Bug 7059 - Wrong COFF_LONG_SECTION_NAMES handling
Summary: Wrong COFF_LONG_SECTION_NAMES handling
Status: VERIFIED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: gas
Version: 2.20
Importance: P2 normal
Target Milestone: ---
Assignee: Dave Korn
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-29 16:53 UTC by Petr Bauch
Modified: 2009-02-22 13:17 UTC
CC: 2 users

See Also:
Host:
Target: i686-pc-mingw32
Build:
Last reconfirmed:


Attachments
Fix s_name field overflow. (833 bytes, patch)
2009-02-17 16:52 UTC, Dave Korn

Description Petr Bauch 2008-11-29 16:53:10 UTC
I am trying to cross-compile DiVinE-MC
(http://divine.fi.muni.cz/page.php?page=divine-mc) into a Win32 environment at
this moment. I am using CMake to put the tool together and MinGW to compile it.
The preprocessed source is slightly bigger (1.9MB) so I can't attach it anyway.
I might try to make it smaller but since it is "buffer
overflow", I am afraid that size actually matters in this case. If it turns out
to be necessary to send it, I will try to find out how. So here it is:

as version:

GNU assembler version 2.18.50 (i686-pc-mingw32) using BFD version (GNU Binutils)
2.18.50.20080109

compiler version:

Using built-in specs.
Target: i686-pc-mingw32
Configured with: ../configure --prefix=/usr --bindir=/usr/bin
--includedir=/usr/include --libdir=/usr/lib --mandir=/usr/share/man
--infodir=/usr/share/info --datadir=/usr/share --build=i686-pc-linux-gnu
--host=i686-pc-linux-gnu --target=i686-pc-mingw32 --with-gnu-as --with-gnu-ld
--verbose --without-newlib --disable-multilib --with-system-zlib --disable-nls
--without-included-gettext --disable-win32-registry
--enable-version-specific-runtime-libs
--with-sysroot=/usr/i686-pc-mingw32/sys-root --enable-languages=c,c++
Thread model: win32
gcc version 4.3.2 (GCC)

the compiler output:

[ 97%] Building CXX object tools/CMakeFiles/divine-mc.dir/divine-mc.obj
*** buffer overflow detected ***: /usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x435ce8]
/lib/libc.so.6[0x433de0]
/lib/libc.so.6[0x4334d8]
/lib/libc.so.6(_IO_default_xsputn+0xc8)[0x3aae48]
/lib/libc.so.6(_IO_vfprintf+0x14dc)[0x37ec2c]
/lib/libc.so.6(__vsprintf_chk+0xa7)[0x433587]
/lib/libc.so.6(__sprintf_chk+0x2d)[0x4334cd]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x808deab]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x807e678]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x805ac27]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x804bee3]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x80ddb55]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x80ddbf1]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x804bd40]
/lib/libc.so.6(__libc_start_main+0xe6)[0x3555d6]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x8049521]
======= Memory map: ========
00110000-00111000 r-xp 00110000 00:00 0          [vdso]
002bc000-002c9000 r-xp 00000000 08:06 3597572    /lib/libgcc_s-4.3.0-20080428.so.1
002c9000-002ca000 rw-p 0000c000 08:06 3597572    /lib/libgcc_s-4.3.0-20080428.so.1
0031f000-0033b000 r-xp 00000000 08:06 3597547    /lib/ld-2.8.so
0033b000-0033c000 r--p 0001c000 08:06 3597547    /lib/ld-2.8.so
0033c000-0033d000 rw-p 0001d000 08:06 3597547    /lib/ld-2.8.so
0033f000-004a2000 r-xp 00000000 08:06 3597548    /lib/libc-2.8.so
004a2000-004a4000 r--p 00163000 08:06 3597548    /lib/libc-2.8.so
004a4000-004a5000 rw-p 00165000 08:06 3597548    /lib/libc-2.8.so
004a5000-004a8000 rw-p 004a5000 00:00 0 
08048000-0811e000 r-xp 00000000 08:06 475462     /usr/i686-pc-mingw32/bin/as
0811e000-08120000 rw-p 000d5000 08:06 475462     /usr/i686-pc-mingw32/bin/as
08120000-0812d000 rw-p 08120000 00:00 0 
09eb1000-0d7f5000 rw-p 09eb1000 00:00 0          [heap]
b7f0c000-b80d5000 rw-p b7f0c000 00:00 0 
b80e9000-b80ea000 rw-p b80e9000 00:00 0 
bf9d4000-bf9e9000 rw-p bffeb000 00:00 0          [stack]
i686-pc-mingw32-g++: Internal error: Aborted (program as)
Please submit a full bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.

the command line:

/usr/bin/i686-pc-mingw32-g++      -I/home/hydergine/divine-mc-1.3
-I/home/hydergine/divine-mc-1.3/_build
-I/home/hydergine/divine-mc-1.3/divine/legacy   -O2 -DNDEBUG
-fomit-frame-pointer -save-temps CMakeFiles/divine-mc.dir/divine-mc.obj  -o
divine-mc.exe -Wl,--out-implib,libdivine-mc.dll.a
-Wl,--major-image-version,0,--minor-image-version,0  ../divine/libdivine.a
../wibble/libwibble.a -lregex -lwsock32
Comment 1 H.J. Lu 2008-11-29 20:01:56 UTC
Please provide tools/CMakeFiles/divine-mc.dir/divine-mc.s as well as
the assembler command options used to reproduce the bug.
Comment 2 Petr Bauch 2008-12-02 18:12:36 UTC
The 'divine-mc.s' file is almost 27 MB and I am not sure how to find out the
assembler command option.

Comment 3 H.J. Lu 2008-12-02 18:30:54 UTC
(In reply to comment #2)
> The 'divine-mc.s' file has almost 27 MBs and I am not sure how to find out the
> assembler command option.

You can bzip divine-mc.s and put it somewhere or email it to me directly.
You can upload the output of

# gcc -c -v divine-mc.s
Comment 4 Petr Bauch 2008-12-02 22:58:52 UTC
The gunzipped 'divine-mc.s' has been sent to your e-mail. I wasn't sure which
compiler I was to use, so I tried both:
$ i686-pc-mingw32-g++ -c -v divine-mc.s
Using built-in specs.
Target: i686-pc-mingw32
Configured with: ../configure --prefix=/usr --bindir=/usr/bin
--includedir=/usr/include --libdir=/usr/lib --mandir=/usr/share/man
--infodir=/usr/share/info --datadir=/usr/share --build=i686-pc-linux-gnu
--host=i686-pc-linux-gnu --target=i686-pc-mingw32 --with-gnu-as --with-gnu-ld
--verbose --without-newlib --disable-multilib --with-system-zlib --disable-nls
--without-included-gettext --disable-win32-registry
--enable-version-specific-runtime-libs
--with-sysroot=/usr/i686-pc-mingw32/sys-root --enable-languages=c,c++
Thread model: win32
gcc version 4.3.2 (GCC) 
COLLECT_GCC_OPTIONS='-c' '-v' '-mtune=generic'
 /usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as -v -o
divine-mc.o divine-mc.s
GNU assembler version 2.18.50 (i686-pc-mingw32) using BFD version (GNU Binutils)
2.18.50.20080109
*** buffer overflow detected ***:
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x435ce8]
/lib/libc.so.6[0x433de0]
/lib/libc.so.6[0x4334d8]
/lib/libc.so.6(_IO_default_xsputn+0xc8)[0x3aae48]
/lib/libc.so.6(_IO_vfprintf+0x14dc)[0x37ec2c]
/lib/libc.so.6(__vsprintf_chk+0xa7)[0x433587]
/lib/libc.so.6(__sprintf_chk+0x2d)[0x4334cd]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x808deab]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x807e678]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x805ac27]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x804bee3]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x80ddb55]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x80ddbf1]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x804bd40]
/lib/libc.so.6(__libc_start_main+0xe6)[0x3555d6]
/usr/lib/gcc/i686-pc-mingw32/4.3.2/../../../../i686-pc-mingw32/bin/as[0x8049521]
======= Memory map: ========
00110000-00111000 r-xp 00110000 00:00 0          [vdso]
002bc000-002c9000 r-xp 00000000 08:06 3597572    /lib/libgcc_s-4.3.0-20080428.so.1
002c9000-002ca000 rw-p 0000c000 08:06 3597572    /lib/libgcc_s-4.3.0-20080428.so.1
0031f000-0033b000 r-xp 00000000 08:06 3597547    /lib/ld-2.8.so
0033b000-0033c000 r--p 0001c000 08:06 3597547    /lib/ld-2.8.so
0033c000-0033d000 rw-p 0001d000 08:06 3597547    /lib/ld-2.8.so
0033f000-004a2000 r-xp 00000000 08:06 3597548    /lib/libc-2.8.so
004a2000-004a4000 r--p 00163000 08:06 3597548    /lib/libc-2.8.so
004a4000-004a5000 rw-p 00165000 08:06 3597548    /lib/libc-2.8.so
004a5000-004a8000 rw-p 004a5000 00:00 0 
08048000-0811e000 r-xp 00000000 08:06 475462     /usr/i686-pc-mingw32/bin/as
0811e000-08120000 rw-p 000d5000 08:06 475462     /usr/i686-pc-mingw32/bin/as
08120000-0812d000 rw-p 08120000 00:00 0 
091f8000-0d02c000 rw-p 091f8000 00:00 0          [heap]
b7d5c000-b7f25000 rw-p b7d5c000 00:00 0 
b7f39000-b7f3a000 rw-p b7f39000 00:00 0 
bf925000-bf93a000 rw-p bffeb000 00:00 0          [stack]
i686-pc-mingw32-g++: Internal error: Aborted (program as)
Please submit a full bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.

$ gcc -c -v divine-mc.s
Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla
--enable-bootstrap --enable-shared --enable-threads=posix
--enable-checking=release --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk
--disable-dssi --enable-plugin
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre
--enable-libgcj-multifile --enable-java-maintainer-mode
--with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib
--with-cpu=generic --build=i386-redhat-linux
Thread model: posix
gcc version 4.3.0 20080428 (Red Hat 4.3.0-8) (GCC) 
COLLECT_GCC_OPTIONS='-c' '-v' '-mtune=generic'
 as -V -Qy -o divine-mc.o divine-mc.s
GNU assembler version 2.18.50.0.6 (i386-redhat-linux) using BFD version version
2.18.50.0.6-2 20080403
divine-mc.s: Assembler messages:
divine-mc.s:2: Fatal error: Bad .section directive: want a,w,x,M,S,G,T in string

Comment 5 H.J. Lu 2009-01-04 19:04:25 UTC
A patch is posted at

http://sourceware.org/ml/binutils/2009-01/msg00043.html
Comment 6 H.J. Lu 2009-01-05 14:49:03 UTC
(In reply to comment #5)
> A patch is posted at
> 
> http://sourceware.org/ml/binutils/2009-01/msg00043.html

It is wrong:

http://sourceware.org/ml/binutils/2009-01/msg00049.html
Comment 7 Dave Korn 2009-02-17 15:52:55 UTC
Taking assignment.  My patch doesn't address this one, but a trivial patch on
top should do the job.
Comment 8 Dave Korn 2009-02-17 16:52:01 UTC
Created attachment 3748 [details]
Fix s_name field overflow.

Also adds an error when the table gets too large.  Now testing.
Comment 9 Sourceware Commits 2009-02-18 18:38:19 UTC
Subject: Bug 7059

CVSROOT:	/cvs/src
Module name:	src
Changes by:	davek@sourceware.org	2009-02-18 18:38:07

Modified files:
	bfd            : ChangeLog coffcode.h 

Log message:
	PR gas/7059
	* coffcode.h (coff_write_object_contents):  Don't let the string
	table offset overflow the s_name field when using long section names.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/bfd/ChangeLog.diff?cvsroot=src&r1=1.4465&r2=1.4466
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/bfd/coffcode.h.diff?cvsroot=src&r1=1.147&r2=1.148

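To make concrete what the commit above guards against, here is an added example (my own code, not binutils' coffcode.h) of the COFF long-section-name encoding. A section header's s_name field is exactly 8 bytes; a name that fits is stored inline, a longer one goes into the string table and s_name holds "/" followed by the decimal string-table offset. The field is not NUL-terminated when all 8 bytes are used, so "/" leaves room for at most 7 digits: offsets of 10,000,000 and above cannot be represented in this form, and an unchecked sprintf of "/%lu" into the field writes past it, which is what the fortified __sprintf_chk frame in the backtrace reports. The names coff_encode_long_name, coff_decode_long_name, coff_set_section_name and struct coff_strtab are hypothetical, the string table is modelled by its running size only, and the section names and the 9,999,999-byte table size are constructed inputs.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCNNMLEN 8                        /* size of the COFF s_name field */
#define COFF_MAX_DECIMAL_OFFSET 9999999UL /* largest offset that fits "/ddddddd" */

/* Write "/<offset>" into the 8-byte field.  Returns 0 on success, -1 if the
 * offset needs more than 7 digits.  The text is formatted into a scratch
 * buffer and copied without its NUL, so an 8-character encoding never spills
 * past s_name (an sprintf straight into the field would). */
int coff_encode_long_name(char s_name[SCNNMLEN], unsigned long off)
{
    char scratch[SCNNMLEN + 8];
    int n;

    if (off > COFF_MAX_DECIMAL_OFFSET)
        return -1;
    n = snprintf(scratch, sizeof scratch, "/%lu", off);
    if (n < 1 || n > SCNNMLEN)
        return -1;                        /* cannot happen after the range check */
    memset(s_name, 0, SCNNMLEN);
    memcpy(s_name, scratch, (size_t)n);
    return 0;
}

/* Parse a section header's s_name.  Returns 1 and sets *off for a
 * "/<digits>" string-table reference, 0 for an inline short name,
 * -1 for a malformed reference (reader-side check for untrusted objects). */
int coff_decode_long_name(const char s_name[SCNNMLEN], unsigned long *off)
{
    char buf[SCNNMLEN + 1];
    char *end;

    if (s_name[0] != '/')
        return 0;
    memcpy(buf, s_name, SCNNMLEN);
    buf[SCNNMLEN] = '\0';                 /* the field may use all 8 bytes */
    if (buf[1] < '0' || buf[1] > '9')
        return -1;                        /* reject sign/space that strtoul accepts */
    errno = 0;
    *off = strtoul(buf + 1, &end, 10);
    if (errno != 0 || (*end != '\0' && *end != ' '))
        return -1;
    return 1;
}

/* Offset bookkeeping for a COFF string table: a 4-byte length prefix comes
 * first, so the first string is at offset 4.  Only the running size is kept
 * here (hypothetical model); a real writer also stores the bytes. */
struct coff_strtab { unsigned long size; };

static void strtab_init(struct coff_strtab *t) { t->size = 4; }

static unsigned long strtab_add(struct coff_strtab *t, const char *name)
{
    unsigned long off = t->size;
    t->size += strlen(name) + 1;          /* strings are NUL-terminated */
    return off;
}

/* Fill s_name for section NAME the way an object writer must: inline when it
 * fits, otherwise via the string table, refusing (instead of overflowing)
 * once the table has grown past what 7 decimal digits can address. */
int coff_set_section_name(struct coff_strtab *t, const char *name,
                          char s_name[SCNNMLEN])
{
    size_t len = strlen(name);

    if (len <= SCNNMLEN) {
        memset(s_name, 0, SCNNMLEN);
        memcpy(s_name, name, len);
        return 0;
    }
    if (t->size > COFF_MAX_DECIMAL_OFFSET)
        return -1;                        /* check before mutating the table */
    return coff_encode_long_name(s_name, strtab_add(t, name));
}

int main(void)
{
    struct coff_strtab t;
    char s[SCNNMLEN];
    unsigned long off;

    strtab_init(&t);
    coff_set_section_name(&t, ".text", s);
    printf("%-8.8s  <- inline short name\n", s);
    coff_set_section_name(&t, ".debug_info", s);
    printf("%-8.8s  <- string table reference\n", s);
    if (coff_decode_long_name(s, &off) == 1)
        printf("decodes to offset %lu\n", off);

    t.size = 9999999UL;                   /* constructed: pretend the table is huge */
    coff_set_section_name(&t, ".debug_loclists", s);
    printf("%-8.8s  <- last encodable offset, no NUL left in the field\n", s);
    if (coff_set_section_name(&t, ".debug_ranges", s) != 0)
        printf("next long name refused: table size %lu needs more than 7 digits\n",
               t.size);
    return 0;
}
```

The check sits before the table is mutated, so a refused section leaves the string table consistent for an error path; the decode side is the mirror image a loader or objdump-style reader needs, since a crafted object can carry a "/" name that is not a valid number.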
Comment 10 Dave Korn 2009-02-18 18:41:18 UTC
Petr, I believe this bug is now fixed in CVS.  If you'd like to try updating
your binutils and can confirm that the bug no longer arises, please set the bug
to "verified", or reopen it if there's still a problem.

    cheers,
      DaveK
Comment 11 Petr Bauch 2009-02-22 13:17:06 UTC
Ta, patch has been verified and it works just fine now. Petr.