
Proposed patch

Is anyone able to try out this patch as a possible workaround for this issue?
It implements Thomas' suggestion that a space followed by a dash not be
considered as a reason for quoting the preprocessor command string.
[Bug binutils/27594] build processes broken by changed space handling
https://sourceware.org/bugzilla/show_bug.cgi?id=27594

--- Comment #5 from Thomas Wolff ---
Unfortunately the patch doesn't fix the issue, as it only decides how to handle
the whole string but does not break at that position.
Also please note Johannes' suggestion to prefer a more state-of-the-art
approach. My suggestion is to first revert the regression and then implement
quote detection as he suggested.
[Bug binutils/27792] New: [nm] heap buffer overflow found in bfd/som.c:4805
https://sourceware.org/bugzilla/show_bug.cgi?id=27792

            Bug ID: 27792
           Summary: [nm] heap buffer overflow found in bfd/som.c:4805
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13404
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13404&action=edit
crash test case

Hello,

I report a heap buffer overflow detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

==8812==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0d694 at pc 0x0057991d bp 0x7fffdc60 sp 0x7fffd400
READ of size 1 at 0x60c0d694 thread T0
    #0 0x57991c in strncmp (.../afl++/subjects_friend/nm/nm.san+0x57991c)
    #1 0x6a0682 in startswith .../subjects/binutils-gdb/bfd/./bfd.h:547:10
    #2 0x6a0682 in som_slurp_symbol_table .../subjects/binutils-gdb/bfd/som.c:4805:16
    #3 0x697b9c in som_get_symtab_upper_bound .../subjects/binutils-gdb/bfd/som.c:4594:8
    #4 0x63a723 in _bfd_generic_read_minisymbols .../subjects/binutils-gdb/bfd/syms.c:805:15
    #5 0xe7d8bd in display_rel_file .../subjects/binutils-gdb/binutils/nm.c:1177:14
    #6 0xe7cdde in display_file .../subjects/binutils-gdb/binutils/nm.c:1446:7
    #7 0xe7bfac in main .../subjects/binutils-gdb/binutils/nm.c:1965:12
    #8 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x5661a9 in _start (.../afl++/subjects_friend/nm/nm.san+0x5661a9)

You can reproduce the bug by executing ./nm -C

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.

Thanks
[Bug binutils/27793] New: [nm] segv in bfd.h:1233
https://sourceware.org/bugzilla/show_bug.cgi?id=27793

            Bug ID: 27793
           Summary: [nm] segv in bfd.h:1233
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13405
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13405&action=edit
crash test case

Hello,

I report a SEGV detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

==6834==ERROR: AddressSanitizer: SEGV on unknown address 0x0029 (pc 0x00697f76 bp 0x62a007f0 sp 0x7fffdc40 T0)
==6834==The signal is caused by a READ memory access.
==6834==Hint: address points to the zero page.
    #0 0x697f76 in bfd_is_com_section .../subjects/binutils-gdb/bfd/./bfd.h:1233:39
    #1 0x697f76 in som_decode_symclass .../subjects/binutils-gdb/bfd/som.c:5843:7
    #2 0x697f76 in som_get_symbol_info .../subjects/binutils-gdb/bfd/som.c:5893:15
    #3 0xe7f43e in print_symbol .../subjects/binutils-gdb/binutils/nm.c:939:3
    #4 0xe7ebe6 in print_symbols .../subjects/binutils-gdb/binutils/nm.c:1152:7
    #5 0xe7ebe6 in display_rel_file .../subjects/binutils-gdb/binutils/nm.c:1279:5
    #6 0xe7cdde in display_file .../subjects/binutils-gdb/binutils/nm.c:1446:7
    #7 0xe7bfac in main .../subjects/binutils-gdb/binutils/nm.c:1965:12
    #8 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x5661a9 in _start (.../afl++/subjects_friend/nm/nm.san+0x5661a9)

You can reproduce the bug by executing ./nm -C

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.

Thanks
[Bug binutils/27794] New: [nm] heap-buffer-overflow in bfd.c:2389
https://sourceware.org/bugzilla/show_bug.cgi?id=27794

            Bug ID: 27794
           Summary: [nm] heap-buffer-overflow in bfd.c:2389
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13406
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13406&action=edit
crash test case

Hello,

I report a heap buffer overflow detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

==6874==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00240 at pc 0x0057b4f4 bp 0x7fffdaf0 sp 0x7fffd2b0
READ of size 2 at 0x60c00240 thread T0
    #0 0x57b4f3 in strchr (.../afl++/subjects_friend/nm/nm.san+0x57b4f3)
    #1 0xe31a8e in bfd_demangle .../subjects/binutils-gdb/bfd/bfd.c:2389:9
    #2 0xe31775 in print_symname .../subjects/binutils-gdb/binutils/nm.c:456:15
    #3 0xe7f607 in print_symbol .../subjects/binutils-gdb/binutils/nm.c:968:3
    #4 0xe7ebe6 in print_symbols .../subjects/binutils-gdb/binutils/nm.c:1152:7
    #5 0xe7ebe6 in display_rel_file .../subjects/binutils-gdb/binutils/nm.c:1279:5
    #6 0xe7cdde in display_file .../subjects/binutils-gdb/binutils/nm.c:1446:7
    #7 0xe7bfac in main .../subjects/binutils-gdb/binutils/nm.c:1965:12
    #8 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x5661a9 in _start (.../afl++/subjects_friend/nm/nm.san+0x5661a9)

You can reproduce the bug by executing ./nm -C

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.

Thanks
[Bug binutils/27795] New: [nm] heap-buffer-overflow in bfd/coff-rs6000.c:1699
https://sourceware.org/bugzilla/show_bug.cgi?id=27795

            Bug ID: 27795
           Summary: [nm] heap-buffer-overflow in bfd/coff-rs6000.c:1699
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13407
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13407&action=edit
crash test case

Hello,

I report a heap buffer overflow detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

==20505==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f002c7 at pc 0x0049521a bp 0x7fffdf30 sp 0x7fffd6f8
WRITE of size 112 at 0x60f002c7 thread T0
    #0 0x495219 in __asan_memcpy (.../subjects_asan/nm/nm.san+0x495219)
    #1 0xd4ba3b in _bfd_xcoff_read_ar_hdr .../subjects/binutils-gdb/bfd/coff-rs6000.c:1699:7
    #2 0x4d7726 in _bfd_get_elt_at_filepos .../subjects/binutils-gdb/bfd/archive.c:667:44
    #3 0xd4c7e4 in _bfd_xcoff_openr_next_archived_file .../subjects/binutils-gdb/bfd/coff-rs6000.c:1763:10
    #4 0x4d87f3 in bfd_openr_next_archived_file .../subjects/binutils-gdb/bfd/archive.c:811:10
    #5 0x4c96fb in display_archive .../subjects/binutils-gdb/binutils/nm.c:1372:16
    #6 0x4c6bf2 in display_file .../subjects/binutils-gdb/binutils/nm.c:1440:7
    #7 0x4c656c in main .../subjects/binutils-gdb/binutils/nm.c:1965:12
    #8 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41bea9 in _start (.../subjects_asan/nm/nm.san+0x41bea9)

You can reproduce the bug by executing ./nm -C

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.

Thanks
[Bug binutils/27796] New: [readelf] Attempting free on wrong address in binutils/dwarf.c:11590
https://sourceware.org/bugzilla/show_bug.cgi?id=27796

            Bug ID: 27796
           Summary: [readelf] Attempting free on wrong address in binutils/dwarf.c:11590
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13408
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13408&action=edit
crash test case

Hello,

I report a wrong free detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

==12151==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x61601283 in thread T0
    #0 0x3bc29d in free (.../afl++/subjects_friend/readelf/readelf.san+0x3bc29d)
    #1 0x46650a in free_debug_memory .../subjects/binutils-gdb/binutils/dwarf.c:11590:7
    #2 0x46650a in process_object .../subjects/binutils-gdb/binutils/readelf.c:21425:3
    #3 0x461678 in process_file .../subjects/binutils-gdb/binutils/readelf.c:21791:13
    #4 0x461678 in main .../subjects/binutils-gdb/binutils/readelf.c:21862:11
    #5 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x3426b9 in _start (.../afl++/subjects_friend/readelf/readelf.san+0x3426b9)

You can reproduce the bug by executing ./readelf -a

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.

Thanks
[Bug binutils/27797] New: [size] attempting double-free on bfd/mach-o.c:5978
https://sourceware.org/bugzilla/show_bug.cgi?id=27797

            Bug ID: 27797
           Summary: [size] attempting double-free on bfd/mach-o.c:5978
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Hello,

I report a double free detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

You can reproduce the bug by executing ./readelf -a

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.

Thanks
[Bug binutils/27797] [size] attempting double-free on bfd/mach-o.c:5978
https://sourceware.org/bugzilla/show_bug.cgi?id=27797

--- Comment #1 from Ahcheong Lee ---
Created attachment 13409
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13409&action=edit
crash test case
[Bug binutils/27798] New: [size] heap-buffer-overflow on bfd/coff-rs6000.c:1699
https://sourceware.org/bugzilla/show_bug.cgi?id=27798

            Bug ID: 27798
           Summary: [size] heap-buffer-overflow on bfd/coff-rs6000.c:1699
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13410
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13410&action=edit
crash test case

Hello,

I report a heap-buffer-overflow detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

==22140==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f002c5 at pc 0x004951ca bp 0x7fffe1d0 sp 0x7fffd998
WRITE of size 112 at 0x60f002c5 thread T0
    #0 0x4951c9 in __asan_memcpy (.../subjects_asan/size/size.san+0x4951c9)
    #1 0xd3c7cb in _bfd_xcoff_read_ar_hdr .../subjects/binutils-gdb/bfd/coff-rs6000.c:1699:7
    #2 0x4cf476 in _bfd_get_elt_at_filepos .../subjects/binutils-gdb/bfd/archive.c:667:44
    #3 0x8cf947 in xcoff64_openr_next_archived_file .../subjects/binutils-gdb/bfd/coff64-rs6000.c:1933:10
    #4 0x4d0543 in bfd_openr_next_archived_file .../subjects/binutils-gdb/bfd/archive.c:811:10
    #5 0x4c6a5f in display_archive .../subjects/binutils-gdb/binutils/size.c:381:16
    #6 0x4c6816 in display_file .../subjects/binutils-gdb/binutils/size.c:430:5
    #7 0x4c6412 in main .../subjects/binutils-gdb/binutils/size.c:258:7
    #8 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41be59 in _start (.../subjects_asan/size/size.san+0x41be59)

You can reproduce the bug by executing ./size

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.

Thanks
[Bug binutils/27797] [size] attempting double-free on bfd/mach-o.c:5978
https://sourceware.org/bugzilla/show_bug.cgi?id=27797

--- Comment #2 from Ahcheong Lee ---
Sorry about the wrong comment. The crash stack trace is:

==14202==ERROR: AddressSanitizer: attempting double-free on 0x61900580 in thread T0:
    #0 0x5d809d in free (.../afl++/subjects_friend/size/size.san+0x5d809d)
    #1 0x7a433a in bfd_mach_o_core_fetch_environment .../subjects/binutils-gdb/bfd/bfdio.c
    #2 0x7a433a in bfd_mach_o_core_file_failing_command .../subjects/binutils-gdb/bfd/mach-o.c:5978:9
    #3 0xe2ae15 in bfd_core_file_failing_command .../subjects/binutils-gdb/bfd/corefile.c:58:10
    #4 0xe2ae15 in display_bfd .../subjects/binutils-gdb/binutils/size.c:352:18
    #5 0xe2a98e in display_file .../subjects/binutils-gdb/binutils/size.c:432:5
    #6 0xe29ad3 in main .../subjects/binutils-gdb/binutils/size.c:258:7
    #7 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x55e4b9 in _start (.../afl++/subjects_friend/size/size.san+0x55e4b9)

You can reproduce by ./size
[Bug binutils/27799] New: [size] heap-buffer-overflow on bfd/libbfd.c:548
https://sourceware.org/bugzilla/show_bug.cgi?id=27799

            Bug ID: 27799
           Summary: [size] heap-buffer-overflow on bfd/libbfd.c:548
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13411
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13411&action=edit
crash test case

Hello,

I report a double free detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

==22808==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000d5 at pc 0x004fab69 bp 0x7fffcd40 sp 0x7fffcd38
READ of size 1 at 0x607000d5 thread T0
    #0 0x4fab68 in bfd_getl16 .../subjects/binutils-gdb/bfd/libbfd.c:548:11
    #1 0x13b486a in elf_xtensa_grok_prstatus .../subjects/binutils-gdb/bfd/elf32-xtensa.c:3747:36
    #2 0x5fffa3 in elfcore_grok_note .../subjects/binutils-gdb/bfd/elf.c:10326:6
    #3 0x59bfd9 in elf_parse_notes .../subjects/binutils-gdb/bfd/elf.c:12205:13
    #4 0x5affba in elf_read_notes .../subjects/binutils-gdb/bfd/elf.c:12254:8
    #5 0x721d07 in _bfd_elf32_core_find_build_id .../subjects/binutils-gdb/bfd/./elfcore.h:411:4
    #6 0x5afe93 in _bfd_elf_core_find_build_id .../subjects/binutils-gdb/bfd/elf.c:3030:12
    #7 0x5af9a9 in bfd_section_from_phdr .../subjects/binutils-gdb/bfd/elf.c:3049:2
    #8 0x720ed1 in bfd_elf32_core_file_p .../subjects/binutils-gdb/bfd/./elfcore.h:285:11
    #9 0x4f402a in bfd_check_format_matches .../subjects/binutils-gdb/bfd/format.c:343:17
    #10 0x4c6ce6 in display_bfd .../subjects/binutils-gdb/binutils/size.c:345:7
    #11 0x4c6824 in display_file .../subjects/binutils-gdb/binutils/size.c:432:5
    #12 0x4c6412 in main .../subjects/binutils-gdb/binutils/size.c:258:7
    #13 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x41be59 in _start (.../subjects_asan/size/size.san+0x41be59)

You can reproduce the bug by executing ./size

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.
[Bug binutils/27800] New: [size] heap-buffer-overflow on bfd/archive.c:667
https://sourceware.org/bugzilla/show_bug.cgi?id=27800

            Bug ID: 27800
           Summary: [size] heap-buffer-overflow on bfd/archive.c:667
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13412
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13412&action=edit
crash test case

Hello,

I report a double free detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

==19714==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f002c7 at pc 0x004951ca bp 0x7fffe130 sp 0x7fffd8f8
WRITE of size 112 at 0x60f002c7 thread T0
    #0 0x4951c9 in __asan_memcpy (.../subjects_asan/size/size.san+0x4951c9)
    #1 0xd3c7cb in _bfd_xcoff_read_ar_hdr .../subjects/binutils-gdb/bfd/coff-rs6000.c:1699:7
    #2 0x4cf476 in _bfd_get_elt_at_filepos .../subjects/binutils-gdb/bfd/archive.c:667:44
    #3 0xd3d574 in _bfd_xcoff_openr_next_archived_file .../subjects/binutils-gdb/bfd/coff-rs6000.c:1763:10
    #4 0x4d0543 in bfd_openr_next_archived_file .../subjects/binutils-gdb/bfd/archive.c:811:10
    #5 0x4c6a5f in display_archive .../subjects/binutils-gdb/binutils/size.c:381:16
    #6 0x4c6816 in display_file .../subjects/binutils-gdb/binutils/size.c:430:5
    #7 0x4c6412 in main .../subjects/binutils-gdb/binutils/size.c:258:7
    #8 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41be59 in _start (.../subjects_asan/size/size.san+0x41be59)

You can reproduce the bug by executing ./size

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.

Thanks
[Bug binutils/27801] New: [size] heap-buffer-overflow on bfd/mach-o.c:5934
https://sourceware.org/bugzilla/show_bug.cgi?id=27801

            Bug ID: 27801
           Summary: [size] heap-buffer-overflow on bfd/mach-o.c:5934
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13413
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13413&action=edit
crash test case

Hello,

I report a double free detected by address sanitizer.
I found this test input by fuzz testing.
The stack trace is as follows:

==3915==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400071 at pc 0x01442705 bp 0x7fffe3a0 sp 0x7fffe398
READ of size 8 at 0x60400071 thread T0
    #0 0x1442704 in bfd_mach_o_core_fetch_environment ...//subjects/binutils-gdb/bfd/mach-o.c:5934:11
    #1 0x1442dae in bfd_mach_o_core_file_failing_command ...//subjects/binutils-gdb/bfd/mach-o.c:5978:9
    #2 0x4ed8e6 in bfd_core_file_failing_command ...//subjects/binutils-gdb/bfd/corefile.c:58:10
    #3 0x4c6d42 in display_bfd ...//subjects/binutils-gdb/binutils/size.c:352:18
    #4 0x4c6824 in display_file ...//subjects/binutils-gdb/binutils/size.c:432:5
    #5 0x4c6412 in main ...//subjects/binutils-gdb/binutils/size.c:258:7
    #6 0x76e22bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41be59 in _start (...//subjects_asan/size/size.san+0x41be59)

You can reproduce the bug by executing ./size

I tested the subject on the latest version uploaded on git, built with
--disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all configure options.

Thanks
[Bug binutils/27792] [nm] heap buffer overflow found in bfd/som.c:4805
https://sourceware.org/bugzilla/show_bug.cgi?id=27792

Nick Clifton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org |nickc at redhat dot com
                 CC|                            |nickc at redhat dot com
   Last reconfirmed|                            |2021-04-29
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED
[Bug binutils/27792] [nm] heap buffer overflow found in bfd/som.c:4805
https://sourceware.org/bugzilla/show_bug.cgi?id=27792

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063e75c9e4307d21b787a71b6d5b61a2560f5073

commit 063e75c9e4307d21b787a71b6d5b61a2560f5073
Author: Nick Clifton
Date:   Thu Apr 29 17:41:43 2021 +0100

    Fix illegal memory accesses when parsing a corrupt SOM format file.

        PR 27792
        * som.c (som_slurp_string_table): Place a terminating NUL byte at
        the end of the table.
        (som_slurp_symbol_table): Check for an over-large offset into the
        string table.
[Bug binutils/27792] [nm] heap buffer overflow found in bfd/som.c:4805
https://sourceware.org/bugzilla/show_bug.cgi?id=27792

Nick Clifton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #2 from Nick Clifton ---
Hi Ahcheong,

Thanks for reporting this problem. I have checked in a patch to fix the
illegal memory access.

Cheers
Nick
[Bug binutils/27793] [nm] segv in bfd.h:1233
https://sourceware.org/bugzilla/show_bug.cgi?id=27793

Nick Clifton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nickc at redhat dot com
     Ever confirmed|0                           |1
           Assignee|unassigned at sourceware dot org |nickc at redhat dot com
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2021-04-29
[Bug binutils/27793] [nm] segv in bfd.h:1233
https://sourceware.org/bugzilla/show_bug.cgi?id=27793

--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=09e40e44ad05822ed72f6ad720b5e75ea2a8fc67

commit 09e40e44ad05822ed72f6ad720b5e75ea2a8fc67
Author: Nick Clifton
Date:   Thu Apr 29 17:55:43 2021 +0100

    Fix an access through a null pointer when parsing a corrupt SOM format file.

        PR 27793
        * som.c (som_slurp_symbol_table): Assign symbols without any scope
        to the undefined section.
        (som_decode_symclass): Check for a missing symbol section.
        * syms.c (bfd_decode_symclass): Likewise.
[Bug binutils/27793] [nm] segv in bfd.h:1233
https://sourceware.org/bugzilla/show_bug.cgi?id=27793

--- Comment #2 from Nick Clifton ---
Hi Ahcheong,

Thanks for reporting this bug. I have checked in a patch to test for the NULL
pointer, and to prevent such a pointer being assigned in the first place.

Cheers
Nick
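The two commit messages above (27792 and 27793) describe the same defensive pattern for a symbol-table reader: NUL-terminate the loaded string table and bound every name offset against it, and never let a symbol carry a NULL section pointer into classification. The following C program is an added illustration of that pattern, not BFD or SOM code; the record layout, section names and the embedded file image are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical on-disk symbol record (an assumption, not the SOM layout):
   name_off indexes the string table, scope 0 means "no scope". */
struct raw_sym {
    uint32_t name_off;
    uint32_t scope;
};

/* Minimal section descriptor. A static "undefined" section stands in for the
   real one so that a resolved symbol never carries a NULL section pointer. */
struct section {
    const char *name;
    int is_common;
};
static const struct section undef_section = { "*UND*", 0 };
static const struct section text_section  = { ".text", 0 };

struct sym {
    const char *name;
    const struct section *sec;
};

/* Copy the string table out of the file image and append a terminating NUL so
   that a name running off the end of the table cannot read past the buffer
   (the "terminating NUL byte at the end of the table" half of the 27792 fix). */
static char *slurp_string_table(const uint8_t *image, size_t image_len,
                                size_t off, size_t len, size_t *out_len)
{
    if (off > image_len || len > image_len - off)
        return NULL;                 /* table does not fit inside the file */
    char *table = malloc(len + 1);
    if (table == NULL)
        return NULL;
    memcpy(table, image + off, len);
    table[len] = '\0';
    *out_len = len;
    return table;
}

/* Resolve one raw symbol: reject an over-large name offset (27792) and give a
   scope-less symbol the undefined section instead of NULL (27793). */
static int resolve_symbol(const struct raw_sym *raw, const char *strtab,
                          size_t strtab_len, struct sym *out)
{
    if (raw->name_off >= strtab_len)
        return -1;                   /* offset points outside the table */
    out->name = strtab + raw->name_off;
    out->sec  = raw->scope == 0 ? &undef_section : &text_section;
    return 0;
}

/* nm-style class letter. The NULL check is the second half of the 27793 fix:
   it stays safe even if a caller hands in a symbol that skipped resolution. */
static char symbol_class(const struct sym *s)
{
    if (s->sec == NULL)
        return '?';
    if (s->sec == &undef_section)
        return 'U';
    return s->sec->is_common ? 'C' : 'T';
}

/* Constructed file image: a 12-byte string table "main\0helper\0" and three
   raw symbols, the last of which points far beyond the end of the table. */
static const uint8_t IMAGE[] = "main\0helper\0";
#define IMAGE_LEN (sizeof IMAGE - 1)
static const struct raw_sym RAW[] = { { 0, 1 }, { 5, 0 }, { 40, 1 } };
#define NRAW (sizeof RAW / sizeof RAW[0])

/* Runs the hardened reader over the constructed image. Returns the number of
   accepted symbols; class_out[i] gets the class letter, or '-' if rejected. */
static int read_constructed_image(char class_out[NRAW])
{
    size_t len;
    char *strtab = slurp_string_table(IMAGE, IMAGE_LEN, 0, IMAGE_LEN, &len);
    if (strtab == NULL)
        return -1;
    int accepted = 0;
    for (size_t i = 0; i < NRAW; i++) {
        struct sym s;
        if (resolve_symbol(&RAW[i], strtab, len, &s) == 0) {
            class_out[i] = symbol_class(&s);
            accepted++;
        } else {
            class_out[i] = '-';
        }
    }
    free(strtab);
    return accepted;
}

/* Single-symbol accessor so one result can be checked without a buffer. */
static char class_of(size_t i)
{
    char classes[NRAW];
    if (i >= NRAW || read_constructed_image(classes) < 0)
        return 0;
    return classes[i];
}

int main(void)
{
    char classes[NRAW];
    int n = read_constructed_image(classes);
    for (size_t i = 0; i < NRAW; i++)
        printf("symbol %zu: class %c\n", i, classes[i]);
    printf("%d of %zu symbols accepted\n", n, (size_t) NRAW);
    return 0;
}
```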