[Bug ld/20241] New: plugin lto + archive: invalid read access might cause SIGSEGV
https://sourceware.org/bugzilla/show_bug.cgi?id=20241

Bug ID: 20241
Summary: plugin lto + archive: invalid read access might cause SIGSEGV
Product: binutils
Version: 2.27 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: frederic.germain at gmail dot com
Target Milestone: ---

Hi,

I got that bug on ld.bfd on the arm-none-eabi-binutils-cs toolchain on Fedora when using LTO on an archive file:
https://bugzilla.redhat.com/show_bug.cgi?id=1343670

After further investigation and the help of valgrind, it seems some bad memory accesses are made in add_archive_element, and can cause a strange log (if the --verbose option is present) or SIGSEGV depending on which toolchain I tried.

It is still happening on HEAD, so opening a bug here.

==15446== Invalid read of size 8
==15446==    at 0x4175C8: add_archive_element (ldmain.c:866)
==15446==    by 0x46F070: elf_link_add_archive_symbols (elflink.c:5050)
==15446==    by 0x46F070: bfd_elf_link_add_symbols (elflink.c:5106)
==15446==    by 0x411203: load_symbols (ldlang.c:2863)
==15446==    by 0x411DB4: open_input_bfds (ldlang.c:3320)
==15446==    by 0x411C76: open_input_bfds (ldlang.c:3275)
==15446==    by 0x414219: lang_process (ldlang.c:6685)
==15446==    by 0x40374C: main (ldmain.c:418)
==15446==  Address 0x59712c0 is 192 bytes inside a block of size 256 free'd
==15446==    at 0x4C29CF0: free (vg_replace_malloc.c:530)
==15446==    by 0x42F53E: bfd_close (opncls.c:743)
==15446==    by 0x41F3C4: plugin_maybe_claim (plugin.c:890)
==15446==    by 0x4174EA: add_archive_element (ldmain.c:809)
==15446==    by 0x46F070: elf_link_add_archive_symbols (elflink.c:5050)
==15446==    by 0x46F070: bfd_elf_link_add_symbols (elflink.c:5106)
==15446==    by 0x411203: load_symbols (ldlang.c:2863)
==15446==    by 0x411DB4: open_input_bfds (ldlang.c:3320)
==15446==    by 0x411C76: open_input_bfds (ldlang.c:3275)
==15446==    by 0x414219: lang_process (ldlang.c:6685)
==15446==    by 0x40374C: main (ldmain.c:418)
==15446==  Block was alloc'd at
==15446==    at 0x4C2A988: calloc (vg_replace_malloc.c:711)
==15446==    by 0x42E142: bfd_zmalloc (libbfd.c:317)
==15446==    by 0x42EFCA: _bfd_new_bfd (opncls.c:61)
==15446==    by 0x42F197: bfd_fopen (opncls.c:197)
==15446==    by 0x423D96: _bfd_get_elt_at_filepos (archive.c:685)
==15446==    by 0x46F029: elf_link_add_archive_symbols (elflink.c:5041)
==15446==    by 0x46F029: bfd_elf_link_add_symbols (elflink.c:5106)
==15446==    by 0x411203: load_symbols (ldlang.c:2863)
==15446==    by 0x411DB4: open_input_bfds (ldlang.c:3320)
==15446==    by 0x411C76: open_input_bfds (ldlang.c:3275)
==15446==    by 0x414219: lang_process (ldlang.c:6685)
==15446==    by 0x40374C: main (ldmain.c:418)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/20241] plugin lto + archive: invalid read access might cause SIGSEGV
https://sourceware.org/bugzilla/show_bug.cgi?id=20241

--- Comment #2 from Frédéric Germain ---

So sorry, it's indeed the trace from arm-none-eabi-binutils-cs-2.25-2.fc23.src.rpm, so a 2.25 version.

I made more tests on HEAD. Actually, the bug happens only on thin archives (T option in ar). Here is a simple script to be able to get into this condition:

    echo -e "int main(int argc, const char** argv){ return 0;}\n\n" > prog.c
    gcc -flto -c prog.c -o prog.o
    rm -f prog.a && gcc-ar crsT prog.a prog.o
    gcc -flto prog.a -Wl,-fuse-ld=bfd -Wl,--verbose

I used "strace -f -s 256 -v gcc -flto prog.a -Wl,-fuse-ld=bfd -Wl,--verbose 2>&1 | grep execve" to get the ld command that is run by gcc.

==24927== Invalid read of size 8
==24927==    at 0x41E0D0: vfinfo (ldmisc.c:233)
==24927==    by 0x41E727: info_msg (ldmisc.c:452)
==24927==    by 0x418E81: add_archive_element (ldmain.c:902)
==24927==    by 0x4EB5155: elf_link_add_archive_symbols (elflink.c:5306)
==24927==    by 0x4EB5155: bfd_elf_link_add_symbols (elflink.c:5362)
==24927==    by 0x412F8F: load_symbols (ldlang.c:2874)
==24927==    by 0x413B0E: open_input_bfds (ldlang.c:3323)
==24927==    by 0x416039: lang_process (ldlang.c:6826)
==24927==    by 0x405363: main (ldmain.c:415)
==24927==  Address 0x578e270 is 208 bytes inside a block of size 280 free'd
==24927==    at 0x4C29CF0: free (vg_replace_malloc.c:530)
==24927==    by 0x4E85AA6: bfd_close (opncls.c:745)
==24927==    by 0x421E74: plugin_maybe_claim (plugin.c:1207)
==24927==    by 0x418D52: add_archive_element (ldmain.c:802)
==24927==    by 0x4EB5155: elf_link_add_archive_symbols (elflink.c:5306)
==24927==    by 0x4EB5155: bfd_elf_link_add_symbols (elflink.c:5362)
==24927==    by 0x412F8F: load_symbols (ldlang.c:2874)
==24927==    by 0x413B0E: open_input_bfds (ldlang.c:3323)
==24927==    by 0x416039: lang_process (ldlang.c:6826)
==24927==    by 0x405363: main (ldmain.c:415)
==24927==  Block was alloc'd at
==24927==    at 0x4C28BF6: malloc (vg_replace_malloc.c:299)
==24927==    by 0x4E7FD62: bfd_malloc (libbfd.c:184)
==24927==    by 0x4E7FF0D: bfd_zmalloc (libbfd.c:269)
==24927==    by 0x4E8551A: _bfd_new_bfd (opncls.c:61)
==24927==    by 0x4E85717: bfd_fopen (opncls.c:199)
==24927==    by 0x4E77347: open_nested_file (archive.c:390)
==24927==    by 0x4E7810A: _bfd_get_elt_at_filepos (archive.c:699)
==24927==    by 0x4EB5109: elf_link_add_archive_symbols (elflink.c:5297)
==24927==    by 0x4EB5109: bfd_elf_link_add_symbols (elflink.c:5362)
==24927==    by 0x412F8F: load_symbols (ldlang.c:2874)
==24927==    by 0x413B0E: open_input_bfds (ldlang.c:3323)
==24927==    by 0x416039: lang_process (ldlang.c:6826)
==24927==    by 0x405363: main (ldmain.c:415)
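The valgrind traces in the report and in comment #2 describe one ordering problem: add_archive_element hands the element's bfd to plugin_maybe_claim, the plugin claims it and bfd_close() frees the block, and the --verbose message is then formatted (info_msg/vfinfo) from the freed object. The following C model is an added illustration, not binutils code; the names (struct elt, mock_close, plugin_claim_model, add_element_unsafe, add_element_safe) are hypothetical stand-ins, and mock_close poisons the object instead of really freeing it so that the stale read has a deterministic, observable result rather than undefined behaviour. It shows the buggy "log after claim" ordering beside the hardened "snapshot before claim" ordering.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the bfd of one archive element. */
struct elt {
    char filename[64];
    int closed;   /* set by mock_close so a read-after-close is observable */
};

/* Stand-in for bfd_close(): instead of returning the memory to the
   allocator (which would make the stale read undefined behaviour), it
   poisons the object so what the buggy path logs is deterministic.
   Real ld frees the block here, which is what valgrind reported. */
static void mock_close(struct elt *e)
{
    strcpy(e->filename, "<freed>");
    e->closed = 1;
}

/* Stand-in for plugin_maybe_claim(): when the LTO plugin claims the
   element, the element's bfd is closed before control returns. */
static int plugin_claim_model(struct elt *e, int plugin_wants_it)
{
    if (plugin_wants_it) {
        mock_close(e);
        return 1;
    }
    return 0;
}

/* Buggy ordering (the shape of the reported --verbose path): the message
   is formatted from the element after the plugin may have closed it, so
   e->filename is read from released memory. */
static const char *add_element_unsafe(struct elt *e, int plugin_wants_it,
                                      char *out, size_t outlen)
{
    int claimed = plugin_claim_model(e, plugin_wants_it);
    snprintf(out, outlen, "%s (%s)", e->filename,
             claimed ? "claimed" : "not claimed");
    return out;
}

/* Hardened ordering: copy everything the log line needs while the object
   is still known to be live, then hand ownership to the plugin. */
static const char *add_element_safe(struct elt *e, int plugin_wants_it,
                                    char *out, size_t outlen)
{
    char name[sizeof e->filename];
    memcpy(name, e->filename, sizeof name);
    int claimed = plugin_claim_model(e, plugin_wants_it);
    snprintf(out, outlen, "%s (%s)", name,
             claimed ? "claimed" : "not claimed");
    return out;
}

/* Constructed sample element; "prog.o" mirrors the repro in comment #2. */
static struct elt *make_elt(const char *name)
{
    struct elt *e = calloc(1, sizeof *e);
    if (e == NULL)
        return NULL;
    snprintf(e->filename, sizeof e->filename, "%s", name);
    return e;
}

int main(void)
{
    char buf[128];
    struct elt *e = make_elt("prog.o");
    printf("unsafe: %s\n", add_element_unsafe(e, 1, buf, sizeof buf));
    free(e);
    e = make_elt("prog.o");
    printf("safe:   %s\n", add_element_safe(e, 1, buf, sizeof buf));
    free(e);
    return 0;
}
```

With a real allocator the unsafe path is exactly what valgrind flagged above: the read lands inside a block freed by bfd_close under plugin_maybe_claim. The hardened variant is one of two standard fixes for this shape of bug (the other being to emit the message before the call that may release the object); either way the rule is that nothing dereferences an object after a callee that may own and destroy it has returned.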
[Bug ld/20241] plugin lto + archive: invalid read access might cause SIGSEGV
https://sourceware.org/bugzilla/show_bug.cgi?id=20241

--- Comment #5 from Frédéric Germain ---

(In reply to H.J. Lu from comment #3)
> Please try users/hjl/lto-mixed/master branch to see if it works.

Got the same problem on that branch:

==20063== Invalid read of size 8
==20063==    at 0x41F8A0: vfinfo (ldmisc.c:233)
==20063==    by 0x41FEF7: info_msg (ldmisc.c:452)
==20063==    by 0x41A561: add_archive_element (ldmain.c:885)
==20063==    by 0x40A46B5: elf_link_add_archive_symbols (elflink.c:5306)
==20063==    by 0x40A46B5: bfd_elf_link_add_symbols (elflink.c:5362)
==20063==    by 0x4142F6: load_symbols (ldlang.c:2894)
==20063==    by 0x414EFE: open_input_bfds (ldlang.c:3343)
==20063==    by 0x417429: lang_process (ldlang.c:6846)
==20063==    by 0x405879: main (ldmain.c:391)
==20063==  Address 0x54487e8 is 216 bytes inside a block of size 288 free'd
==20063==    at 0x4C29CF0: free (vg_replace_malloc.c:530)
==20063==    by 0x4075116: bfd_close (opncls.c:745)
==20063==    by 0x423674: plugin_maybe_claim (plugin.c:1213)
==20063==    by 0x41A436: add_archive_element (ldmain.c:783)
==20063==    by 0x40A46B5: elf_link_add_archive_symbols (elflink.c:5306)
==20063==    by 0x40A46B5: bfd_elf_link_add_symbols (elflink.c:5362)
==20063==    by 0x4142F6: load_symbols (ldlang.c:2894)
==20063==    by 0x414EFE: open_input_bfds (ldlang.c:3343)
==20063==    by 0x417429: lang_process (ldlang.c:6846)
==20063==    by 0x405879: main (ldmain.c:391)
==20063==  Block was alloc'd at
==20063==    at 0x4C28BF6: malloc (vg_replace_malloc.c:299)
==20063==    by 0x406F3D2: bfd_malloc (libbfd.c:184)
==20063==    by 0x406F57D: bfd_zmalloc (libbfd.c:269)
==20063==    by 0x4074B8A: _bfd_new_bfd (opncls.c:61)
==20063==    by 0x4074D87: bfd_fopen (opncls.c:199)
==20063==    by 0x4066897: open_nested_file (archive.c:390)
==20063==    by 0x406765A: _bfd_get_elt_at_filepos (archive.c:699)
==20063==    by 0x40A4669: elf_link_add_archive_symbols (elflink.c:5297)
==20063==    by 0x40A4669: bfd_elf_link_add_symbols (elflink.c:5362)
==20063==    by 0x4142F6: load_symbols (ldlang.c:2894)
==20063==    by 0x414EFE: open_input_bfds (ldlang.c:3343)
==20063==    by 0x417429: lang_process (ldlang.c:6846)
==20063==    by 0x405879: main (ldmain.c:391)