[Bug gas/23040] .uleb128 directive doesn't accept some valid expressions
https://sourceware.org/bugzilla/show_bug.cgi?id=23040 --- Comment #2 from cvs-commit at gcc dot gnu.org --- The master branch has been updated by Alan Modra : https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=38cf168be5816b098cc05abffc482fc905db86a2 commit 38cf168be5816b098cc05abffc482fc905db86a2 Author: Alan Modra Date: Sat Oct 20 22:22:37 2018 +1030 PR23040, .uleb128 directive doesn't accept some valid expressions What a trip down a rabbit hole this bug has been. First observation: You can't use deferred_expression in s_leb128. deferred_expression implements the semantics of .eqv or '==', saving an expression with minimal simplification for assignment to a symbol so that the expression is evaluated at uses of the symbol. In particular, the value of "dot" is not evaluated at the .eqv symbol assignment, but later. When s_leb128 uses deferred_expression, "later" is at the end of assembly, giving entirely the wrong value of "dot". There is no way to fix this for the s_leb128 use without breaking .equ (which incidentally was already somewhat broken, see commit e4c2619ad1). So, don't use deferred_expression in s_leb128. But that leads to the gas test elf/dwarf2-17 failing, because view symbols are calculated with a chain of expression symbols. In the dwarf2-17 .L1 case there is a "temp_sym_1 > temp_sym_2" expression, with temp_sym_1 and temp_sym_2 on either side of a ".balign". Since ".balign" and many other directives moving "dot" are not calculated on the first (and only) pass over source, .L1 cannot be calculated until final addresses are assigned to frags. However, ".uleb128 .L1" *is* calculated immediately, resulting in the wrong value. The reason why .L1 is calculated immediately is that code in expr.c:operand after the comment /* If we have an absolute symbol or a reg, then we know its value now. */ does as it says and fixes the value of .L1, because .L1 is assigned to absolute_section in dwarf2dbg.c:set_or_check_view. So, correct that to expr_section. Unfortunately that fix leads to failure of the elf/dwarf2-5 test with ../gas/elf/dwarf2-5.s: Error: attempt to get value of unresolved symbol `.L5' ../gas/elf/dwarf2-5.s: Error: attempt to get value of unresolved symbol `.L11' ../gas/elf/dwarf2-5.s: Error: attempt to get value of unresolved symbol `.L12' So why is that? Well, it turns out that .L5 is defined in terms of .L4, and apparently .L4 is undefined. But .L4 clearly is defined, otherwise we would hit an error when trying to use .L4 a little earlier. There are two copies of .L4! So, symbols are cloned when that should not happen. Symbol cloning is a technique used by gas to support saving the value of symbols that change between uses, but that isn't the case with .L4. Only one value is set and used for .L4, but indeed .L4 was being cloned by symbol_clone_if_forward_ref. This despite no forward refs being present. Also, .L4 is a local symbol and a cursory glance at symbol_clone_if_forward_ref "if (symbolP && !LOCAL_SYMBOL_CHECK (symbolP))" would seem to prevent cloning of local symbols. All is not as it seems though, a curse of using macros. LOCAL_SYMBOL_CHECK modifies its argument if a "struct local_symbol" is converted to the larger "struct symbol", as happens when assigning a view symbol value. That fact results in the recursive call to symbol_clone_if_forward_ref returning a different address for "add_symbol". This problem could have been fixed by using symbol_same_p rather than comparing symbol pointers, but I thought it better to use the real symbol throughout. Note that symbol_find_exact also returns the real symbol for a converted local symbol. Finally, this patch does expose lack of support for forward symbol definitions in various targets. For example: alpha-linux +ERROR: ../ld/testsuite/ld-elf/pr11138-2.c: compilation failed This is caused by view symbol uses. On alpha-linux-gcc (GCC) 8.1.1 20180502 they happen to occur in .byte directives so were silently broken in cases like elf/dwarf2-17 anyway. /tmp/ccvtsMfU.s: Assembler messages: /tmp/ccvtsMfU.s: Fatal error: unhandled relocation type BFD_RELOC_8 /tmp/ccvtsMfU.s: Fatal error: unhandled relocation type BFD_RELOC_8 md_apply_fix on those targets needs to handle fixups that resolve down to a constant. PR 23040 * symbols.c (get_real_sym): New function. (symbol_same_p): Use get_real_sym. (symbol_clone_if_forward_ref): Save real original add_symbol and op_symbol for comparison against that returned from lookup or recursive calls. * dwarf2dbg.c (set_or_check_view): Use expr_section for expression symbols, not absolute_section. (dwarf2_directive_loc): Check
[Bug ld/23806] NULL Pointer Dereference problem was discovered in function merge_strings() in merge.c in bfd
https://sourceware.org/bugzilla/show_bug.cgi?id=23806 wcventure changed: What|Removed |Added Summary|Invalid Address Read|NULL Pointer Dereference |problem was discovered in |problem was discovered in |function merge_strings() in |function merge_strings() in |merge.c in bfd |merge.c in bfd -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23805] NULL Pointer Dereference exists in the function elf_link_input_bfd() in merge.c
https://sourceware.org/bugzilla/show_bug.cgi?id=23805 wcventure changed: What|Removed |Added Summary|An Invalid Memory Address |NULL Pointer Dereference |Dereference exists in the |exists in the function |function|elf_link_input_bfd() in |elf_link_input_bfd() in |merge.c |merge.c | -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23806] New: Invalid Address Read problem was discovered in function merge_strings() in merge.c in bfd
https://sourceware.org/bugzilla/show_bug.cgi?id=23806 Bug ID: 23806 Summary: Invalid Address Read problem was discovered in function merge_strings() in merge.c in bfd Product: binutils Version: 2.31 Status: UNCONFIRMED Severity: normal Priority: P2 Component: ld Assignee: unassigned at sourceware dot org Reporter: wcventure at 126 dot com Target Milestone: --- Created attachment 11358 --> https://sourceware.org/bugzilla/attachment.cgi?id=11358=edit POC Hi, there. An Invalid Memory Address Dereference problem was discovered in function merge_strings() in merge.c in bfd of binutils 2.31 the latest code base. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too. Please use the "./ld -E $POC" to reproduce the bug. The ASAN dumps the stack trace as follows: > ASAN:DEADLYSIGNAL > = > ==7821==ERROR: AddressSanitizer: SEGV on unknown address 0x0028 (pc > 0x0109f0a5 bp 0x7ffd27ebac70 sp 0x7ffd27eba4e0 T0) > #0 0x109f0a4 in merge_strings bintuils_gdb/bfd/merge.c:712:32 > #1 0x10979ce in _bfd_merge_sections bintuils_gdb/bfd/merge.c:762:9 > #2 0xba24d3 in _bfd_elf_merge_sections bintuils_gdb/bfd/elflink.c:7398:5 > #3 0x589ea4 in lang_process bintuils_gdb/ld/ldlang.c:7543:7 > #4 0x5fd19c in main bintuils_gdb/ld/./ldmain.c:438:3 > #5 0x7f6f3917682f in __libc_start_main > /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 > #6 0x419638 in _start > (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_ASAN_O0/build/bin/ld+0x419638) > > AddressSanitizer can not provide additional info. > SUMMARY: AddressSanitizer: SEGV bintuils_gdb/bfd/merge.c:712:32 in > merge_strings > ==7821==ABORTING > Aborted -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23805] New: An Invalid Memory Address Dereference exists in the function elf_link_input_bfd() in merge.c
https://sourceware.org/bugzilla/show_bug.cgi?id=23805 Bug ID: 23805 Summary: An Invalid Memory Address Dereference exists in the function elf_link_input_bfd() in merge.c Product: binutils Version: 2.31 Status: UNCONFIRMED Severity: normal Priority: P2 Component: ld Assignee: unassigned at sourceware dot org Reporter: wcventure at 126 dot com Target Milestone: --- Created attachment 11357 --> https://sourceware.org/bugzilla/attachment.cgi?id=11357=edit POC Hi, there. An Invalid Memory Address Dereference problem was discovered in function elf_link_input_bfd in merge.c in bfd of binutils 2.31 the latest code base. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too. Please use the "./ld -E $POC" to reproduce the bug. The ASAN dumps the stack trace as follows: > ASAN:DEADLYSIGNAL > = > ==23971==ERROR: AddressSanitizer: SEGV on unknown address 0x0028 (pc > 0x00bdbbe8 bp 0x7fffab7d10f0 sp 0x7fffab7cede0 T0) > #0 0xbdbbe7 in elf_link_input_bfd > /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/bfd/elflink.c:10492:65 > #1 0xbbec24 in bfd_elf_final_link > /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/bfd/elflink.c:12158:11 > #2 0x60b09d in ldwrite > /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/ld/ldwrite.c:581:8 > #3 0x5fdaf9 in main > /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/ld/./ldmain.c:454:3 > #4 0x7f0026f3982f in __libc_start_main > /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 > #5 0x419638 in _start > (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_ASAN_O0/build/bin/ld+0x419638) > > AddressSanitizer can not provide additional info. > SUMMARY: AddressSanitizer: SEGV > /media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_ASAN_O0/bfd/elflink.c:10492:65 > in elf_link_input_bfd > ==23971==ABORTING > Aborted -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug binutils/23804] New: Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E"
https://sourceware.org/bugzilla/show_bug.cgi?id=23804 Bug ID: 23804 Summary: Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E" Product: binutils Version: 2.31 Status: UNCONFIRMED Severity: normal Priority: P2 Component: binutils Assignee: unassigned at sourceware dot org Reporter: wcventure at 126 dot com Target Milestone: --- Created attachment 11355 --> https://sourceware.org/bugzilla/attachment.cgi?id=11355=edit POC1 Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E" Hi, there. A Heap-buffer-overflow problem was discovered in function Sec_merge_hash_lookup in merge.c of binutils 2.31. This problem can be reproduced in the latest code base, too. A crafted ELF input can cause segment faults and I have confirmed them with address sanitizer too. Please use the "./ld -E $POC" to reproduce the bug. The ASAN dumps the stack trace as follows: > ==6219==ERROR: AddressSanitizer: heap-buffer-overflow on address > 0x7fafe4eca898 at pc 0x010a46ef bp 0x7fffeb302450 sp 0x7fffeb302448 > READ of size 1 at 0x7fafe4eca898 thread T0 > #0 0x10a46ee in sec_merge_hash_lookup bintuils_gdb/bfd/merge.c:166:7 > #1 0x10a685d in sec_merge_add bintuils_gdb/bfd/merge.c:268:11 > #2 0x10996e5 in record_section bintuils_gdb/bfd/merge.c:488:12 > #3 0x10974ed in _bfd_merge_sections bintuils_gdb/bfd/merge.c:751:13 > #4 0xba24d3 in _bfd_elf_merge_sections bintuils_gdb/bfd/elflink.c:7398:5 > #5 0x589ea4 in lang_process bintuils_gdb/ld/ldlang.c:7543:7 > #6 0x5fd19c in main bintuils_gdb/ld/./ldmain.c:438:3 > #7 0x7fafe409382f in __libc_start_main > /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 > #8 0x419638 in _start > (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_ASAN_O0/build/bin/ld+0x419638) > > 0x7fafe4eca898 is located 0 bytes to the right of 131224-byte region > [0x7fafe4eaa800,0x7fafe4eca898) > allocated by thread T0 here: > #0 0x4b9748 in malloc > (/media/hjwang/01D3344861A8D2E0/wcventure/Project/binutils_latest_ASAN_O0/build/bin/ld+0x4b9748) > #1 0x12a243c in _objalloc_alloc bintuils_gdb/libiberty/./objalloc.c:143:22 > #2 0x83a238 in bfd_alloc bintuils_gdb/bfd/opncls.c:949:9 > #3 0x1094f3a in _bfd_add_merge_section bintuils_gdb/bfd/merge.c:432:15 > #4 0xba1cd4 in _bfd_elf_merge_sections bintuils_gdb/bfd/elflink.c:7389:12 > #5 0x589ea4 in lang_process bintuils_gdb/ld/ldlang.c:7543:7 > #6 0x5fd19c in main bintuils_gdb/ld/./ldmain.c:438:3 > #7 0x7fafe409382f in __libc_start_main > /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 > > SUMMARY: AddressSanitizer: heap-buffer-overflow > bintuils_gdb/bfd/merge.c:166:7 in sec_merge_hash_lookup > Shadow bytes around the buggy address: > 0x0ff67c9d14c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0ff67c9d14d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0ff67c9d14e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0ff67c9d14f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 0x0ff67c9d1500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > =>0x0ff67c9d1510: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa > 0x0ff67c9d1520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0ff67c9d1530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0ff67c9d1540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0ff67c9d1550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0ff67c9d1560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap right redzone: fb > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user:f7 > Container overflow: fc > Array cookie:ac > Intra object redzone:bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone:cb > ==6219==ABORTING > Aborted -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug binutils/23804] Heap-buffer-overflow problem in function Sec_merge_hash_lookup in merge.c, as demonstrated by "ld -E"
https://sourceware.org/bugzilla/show_bug.cgi?id=23804 --- Comment #1 from wcventure --- Created attachment 11356 --> https://sourceware.org/bugzilla/attachment.cgi?id=11356=edit POC2 Please use the "./ld -E $POC" to reproduce the bug. This bug was discovered by NTU Cyber-Security-Lab. If you have any questions, please let me know. -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23803] __init_array_end - __init_array_start < 0
https://sourceware.org/bugzilla/show_bug.cgi?id=23803 --- Comment #8 from schorsch_76 at gmx dot de --- Toolchain Info: georg@M4700-vm:~/Downloads/gcc-arm-none-eabi-7-2018-q2-update/bin$ ./arm-none-eabi-gcc --version arm-none-eabi-gcc (GNU Tools for Arm Embedded Processors 7-2018-q2-update) 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907] Copyright (C) 2017 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. georg@M4700-vm:~/Downloads/gcc-arm-none-eabi-7-2018-q2-update/bin$ ./arm-none-eabi-ld --version GNU ld (GNU Tools for Arm Embedded Processors 7-2018-q2-update) 2.30.0.20180329 Copyright (C) 2018 Free Software Foundation, Inc. This program is free software; you may redistribute it under the terms of the GNU General Public License version 3 or (at your option) a later version. This program has absolutely no warranty. -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23803] __init_array_end - __init_array_start < 0
https://sourceware.org/bugzilla/show_bug.cgi?id=23803 schorsch_76 at gmx dot de changed: What|Removed |Added Target||arm Host||x86_64 -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23803] __init_array_end - __init_array_start < 0
https://sourceware.org/bugzilla/show_bug.cgi?id=23803 --- Comment #7 from schorsch_76 at gmx dot de --- Created attachment 11354 --> https://sourceware.org/bugzilla/attachment.cgi?id=11354=edit New Makefile with s/(MCU)/(CPU)/g -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23803] __init_array_end - __init_array_start < 0
https://sourceware.org/bugzilla/show_bug.cgi?id=23803 --- Comment #5 from schorsch_76 at gmx dot de --- The project doesnt run, it is just as much scaled down to show this behaviour. -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23803] __init_array_end - __init_array_start < 0
https://sourceware.org/bugzilla/show_bug.cgi?id=23803 --- Comment #6 from schorsch_76 at gmx dot de --- Ops: I hade a small error in the specified makefile: Here is the update. I had MCU instead of CPU variable used. But the __init_array_start is still greater than __init_array_end. -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23803] __init_array_end - __init_array_start < 0
https://sourceware.org/bugzilla/show_bug.cgi?id=23803 --- Comment #4 from schorsch_76 at gmx dot de --- Created attachment 11353 --> https://sourceware.org/bugzilla/attachment.cgi?id=11353=edit Linker script -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23803] __init_array_end - __init_array_start < 0
https://sourceware.org/bugzilla/show_bug.cgi?id=23803 --- Comment #3 from schorsch_76 at gmx dot de --- Created attachment 11352 --> https://sourceware.org/bugzilla/attachment.cgi?id=11352=edit Startup File for MCU -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23803] __init_array_end - __init_array_start < 0
https://sourceware.org/bugzilla/show_bug.cgi?id=23803 --- Comment #2 from schorsch_76 at gmx dot de --- Created attachment 11351 --> https://sourceware.org/bugzilla/attachment.cgi?id=11351=edit Makefile -- You are receiving this mail because: You are on the CC list for the bug. ___ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug ld/23803] New: __init_array_end - __init_array_start < 0
https://sourceware.org/bugzilla/show_bug.cgi?id=23803
Bug ID: 23803
Summary: __init_array_end - __init_array_start < 0
Product: binutils
Version: 2.30
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: schorsch_76 at gmx dot de
Target Milestone: ---
The C++ Objects get instantiated from __libc_init_array. On this MCU it is
newlib. It initialize the c++ objects like this
https://github.com/redox-os/newlib/blob/master/newlib/libc/misc/init.c
/* Iterate over all the init routines. */
void
__libc_init_array (void)
{
size_t count;
size_t i;
count = __preinit_array_end - __preinit_array_start;
for (i = 0; i < count; i++)
__preinit_array_start[i] ();
_init ();
count = __init_array_end - __init_array_start;
for (i = 0; i < count; i++)
__init_array_start[i] ();
}
on my MCU (in the reset handler) i use gdb to print these variables, but they
are like this:
#0 0x0800017c in Reset_Handler ()
(gdb) print __init_array_start
$1 = 134218568
(gdb) p __init_array_end
$2 = 134217996
(gdb) p __init_array_end - __init_array_start
$3 = -572
As count is an size_t it is unsigned and the loop doesn't stop. But end should
be greater than start in any case.
I created a very minimalistic c++ Project on Stm32F103RBT6 with the toolchain
from arm. It uses binutils and also tried different other compilers. like from
debian but all show this behaviour.
--- Comment #1 from schorsch_76 at gmx dot de ---
Created attachment 11350
--> https://sourceware.org/bugzilla/attachment.cgi?id=11350=edit
main.cpp
--
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
