Created attachment 7849
maxvals.exe

Running strings, nm or objdump on one of the attached files will segfault. Here is a stack trace from address sanitizer:

==10552== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb5979be0 at pc 0x5a2d34 bp 0x7fffb5979890 sp 0x7fffb5979888
WRITE of size 8 at 0x7fffb5979be0 thread T0
    #0 0x5a2d33 in _bfd_pei_swap_aouthdr_in /tmp/binutils-2.24.90/bfd/peigen.c:513:0
    #1 0x591bf2 in pe_bfd_object_p /tmp/binutils-2.24.90/bfd/peicode.h:1339:0
    #2 0x41f10b in bfd_check_format_matches /tmp/binutils-2.24.90/bfd/format.c:305:0
    #3 0x41e28f in bfd_check_format /tmp/binutils-2.24.90/bfd/format.c:94:0
    #4 0x4038ed in strings_object_file /tmp/binutils-2.24.90/binutils/strings.c:389:0
    #5 0x403b29 in strings_file /tmp/binutils-2.24.90/binutils/strings.c:432:0
    #6 0x4034f2 in main /tmp/binutils-2.24.90/binutils/strings.c:299:0
    #7 0x7f25477b6a64 in __libc_start_main ??:0:0
    #8 0x402d58 in _start ??:0:0

These samples come from here:
https://github.com/radare/radare2-regressions/tree/master/bins/pe

I tested those after reading this comment:
http://lcamtuf.blogspot.de/2014/10/psa-dont-run-strings-on-untrusted-files.html?showComment=1414290018616&m=1#c6670003407817856261

However I'm not sure if this bug is the same as the one the commenter there is mentioning.
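As an added illustration (this is not code from binutils or from the report above): the trace shows _bfd_pei_swap_aouthdr_in writing past a stack array while copying the PE DataDirectory, and the fix that followed handles an invalid NumberOfRvaAndSizes. The C below reads the same table with the bound in place. The field offsets are the PE/COFF specification's for PE32 and PE32+; the header it parses is constructed inline rather than taken from one of the attached samples, and the function names (pe_read_datadir, pe_demo, pe_demo_count) are this example's own.

```c
/* Added example, not binutils code: a bounded reader for the PE optional
   header's DataDirectory, the table _bfd_pei_swap_aouthdr_in was copying
   in the trace above.  NumberOfRvaAndSizes says how many 8-byte entries
   follow, but the array receiving them has a fixed 16 slots
   (IMAGE_NUMBEROF_DIRECTORY_ENTRIES), so the count must be checked before
   it is used as a loop bound.  Field offsets are the PE/COFF spec's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_NUM_DIR_ENTRIES 16
#define PE32_MAGIC     0x10b   /* NumberOfRvaAndSizes at 92,  table at 96  */
#define PE32PLUS_MAGIC 0x20b   /* NumberOfRvaAndSizes at 108, table at 112 */

struct pe_datadir { uint32_t rva; uint32_t size; };
enum pe_status { PE_OK, PE_TRUNCATED, PE_BAD_MAGIC, PE_BAD_NUMRVA };

static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Read the DataDirectory from an optional header in hdr[0..len).  Fills all
   16 slots of out (unused ones zeroed) and *count.  An over-large count is
   rejected, not clamped: a real table may be shorter than 16 entries but
   can never be longer than the array that holds it. */
enum pe_status pe_read_datadir(const uint8_t *hdr, size_t len,
                               struct pe_datadir out[PE_NUM_DIR_ENTRIES],
                               uint32_t *count)
{
    size_t off_num;
    if (len < 2) return PE_TRUNCATED;
    switch (rd16(hdr)) {
    case PE32_MAGIC:     off_num = 92;  break;
    case PE32PLUS_MAGIC: off_num = 108; break;
    default:             return PE_BAD_MAGIC;
    }
    size_t off_dir = off_num + 4;
    if (len < off_dir) return PE_TRUNCATED;

    uint32_t n = rd32(hdr + off_num);
    /* The check whose absence produced the 8-byte WRITE in the trace:
       without it the loop below runs n times into a 16-entry array. */
    if (n > PE_NUM_DIR_ENTRIES) return PE_BAD_NUMRVA;
    /* And the table must lie inside the bytes actually read. */
    if ((size_t)n * 8 > len - off_dir) return PE_TRUNCATED;

    memset(out, 0, PE_NUM_DIR_ENTRIES * sizeof *out);
    for (uint32_t i = 0; i < n; i++) {
        out[i].rva  = rd32(hdr + off_dir + i * 8);
        out[i].size = rd32(hdr + off_dir + i * 8 + 4);
    }
    *count = n;
    return PE_OK;
}

/* Constructed optional header (not one of the attached samples) with the
   given magic and NumberOfRvaAndSizes, a full 16-entry table, and entry 0
   set to rva 0x78 / size 0x10.  Returns the header length. */
static size_t build_header(uint8_t *buf, uint32_t magic, uint32_t numrva)
{
    size_t off_num = magic == PE32_MAGIC ? 92 : 108;
    size_t len = off_num + 4 + PE_NUM_DIR_ENTRIES * 8;
    memset(buf, 0, len);
    buf[0] = magic & 0xff; buf[1] = (magic >> 8) & 0xff;
    wr32(buf + off_num, numrva);
    wr32(buf + off_num + 4, 0x78);
    wr32(buf + off_num + 8, 0x10);
    return len;
}

/* Parse a constructed header, truncated to len_limit bytes when that is
   non-negative.  Returns the parser's status; *count_out (if given) gets
   the parsed count, or UINT32_MAX on error or if entry 0 came back wrong. */
enum pe_status pe_demo(uint32_t magic, uint32_t numrva, long len_limit,
                       uint32_t *count_out)
{
    uint8_t buf[112 + PE_NUM_DIR_ENTRIES * 8];
    struct pe_datadir dir[PE_NUM_DIR_ENTRIES];
    uint32_t count = 0;
    size_t len = build_header(buf, magic, numrva);
    if (len_limit >= 0 && (size_t)len_limit < len) len = (size_t)len_limit;
    enum pe_status st = pe_read_datadir(buf, len, dir, &count);
    if (count_out)
        *count_out = (st == PE_OK && (count == 0 || dir[0].rva == 0x78))
                     ? count : UINT32_MAX;
    return st;
}

uint32_t pe_demo_count(uint32_t magic, uint32_t numrva)
{
    uint32_t c; pe_demo(magic, numrva, -1, &c); return c;
}

int main(void)
{
    printf("PE32, 16 entries     -> %d\n", pe_demo(PE32_MAGIC, 16, -1, NULL));
    printf("PE32, 0xffffffff     -> %d\n", pe_demo(PE32_MAGIC, 0xffffffffu, -1, NULL));
    printf("PE32+, 16, 100 bytes -> %d\n", pe_demo(PE32PLUS_MAGIC, 16, 100, NULL));
    return 0;
}
```

Rejecting rather than clamping is a choice: a header that claims more than 16 directories is corrupt, and a tool like strings gains nothing by continuing. Clamping to 16 and carrying on (what a dumper that wants to show as much as possible might prefer) is equally safe for the array, provided the second check, that the table fits in the bytes actually read, is kept.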
Created attachment 7850
dllmaxvals.dll
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  7e1e19887abd24aeb15066b141cdff5541e0ec8e (commit)
      from  493a33860c71cac998f1a56d6d87d6faa801fbaa (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e1e19887abd24aeb15066b141cdff5541e0ec8e

commit 7e1e19887abd24aeb15066b141cdff5541e0ec8e
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Oct 27 14:45:06 2014 +0000

    Fix a seg-fault in strings and other binutils when parsing a corrupt PE executable with an invalid value in the NumberOfRvaAndSizes field of the AOUT header.

    PR binutils/17512
    * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries with an invalid value for NumberOfRvaAndSizes.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |  4 ++++
 bfd/peXXigen.c | 12 ++++++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)
Created attachment 7852
Handle corrupt values for NumberOfRvaAndSizes field

Hi Hanno,

I have applied the uploaded patch to the mainline sources. Please try it out and see if it resolves the problem for you.

Cheers
Nick
Created attachment 7853
another crasher

Created attachment 7854
crashes objdump -x

The last two came from here (by Alexander Cherepanov):
http://seclists.org/oss-sec/2014/q4/451

Michal Zalewski already analyzed their cause:
http://seclists.org/oss-sec/2014/q4/452
The branch, master has been updated
       via  bf67003b4567600ed3022a439207ac8f26454f91 (commit)
      from  7e1e19887abd24aeb15066b141cdff5541e0ec8e (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf67003b4567600ed3022a439207ac8f26454f91

commit bf67003b4567600ed3022a439207ac8f26454f91
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Oct 27 18:05:37 2014 +0000

    This fixes more seg-faults in tools like "strings" and "objdump" when presented with corrupt binaries.

    PR binutils/17512
    * elf.c (bfd_section_from_shdr): Detect and warn about ELF binaries with a group of sections linked by the string table indices.
    * peXXigen.c (pe_print_edata): Detect out of range rvas and entry counts for the Export Address table, Name Pointer table and Ordinal table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |   5 ++
 bfd/elf.c      | 194 +++++++++++++++++++++++++++++++++++++-------------------
 bfd/peXXigen.c |  18 +++++-
 3 files changed, 150 insertions(+), 67 deletions(-)
Created attachment 7855
More fixes for parsing corrupt binaries

Hi Hanno,

Please try out the latest mainline binutils sources and see if they fix these problems for you.

Cheers
Nick
(In reply to Nick Clifton from comment #8)

For each of the crash fixes, could you post them to the 2.25 branch? I imagine there will be a lot of noise if they're not in the 2.25 final release ;).
With all patches attached objdump-pe-crasher still causes objdump to crash (attachment 7854 on this bug). To reproduce run

objdump -x objdump-pe-crasher
(In reply to Hanno Boeck from comment #10)
> With all patches attached objdump-pe-crasher still causes objdump to crash
> (attachment 7854 on this bug). To reproduce run
> objdump -x objdump-pe-crasher

Are you sure? In my tests objdump works and does not crash. The second patch ("More fixes for parsing corrupt binaries") should have taken care of this problem.

Cheers
Nick
It's a bit confusing. When I patch binutils 2.24 with attachment 7855 (and a bunch of other crash fixes for the other issues) then I can still reproduce the crash with objdump-pe-crasher (please note that this only appears with objdump -x).

However if I take binutils git head code I can't reproduce it any more. So it seems there's some other change in the git code that prevents this crash.

(please also note that the stackoverflow sample from bug #17510 still crashes strings/objdump/nm on git head code)
The branch, binutils-2_25-branch has been updated
       via  b2f93c5011cab00f31669363577b938697752e43 (commit)
      from  a809b386e59dfcb3f4dedd8465975dabc55db5db (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b2f93c5011cab00f31669363577b938697752e43

commit b2f93c5011cab00f31669363577b938697752e43
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Oct 28 10:50:17 2014 +0000

    Import patches from the master branch which prevent seg-faults when parsing corrupt binaries.

    2014-10-28  Andreas Schwab  <schwab@suse.de>
                Nick Clifton  <nickc@redhat.com>

    PR binutils/17510
    * srec.c (srec_bad_byte): Increase size of buf to allow for negative values.
    (srec_scan): Use an unsigned char buffer to hold header bytes.

    2014-10-27  Nick Clifton  <nickc@redhat.com>

    PR binutils/17512
    * elf.c (bfd_section_from_shdr): Detect and warn about ELF binaries with a group of sections linked by the string table indices.
    * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries with an invalid value for NumberOfRvaAndSizes.
    (pe_print_edata): Detect out of range rvas and entry counts for the Export Address table, Name Pointer table and Ordinal table.

    PR binutils/17510
    * elf.c (setup_group): Improve handling of corrupt group sections.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |  25 ++++++
 bfd/elf.c      | 226 +++++++++++++++++++++++++++++++++++++++----------------
 bfd/peXXigen.c |  29 +++++++-
 bfd/srec.c     |   4 +-
 4 files changed, 212 insertions(+), 72 deletions(-)
Hi Mike,

> for each of the crash fixes, could you post them to the 2.25 branch?

Done. :-)

Cheers
Nick
Hi Hanno,

> It's a bit confusing. When I patch binutils 2.24 with attachment 7855
> (and a bunch of other crash fixes for the other issues) then I can
> still reproduce the crash with objdump-pe-crasher (please note that this
> only appears with objdump -x).
>
> However if I take binutils git head code I can't reproduce it any more.

Ah - my bad then - I must have fixed something else and forgotten to include it in the uploaded patch. Silly me. Still at least the mainline code works now.

Cheers
Nick

> (please also note that the stackoverflow sample from bug #17510 still
> crashes strings/objdump/nm on git head code)

This should be fixed now...
Created attachment 7857
another crasher for objdump -x

Seems to be different from the previous crasher. Sorry, I cannot test git head right now so I cannot be sure it's not yet fixed.
Okay, things are getting a little bit complicated, but here are my test results:

objdump-pe-crasher2 gives a heap overflow on latest git head with address sanitizer enabled (will attach symbolized output / trace).

For the other samples individually they all are now fine. However if I pass both objdump-elf-crasher and strings-bfd-badfree to objdump -x asan reports a use-after-free:

objdump -x objdump-elf-crasher strings-bfd-badfree
Created attachment 7858
address sanitizer trace on objdump-pe-crasher2

Created attachment 7859
address sanitizer trace on objdump-elf-crasher AND strings-bfd-badfree
The branch, master has been updated
       via  5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 (commit)
      from  1df4399f27f8ee817d8eb4c73bba42bb65844303 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5a4b0ccc20ba30caef53b01bee2c0aaa5b855339

commit 5a4b0ccc20ba30caef53b01bee2c0aaa5b855339
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Oct 28 15:42:56 2014 +0000

    More fixes for corrupt binaries crashing the binutils.

    PR binutils/17512
    * elf.c (bfd_section_from_shdr): Allocate and free the recursion detection table on a per-bfd basis.
    * peXXigen.c (pe_print_edata): Handle binaries with a truncated export table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |  8 ++++++++
 bfd/elf.c      | 16 +++++++++++++---
 bfd/peXXigen.c |  9 +++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)
Hi Hanno,

Please try the latest git head, which should address both of the problems detected by the address sanitizer.

Cheers
Nick
The branch, binutils-2_25-branch has been updated
       via  acafeb6056bec47d7211cf462a7c211a8c95cf42 (commit)
      from  cc8536de0fb8f40587cf99dad9460237ce9af7a7 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=acafeb6056bec47d7211cf462a7c211a8c95cf42

commit acafeb6056bec47d7211cf462a7c211a8c95cf42
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Oct 28 15:47:13 2014 +0000

    Fixes another couple of memory errors reading corrupt binaries. This time detected by the address sanitizer.

    PR binutils/17512
    * elf.c (bfd_section_from_shdr): Allocate and free the recursion detection table on a per-bfd basis.
    * peXXigen.c (pe_print_edata): Handle binaries with a truncated export table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |  7 +++++++
 bfd/elf.c      | 16 +++++++++++++---
 bfd/peXXigen.c |  9 +++++++++
 3 files changed, 29 insertions(+), 3 deletions(-)
The objdump-pe-crasher2 issue is fixed, the use-after-free (when running strings or objdump -x on objdump-elf-crasher and strings-bfd-badfree at the same time) is still there.
Hi Hanno,

Running objdump -x with multiple arguments is now working for me. Maybe it is something to do with this strings-bfd-badfree binary that you are using. Please could you upload it to this issue? (Or is strings-bfd-badfree another name for strings-bfd-badptr?)

Cheers
Nick

Created attachment 7860
strings-bfd-badfree
Hi Hanno,

Thanks for the upload. Unfortunately objdump (and nm and strings) all continue to work with single and multiple arguments. And this is definitely with address sanitization enabled as well, and with the very latest FSF master sources, with no local patches applied. :-(

If the problem still exists with you, would you mind doing a little investigation please? The use-after-free is almost certainly happening at line 1610 or 1616 of bfd/elf.c. Could you confirm this? Also can you tell me the exact command line you are using to reproduce the problem, and also how you configured and built the toolchain that you are using?

Cheers
Nick
Okay, here are the super-step-by-step instructions to reproduce the UAF:

git clone git://sourceware.org/git/binutils-gdb.git
cd binutils-gdb/
./configure --disable-shared CFLAGS="-fsanitize=address -g"
make
binutils/objdump -x [path_to]/objdump-elf-crasher [path_to]/strings-bfd-badfree

According to asan the use-after-free happens in line 2110/elf.c, this is the code:

sections_being_created [shindex] = FALSE;
The branch, master has been updated
       via  e5b470e24ce448a56230137a37d3b17299593041 (commit)
      from  f60325bea599bab4cb721c6e797bc6b908fa616c (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e5b470e24ce448a56230137a37d3b17299593041

commit e5b470e24ce448a56230137a37d3b17299593041
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Oct 29 20:58:13 2014 +0000

    Fixes another memory corruption bug introduced by patches for PR 17512.

    * elf.c (bfd_section_from_shdr): Fix heap use after free memory leak.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog | 7 ++++++-
 bfd/elf.c     | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
Hi Hanno,

Thanks for the step by step guide. With that I was able to reproduce the problem. I do not know why it did not show for me in my original tests, but at least now I can report that the latest git head sources should work for you as well as for me.

Cheers
Nick
Created attachment 7862
fuzzed objdump-pe-crasher

Hi Nick,

thanks for the fixes. However, further fuzzing turned up another asan-detected issue. This is actually a fuzzed version of the objdump-pe-crasher binary (attachment 7854):

==2937== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60080000b834 at pc 0x4d0c67 bp 0x7fffdd272be0 sp 0x7fffdd272bd8
READ of size 1 at 0x60080000b834 thread T0
    #0 0x4d0c66 in bfd_getl32 /data/binutils/binutils-gdb-asan/bfd/libbfd.c:619:0
    #1 0x650684 in _bfd_pei_swap_aux_in /data/binutils/binutils-gdb-asan/bfd/peigen.c:314:0
    #2 0x4c9ab1 in coff_get_normalized_symtab /data/binutils/binutils-gdb-asan/bfd/coffgen.c:1781:0
    #3 0x64c021 in coff_slurp_symbol_table /data/binutils/binutils-gdb-asan/bfd/coffcode.h:4663:0
    #4 0x4c0b5c in coff_get_symtab_upper_bound /data/binutils/binutils-gdb-asan/bfd/coffgen.c:410:0
    #5 0x4044ab in slurp_symtab /data/binutils/binutils-gdb-asan/binutils/./objdump.c:563:0
    #6 0x4123ee in dump_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3227:0
    #7 0x41285d in display_object_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3315:0
    #8 0x412b85 in display_any_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3389:0
    #9 0x412bf6 in display_file /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3410:0
    #10 0x41370e in main /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3692:0
    #11 0x7f0eb1633a64 in __libc_start_main ??:0:0
    #12 0x402f78 in _start ??:0:0
0x60080000b834 is located 0 bytes to the right of 36-byte region [0x60080000b810,0x60080000b834)
allocated by thread T0 here:
    #0 0x7f0eb1de4dda in malloc ??:0:0
    #1 0x4d01ed in bfd_malloc /data/binutils/binutils-gdb-asan/bfd/libbfd.c:181:0
    #2 0x4c8d02 in _bfd_coff_get_external_symbols /data/binutils/binutils-gdb-asan/bfd/coffgen.c:1619:0
    #3 0x4c973f in coff_get_normalized_symtab /data/binutils/binutils-gdb-asan/bfd/coffgen.c:1752:0
    #4 0x64c021 in coff_slurp_symbol_table /data/binutils/binutils-gdb-asan/bfd/coffcode.h:4663:0
    #5 0x4c0b5c in coff_get_symtab_upper_bound /data/binutils/binutils-gdb-asan/bfd/coffgen.c:410:0
    #6 0x4044ab in slurp_symtab /data/binutils/binutils-gdb-asan/binutils/./objdump.c:563:0
    #7 0x4123ee in dump_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3227:0
    #8 0x41285d in display_object_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3315:0
    #9 0x412b85 in display_any_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3389:0
    #10 0x412bf6 in display_file /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3410:0
    #11 0x41370e in main /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3692:0
    #12 0x7f0eb1633a64 in __libc_start_main ??:0:0
Hi Hanno,

OK, the head/master branch sources have been updated again. Please give this new version a go.

Cheers
Nick

PS. I think that the difference between my address sanitized build and yours was that you configured with CFLAGS="-fsanitize=address -g" whereas I just configured with CFLAGS="-faddress=sanitize"...
The branch, master has been updated
       via  7e760b06b212f01b3819d5b37e8f5b613e0db34c (commit)
      from  3bdff46b67a527886f49735a5d192c05a332a131 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e760b06b212f01b3819d5b37e8f5b613e0db34c

commit 7e760b06b212f01b3819d5b37e8f5b613e0db34c
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Oct 30 15:52:10 2014 +0000

    Closes another memory corruption, this time due to heap overrun.

    PR binutils/17512
    * coffgen.c (coff_get_normalized_symtab): Prevent buffer overrun.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog | 5 +++++
 bfd/coffgen.c | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
Created attachment 7869
ihex stack overflow

Hi Nick,

thanks. One fixed, one more fuzzed :-)

==25054== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffdcc2b2d8 at pc 0x4fa49a bp 0x7fffdcc2b1e0 sp 0x7fffdcc2b1d8
READ of size 1 at 0x7fffdcc2b2d8 thread T0
    #0 0x4fa499 in ihex_scan /data/binutils/binutils-gdb-asan/bfd/ihex.c:324:0
    #1 0x4fc449 in ihex_object_p /data/binutils/binutils-gdb-asan/bfd/ihex.c:526:0
    #2 0x4cf130 in bfd_check_format_matches /data/binutils/binutils-gdb-asan/bfd/format.c:305:0
    #3 0x41284d in display_object_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3313:0
    #4 0x412b85 in display_any_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3389:0
    #5 0x412bf6 in display_file /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3410:0
    #6 0x41370e in main /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3692:0
    #7 0x7f7d7cc57a64 in __libc_start_main ??:0:0
    #8 0x402f78 in _start ??:0:0
Address 0x7fffdcc2b2d8 is located at offset 104 in frame <ihex_scan> of T0's stack:
  This frame has 3 object(s):
    [32, 36) 'error'
    [96, 104) 'hdr'
    [160, 180) 'secbuf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x10007b97d600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
=>0x10007b97d650: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00[f4]f4 f4 f2 f2
  0x10007b97d660: f2 f2 00 00 04 f4 00 00 00 00 00 00 00 00 00 00
  0x10007b97d670: 00 00 00 00 f1 f1 f1 f1 00 01 f4 f4 00 00 00 00
  0x10007b97d680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d690: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
  0x10007b97d6a0: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==25054== ABORTING
The branch, master has been updated
       via  0102ea8cec5fc509bba6c91df61b7ce23a799d32 (commit)
      from  7e760b06b212f01b3819d5b37e8f5b613e0db34c (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0102ea8cec5fc509bba6c91df61b7ce23a799d32

commit 0102ea8cec5fc509bba6c91df61b7ce23a799d32
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Oct 30 17:16:17 2014 +0000

    Fixes a seg-fault in the ihex parser when it encounters a malformed ihex file.

    PR binutils/17512
    * ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog | 1 +
 bfd/ihex.c    | 2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)
Hi Hanno,

[Queues up Queen's Another One Bites The Dust...]

Try head again - the ihex fix is in.

Cheers
Nick
The branch, binutils-2_25-branch has been updated
       via  5278f3dd9f3bfa44af7348fd6687a78692aafbfb (commit)
      from  b0b93f3592f3d165896e8dc8186a7ba285f0f3e4 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5278f3dd9f3bfa44af7348fd6687a78692aafbfb

commit 5278f3dd9f3bfa44af7348fd6687a78692aafbfb
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Oct 31 10:24:58 2014 +0000

    Import a patch from the mainline to fix a seg-fault in the BFD library:

    PR binutils/17512
    * ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte.
    * coffgen.c (coff_get_normalized_symtab): Prevent buffer overrun.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog | 9 +++++++++
 bfd/ihex.c    | 2 +-
 2 files changed, 10 insertions(+), 1 deletions(-)
Hi Nick,

You'll be happy to hear that even with lots of fuzzing samples I wasn't able to create another address sanitizer error. But I'll keep trying.

However I still experience some warnings that I think would deserve a fix. They allocate too much memory.

One is triggered by the dllmaxvals.dll (attachment 7850). I think what is happening here is that libbfd is just allocating space for the executable segments with whatever values are given in the header. A check to verify if the executable is that large should stop this.

The other is in the elf parser and I haven't analyzed further. I'll attach the fuzzing sample exposing it and also the valgrind output (with non-asan binaries, because valgrind and asan don't mix well). Address Sanitizer doesn't give that much output for these, but valgrind does and this should give a clue what's going on.

cu,
Hanno
Created attachment 7873
fuzzed elf out of memory sample

Created attachment 7874
valgrind on dllmaxvals

Created attachment 7875
valgrind on fuzzed elf
The branch, master has been updated
       via  f54498b45795194df671207c6ef3d6cd6d0c0ebb (commit)
      from  fe06005387223e8a8b37e49036efe06b4062c7f4 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f54498b45795194df671207c6ef3d6cd6d0c0ebb

commit f54498b45795194df671207c6ef3d6cd6d0c0ebb
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Oct 31 16:36:31 2014 +0000

    Avoid allocating over-large buffers when parsing corrupt binaries.

    PR binutils/17512
    * coffgen.c (_bfd_coff_get_external_symbols): Do not try to load a symbol table bigger than the file.
    * elf.c (bfd_elf_get_str_section): Do not try to load a string table bigger than the file.
    * readelf.c (process_program_headers): Avoid memory exhaustion due to corrupt values in a dynamic segment header.
    (get_32bit_elf_symbols): Do not attempt to read an over-large section.
    (get_64bit_elf_symbols): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |  8 ++++++++
 bfd/coffgen.c      |  5 +++++
 bfd/elf.c          |  5 +++++
 binutils/ChangeLog |  9 +++++++++
 binutils/readelf.c | 32 ++++++++++++++++++++++++++++----
 5 files changed, 55 insertions(+), 4 deletions(-)
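An added example, not binutils code, for the over-allocation Hanno describes above (libbfd sizing its buffers from whatever the header says) and for the coffgen.c line in this commit, "Do not try to load a symbol table bigger than the file": a COFF symbol-table size check that derives the load size from the header's PointerToSymbolTable and NumberOfSymbols, multiplies in 64 bits, and refuses any table that does not fit inside the file. The header layout and the 18-byte symbol entry are the COFF format's; the file image is constructed inline and the function names (coff_symtab_bytes, coff_load_symtab, coff_demo) are the example's own.

```c
/* Added example, not binutils code: bounding a COFF symbol table load by
   the size of the file before allocating for it.  The 20-byte COFF file
   header carries PointerToSymbolTable at offset 8 and NumberOfSymbols at
   offset 12, and each symbol entry is 18 bytes.  A loader that allocates
   NumberOfSymbols * 18 straight from the header can be made to request
   gigabytes for a file of a few kilobytes.  The header is taken at the
   start of the buffer (object-file layout); in a PE image the same header
   follows the "PE\0\0" signature and the pointer is still a file offset. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COFF_FILHSZ     20
#define COFF_SYMESZ     18
#define COFF_OFF_SYMPTR  8
#define COFF_OFF_NSYMS  12

static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Bytes that can safely be allocated and read for the symbol table of the
   file in file[0..len), or 0 when the header's values cannot be satisfied
   by this file (no table, product overflow, or table past end of file). */
size_t coff_symtab_bytes(const uint8_t *file, size_t len)
{
    if (len < COFF_FILHSZ) return 0;
    uint32_t symptr = rd32(file + COFF_OFF_SYMPTR);
    uint32_t nsyms  = rd32(file + COFF_OFF_NSYMS);
    if (symptr == 0 || nsyms == 0) return 0;
    /* 64-bit product: a huge NumberOfSymbols must not wrap into a small
       allocation that the later per-symbol reads then overrun. */
    uint64_t bytes = (uint64_t)nsyms * COFF_SYMESZ;
    /* Both the start and the whole extent must lie inside the file. */
    if (bytes > len || symptr > len - bytes) return 0;
    return (size_t)bytes;
}

/* Copy the symbol table into a fresh buffer; NULL if it is not loadable.
   The caller frees the result. */
uint8_t *coff_load_symtab(const uint8_t *file, size_t len, size_t *out_bytes)
{
    size_t bytes = coff_symtab_bytes(file, len);
    if (bytes == 0) return NULL;
    uint8_t *tab = malloc(bytes);
    if (tab == NULL) return NULL;
    memcpy(tab, file + rd32(file + COFF_OFF_SYMPTR), bytes);
    *out_bytes = bytes;
    return tab;
}

/* Constructed 56-byte image (not one of the attached samples): a COFF
   header followed by room for two symbol entries, with the given header
   values.  Runs the load and returns how many bytes it accepted (0 if
   the table was refused). */
size_t coff_demo(uint32_t symptr, uint32_t nsyms)
{
    uint8_t buf[COFF_FILHSZ + 2 * COFF_SYMESZ];
    size_t got = 0;
    memset(buf, 0, sizeof buf);
    wr32(buf + COFF_OFF_SYMPTR, symptr);
    wr32(buf + COFF_OFF_NSYMS, nsyms);
    uint8_t *tab = coff_load_symtab(buf, sizeof buf, &got);
    free(tab);   /* NULL when refused; got is then still 0 */
    return got;
}

int main(void)
{
    printf("2 symbols at offset 20 -> %zu bytes\n", coff_demo(20, 2));
    printf("0xffffffff symbols     -> %zu bytes\n", coff_demo(20, 0xffffffffu));
    printf("pointer past the end   -> %zu bytes\n", coff_demo(0x80000000u, 1));
    return 0;
}
```

The same shape of check (header count times entry size, computed without wrapping, compared against the bytes that actually exist) is what the elf.c and readelf.c lines in this commit describe for string tables and symbol sections; only the offsets and the entry size differ.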
Hi Hanno,

OK, head has been updated again. Please give it a respin.

Cheers
Nick

Created attachment 7877
objdump -s hanger

It's not over yet. This one will cause objdump -s to hang forever, likely an endless loop.
The branch, master has been updated
       via  690725fa0d98ae52c991f4b3ea58b6b47b4fbc80 (commit)
      from  f54498b45795194df671207c6ef3d6cd6d0c0ebb (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=690725fa0d98ae52c991f4b3ea58b6b47b4fbc80

commit 690725fa0d98ae52c991f4b3ea58b6b47b4fbc80
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Oct 31 18:00:55 2014 +0000

    Fix an (almost) infinite loop in the tekhex parser.

    PR binutils/17512
    * tekhex.c (first_phase): Check that the section range is sane.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog | 1 +
 bfd/tekhex.c  | 3 +++
 2 files changed, 4 insertions(+), 0 deletions(-)

Hi Hanno,

The loop would have ended eventually - when your machine ran out of memory. :-)

Anyway it is fixed now, so bring on the next one.

Cheers
Nick
Created attachment 7878
another memory exhaustion sample (elf)

Created attachment 7879
another memory exhaustion sample (pe)

Created attachment 7880
another memory exhaustion sample (aout)

Created attachment 7881
Several pe crashers

all different according to valgrind
The branch, master has been updated
       via  5a3f568b70bdfb91aacdfb66657b56d8c6d242f1 (commit)
      from  ba241f2d5a6f1ac57e746d230892e27a70def4a6 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5a3f568b70bdfb91aacdfb66657b56d8c6d242f1

commit 5a3f568b70bdfb91aacdfb66657b56d8c6d242f1
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 3 17:44:00 2014 +0000

    More fixes for buffer overruns instigated by corrupt binaries.

    PR binutils/17512
    * objdump.c (slurp_symtab): Fail gracefully if the table could not be read.
    (dump_relocs_in_section): Likewise.
    * aoutx.h (slurp_symbol_table): Check that computed table size is not bigger than the file from which it is being read.
    (slurp_reloc_table): Likewise.
    * coffcode.h (coff_slurp_line_table): Remove unneeded local 'warned'. Do not try to print the details of a symbol with an invalid index.
    * coffgen.c (make_a_sectiobn_from_file): Check computed string index against length of string table.
    (bfd_coff_internal_syment_name): Check read in string offset against length of string table.
    (build_debug_section): Return a pointer to the section used.
    (_bfd_coff_read_string_table): Store the length of the string table in the coff_tdata structure.
    (bfd_coff_free_symbols): Set the length of the string table to zero when it is freed.
    (coff_get_normalized_symtab): Check offsets against string table or data table lengths as appropriate.
    * cofflink.c (_bfd_coff_link_input_bfd): Check offset against length of string table.
    * compress.c (bfd_get_full_section_contents): Check computed size against the size of the file.
    * libcoff-in.h (obj_coff_strings_len): Define.
    (struct coff_tdata): Add strings_len field.
    * libcoff.h: Regenerate.
    * peXXigen.c (pe_print_debugdata): Do not attempt to print the data if the debug section is too small.
    * xcofflink.c (xcoff_link_input_bfd): Check offset against length of string table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |  32 +++++++++++++++++++++++
 bfd/aoutx.h        |   7 +++++
 bfd/coffcode.h     |  11 +++----
 bfd/coffgen.c      |  72 +++++++++++++++++++++++++++++++++++++--------------
 bfd/cofflink.c     |   5 +++-
 bfd/compress.c     |   7 +++++
 bfd/libcoff-in.h   |   3 ++
 bfd/libcoff.h      |   3 ++
 bfd/peXXigen.c     |   9 ++++++-
 bfd/xcofflink.c    |   5 +++-
 binutils/ChangeLog |   7 +++++
 binutils/objdump.c |  11 ++++++-
 12 files changed, 140 insertions(+), 32 deletions(-)

Hi Hanno, Hi Alexander,

Please try the latest master binutils sources. They should be able to handle the new test files gracefully.

Cheers
Nick
Nick, have you seen bug #17533? (ar archive crasher) That's still unfixed, all others seem fine now. I'll do a re-run on my large fuzzing samples collection.

Created attachment 7885
valgrind output for 140849-0.004.exe

Shows a bunch of errors of the following types:
- Use of uninitialised value of size ...
- Conditional jump or move depends on uninitialised value(s)

Created attachment 7886
More crashers for `objdump -x`

list.txt inside the archive lists various errors from valgrind (with distinct backtraces) and an example of a sample which hits it.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 79f2a78e76fae1885163027f843e1bafde984b4c (commit) from e0a31db1b16fe0a010aa46185e4a31a08e7fd97f (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=79f2a78e76fae1885163027f843e1bafde984b4c commit 79f2a78e76fae1885163027f843e1bafde984b4c Author: Nick Clifton <nickc@redhat.com> Date: Tue Nov 4 16:00:10 2014 +0000 Fix problem with linker created sections being mistakenly flagged as corrupt by the new error checking code in bfd_get_full_section_contents. PR binutils/17512 * compress.c (bfd_get_full_section_contents): Improve test for linker created objects. ----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 4 ++++ bfd/compress.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletions(-)
(In reply to Alexander Cherepanov from comment #53) > Created attachment 7885 [details] > valgrind output for 140849-0.004.exe > > Shows a bunch of error of the following types: > - Use of uninitialised value of size ... > - Conditional jump or move depends on uninitialised value(s) I am not seeing these problems in the valgrind output when I run the command locally. Are you using any command line options to valgrind ? (I also note that you are using version 3.10 but I only have version 3.9, so perhaps that is the problem).
Created attachment 7893 [details] valgrind output for 140849-0.004.exe with --track-origins=yes (In reply to Nick Clifton from comment #56) > (In reply to Alexander Cherepanov from comment #53) > > Created attachment 7885 [details] > > valgrind output for 140849-0.004.exe > > > > Shows a bunch of error of the following types: > > - Use of uninitialised value of size ... > > - Conditional jump or move depends on uninitialised value(s) > > I am not seeing these problems in the valgrind output when I run the command > locally. Are you using any command line options to valgrind ? (I also note > that you are using version 3.10 but I only have version 3.9, so perhaps that > is the problem). No, I run valgrind without any options. I've now run it with --track-origins=yes, like this: valgrind --log-file=140849-0.004.exe.2.txt --track-origins=yes binutils-gdb/binutils/objdump -x 140849-0.004.exe Perhaps this could help. binutils is built with `./configure && make`.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 20ad5e2842911039a60b6bdf9880cee895179e43 (commit) from 1ae1b8cc656639e18715829cbcd72916e86f3324 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=20ad5e2842911039a60b6bdf9880cee895179e43 commit 20ad5e2842911039a60b6bdf9880cee895179e43 Author: Nick Clifton <nickc@redhat.com> Date: Wed Nov 5 10:13:16 2014 +0000 More fixes for processing corrupt files. PR binutils/17512 * coffcode.h (coff_set_alignment_hook): Warn if the file lies about the number of relocations it contains. (coff_sort_func_alent): Return 0 if the pointers are NULL. (coff_slurp_line_table): Add more range checks. Do not free new tables created when sorting line numbers. * peXXigen.c (pe_print_idata): Add range checks. (pe_print_edata): Likewise. (rsrc_print_resource_entries): Likewise. Avoid printing control characters. Terminate printing if corruption is detected. (rsrc_print_resource_directory): Terminate printing if an unknown directory type is encountered. (pe_print_debugdata): Fix off-by-one error. (rsrc_count_entries): Add range checking. (rsrc_parse_entry): Likewise. ----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 18 ++++++++ bfd/coffcode.h | 28 +++++++++++-- bfd/peXXigen.c | 122 ++++++++++++++++++++++++++++++++++++++++---------------- 3 files changed, 129 insertions(+), 39 deletions(-)
(In reply to Alexander Cherepanov from comment #54) > More crashers for `objdump -x` Ok - I have updated the master branch with patches for all of these problems. Please try it out and let me know if you find any more issues. Cheers Nick
Created attachment 7898 [details] Proposed patch to fix valgrind's complaints about using uninitialised memory (In reply to comment #57) Hi Alexander, I still cannot reproduce the valgrind problem, but the log you provided does give me a clue. Please could you try out the uploaded patch (which has *not* been applied to the master branch) and see if it works for you ? Cheers Nick
Created attachment 7900 [details] More crashers for `objdump -x` objdump is definitely getting harder to crash. Keep up the good work! It still crashes though.
(In reply to Alexander Cherepanov from comment #61) > Created attachment 7900 [details] > More crashers for `objdump -x` > > objdump is definitely getting harder to crash. Keep up the good work! > > It still crashes though. Files: 10 Errors: 29 Conditional jump or move depends on uninitialised value(s) 30 Invalid read of size ... 2 Process terminating with default action of signal 11 (SIGSEGV) 4 Use of uninitialised value of size ...
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via a6f921c87700c2349cf6fa35fbc8ec9d3e3fb88e (commit) from 74e1a04b9787c02ba0fa9b93e3dae691bb44ed96 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a6f921c87700c2349cf6fa35fbc8ec9d3e3fb88e commit a6f921c87700c2349cf6fa35fbc8ec9d3e3fb88e Author: Nick Clifton <nickc@redhat.com> Date: Wed Nov 5 17:57:54 2014 +0000 More fixes for memory problems uncovered by file fuzzers. PR binutils/17512 * coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT. Replace another abort with an error message. (coff_slurp_line_table): Add more range checking. * peXXigen.c (pe_print_debugdata): Add range checking. ----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 8 ++++++++ bfd/coffcode.h | 21 ++++++++++++++------- bfd/peXXigen.c | 6 ++++++ 3 files changed, 28 insertions(+), 7 deletions(-)
Hi Alexander, I have checked another patch in. Please update your sources and try again. Cheers Nick
Hi Nick, If I use latest head and apply 7989 patch for valgrind warnings the number of uninitialized memory issues valgrind reports is reduced, but they don't disappear. I still get some valgrind warnings on these files: 070-7883-0.004 078-11867-0.004 078-12277-0.004 078-2394-0.004 079-8998-0.004 093-3968-0.004 1315-linux-omagic 205-7526-0.004 I will attach valgrind logs. cu, Hanno
Created attachment 7904 [details] remaining valgrind warnings
Created attachment 7905 [details] More crashers for `objdump -x` Files: 9 Errors: 29 Conditional jump or move depends on uninitialised value(s) 3 Invalid read of size ... 1 Process terminating with default action of signal 11 (SIGSEGV) 4 Use of uninitialised value of size ...
Created attachment 7910 [details] More badness for `objdump -x` Files: 11 Errors: 1 Argument 'size' of function malloc has a fishy (possibly negative) value: ... 63 Conditional jump or move depends on uninitialised value(s) 16 Invalid read of size ... 2 Invalid write of size ... 1 Syscall param write(buf) contains uninitialised byte(s) 17 Use of uninitialised value of size ...
Hi Hanno, Hi Alexander, Right - please update your master branch sources and try again. In theory all of the test cases that you have posted to this issue should now run without generating any valgrind or address sanitizer problems... Cheers Nick
FTR: It seems the number of the bug in the commit is mistyped as PR binutils/17521. The commit is here: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=36e9d67b868c85232ab630514260f0d9c9c6b27b
I still see some odd things. Three files cause severe resource usage and long loops: 079-116340-0.004 (part of attachment 7910 [details]) 078-13914-0.004 (part of attachment 7886 [details]) 1315-linux-omagic (attachment 7880 [details]) Also I think I haven't uploaded this file before, I have one elf sample here that exposes more uninitialized values in valgrind (will upload in a minute, 0_001_1604-hello-debug-cflags ).
Created attachment 7918 [details] elf exposing uninitialized value access with valgrind
Hi Hanno, (In reply to Hanno Boeck from comment #71) > I still see some odd things. > > Three files cause severe resource usage and long loops: > 079-116340-0.004 (part of attachment 7910 [details]) > 078-13914-0.004 (part of attachment 7886 [details]) > 1315-linux-omagic (attachment 7880 [details]) Yeah - I don't see these as being serious. An infinite loop would be a problem, but a long loop is, well not brilliant, but OK for now. At some point in the future I will investigate and fix them, but right now I am concentrating on possible security flaws. > Also I think I haven't uploaded this file before, I have one elf sample here > that exposes more uninitialized values in valgrind (will upload in a minute, > 0_001_1604-hello-debug-cflags ). I tried that file, but I could not find a fault. Either with valgrind or address sanitizer. I have recently updated the readelf sources though, so maybe that fixes the problem that you encountered. Cheers Nick
Created attachment 7919 [details] More badness for `objdump -x` Files: 18 Errors: 10 Argument 'size' of function malloc has a fishy (possibly negative) value: ... 33 Conditional jump or move depends on uninitialised value(s) 5 Invalid read of size ... 4 Invalid write of size ... 6 Process terminating with default action of signal 11 (SIGSEGV) 2 Use of uninitialised value of size ...
(In reply to Nick Clifton from comment #73) > I tried that file, but I could not find a fault. Either with valgrind or > address sanitizer. I have recently updated the readelf sources though, so > maybe that fixes the problem that you encountered. That's odd... This is what valgrind tells me (just re-did with latest git updates, compiled with CFLAGS="-g"): ==30798== Conditional jump or move depends on uninitialised value(s) ==30798== at 0x492661: _bfd_elf_print_private_bfd_data (elf.c:1408) ==30798== by 0x4082E6: dump_bfd_private_header (objdump.c:2648) ==30798== by 0x409781: dump_bfd (objdump.c:3223) ==30798== by 0x409B36: display_object_bfd (objdump.c:3322) ==30798== by 0x409D58: display_any_bfd (objdump.c:3396) ==30798== by 0x409DC9: display_file (objdump.c:3417) ==30798== by 0x40A643: main (objdump.c:3699) ==30798== required from <corrupt>: ==30798== Conditional jump or move depends on uninitialised value(s) ==30798== at 0x492730: _bfd_elf_print_private_bfd_data (elf.c:1410) ==30798== by 0x4082E6: dump_bfd_private_header (objdump.c:2648) ==30798== by 0x409781: dump_bfd (objdump.c:3223) ==30798== by 0x409B36: display_object_bfd (objdump.c:3322) ==30798== by 0x409D58: display_any_bfd (objdump.c:3396) ==30798== by 0x409DC9: display_file (objdump.c:3417) ==30798== by 0x40A643: main (objdump.c:3699) ==30798== ==30798== Conditional jump or move depends on uninitialised value(s) ==30798== at 0x49274C: _bfd_elf_print_private_bfd_data (elf.c:1404) ==30798== by 0x4082E6: dump_bfd_private_header (objdump.c:2648) ==30798== by 0x409781: dump_bfd (objdump.c:3223) ==30798== by 0x409B36: display_object_bfd (objdump.c:3322) ==30798== by 0x409D58: display_any_bfd (objdump.c:3396) ==30798== by 0x409DC9: display_file (objdump.c:3417) ==30798== by 0x40A643: main (objdump.c:3699) ==30798==
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via fcfa62408aec326a54765a6fd8895349fb41eb7c (commit) from 4de1599bcf044a5396ec588f90b8f475be657d4f (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fcfa62408aec326a54765a6fd8895349fb41eb7c commit fcfa62408aec326a54765a6fd8895349fb41eb7c Author: Alan Modra <amodra@gmail.com> Date: Tue Nov 11 21:36:37 2014 +1030 Avoid coff OOM bfd_zalloc/bfd_zmalloc to fix uninitialized memory reads is too big a hammer, when the size allocated depends on user input. A typical bfd_alloc, bfd_seek, bfd_bread sequence will give an error or warning at the point the file read fails when some enormous item as described by headers is not actually present in the file. Nice operating systems allow memory overcommit. But not if you write to the memory. So bfd_zalloc can cause an OOM, thrashing, or system hangs. The patch also fixes a recently introduced endless loop on bad input. PR binutils/17512 * coffcode.h (coff_slurp_line_table): Don't bfd_zalloc, just memset the particular bits we need. Update src after hitting loop "continue". Don't count lineno omitted due to invalid symbols in nbr_func, and update lineno_count. Init entire terminating lineno. Don't bother allocating terminator in n_lineno_cache. Redirect sym->lineno pointer to where n_lineno_cache will be copied, and free n_lineno_cache. * pe-mips.c (NUM_HOWTOS): Typo fix.
----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 12 +++++++++++ bfd/coffcode.h | 61 ++++++++++++++++++++++++++++--------------------------- bfd/pe-mips.c | 2 +- 3 files changed, 44 insertions(+), 31 deletions(-)
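The checks described in the ChangeLog entries above (a string offset validated against the string table length, a computed table size validated against the file size, and Alan Modra's point about not zero-filling an allocation whose size comes from the file), as an added example in C that is not binutils code: it applies them to a COFF-style string table held in a constructed in-memory file. The `mem_file` type, `load_string_table`, `string_at` and `lookup_equals` are hypothetical names, and the sample tables are constructed, not real fuzzer output.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a bfd: the whole (untrusted) file held in memory.
   Hypothetical type, not part of libbfd. */
struct mem_file {
    const uint8_t *data;
    size_t size;
};

/* Read a little-endian 32-bit word at 'off', refusing reads past EOF. */
static int read_le32(const struct mem_file *f, size_t off, uint32_t *out)
{
    if (off > f->size || f->size - off < 4)
        return 0;
    *out = (uint32_t)f->data[off]
         | (uint32_t)f->data[off + 1] << 8
         | (uint32_t)f->data[off + 2] << 16
         | (uint32_t)f->data[off + 3] << 24;
    return 1;
}

/* The COFF string table starts with a 4-byte length that counts itself.
   As in the coffgen.c fix: validate the claimed length against what the
   file actually contains before allocating, then allocate and copy.
   Nothing is zero-filled up front, so a bogus multi-gigabyte length never
   touches memory (the OOM problem described in the commit above).  The
   copy gets one extra NUL so no symbol name can run off the end.
   Returns NULL on corrupt input; the caller frees the result. */
static uint8_t *load_string_table(const struct mem_file *f, size_t off,
                                  uint32_t *len_out)
{
    uint32_t len;

    if (!read_le32(f, off, &len))
        return NULL;                       /* length word itself is missing */
    if (len < 4 || len > f->size - off)
        return NULL;                       /* table claims more than present */
    uint8_t *tab = malloc((size_t)len + 1);
    if (tab == NULL)
        return NULL;
    memcpy(tab, f->data + off, len);
    tab[len] = '\0';
    *len_out = len;
    return tab;
}

/* As in the bfd_coff_internal_syment_name fix: a symbol's string offset must
   point inside the table and past the length word.  With the NUL added by
   load_string_table the returned string is always bounded by strtab_len. */
static const char *string_at(const uint8_t *strtab, uint32_t strtab_len,
                             uint32_t offset)
{
    if (offset < 4 || offset >= strtab_len)
        return NULL;
    return (const char *)strtab + offset;
}

/* Constructed samples (not real binutils test files). */
/* Well-formed: length 13 = 4 + "main\0" + "foo\0". */
static const uint8_t GOOD_STRTAB[] = {
    0x0d, 0x00, 0x00, 0x00, 'm', 'a', 'i', 'n', 0, 'f', 'o', 'o', 0
};
/* Same strings, but the length word claims 0x40000000 bytes. */
static const uint8_t HUGE_STRTAB[] = {
    0x00, 0x00, 0x00, 0x40, 'm', 'a', 'i', 'n', 0, 'f', 'o', 'o', 0
};
/* Length 8 = 4 + "abcd" with no terminating NUL. */
static const uint8_t UNTERMINATED_STRTAB[] = {
    0x08, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd'
};

/* Look up the name at 'offset' in the string table at the start of a file
   of 'size' bytes.  Returns 1 if it resolves to 'expect', -1 if it resolves
   to something else, 0 if the table or the offset is rejected as corrupt. */
static int lookup_equals(const uint8_t *file, size_t size, uint32_t offset,
                         const char *expect)
{
    struct mem_file f = { file, size };
    uint32_t len;
    uint8_t *tab = load_string_table(&f, 0, &len);
    if (tab == NULL)
        return 0;
    const char *name = string_at(tab, len, offset);
    int rc = name == NULL ? 0 : (strcmp(name, expect) == 0 ? 1 : -1);
    free(tab);
    return rc;
}

int main(void)
{
    printf("good/4   -> %d\n", lookup_equals(GOOD_STRTAB, sizeof GOOD_STRTAB, 4, "main"));
    printf("good/13  -> %d\n", lookup_equals(GOOD_STRTAB, sizeof GOOD_STRTAB, 13, ""));
    printf("huge/4   -> %d\n", lookup_equals(HUGE_STRTAB, sizeof HUGE_STRTAB, 4, "main"));
    printf("unterm/4 -> %d\n", lookup_equals(UNTERMINATED_STRTAB,
                                             sizeof UNTERMINATED_STRTAB, 4, "abcd"));
    return 0;
}
```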
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 0ac2337434968896a6393fdd8c0624bd2945bbea (commit) from fcfa62408aec326a54765a6fd8895349fb41eb7c (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0ac2337434968896a6393fdd8c0624bd2945bbea commit 0ac2337434968896a6393fdd8c0624bd2945bbea Author: Alan Modra <amodra@gmail.com> Date: Tue Nov 11 22:42:03 2014 +1030 coff coff I missed this use of the loop induction variable outside the loop. PR binutils/17512 * coffcode.h (coff_slurp_line_table): Use updated lineno_count when building func_table. ----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 7 +++++++ bfd/coffcode.h | 2 +- 2 files changed, 8 insertions(+), 1 deletions(-)
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 201159ecec7e17600df4153e5d4e7a145f0c7cfe (commit) from 015de6884f6fdebaffd4b7d4c7f14fb4d5fc0bb1 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=201159ecec7e17600df4153e5d4e7a145f0c7cfe commit 201159ecec7e17600df4153e5d4e7a145f0c7cfe Author: Nick Clifton <nickc@redhat.com> Date: Tue Nov 11 15:34:27 2014 +0000 More fixes for invalid memory accesses, uncovered by valgrind and binary fuzzers. PR binutils/17512 * coffcode.h (coff_slurp_line_table): Initialise the parts of the line number cache that would not be initialised by the copy from the new line number table. (coff_classify_symbol): Allow for _bfd_coff_internal_syment_name returning NULL. * coffgen.c (coff_get_normalized_symbols): Get the external symbols before allocating space for the internal symbols, in case the get fails. * elf.c (_bfd_elf_slurp_version_tables): Only allocate a verref array if one is needed. Likewise with the verdef array. * peXXigen.c (_bfd_XXi_swap_sym_in): Replace abort()'s with error messages. (_bfd_XXi_swap_aux_in): Make sure that all fields of the aux structure are initialised. (pe_print_edata): Avoid reading off the end of the data buffer. ----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 19 +++++++++++++++++++ bfd/coffcode.h | 31 +++++++++++++++++++------------ bfd/coffgen.c | 6 +++--- bfd/elf.c | 22 +++++++++++++--------- bfd/peXXigen.c | 31 ++++++++++++++++++++++++------- 5 files changed, 78 insertions(+), 31 deletions(-)
Hi Alexander, Please try again :-) Cheers Nick
Created attachment 7924 [details] Crashers for `objdump -afphxgGWtTrRw --special-syms` Files: 26 Errors: 6 Argument 'size' of function malloc has a fishy (possibly negative) value: ... 26 Conditional jump or move depends on uninitialised value(s) 29 Invalid read of size ... 3 Invalid write of size ... 7 Process terminating with default action of signal 11 (SIGSEGV)
Created attachment 7925 [details] Aborts in `objdump -afphxgGWtTrRw --special-syms` 3 cases of abort() in `objdump -afphxgGWtTrRw --special-syms`
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via f41e4712a7b7ac60f181e7dfc984ca35c222f0d7 (commit) from 40e91bc71f7993f2064cec4ffd007f2c814a1b29 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f41e4712a7b7ac60f181e7dfc984ca35c222f0d7 commit f41e4712a7b7ac60f181e7dfc984ca35c222f0d7 Author: Nick Clifton <nickc@redhat.com> Date: Wed Nov 12 22:39:58 2014 +0000 Fix more memory faults uncovered by fuzzing various executables. PR binutils/17512 * dwarf.c (read_and_display_attr_value): Check that we do not read past end. (display_debug_pubnames_worker): Add range checks. (process_debug_info): Check for invalid pointer sizes. (display_loc_list): Likewise. (display_loc_list_dwo): Likewise. (display_debug_ranges): Likewise. (display_debug_aranges): Check for invalid address size. (read_cie): Add range checks. Replace call strchr with while loop. * objdump.c (dump_dwarf): Replace abort with a warning message. (print_section_stabs): Improve range checks. * rdcoff.c (coff_get_slot): Use long for indx parameter type. Add check for an excessively large index. * rddbg.c (read_section_stabs_debugging_info): Zero terminate the string table. Avoid walking off the end of the stabs data. * stabs.c (parse_stab_string): Add check for a NULL name. PR binutils/17512 * coffcode.h (coff_slurp_line_table): Set the line number of corrupt entries to -1. (coff_slurp_symbol_table): Always initialise the value of the symbol. * coffgen.c (coff_print_symbol): Check that the combined pointer is valid. (coff_print_symbol): Do not print negative line numbers.
* peXXigen.c (pe_print_idata): Add range checking displaying member names. ----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 13 +++++ bfd/coffcode.h | 14 ++++- bfd/coffgen.c | 15 +++++- bfd/peXXigen.c | 25 ++++++--- binutils/ChangeLog | 20 +++++++ binutils/dwarf.c | 144 +++++++++++++++++++++++++++++++++++++++------------- binutils/objdump.c | 16 ++++-- binutils/rdcoff.c | 9 +++- binutils/rddbg.c | 40 +++++++++----- binutils/stabs.c | 30 +++++++---- 10 files changed, 244 insertions(+), 82 deletions(-)
Hi Alexander, Once more into the breach dear friends... Cheers Nick
Created attachment 7928 [details] More badness for `objdump -afphxgGWtTrRw --special-syms` Files: 18 Errors: 5 Argument 'size' of function malloc has a fishy (possibly negative) value: ... 33 Conditional jump or move depends on uninitialised value(s) 1 Invalid read of size ... 3 Invalid write of size ... 4 Process terminating with default action of signal 11 (SIGSEGV) 1 Use of uninitialised value of size ...
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via a5c71af8d3c7c535f27614947f72883233658706 (commit) from 09bc6c722493047fb50e8a7e70e028023eff8f32 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a5c71af8d3c7c535f27614947f72883233658706 commit a5c71af8d3c7c535f27614947f72883233658706 Author: Nick Clifton <nickc@redhat.com> Date: Thu Nov 13 17:46:11 2014 +0000 More fixes for memory access violations whilst scanning corrupt binaries. PR binutils/17512 * config/obj-coff.c (coff_obj_symbol_new_hook): Set the is_sym field. * coffcode.h (coff_ptr_struct): Add is_sym field. (coff_new_section_hook): Set the is_sym field. (coff_pointerize_aux_hook): Check the is_sym field. (coff_print_aux): Likewise. (coff_compute_section_file_positions): Likewise. (coff_write_object_contents): Likewise. (coff_slurp_line_table): Likewise. (coff_slurp_symbol_table): Likewise. (CALC_ADDEND): Likewise. * coffgen.c (coff_renumber_symbols): Likewise. (coff_mangle_symbols): Likewise. (coff_fix_symbol_name): Likewise. (coff_write_symbol): Likewise. (coff_write_alien_symbol): Likewise. (coff_write_native_symbol): Likewise. (coff_write_symbols): Likewise. (coff_write_linenumbers): Likewise. (coff_pointerize_aux): Likewise. (coff_get_normalized_symtab): Likewise. (coff_get_symbol_info): Likewise. (bfd_coff_get_syment): Likewise. (bfd_coff_get_auxent): Likewise. (coff_print_symbol): Likewise. (coff_find_nearest_line_with_names): Likewise. (bfd_coff_set_symbol_class): Likewise. (coff_make_empty_symbol): Set the is_sym field. (coff_bfd_make_debug_symbol): Likewise. 
* peicode.h (pe_ILF_make_a_symbol): Likewise. * libcoff.h: Regenerate. * libcoff-in.h: Regenerate. ----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 34 ++++++++++++++++++++++ bfd/archive.c | 1 + bfd/coffcode.h | 42 +++++++++++++++++++++------ bfd/coffgen.c | 74 ++++++++++++++++++++++++++++++++++++++---------- bfd/libcoff.h | 13 +++++--- bfd/peicode.h | 1 + gas/ChangeLog | 6 ++++ gas/config/obj-coff.c | 1 + 8 files changed, 141 insertions(+), 31 deletions(-)
Hi Alexander, That one was tricky, but it should be resolved now, Cheers Nick
Created attachment 7930 [details] Badness for `objdump -afphxgGtTrRwW --special-syms` Messed with options in the previous run, readelf now seems to really process debugging info. Files: 10 Errors: 5 Argument 'size' of function malloc has a fishy (possibly negative) value: ... 5 Invalid read of size ... 2 Invalid write of size ... 3 Process terminating with default action of signal 11 (SIGSEGV)
Created attachment 7934 [details] A bit more badness for `objdump -afphxgGtTrRwW --special-syms` Files: 3 Errors: 1 Invalid read of size ... 1 Invalid write of size ... 2 Process terminating with default action of signal 11 (SIGSEGV) 1 Use of uninitialised value of size ...
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, master has been updated via 041830e03cca866f12be18198898139e558ad31e (commit) from 646da0594c91719ef591d8736865a1d58fbbfc34 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=041830e03cca866f12be18198898139e558ad31e commit 041830e03cca866f12be18198898139e558ad31e Author: Nick Clifton <nickc@redhat.com> Date: Fri Nov 14 12:30:00 2014 +0000 More fixes for invalid memory accesses triggered by corrupt binaries. PR binutils/17512 * dwarf.c (get_encoded_value): Add an 'end' parameter. Change the 'data' parameter to a double pointer and return the updated value. (decode_location_expression): Update call to get_encoded_value. (frame_need_space): Handle the case where one or both of the mallocs fails. (read_cie): Initialise the cie pointer, even if the read fails. (display_debug_frames): Warn if the calculated block_end is before the start of the block. Break the loop if the CIE could not be read. Update call to get_encoded_value. Warn if the read CFA expressions are too big. * ieee.c (ieee_archive_p) Skip processing if no bytes are read at all. (ieee_object_p): Likewise. ----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 7 +++++ bfd/ieee.c | 6 +++- binutils/ChangeLog | 14 +++++++++++ binutils/dwarf.c | 65 +++++++++++++++++++++++++++++++++++++++------------ 4 files changed, 74 insertions(+), 18 deletions(-)
Hi Alexander, Several improvements to the dwarf reader later and the latest round of test cases should be fixed. Cheers Nick
Created attachment 7937 [details] 4 samples crashing nm and objdump -x I join in again. 4 crash samples, this time created with american fuzzy lop.
Created attachment 7940 [details] Fresh crashers for `objdump -afphxgGtTrRwW --special-syms` Added several samples to the fuzzing... Files: 26 Errors: 4 Argument 'size' of function malloc has a fishy (possibly negative) value: ... 56 Invalid read of size ... 7 Invalid write of size ... 13 Process terminating with default action of signal 11 (SIGSEGV)
Created attachment 7941 [details] And some aborts for `objdump -afphxgGtTrRwW --special-syms` Files: 17 Errors: 17 No assertion info in gdb backtrace.
(In reply to Alexander Cherepanov from comment #93) > Created attachment 7941 [details] > And some aborts for `objdump -afphxgGtTrRwW --special-syms` > > Files: 17 > Errors: > 17 No assertion info in gdb backtrace. Sorry, crashes with SIGSEGV were also included among abort()s.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The branch, binutils-2_25-branch has been updated via 8f66a6af276d17c0e386cd2409873f2e3e0b8a37 (commit) via 32a9d621c3c480aa093a089a36e36c35f68a4010 (commit) from ff67f476b9907b9fddfbafff52caa4cce6a6f58c (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8f66a6af276d17c0e386cd2409873f2e3e0b8a37 commit 8f66a6af276d17c0e386cd2409873f2e3e0b8a37 Merge: 32a9d62 ff67f47 Author: Nick Clifton <nickc@redhat.com> Date: Mon Nov 17 17:04:16 2014 +0000 Merge branch 'binutils-2_25-branch' of ssh://sourceware.org/git/binutils-gdb into binutils-2_25-branch Conflicts: gas/ChangeLog https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=32a9d621c3c480aa093a089a36e36c35f68a4010 commit 32a9d621c3c480aa093a089a36e36c35f68a4010 Author: Nick Clifton <nickc@redhat.com> Date: Mon Nov 17 16:59:09 2014 +0000 Applies a series of patches for PR 17512 and 17533 which fix invalid memory accesses. 2014-11-13 Nick Clifton <nickc@redhat.com> PR binutils/17512 * config/obj-coff.c (coff_obj_symbol_new_hook): Set the is_sym field. 2014-11-14 Nick Clifton <nickc@redhat.com> PR binutils/17512 * dwarf.c (get_encoded_value): Add an 'end' parameter. Change the 'data' parameter to a double pointer and return the updated value. (decode_location_expression): Update call to get_encoded_value. (frame_need_space): Handle the case where one or both of the mallocs fails. (read_cie): Initialise the cie pointer, even if the read fails. (display_debug_frames): Warn if the calculated block_end is before the start of the block. Break the loop if the CIE could not be read. 
Update call to get_encoded_value. Warn if the read CFA expressions are too big. 2014-11-13 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (process_version_sections): If the read of the version def information fails, make sure that the external verdef data is not used. (get_dynamic_data): Do not attempt to allocate memory for more dynamic data than there is in the file. If the read fails, free the allocated buffer. (process_symbol_table): Do not print dynamic information if we were unable to read the dynamic symbol table. (print_gnu_note): Do not print the note if the descsz is too small. 2014-11-12 Nick Clifton <nickc@redhat.com> PR binutils/17512 * dwarf.c (read_and_display_attr_value): Check that we do not read past end. (display_debug_pubnames_worker): Add range checks. (process_debug_info): Check for invalid pointer sizes. (display_loc_list): Likewise. (display_loc_list_dwo): Likewise. (display_debug_ranges): Likewise. (display_debug_aranges): Check for invalid address size. (read_cie): Add range checks. Replace call strchr with while loop. * objdump.c (dump_dwarf): Replace abort with a warning message. (print_section_stabs): Improve range checks. * rdcoff.c (coff_get_slot): Use long for indx parameter type. Add check for an excessively large index. * rddbg.c (read_section_stabs_debugging_info): Zero terminate the string table. Avoid walking off the end of the stabs data. * stabs.c (parse_stab_string): Add check for a NULL name. 2014-11-11 Nick Clifton <nickc@redhat.com> PR binutils/17531 * binutils/readelf.c (dynamic_nent): Change type to size_t. (slurp_rela_relocs): Use size_t type for nrelas. (slurp_rel_relocs): Likewise. (get_program_headers): Improve out of memory error message. (get_32bit_section_headers): Likewise. (get_32bit_section_headers): Likewise. (get_64bit_section_headers): Likewise. (get_32bit_elf_symbols): Likewise. (get_64bit_elf_symbols): Likewise. (process_section_groups): Likewise. (get_32bit_dynamic_section): Likewise.
(get_64bit_dynamic_section): Likewise. (process_dynamic_section): Likewise. (process_version_sections): Likewise. (get_symbol_index_type): Likewise. (process_mips_specific): Likewise. (process_corefile_note_segment): Likewise. (process_version_sections): Use size_t type for total. (get_dynamic_data): Change type of number parameter to size_t. Improve out of memory error messages. (process_symbol_table): Change type of nbuckets and nchains to size_t. Skip processing of sections headers if there are none. Improve out of memory error messages. 2014-11-11 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (display_arm_attribute): Avoid reading off the end of the buffer when processing a Tag_nodefaults. 2014-11-10 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (ia64_process_unwind): Replace assertion with an error message. Add range checking for group section indices. (hppa_process_unwind): Replace assertion with an error message. (process_syminfo): Likewise. (decode_arm_unwind_bytecode): Add range checking. (dump_section_as_strings): Add more string range checking. (display_tag_value): Likewise. (display_arm_attribute): Likewise. (display_gnu_attribute): Likewise. (display_tic6x_attribute): Likewise. (display_msp430x_attribute): Likewise. 2014-11-10 Nick Clifton <nickc@redhat.com> PR binutils/17552 * objcopy.c (copy_archive): Clean up temporary files even if an error occurs. 2014-11-07 Nick Clifton <nickc@redhat.com> PR binutils/17531 * readelf.c (get_data): Avoid allocating memory when we know that the read will fail. (find_section_by_type): New function. (get_unwind_section_word): Check for invalid symbol indices. Check for invalid reloc types. (get_32bit_dynamic_section): Add range checks. (get_64bit_dynamic_section): Add range checks. (process_dynamic_section): Check for a corrupt time value. (process_symbol_table): Add range checks. (dump_section_as_strings): Add string length range checks. (display_tag_value): Likewise.
	(display_arm_attribute): Likewise.
	(display_gnu_attribute): Likewise.
	(display_tic6x_attribute): Likewise.
	(display_msp430x_attribute): Likewise.
	(process_mips_specific): Add range check.

2014-11-06  Nick Clifton  <nickc@redhat.com>

	PR binutils/17552, binutils/17533
	* bucomm.c (is_valid_archive_path): New function. Returns false for absolute pathnames and pathnames that include /../.
	* bucomm.h (is_valid_archive_path): Add prototype.
	* ar.c (extract_file): Use new function to check for valid pathnames when extracting files from an archive.
	* objcopy.c (copy_archive): Likewise.
	* doc/binutils.texi: Update documentation to mention the limitation on pathname of archive members.

2014-11-05  Nick Clifton  <nickc@redhat.com>

	PR binutils/17531
	* readelf.c (printable_section_name): New function.
	(printable_section_name_from_index): New function.
	(dump_relocations): Use new function.
	(process_program_headers, get_32bit_elf_symbols,
	(get_64bit_elf_symbols, process_section_headers,
	(process_section_groups, process_relocs, ia64_process_unwind,
	(hppa_process_unwind, get_unwind_section_word, decode_arm_unwind,
	(arm_process_unwind, process_version_sections,
	(process_symbol_table, apply_relocations, get_section_contents,
	(dump_section_as_strings, dump_section_as_bytes,
	(display_debug_section, process_attributes, process_mips_specific,
	(process_mips_specific process_gnu_liblist): Likewise.
	(get_unwind_section_word): Check for a missing symbol table. Replace aborts with error messages.
	(arm_process_unwind): Check for a missing string table.
	(process_attributes): Check for an attribute length that is too small.
	(process_mips_specific): Check for a corrupt GOT symbol offset.

2014-11-05  Nick Clifton  <nickc@redhat.com>

	PR binutils/17533
	* bucomm.c (is_valid_archive_path): New function.
	* bucomm.h (is_valid_archive_path): Prototype it.
	* ar.c (extract_file): Call is_valid_archive_path to verify a member filename before extracting it.
	* objcopy.c (copy_archive): Likewise.
2014-11-04  Nick Clifton  <nickc@redhat.com>

	PR binutils/17531
	* readelf.c (get_data): If the reason parameter is null, do not print any error messages.
	(get_32bit_section_headers): Verify section header entry size before reading in the section headers.
	(get_64bit_section_headers): Likewise.
	(process_section_headers): Pass FALSE to get_section_headers.
	(get_file_header): Pass TRUE to get_section_headers.
	(process_dynamic_section): Change an assert to an error message.
	(process_symbol_table): Handle corrupt histograms.
	(get_32bit_program_headers): Verify program header entry size before reading in the program headers.
	(get_64bit_program_headers): Likewise.
	(get_unwind_section_word): Do nothing if no section was provided. Fail if the offset is outside of the section.
	(print_dynamic_symbol): Catch out of range symbol indices.
	(process_mips_specific): Likewise.
	(process_attributes): Make sure that there is enough space left in the section before attempting to read the length of the next attribute.

2014-11-03  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* objdump.c (slurp_symtab): Fail gracefully if the table could not be read.
	(dump_relocs_in_section): Likewise.

2014-11-14  Nick Clifton  <nickc@redhat.com>

	PR binutils/17597
	* opncls.c (bfd_get_debug_link_info): Avoid reading off the end of the section.
	(bfd_get_alt_debug_link_info): Likewise.

2014-11-14  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* ieee.c (ieee_archive_p): Skip processing if no bytes are read at all.
	(ieee_object_p): Likewise.

2014-11-13  H.J. Lu  <hongjiu.lu@intel.com>

	* coffcode.h (coff_slurp_line_table): Add cast to unsigned int.

2014-11-13  H.J. Lu  <hongjiu.lu@intel.com>

	* coffcode.h (coff_pointerize_aux_hook): Fix a typo.

2014-11-13  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (coff_ptr_struct): Add is_sym field.
	(coff_new_section_hook): Set the is_sym field.
	(coff_pointerize_aux_hook): Check the is_sym field.
	(coff_print_aux): Likewise.
	(coff_compute_section_file_positions): Likewise.
	(coff_write_object_contents): Likewise.
	(coff_slurp_line_table): Likewise.
	(coff_slurp_symbol_table): Likewise.
	(CALC_ADDEND): Likewise.
	* coffgen.c (coff_renumber_symbols): Likewise.
	(coff_mangle_symbols): Likewise.
	(coff_fix_symbol_name): Likewise.
	(coff_write_symbol): Likewise.
	(coff_write_alien_symbol): Likewise.
	(coff_write_native_symbol): Likewise.
	(coff_write_symbols): Likewise.
	(coff_write_linenumbers): Likewise.
	(coff_pointerize_aux): Likewise.
	(coff_get_normalized_symtab): Likewise.
	(coff_get_symbol_info): Likewise.
	(bfd_coff_get_syment): Likewise.
	(bfd_coff_get_auxent): Likewise.
	(coff_print_symbol): Likewise.
	(coff_find_nearest_line_with_names): Likewise.
	(bfd_coff_set_symbol_class): Likewise.
	(coff_make_empty_symbol): Set the is_sym field.
	(coff_bfd_make_debug_symbol): Likewise.
	* peicode.h (pe_ILF_make_a_symbol): Likewise.
	* libcoff.h: Regenerate.
	* libcoff-in.h: Regenerate.

2014-11-12  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (coff_slurp_line_table): Set the line number of corrupt entries to -1.
	(coff_slurp_symbol_table): Always initialise the value of the symbol.
	* coffgen.c (coff_print_symbol): Check that the combined pointer is valid.
	(coff_print_symbol): Do not print negative line numbers.
	* peXXigen.c (pe_print_idata): Add range checking displaying member names.

2014-11-12  Alan Modra  <amodra@gmail.com>

	PR binutils/17512
	* coffcode.h (coff_slurp_line_table): Drop line number info not preceded by a valid function entry. Revert last change.

2014-11-11  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (coff_slurp_line_table): Initialise the parts of the line number cache that would not be initialised by the copy from the new line number table.
	(coff_classify_symbol): Allow for _bfd_coff_internal_syment_name returning NULL.
	* coffgen.c (coff_get_normalized_symbols): Get the external symbols before allocating space for the internal symbols, in case the get fails.
	* elf.c (_bfd_elf_slurp_version_tables): Only allocate a verref array if one is needed. Likewise with the verdef array.
	* peXXigen.c (_bfd_XXi_swap_sym_in): Replace abort()'s with error messages.
	(_bfd_XXi_swap_aux_in): Make sure that all fields of the aux structure are initialised.
	(pe_print_edata): Avoid reading off the end of the data buffer.

2014-11-11  Alan Modra  <amodra@gmail.com>

	PR binutils/17512
	* coffcode.h (coff_slurp_line_table): Use updated lineno_count when building func_table.

2014-11-11  Alan Modra  <amodra@gmail.com>

	PR binutils/17512
	* coffcode.h (coff_slurp_line_table): Don't bfd_zalloc, just memset the particular bits we need. Update src after hitting loop "continue". Don't count lineno omitted due to invalid symbols in nbr_func, and update lineno_count. Init entire terminating lineno. Don't bother allocating terminator in n_lineno_cache. Redirect sym->lineno pointer to where n_lineno_cache will be copied, and free n_lineno_cache.
	* pe-mips.c (NUM_HOWTOS): Typo fix.

2014-11-10  Nick Clifton  <nickc@redhat.com>

	PR binutils/17521
	* coff-i386.c (NUM_HOWTOS): New define.
	(RTYPE2HOWTO): Use it.
	(coff_i386_rtype_to_howto): Likewise.
	(coff_i386_reloc_name_lookup): Likewise.
	(CALC_ADDEND): Check that reloc r_type field is valid.
	* coff-x86_64.c (NUM_HOWTOS): New define.
	(RTYPE2HOWTO): Use it.
	(coff_amd64_rtype_to_howto): Likewise.
	(coff_amd64_reloc_name_lookup): Likewise.
	(CALC_ADDEND): Check that reloc r_type field is valid.
	* coffcode.h (coff_slurp_line_table): Check for symbol table indexing underflow.
	(coff_slurp_symbol_table): Use zalloc to ensure that all table entries are initialised.
	* coffgen.c (_bfd_coff_read_string_table): Initialise unused bits in the string table. Also ensure that the table is 0 terminated.
	(coff_get_normalized_symtab): Check for symbol table indexing underflow.
	* opncls.c (bfd_alloc): Catch the case where a small negative size can result in only 1 byte being allocated.
	(bfd_alloc2): Use bfd_alloc.
	* pe-mips.c (NUM_HOWTOS): New define.
	(coff_mips_reloc_name_lookup): Use it.
	(CALC_ADDEND): Check that reloc r_type field is valid.
	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Initialise unused entries in the DataDirectory.
	(pe_print_idata): Avoid reading beyond the end of the data block when printing strings.
	(pe_print_edata): Likewise. Check for table indexing underflow.
	* peicode.h (pe_mkobject): Initialise the pe_opthdr field.
	(pe_bfd_object_p): Allocate and initialize enough space to hold a PEAOUTHDR, even if the opt_hdr field specified less.

2014-11-08  Alan Modra  <amodra@gmail.com>

	* peXXigen.c (pe_print_idata): Revert last patch, cast lhs instead.

2014-11-07  H.J. Lu  <hongjiu.lu@intel.com>

	* peXXigen.c (pe_print_idata): Cast to unsigned long in range checks.

2014-11-07  Alan Modra  <amodra@gmail.com>

	* tekhex.c (tekhex_set_arch_mach): Ignore unknown arch errors.

2014-11-07  Alan Modra  <amodra@gmail.com>

	* tekhex.c (CHUNK_SPAN): Define.
	(struct data_struct <chunk_init>): Use one byte per span, update all code accessing this field.
	(find_chunk): Add create param, don't create new entry unless set.
	(insert_byte): Don't save zeros.
	(first_phase): Set section SEC_CODE or SEC_DATA flag depending on symbol type. Create an alternate section if both types of symbol are given. Attach type '2' and '6' symbols to absolute section.
	(move_section_contents): Fix caching of chunk. Don't create chunk when reading, or for writing zeros.
	(tekhex_set_section_contents): Don't create initial chunks.
	(tekhex_write_object_contents): Use CHUNK_SPAN.

2014-11-07  Alan Modra  <amodra@gmail.com>

	* aoutx.h (aout_get_external_symbols): Tidy allocation of symbol buffer.

2014-11-07  Alan Modra  <amodra@gmail.com>

	* archive.c (_bfd_slurp_extended_name_table): Revert bfd_get_size check.
	* coffcode.h (coff_set_alignment_hook): Likewise.
	(coff_slurp_line_table): Likewise.
	* coffgen.c (coff_get_normalized_symtab): Likewise.
	(_bfd_coff_get_external_symbols): Likewise.
	* elf.c (bfd_elf_get_str_section): Likewise.
	* tekhex.c (first_phase): Likewise.

2014-11-06  Nick Clifton  <nickc@redhat.com>

	* aoutx.h (slurp_symbol_table): Revert previous delta.
	(slurp_reloc_table): Likewise.
	* compress.c (bfd_get_full_section_contents): Remove file size test.
	* coffgen.c (coff_get_normalized_symtab): Allow zero-sized symtabs and do not complain about linker generated files.

2014-11-04  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT. Replace another abort with an error message.
	(coff_slurp_line_table): Add more range checking.
	* peXXigen.c (pe_print_debugdata): Add range checking.

2014-11-05  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (coff_set_alignment_hook): Warn if the file lies about the number of relocations it contains.
	(coff_sort_func_alent): Return 0 if the pointers are NULL.
	(coff_slurp_line_table): Add more range checks. Do not free new tables created when sorting line numbers.
	* peXXigen.c (pe_print_idata): Add range checks.
	(pe_print_edata): Likewise.
	(rsrc_print_resource_entries): Likewise. Avoid printing control characters. Terminate printing if corruption is detected.
	(rsrc_print_resource_directory): Terminate printing if an unknown directory type is encountered.
	(pe_print_debugdata): Fix off-by-one error.
	(rsrc_count_entries): Add range checking.
	(rsrc_parse_entry): Likewise.

2014-11-04  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* compress.c (bfd_get_full_section_contents): Improve test for linker created objects.

	PR binutils/17533
	* archive.c (_bfd_slurp_extended_name_table): Handle archives with corrupt extended name tables.

2014-11-03  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* aoutx.h (slurp_symbol_table): Check that computed table size is not bigger than the file from which it is being read.
	(slurp_reloc_table): Likewise.
	* coffcode.h (coff_slurp_line_table): Remove unneeded local 'warned'.
	Do not try to print the details of a symbol with an invalid index.
	* coffgen.c (make_a_section_from_file): Check computed string index against length of string table.
	(bfd_coff_internal_syment_name): Check read in string offset against length of string table.
	(build_debug_section): Return a pointer to the section used.
	(_bfd_coff_read_string_table): Store the length of the string table in the coff_tdata structure.
	(bfd_coff_free_symbols): Set the length of the string table to zero when it is freed.
	(coff_get_normalized_symtab): Check offsets against string table or data table lengths as appropriate.
	* cofflink.c (_bfd_coff_link_input_bfd): Check offset against length of string table.
	* compress.c (bfd_get_full_section_contents): Check computed size against the size of the file.
	* libcoff-in.h (obj_coff_strings_len): Define.
	(struct coff_tdata): Add strings_len field.
	* libcoff.h: Regenerate.
	* peXXigen.c (pe_print_debugdata): Do not attempt to print the data if the debug section is too small.
	* xcofflink.c (xcoff_link_input_bfd): Check offset against length of string table.

2014-10-31  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffgen.c (_bfd_coff_get_external_symbols): Do not try to load a symbol table bigger than the file.
	* elf.c (bfd_elf_get_str_section): Do not try to load a string table bigger than the file.
	* tekhex.c (first_phase): Check that the section range is sane.
Summary of changes:
 bfd/ChangeLog              |  282 ++++++++++++
 bfd/aoutx.h                |   24 +-
 bfd/archive.c              |    5 +-
 bfd/coff-i386.c            |   17 +-
 bfd/coff-x86_64.c          |   11 +-
 bfd/coffcode.h             |  170 +++++---
 bfd/coffgen.c              |  168 ++++++--
 bfd/cofflink.c             |    5 +-
 bfd/elf.c                  |   24 +-
 bfd/ieee.c                 |    6 +-
 bfd/libcoff-in.h           |    3 +
 bfd/libcoff.h              |   16 +-
 bfd/opncls.c               |   41 +-
 bfd/pe-mips.c              |    9 +-
 bfd/peXXigen.c             |  220 +++++---
 bfd/peicode.h              |   15 +-
 bfd/tekhex.c               |  112 +++--
 bfd/xcofflink.c            |    5 +-
 binutils/ChangeLog         |  199 +++++++++
 binutils/ar.c              |    9 +
 binutils/bucomm.c          |   26 ++
 binutils/bucomm.h          |   12 +-
 binutils/doc/binutils.texi |    3 +-
 binutils/dwarf.c           |  209 +++++---
 binutils/objcopy.c         |   23 +-
 binutils/objdump.c         |   27 +-
 binutils/rdcoff.c          |    9 +-
 binutils/rddbg.c           |   40 ++-
 binutils/readelf.c         | 1039 ++++++++++++++++++++++++++++++++------------
 binutils/stabs.c           |   30 +-
 gas/ChangeLog              |   10 +
 gas/config/obj-coff.c      |    1 +
 32 files changed, 2109 insertions(+), 661 deletions(-)
The branch, master has been updated
       via  6937bb54a9c3ddc7ba330bc18af76f8dbe856ac3 (commit)
      from  de84aee38c50fd306876cdbf92007afaacbfab4d (commit)

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6937bb54a9c3ddc7ba330bc18af76f8dbe856ac3

commit 6937bb54a9c3ddc7ba330bc18af76f8dbe856ac3
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 18 14:40:05 2014 +0000

    More fixes for illegal memory accesses exposed by fuzzed binaries.

    PR binutils/17512
    * peXXigen.c (pe_print_pdata): Fail if the section's virtual size is larger than its real size.
    (rsrc_print_section): Fix off-by-one error checking for overflow.
    * pei-x86_64.c (pex64_bfd_print_pdata): Handle empty unwind sections.
    * dwarf.c (get_encoded_value): Warn and return if the encoded value is more than 64-bits long.
    (SAFE_BYTE_GET): Do not attempt to read more than 64-bits.
    (process_extended_line_op): Add more range checks.
    (decode_location_expression): Use the return value from display_block. Add more range checks.
    (read_debug_line_header): Add range check.
    (display_debug_lines_raw): Add range checks.
    (display_debug_frames): Silently skip multiple zero terminators. Add range checks.
    (process_cu_tu_index): Check for non-existent or empty sections. Use SAFE_BYTE_GET instead of byte_get.

Summary of changes:
 bfd/ChangeLog      |    9 +++
 bfd/peXXigen.c     |   10 +++-
 bfd/pei-x86_64.c   |    7 ++
 binutils/ChangeLog |   16 +++++
 binutils/dwarf.c   |  162 +++++++++++++++++++++++++++++++++++++++------------
 5 files changed, 165 insertions(+), 39 deletions(-)
Alright - the bugs exposed by those latest fuzzed binaries should be fixed now.
Nick, did you see attachment 7937 [details]? Still crashes nm with latest git, this is in the ihex parser.
Created attachment 7947 [details]
AFL crashers for `objdump -x`

With AFL...

Files: 3
Errors:
     3 Invalid write of size ...
     3 Process terminating with default action of signal 11 (SIGSEGV)
Hi Hanno,

> did you see attachment 7937 [details]? Still crashes nm with latest git, this
> is in the ihex parser.

I did, but I cannot make nm fail locally. What command line are you using to invoke nm? Also for which target have you compiled the binutils?

Cheers
Nick
(In reply to Nick Clifton from comment #100)
> I did, but I cannot make nm fail locally. What command line are you using
> to invoke nm? Also for which target have you compiled the binutils?

Nothing special at all. 64 bit system, "./configure --disable-shared"

What's different: the buffer overflow is detected by default (no asan/valgrind/etc., probably normal gcc-fortify-source):

*** buffer overflow detected ***: nm-plain terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x73ceb)[0x7fdd416a8ceb]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fdd4172dae7]
/lib64/libc.so.6(+0xf6b80)[0x7fdd4172bb80]
/lib64/libc.so.6(+0xf6039)[0x7fdd4172b039]
/lib64/libc.so.6(_IO_default_xsputn+0x81)[0x7fdd416abf21]
/lib64/libc.so.6(_IO_vfprintf+0x499e)[0x7fdd4167e48e]
/lib64/libc.so.6(__vsprintf_chk+0x88)[0x7fdd4172b0c8]
/lib64/libc.so.6(__sprintf_chk+0x85)[0x7fdd4172b025]
nm-plain[0x41bd7f]
nm-plain[0x41c4a1]
nm-plain[0x40fe95]
nm-plain[0x404ec7]
nm-plain[0x402f86]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7fdd41654fa0]
nm-plain[0x403017]
Hi Alexander,

> Files: 3
> Errors:
>      3 Invalid write of size ...
>      3 Process terminating with default action of signal 11 (SIGSEGV)

I cannot reproduce these failures. :-(

What host/target are you using?

Cheers
Nick
(In reply to Nick Clifton from comment #60)
> Created attachment 7898 [details]
> Proposed patch to fix valgrind's complaints about using uninitialised memory
>
> (In reply to comment #57)
>
> Hi Alexander,
>
> I still cannot reproduce the valgrind problem, but the log you provided
> does give me a clue. Please could you try out the uploaded patch (which has
> *not* been applied to the master branch) and see if it works for you?
>
> Cheers
> Nick

Sorry for the delay with checking it. FWIW I don't see valgrind problems with the sample 140849-0.004.exe any more. I guess they were fixed in some other way.
Created attachment 7956 [details]
Patch to fix a crash inside _bfd_coff_read_string_table in bfd/coffgen.c

Hi Nick,

(In reply to Nick Clifton from comment #102)
> > Files: 3
> > Errors:
> >      3 Invalid write of size ...
> >      3 Process terminating with default action of signal 11 (SIGSEGV)
>
> I cannot reproduce these failures. :-(
>
> What host/target are you using?

I can reproduce it only under valgrind and with ulimit -v 1000000. Patch attached.
The branch, master has been updated
       via  cd11f78f810cf12b04046ac954ceb6528b00956c (commit)
      from  3cfdb7812cda6ca610be8bf65ffaf5138dc0d379 (commit)

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cd11f78f810cf12b04046ac954ceb6528b00956c

commit cd11f78f810cf12b04046ac954ceb6528b00956c
Author: Alexander Cherepanov <cherepan@mccme.ru>
Date:   Fri Nov 21 11:19:49 2014 +0000

    Fix a snafu setting up the string table read in from a COFF file.

    PR binutils/17512
    * coffgen.c (_bfd_coff_read_string_table): Test allocation of string table before clearing the first few bytes.

Summary of changes:
 bfd/ChangeLog |    6 ++++++
 bfd/coffgen.c |    6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)
Hi Alexander,

> Created attachment 7956 [details]
> Patch to fix a crash inside _bfd_coff_read_string_table in bfd/coffgen.c

Doh! Thanks for that. I have applied your patch to the sources.

Cheers
Nick
Hi Nick,

(In reply to Nick Clifton from comment #106)
> Doh! Thanks for that. I have applied your patch to the sources.

Thanks!
Created attachment 7959 [details]
First bunch of crashers for multiarch `objdump -afphxgGtTrRwW --special-syms`

Configured binutils with --enable-targets=all and generated more samples with objcopy. Crashes are still being sorted out but the first bunch is here.

Nick, if you prefer to deal with crashes in multiarch objdump separately or later please say so. Then I will see which of these crashes affect ordinary objdump.

Files: 60
Errors:
    15 Conditional jump or move depends on uninitialised value(s)
     3 Invalid free() / delete / delete[] / realloc()
    55 Invalid read of size ...
    18 Invalid write of size ...
     2 Jump to the invalid address stated on the next line
    34 Process terminating with default action of signal 11 (SIGSEGV)
     1 Process terminating with default action of signal 8 (SIGFPE)
     2 Source and destination overlap in memcpy...
     5 Use of uninitialised value of size ...
Created attachment 7960 [details]
objdump-x-fuzzing.tar.xz

Here are some more results from american fuzzy lop with objdump -x (nm issues from attachment #7937 seem fixed now).

I grouped them in three directories:
* heap overflows (quick look seems they all trigger similar code, but afl considered them as distinct code paths)
* endless loops (I don't know if they're really endless, but they run at least some minutes, something definitely wrong)
* memory exhaustion (not sure if they qualify as real bugs, but probably something worth fixing anyway)
The branch, master has been updated
       via  0a9d414aa114b7b7e609cbcbc285f79031bbe608 (commit)
      from  5974eba65b82912621ac68f2c0ff844efbd02b25 (commit)

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0a9d414aa114b7b7e609cbcbc285f79031bbe608

commit 0a9d414aa114b7b7e609cbcbc285f79031bbe608
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 21 21:44:04 2014 +0000

    Fixes for memory access violations exposed by fuzzing various binaries.

    PR binutils/17512
    * dwarf.c (get_encoded_value): Check for an encoded size of 0.
    (display_debug_lines_raw): Check for an invalid line range value.
    (display_debug_frames): Check for corrupt augmentation data.
    * coffgen.c (coff_get_normalized_symtab): Check for an excessive number of auxiliary entries.
    * ieee.c (next_byte): Convert to a function. Return FALSE if the next byte is beyond the end of the buffer.
    (parse_int): Test the return value of next_byte.
    (parse_expression): Convert to boolean. Return FALSE if the parsing failed. Test the return value of next_byte.
    (ieee_seek): Convert to a function. Return FALSE if the seek goes beyond the end of the buffer.
    (ieee_slurp_external_symbols): Test the return value of ieee_seek and next_byte.
    (ieee_slurp_sections): Convert to boolean. Return FALSE if the operation failed. Test the return value of ieee_seek and next_byte.
    (ieee_archive_p): Test the return value of ieee_seek and next_byte.
    (do_one): Likewise.
    (ieee_slurp_section_data): Likewise.
    (ieee_object_p): Likewise. Store the size of the buffer in the total_amt field in the header.
    * libieee.h (common_header_type): Add amt field.
    * mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the reloc's value is within range.
    (bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the operation fails.
    * pei-x86_64.c (pex64_xdata_print_uwd_codes): Replace abort with an error message.
    (pex64_dump_xdata): Check for buffer overflows.
    * versados.c (process_otr): Check that the section exists before taking its size.
    (versados_object_p): Make sure that enough data was read for the header to be checked.
    * vms-alpha.c (vms_get_remaining_object_record): Change read_so_far parameter to an unsigned int. Check that the amount read is in range.

Summary of changes:
 bfd/ChangeLog      |   39 ++++++++
 bfd/coffgen.c      |   17 +++-
 bfd/ieee.c         |  261 +++++++++++++++++++++++++++++++++++-----------------
 bfd/libieee.h      |    1 +
 bfd/mach-o.c       |   22 +++--
 bfd/pei-x86_64.c   |   37 ++++++--
 bfd/versados.c     |   21 ++++-
 bfd/vms-alpha.c    |   15 ++-
 binutils/ChangeLog |    7 ++
 binutils/dwarf.c   |   24 +++++
 10 files changed, 333 insertions(+), 111 deletions(-)
(In reply to Alexander Cherepanov from comment #108)
> First bunch of crashers for multiarch `objdump -afphxgGtTrRwW
> --special-syms`

Great - these should be fixed now.

> Nick, if you prefer to deal with crashes in multiarch objdump
> separately or later please say so.

Nope, here is good.

Cheers
Nick
Created attachment 7965 [details]
Next crashers for multiarch `objdump -afphxgGtTrRwW --special-syms`

Files: 37
Errors:
    12 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
    20 Conditional jump or move depends on uninitialised value(s)
    11 Invalid read of size ...
     4 Invalid write of size ...
    11 Process terminating with default action of signal 11 (SIGSEGV)
     2 Use of uninitialised value of size ...
The branch, master has been updated
       via  a11652892c18324bf3abb8b25c01475e5a18632a (commit)
      from  0cfd832fc7d4f1b5633248754dcc75fa90b5475b (commit)

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a11652892c18324bf3abb8b25c01475e5a18632a

commit a11652892c18324bf3abb8b25c01475e5a18632a
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Nov 26 14:11:23 2014 +0000

    More fixes for memory access errors triggered by attempts to examine corrupted binaries.

    PR binutils/17512
    * dwarf.c (display_block): Do nothing if the block starts after the end of the buffer.
    (read_and_display_attr_value): Add range checks.
    (struct Frame_Chunk): Make the ncols and ra fields unsigned.
    (frame_need_space): Test for an ncols of zero.
    (read_cie): Fail if the augmentation data extends off the end of the buffer.
    (display_debug_frames): Add checks for read_cie failing. Add range checks.
    * coff-h8300.c (rtype2howto): Replace abort with returning a NULL value.
    * coff-h8500.c (rtype2howto): Likewise.
    * coff-tic30.c (rtype2howto): Likewise.
    * coff-z80.c (rtype2howto): Likewise.
    * coff-z8k.c (rtype2howto): Likewise.
    * coff-ia64.c (RTYPE2HOWTO): Always return a valid howto.
    * coff-m68k.c (m68k_rtype2howto): Return a NULL howto if none could be found.
    * coff-mcore.c (RTYPE2HOWTO): Add range checking.
    * coff-w65.c (rtype2howto): Likewise.
    * coff-we32k.c (RTYPE2HOWTO): Likewise.
    * pe-mips.c (RTYPE2HOWTO): Likewise.
    * coff-x86_64.c (coff_amd64_reloc): Likewise. Replace abort with an error return.
    * coffcode.h (coff_slurp_reloc_table): Allow the rel parameter to be unused.
    * coffgen.c (make_a_section_from_file): Check the length of a section name before testing to see if it is a debug section name.
    (coff_object_p): Zero out any uninitialised bytes in the opt header.
    * ecoff.c (_bfd_ecoff_slurp_symbolic_info): Test for the raw source being empty when there are values to be processed.
    (_bfd_ecoff_slurp_symbol_table): Add range check.
    * mach-o.c (bfd_mach_o_canonicalize_one_reloc): Likewise.
    (bfd_mach_o_mangle_sections): Move test for too many sections to before the allocation of the section table.
    (bfd_mach_o_read_symtab_strtab): If the read fails, free the memory and nullify the symbol pointer.
    * reloc.c (bfd_generic_get_relocated_section_contents): Add handling of a bfd_reloc_notsupported return value.
    * versados.c (EDATA): Add range checking.
    (get_record): Likewise.
    (process_otr): Check for contents being available before updating them.
    (versados_canonicalize_reloc): Add range check.

Summary of changes:
 bfd/ChangeLog      |   40 +++++++++++++++++++++++
 bfd/coff-h8300.c   |    2 +-
 bfd/coff-h8500.c   |    2 +-
 bfd/coff-ia64.c    |    2 +-
 bfd/coff-m68k.c    |    1 +
 bfd/coff-mcore.c   |   16 +++++----
 bfd/coff-tic30.c   |    2 +-
 bfd/coff-w65.c     |   29 ++++++++++-------
 bfd/coff-we32k.c   |    9 ++++-
 bfd/coff-x86_64.c  |   13 +++++++-
 bfd/coff-z80.c     |    2 +-
 bfd/coff-z8k.c     |    2 +-
 bfd/coffcode.h     |    2 +-
 bfd/coffgen.c      |    7 +++-
 bfd/ecoff.c        |    8 ++++
 bfd/mach-o.c       |   26 +++++++++++----
 bfd/pe-mips.c      |    7 +++-
 bfd/reloc.c        |    9 +++++
 bfd/versados.c     |   45 ++++++++++++++++---------
 binutils/ChangeLog |   13 +++++++
 binutils/dwarf.c   |   91 ++++++++++++++++++++++++++++++++++++++-------------
 21 files changed, 250 insertions(+), 78 deletions(-)
The branch, master has been updated
       via  1036838a771b96ad9428e8fc7ecc45d3d8e056ce (commit)
      from  608ce2f3c8b1fb309f50b6426389282ec6031323 (commit)

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1036838a771b96ad9428e8fc7ecc45d3d8e056ce

commit 1036838a771b96ad9428e8fc7ecc45d3d8e056ce
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 27 12:19:10 2014 +0000

    Fixes a few more memory access violations exposed by fuzzed binaries.

    PR binutils/17512
    * ecoff.c (_bfd_ecoff_slurp_symbol_table): Warn about and correct a discrepancy between the isymMax and ifdMax values in the symbolic header.
    * elf.c (_bfd_elf_print_private_bfd_data): Fix the range check scanning the external dynamic entries.

Summary of changes:
 bfd/ChangeLog |    9 +++++++++
 bfd/ecoff.c   |   15 +++++++++++++++
 bfd/elf.c     |    4 +++-
 3 files changed, 27 insertions(+), 1 deletions(-)
Created attachment 7978 [details]
More crashes for `objdump -afphxgGtTrRwW --special-syms`

Files: 41
Errors:
    20 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
    18 Conditional jump or move depends on uninitialised value(s)
    47 Invalid read of size ...
     5 Invalid write of size ...
    10 Process terminating with default action of signal 11 (SIGSEGV)
     4 Source and destination overlap in memcpy...
     4 Use of uninitialised value of size ...
The branch, master has been updated
       via  06614111d1be94b43ea8dd83805184d4e177bcea (commit)
      from  30b5e341f3bcb219718ad32cd0065670fd37e637 (commit)

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=06614111d1be94b43ea8dd83805184d4e177bcea

commit 06614111d1be94b43ea8dd83805184d4e177bcea
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 1 16:43:46 2014 +0000

    More fixes for memory access violations exposed by fuzzed binaries.

    PR binutils/17512
    * dwarf.h (struct dwarf_section): Add user_data field.
    * dwarf.c (frame_need_space): Check for an over large register number.
    (display_debug_frames): Check the return value from frame_need_space. Check for a CFA expression that is so long the start address wraps around.
    (debug_displays): Initialise the user_data field.
    * objdump.c (load_specific_debug_section): Save the BFD section pointer in the user_data field of the dwarf_section structure.
    (free_debug_section): Update BFD section data when freeing section contents.
    * readelf.c (load_specific_debug_section): Initialise the user_data field.
    * archive.c (do_slurp_coff_armap): Add range checks to prevent running off the end of the string table.
    * compress.c (bfd_get_full_section_contents): Return a NULL pointer for zero sized sections. Do not attempt to copy a buffer onto itself.
    * elf-attrs.c (_bfd_elf_parse_attributes): Check for an empty header. Add range checks to avoid running off the end of the section.
    * elf.c (bfd_elf_get_str_section): Seek before allocating so that if the seek fails, no memory is allocated.
(bfd_elf_string_from_elf_section): Do not allocate a string from a non string section. It only leads to trouble later on. (_bfd_elf_print_private_bfd_data): Check for there being too little external dynamic data. (bfd_section_from_shdr): Replace assertion with a failure mode. (bfd_section_from_shdr): When walking a loaded group section use the internal structure size, not the external size. Check for the group section being empty. * elf32-i386.c (elf_i386_rtype_to_howto): Replace assertion with a failure mode. * elfcode.h (elf_slurp_reloc_table): Likewise. * reloc.c (bfd_perform_relocation): Avoid seg-fault if the howto parameter is NULL. ----------------------------------------------------------------------- Summary of changes: bfd/ChangeLog | 27 ++++++++++++ bfd/archive.c | 11 ++++- bfd/compress.c | 13 ++++- bfd/elf-attrs.c | 16 ++++++- bfd/elf.c | 36 ++++++++++++---- bfd/elf32-i386.c | 4 +- bfd/elfcode.h | 4 +- bfd/reloc.c | 4 ++ binutils/ChangeLog | 17 +++++++ binutils/dwarf.c | 118 ++++++++++++++++++++++++++++++++-------------------- binutils/dwarf.h | 2 + binutils/objdump.c | 17 +++++++ binutils/readelf.c | 1 + 13 files changed, 207 insertions(+), 63 deletions(-)
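The bfd_elf_string_from_elf_section and do_slurp_coff_armap entries in the commit above both come down to the same defensive rule: a string offset taken from the file must be validated against the section that is supposed to contain it before anything calls strlen() on it. The block below is an added example of that rule, not BFD's code; the struct and function names are invented for the example, the is_string_section flag stands in for whatever the real section-type check is, and the sample table is constructed inline.

```c
/* Added example, not code from binutils/BFD: a bounds-checked string-table
   lookup.  Type and function names are invented for this example; the
   sample table below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A section as a parser holds it after loading: bytes, byte count, and
   whether the section header declared it to be a string table. */
struct strtab {
    const unsigned char *data;
    size_t size;
    int is_string_section;   /* assumed flag, e.g. derived from SHT_STRTAB */
};

/* Return the NUL-terminated string at OFFSET, or NULL when any condition a
   corrupt file can violate fails: the section is not a string table, OFFSET
   lies at or past its end, or no terminator exists between OFFSET and the
   end of the section.  The offset is compared in 64 bits so a value wider
   than size_t cannot be truncated into range. */
const char *strtab_lookup(const struct strtab *t, uint64_t offset)
{
    if (t == NULL || t->data == NULL || !t->is_string_section)
        return NULL;
    if (offset >= (uint64_t)t->size)
        return NULL;
    const unsigned char *s = t->data + (size_t)offset;
    size_t remaining = t->size - (size_t)offset;
    if (memchr(s, '\0', remaining) == NULL)
        return NULL;   /* unterminated: strlen() would run off the section */
    return (const char *)s;
}

/* Constructed sample: a 15-byte string table whose last entry "abc" has no
   terminator inside the declared size (the literal's own trailing NUL sits
   at index 15, outside the section on purpose). */
static const unsigned char SAMPLE_STRTAB[] = "\0.text\0main\0abc";
#define SAMPLE_STRTAB_SIZE 15

/* Convenience wrapper so a caller can probe the sample table. */
const char *sample_lookup(uint64_t offset, int is_string_section)
{
    struct strtab t = { SAMPLE_STRTAB, SAMPLE_STRTAB_SIZE, is_string_section };
    return strtab_lookup(&t, offset);
}
```

The memchr() check is the part most parsers forget: an offset can be in range while the string it starts is not, and the read then continues into whatever follows the section in memory.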
Hi Alexander,

Thanks for the continued testing. In case it is not obvious, I am not too concerned by the "silly argument to malloc" warnings from valgrind. I might fix them one day, but for now they do not represent actual memory access violations, so I am ignoring them.

Cheers
  Nick
Created attachment 7990 [details] Crashes for `objdump -afphxgGtTrRwW --special-syms`

Files: 11
Errors:
   9 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
   2 Invalid read of size ...
   2 Process terminating with default action of signal 11 (SIGSEGV)
(In reply to Nick Clifton from comment #117)
> In case it is not obvious, I am not too concerned by the "silly argument
> to malloc" warnings from valgrind. I might fix them one day, but for now
> they do not represent actual memory access violations,

Such warnings can point to places of possible integer overflow which could lead to actual buffer overruns with other (not yet found) samples. But I haven't looked into specific cases.

> so I am ignoring them.

It's up to you. I've included them in today's bunch because it was easier than filtering them out. They are probably dupes of the previous ones, so please ignore them.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  db6b071a97893d5c7bf34e7fb171a0b710ea736d (commit)
      from  4759c34e128035e57b06a7b3d7c58f135061c6da (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=db6b071a97893d5c7bf34e7fb171a0b710ea736d

commit db6b071a97893d5c7bf34e7fb171a0b710ea736d
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Dec 3 19:50:48 2014 +0000

    Fix memory access problems exposed by fuzzed binaries.

        PR binutils/17512
        * objdump.c (free_debug_section): Reset the compress_status as well.

        * compress.c (bfd_get_full_section_contents): Fail if there are no section contents available when the compress_status is COMPRESS_SECTION_DONE.
        * libbfd.c (bfd_malloc): Refuse to allocate a negative size.
        (bfd_malloc2): Use bfd_malloc.
        (bfd_realloc): Refuse to reallocate a negative size.
        (bfd_realloc2): Use bfd_realloc.
        (bfd_realloc_or_free): Use bfd_realloc.
        (bfd_zmalloc): Use bfd_malloc.
        (bfd_zmalloc): Use bfd_malloc2.
        * opncls.c (bfd_alloc): Refuse to allocate a negative size.
-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |  15 ++++++
 bfd/compress.c     |   2 +
 bfd/libbfd.c       | 127 +++++++++++----------------------------------------
 bfd/opncls.c       |  14 ++++--
 binutils/ChangeLog |   6 +++
 binutils/objdump.c |   1 +
 6 files changed, 61 insertions(+), 104 deletions(-)
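Alexander's point in comment #118 and this commit are two sides of the same problem: a size that valgrind calls "fishy (possibly negative)" is usually the product of wrapped arithmetic on a corrupt header field, and the same wrap can just as easily land on a small value that under-allocates a buffer. The block below is an added example of allocation wrappers that refuse such sizes and check the nmemb * size product; it is not BFD's bfd_malloc/bfd_malloc2, the function names are invented, and the errno choice is the example's own.

```c
/* Added example, not BFD's own code: allocation wrappers that refuse
   "negative" sizes and overflow-check two-factor allocations.  Function
   names are invented for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* A 64-bit size read from a file header is "negative" when its top bit is
   set; such values come from wrapped arithmetic on corrupt fields.  Also
   refuse anything the host's size_t cannot represent (32-bit hosts). */
int size_is_sane(uint64_t size)
{
    if (size > (uint64_t)INT64_MAX)
        return 0;
    if (size > (uint64_t)SIZE_MAX)
        return 0;
    return 1;
}

/* malloc() that rejects negative-looking sizes instead of passing them on. */
void *checked_malloc(uint64_t size)
{
    if (!size_is_sane(size)) {
        errno = ENOMEM;   /* example's choice; BFD reports via its own error codes */
        return NULL;
    }
    return malloc((size_t)size);
}

/* nmemb * size with the product checked for wrap-around before use. */
void *checked_malloc2(uint64_t nmemb, uint64_t size)
{
    if (size != 0 && nmemb > UINT64_MAX / size) {
        errno = ENOMEM;
        return NULL;
    }
    return checked_malloc(nmemb * size);
}

/* Typical use: a header claims NSYMS symbol entries of ENTRY_SIZE bytes.
   Computing (nsyms + 1) * entry_size in 32-bit arithmetic can wrap to a
   small number (buffer too short) or to a "negative" 64-bit value;
   widening first and checking the product avoids both.  Returns 1 if the
   table could be allocated (and frees it again), 0 if it was refused. */
int try_alloc_symbol_table(uint32_t nsyms, uint64_t entry_size)
{
    uint64_t count = (uint64_t)nsyms + 1;   /* room for a sentinel entry */
    void *table = checked_malloc2(count, entry_size);
    if (table == NULL)
        return 0;
    free(table);
    return 1;
}
```

Refusing the allocation is only half the fix; the caller still has to treat NULL as "corrupt input" rather than "out of memory" and stop parsing, which is what the bfd_get_full_section_contents change in the same commit does for its case.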
Hi Alexander,

> Errors:
> 9 Argument 'size' of function malloc has a fishy (possibly negative)
> value: ...
> 2 Invalid read of size ...
> 2 Process terminating with default action of signal 11 (SIGSEGV)

These should all be fixed now.

Cheers
  Nick
Created attachment 7993 [details] More crashes for `objdump -afphxgGtTrRwW --special-syms`

elfutils seems to have nice tests...

Files: 4
Errors:
   1 Conditional jump or move depends on uninitialised value(s)
  45 Invalid read of size ...
   2 Invalid write of size ...
   3 Process terminating with default action of signal 11 (SIGSEGV)
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  f64e188b58f4aab4cbd03aa6e9fc1aa602546e26 (commit)
      from  137d1369ac054744d27f19e95aa8a739e6c0068d (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f64e188b58f4aab4cbd03aa6e9fc1aa602546e26

commit f64e188b58f4aab4cbd03aa6e9fc1aa602546e26
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Dec 9 12:42:18 2014 +0000

    More fixes for memory access violations triggered by fuzzed binaries.

        PR binutils/17512
        * objdump.c (display_any_bfd): Avoid infinite loop closing and opening the same archive again and again.

        * archive64.c (bfd_elf64_archive_slurp_armap): Add range checks.
        * libbfd.c (safe_read_leb128): New function.
        * libbfd-in.h (safe_read_leb128): Add prototype.
        * libbfd.h: Regenerate.
        * elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128. Check for an over-long subsection length.
        * elf.c (elf_parse_notes): Check that the namedata is long enough for the string comparison that is about to be performed.
        (elf_read_notes): Zero-terminate the note buffer.
-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      | 13 ++++++++++++
 bfd/archive64.c    | 11 +++++++++-
 bfd/elf-attrs.c    | 15 ++++++++-----
 bfd/elf.c          | 53 ++++++++++++++++++++++++++++-----------------------
 bfd/libbfd-in.h    |  2 +
 bfd/libbfd.c       | 39 ++++++++++++++++++++++++++++++++++++++
 bfd/libbfd.h       |  2 +
 binutils/ChangeLog |  6 +++++
 binutils/objdump.c | 10 ++++++++-
 9 files changed, 119 insertions(+), 32 deletions(-)
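Two of the entries above describe general-purpose checks rather than one-off fixes: a LEB128 reader that stops at the end of its buffer (safe_read_leb128) and a note parser that confirms the name field is long enough before comparing it. The block below is an added example of both, written for this page rather than taken from libbfd.c or elf.c; the function names, the sample encodings and the sample note names are all constructed, and the reader additionally rejects encodings that would not fit in 64 bits, which is the example's own choice of failure mode.

```c
/* Added example, not binutils' safe_read_leb128 or elf_parse_notes: a
   bounds-checked ULEB128 decoder and a length-checked note-name compare.
   Names and sample inputs are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode an unsigned LEB128 value from [P, END).  Returns the number of
   bytes consumed, or 0 on failure: the encoding runs past END (truncated),
   or it carries more payload than a uint64_t can hold. */
size_t safe_read_uleb128(const unsigned char *p, const unsigned char *end,
                         uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t n = 0;

    if (p == NULL || end == NULL || end < p)
        return 0;
    while (n < (size_t)(end - p)) {          /* never read at or past END */
        unsigned char byte = p[n++];
        uint64_t payload = byte & 0x7f;
        /* The 10th byte sits at shift 63: only its low bit fits. */
        if (shift > 57 && (payload >> (64 - shift)) != 0)
            return 0;                        /* high bits would be lost */
        result |= payload << shift;
        shift += 7;
        if ((byte & 0x80) == 0) {
            *out = result;
            return n;
        }
        if (n >= 10)
            return 0;                        /* longer than any 64-bit encoding */
    }
    return 0;                                /* continuation bit set on the last byte */
}

/* An ELF note's namesz counts the name bytes including the NUL.  Return 1
   only if NAMESZ fits in the AVAIL bytes actually loaded and is at least
   long enough to hold EXPECTED plus its terminator; otherwise memcmp()
   would read past the data that exists. */
int note_name_is(const unsigned char *namedata, size_t namesz,
                 size_t avail, const char *expected)
{
    size_t want = strlen(expected) + 1;     /* include the terminating NUL */
    if (namesz > avail)                      /* header claims more than was read */
        return 0;
    if (namesz < want)                       /* too short to contain EXPECTED */
        return 0;
    return memcmp(namedata, expected, want) == 0;
}

/* Constructed LEB128 inputs. */
static const unsigned char ULEB_624485[]   = { 0xE5, 0x8E, 0x26 };
static const unsigned char ULEB_TRUNCATED[] = { 0xE5, 0x8E };   /* last byte missing */
static const unsigned char ULEB_MAX[]      = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
                                               0xFF, 0xFF, 0xFF, 0xFF, 0x01 };
static const unsigned char ULEB_TOO_WIDE[] = { 0x80, 0x80, 0x80, 0x80, 0x80,
                                               0x80, 0x80, 0x80, 0x80, 0x7E };

/* Decode sample WHICH; returns bytes consumed (0 = rejected). */
size_t decode_sample(int which, uint64_t *value)
{
    const unsigned char *buf;
    size_t len;
    switch (which) {
    case 0: buf = ULEB_624485;   len = sizeof ULEB_624485;   break;
    case 1: buf = ULEB_TRUNCATED; len = sizeof ULEB_TRUNCATED; break;
    case 2: buf = ULEB_MAX;      len = sizeof ULEB_MAX;      break;
    case 3: buf = ULEB_TOO_WIDE; len = sizeof ULEB_TOO_WIDE; break;
    default: return 0;
    }
    *value = 0;
    return safe_read_uleb128(buf, buf + len, value);
}

size_t sample_consumed(int which) { uint64_t v; return decode_sample(which, &v); }
uint64_t sample_value(int which)  { uint64_t v = 0; return decode_sample(which, &v) ? v : 0; }
```

The reader returns the byte count rather than advancing a pointer by reference, so a caller cannot accidentally keep going after a failed decode; a return of 0 means "stop parsing this section".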
(In reply to Alexander Cherepanov from comment #122)
> Errors:
> 1 Conditional jump or move depends on uninitialised value(s)
> 45 Invalid read of size ...
> 2 Invalid write of size ...
> 3 Process terminating with default action of signal 11 (SIGSEGV)

Fixed...

Cheers
  Nick
Created attachment 8003 [details] More crashers for `objdump -afphxgGtTrRwW --special-syms`

crashes
Files: 7
Errors:
  26 Invalid read of size ...
   4 Process terminating with default action of signal 11 (SIGSEGV)
----------------------------------------------------------------------
catchsegv
Files: 3
Errors:
   3 *** Segmentation fault
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  acff96643eb25bc425d108b0576d393ab398f1c5 (commit)
      from  05a6c3c813d617d9900c5de056f40f958a6c71a5 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=acff96643eb25bc425d108b0576d393ab398f1c5

commit acff96643eb25bc425d108b0576d393ab398f1c5
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Dec 11 20:25:05 2014 +0000

    Fix a few more memory access violations.

        PR binutils/17512
        * dwarf.c (display_gdb_index): Add more range checks.
-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |  5 +++++
 binutils/dwarf.c   | 20 +++++++++++++++-----
 2 files changed, 20 insertions(+), 5 deletions(-)
(In reply to Alexander Cherepanov from comment #125)
> Files: 3
> Errors:
> 3 *** Segmentation fault

Fixed. Next. :-)
(In reply to Nick Clifton from comment #127)
> (In reply to Alexander Cherepanov from comment #125)
>
> > Files: 3
> > Errors:
> > 3 *** Segmentation fault
>
> Fixed. Next. :-)

fe3b9a79 still crashes `objdump -afphxgGtTrRwW --special-syms` for me (others are fixed). Perhaps the form of my new stats was confusing...
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  033539e2685156ad6ad60e5925bc61cef5ced483 (commit)
      from  beed38b8273fa18be574a7e84d5d2ee1f563ed48 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033539e2685156ad6ad60e5925bc61cef5ced483

commit 033539e2685156ad6ad60e5925bc61cef5ced483
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Dec 16 14:17:15 2014 +0000

    Fix a memory access violation triggered by a fuzzed binary.

        PR binutils/17512
        * format.c (bfd_check_format_matches): Check for a matching vector before using match priorities.
        * mach-o.c (bfd_mach_o_canonicalize_one_reloc): Fix off-by-one errors with previous delta.
-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog | 8 ++++++++
 bfd/format.c  | 2 +-
 bfd/mach-o.c  | 6 ++++--
 3 files changed, 13 insertions(+), 3 deletions(-)
Hi Alexander,

> fe3b9a79 still crashes `objdump -afphxgGtTrRwW --special-syms` for me
> (others are fixed). Perhaps the form of my new stats was confusing...

Intriguing - the fault only happens with an x86_64-pc-linux-gnu toolchain. I was using one configured for all targets (including x86_64-pc-linux-gnu), and for some reason the fault was not triggered there. Anyway I have checked in a patch to fix the fault for real this time, so please have another try.

Cheers
  Nick
(In reply to Nick Clifton from comment #130)
> Intriguing - the fault only happens with an x86_64-pc-linux-gnu toolchain.
> I was using one configured for all targets (including x86_64-pc-linux-gnu),
> and for some reason the fault was not triggered there.

Sorry for the confusion, it turned out I mistyped the option to ./configure and lost multiarchness. Thanks for mentioning it!

> Anyway I have checked in a patch to fix the fault for real this time, so please
> have another try.

Ok, I've found several more non-multiarch crashes in the meantime. I'll upload them shortly and will come back to multiarch.
Created attachment 8022 [details] More crashers for multiarch `objdump -afphxgGtTrRwW --special-syms`

crashes (valgrind)
Files: 13
Errors:
   4 Conditional jump or move depends on uninitialised value(s)
  39 Invalid read of size ...
   4 Invalid write of size ...
   9 Process terminating with default action of signal 11 (SIGSEGV)
----------------------------------------------------------------------
aborts (gdb)
Files: 1
Errors:
   1 No assertion info in gdb backtrace.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  5860e3f883597cf6b8a937547015394edc1e8784 (commit)
      from  e30880c2eeee3b43897161344bbbffd03f3a1c91 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5860e3f883597cf6b8a937547015394edc1e8784

commit 5860e3f883597cf6b8a937547015394edc1e8784
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 22 20:59:00 2014 +0000

    More fixes for memory access violations exposed by fuzzed binaries.

        PR binutils/17512
        * archive.c (do_slurp_bsd_armap): Return if the parsed_size is zero.
        (bfd_slurp_armap): Zero terminate the name.
        (bfd_generic_stat_arch_elt): If there is no header, fail.
        * elf32-arc.c (arc_info_to_howto_rel): Replace BFD_ASSERT with error message.
        * elf32-avr.c (avr_info_to_howto_rela): Likewise.
        * elf32-cr16c.c (elf_cr16c_info_to_howto_rel): Likewise.
        * elf32-cris.c (cris_info_to_howto_rela): Likewise.
        * elf32-d10v.c (d10v_info_to_howto_rel): Likewise.
        * elf32-d30v.c (d30v_info_to_howto_rel): Likewise.
        * elf32-dlx.c (dlx_rtype_to_howto): Likewise.
        * elf32-epiphany.c (epiphany_info_to_howto_rela): Likewise.
        * elf32-fr30.c (fr30_info_to_howto_rela): Likewise.
        * elf32-frv.c (frv_info_to_howto_rela): Likewise.
        * elf32-i960.c (elf32_i960_info_to_howto_rel): Likewise.
        * elf32-ip2k.c (ip2k_info_to_howto_rela): Likewise.
        * elf32-iq2000.c (iq2000_info_to_howto_rela): Likewise.
        * elf32-lm32.c (lm32_info_to_howto_rela): Likewise.
        * elf32-m32c.c (m32c_info_to_howto_rela): Likewise.
        * elf32-m32r.c (m32r_info_to_howto_rel): Likewise.
        * elf32-m68hc11.c (m68hc11_info_to_howto_rel): Likewise.
        * elf32-m68hc12.c (m68hc11_info_to_howto_rel): Likewise.
        * elf32-mep.c (mep_info_to_howto_rela): Likewise.
        * elf32-metag.c (metag_info_to_howto_rela): Likewise.
        * elf32-moxie.c (moxie_info_to_howto_rela): Likewise.
        * elf32-msp430.c (msp430_info_to_howto_rela): Likewise.
        * elf32-mt.c (mt_info_to_howto_rela): Likewise.
        * elf32-nds32.c (nds32_info_to_howto_rel): Likewise.
        * elf32-or1k.c (or1k_info_to_howto_rela): Likewise.
        * elf32-rl78.c (rl78_info_to_howto_rela): Likewise.
        * elf32-rx.c (rx_info_to_howto_rela): Likewise.
        * elf32-v850.c (v850_elf_info_to_howto_rel): Likewise.
        * elf32-visium.c (visium_info_to_howto_rela): Likewise.
        * elf32-xgate.c (xgate_info_to_howto_rel): Likewise.
        * elf32-xtensa.c (elf_xtensa_info_to_howto_rela): Likewise.
        * elf64-mmix.c (mmix_info_to_howto_rela): Likewise.
        * elf64-x86-64.c (elf_x86_64_reloc_type_lookup): Likewise.
        * elfnn-aarch64.c (elfNN_aarch64_bfd_reloc_from_type): Likewise.
        * elf64-sparc.c (elf64_sparc_slurp_one_reloc_table): Add range checking of reloc symbol index.
        * mach-o.c (bfd_mach_o_canonicalize_one_reloc): If no symbols have been provided then set the reloc's symbol to undefined.
        * reloc.c (bfd_generic_get_relocated_section_contents): Add range checking of the reloc to be applied.
        * versados.c (process_otr): Add more range checks.
        (versados_canonicalize_reloc): If the section is unknown, set the symbol to undefined.
        * vms-alpha.c (_bfd_vms_slurp_eisd): Add range checks.
        (alpha_vms_object_p): Likewise.
-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog        | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++
 bfd/archive.c        |  9 ++++++-
 bfd/elf32-arc.c      |  6 ++++-
 bfd/elf32-avr.c      |  6 ++++-
 bfd/elf32-cr16c.c    |  6 ++++-
 bfd/elf32-cris.c     |  6 ++++-
 bfd/elf32-d10v.c     |  6 ++++-
 bfd/elf32-d30v.c     | 12 +++++++++-
 bfd/elf32-dlx.c      |  6 ++++-
 bfd/elf32-epiphany.c |  5 ++++
 bfd/elf32-fr30.c     |  6 ++++-
 bfd/elf32-frv.c      |  5 ++++
 bfd/elf32-i960.c     |  8 ++++++-
 bfd/elf32-ip2k.c     |  5 ++++
 bfd/elf32-iq2000.c   |  5 ++++
 bfd/elf32-lm32.c     |  6 ++++-
 bfd/elf32-m32c.c     |  6 ++++-
 bfd/elf32-m32r.c     |  6 ++++-
 bfd/elf32-m68hc11.c  |  6 ++++-
 bfd/elf32-m68hc12.c  |  6 ++++-
 bfd/elf32-mep.c      |  5 ++++
 bfd/elf32-metag.c    |  6 ++++-
 bfd/elf32-moxie.c    |  6 ++++-
 bfd/elf32-msp430.c   | 12 +++++++++-
 bfd/elf32-mt.c       |  5 ++++
 bfd/elf32-nds32.c    |  6 ++++-
 bfd/elf32-or1k.c     |  6 ++++-
 bfd/elf32-rl78.c     |  6 ++++-
 bfd/elf32-rx.c       |  6 ++++-
 bfd/elf32-v850.c     |  6 ++++-
 bfd/elf32-visium.c   |  5 ++++
 bfd/elf32-xgate.c    |  6 ++++-
 bfd/elf32-xtensa.c   |  6 ++++-
 bfd/elf64-mmix.c     |  6 ++++-
 bfd/elf64-sparc.c    |  4 ++-
 bfd/elf64-x86-64.c   |  2 +-
 bfd/elfnn-aarch64.c  |  8 +++++++
 bfd/mach-o.c         |  2 +
 bfd/reloc.c          |  4 +++
 bfd/versados.c       | 30 ++++++++++++++++++++-------
 bfd/vms-alpha.c      |  7 +++++-
 41 files changed, 279 insertions(+), 40 deletions(-)
Hi Alexander,

> Files: 13
> Errors:
> 4 Conditional jump or move depends on uninitialised value(s)
> 39 Invalid read of size ...
> 4 Invalid write of size ...
> 9 Process terminating with default action of signal 11 (SIGSEGV)

These should all be fixed now.

Cheers
  Nick
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils". The annotated tag, hjl/linux/release/2.25.51.0.1 has been created at 02458b5b7894e10794a1e1b87e4f8e36b3198b10 (tag) tagging a0890eb04228a6b921697b1192285b57e5f46e97 (commit) replaces hjl/linux/release/2.24.51.0.4 tagged by H.J. Lu on Wed Dec 24 16:43:46 2014 -0800 - Log ----------------------------------------------------------------- Linux binutils 2.25.51.0.1 Ajit Kumar Agarwal (2): Microblaze: Reject invalid target descriptions Microblaze: Replace microblaze-expedite from pc to rpc Alan Modra (122): daily update Regen gold POTFILES.in daily update daily update daily update Do away with hash table line lookup in dwarf2dbg.c daily update daily update daily update daily update daily update daily update daily update Discard zero address range eh_frame FDEs daily update daily update daily update daily update daily update daily update daily update daily update daily update Run eh_frame optimisation for relocatable link daily update sparc-aout and sparc-coff breakage Correct fscanf char field count Avoid undefined behaviour with signed expressions daily update ChangeLog typo fix Define bfd_find_line entry of BFD_JUMP_TABLE_SYMBOLS using NAME. 
Merge bfd_find_nearest_line variants daily update PR17488, powerpc64-linux-ld segfault Fix 17492, ld segfault with --oformat=binary daily update daily update Fix PR17493, attempted output of *GAS `reg' section* symbol PowerPC64 ELFv1 function symbol definition vs LTO and discarded sections daily update daily update daily update Add gcc-4.9 libgomp symbols requiring --plt-thread-safe for power7 Relax ppc64_elf_tls_optimize assertion [GOLD] Add gcc-4.9 libgomp symbols requiring --plt-thread-safe for power7 daily update daily update daily update daily update daily update daily update daily update daily update daily update daily update daily update daily update daily update daily update Provide stat function for spu overlay manager iovec Regenerate spu overlay and icache manager files Use frag_now_fix_octets in gas d10v, d30v Don't use register keyword daily update Use obstack_blank_fast to shrink obstacks Cast result of obstack_next_free daily update daily update Revert bfd_get_size checks aoutx.h tidy tekhex buffer management and symbol types tekhex architecure daily update Correct buffer overrun test daily update daily update daily update ld -r abort in _bfd_elf_write_section_eh_frame Avoid coff OOM coff coff daily update Fix x86 non-ELF build breakage Fix z80-coff build breakage Throw away dodgy coff line number info earlier daily update daily update Default powerpc64 to --plt-thread-safe for Go ppc476 workaround sizing PPC gold doesn't check for overflow properly PPC gold doesn't check for overflow properly PowerPC64 --plt-align [GOLD] PowerPC relaxation corner case Retry powerpc gold stub grouping when groups prove too large _bfd_elf_slurp_version_tables tidy Fix build breakage on 32-bit targets with 64-bit bfd Don't deprecate powerpc mftb insn Sanity checks on version section Don't output symbol version definitions for non-DT_NEEDED libs Power4 should treat mftb as extended mfspr mnemonic ppc64_elf_edit_opd revamp powerpc gold, fix pr17566 powerpc gold, work 
around pr17670 Sort relocs output by ld -r PowerPC gold, fix 32-bit branch address arithmetic ChangeLog typo fix ppc64_elf_edit_opd revamp, take 2 Don't sort ld -r relocs for mips Don't access elf tdata in dwarf.c without first checking for an ELF bfd Don't return DW_AT_name for function name in C++ Don't always build coffgen.o Use autoconf check for long long in binutils Copy relocations against protected symbols Set bfd_error in _bfd_elf_adjust_dynamic_copy PowerPC register numbers in DWARF Move support code for linker script DEFINED to ldexp.c Correct logic for "defined by object" Don't PROVIDE over top of common symbols Use a symbol flag bit to mark linker defined symbols Report an error for script multiply defined symbols Yet another DEFINED testcase Fix generic linker symbol output when weak is overridden by strong Don't create .eh_frame_hdr on shared lib bfd Alexander Cherepanov (2): Fix a snafu setting up the string table read in from a COFF file. This patch fixes a snafu where the -D and -U short versions of the Andreas Arnez (58): Replace 'core_regset_sections' by iterator method Add 'regset' parameter to 'iterate_over_regset_sections_cb' Add multi-arch capable 'fbsd_make_corefile_notes' variant AARCH64: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' ALPHA: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' ARM: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' FRV: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' HPPA: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' X86: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' M32R: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' M68K: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' IA64: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' M88K: Migrate from 'regset_from_core_section' to 
'iterate_over_regset_sections' MIPS: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' MN10300: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'. NIOS2: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' PPC: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' SCORE: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' SH: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' SPARC: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' TILEGX: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' VAX: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' XTENSA: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections' Drop target method 'fbsd_make_corefile_notes' Linux targets: drop fall back to target method for 'make_corefile_notes' Drop 'regset_from_core_section' gdbarch method Remove non-address bits for longjmp resume breakpoint Eliminate literal line numbers in so-impl-ld.exp Eliminate literal line numbers in dbx.exp Eliminate literal line numbers in call-ar-st.exp Eliminate literal line numbers in call-rt-st.exp Eliminate literal line numbers in ending-run.exp Eliminate literal line numbers in foll-exec.exp Eliminate literal line numbers in jump.exp Eliminate literal line numbers in shlib-call.exp Eliminate literal line numbers in mi-console.exp 'callfuncs' test case: Fixes in conditionally compiled code Perform all tests in callfuncs.exp with and without C function prototypes callfuncs.exp: Indent perform_all_tests() Drop non-prototype C function header variants: solib1.c Drop non-prototype C function header variants: 'break' test case Drop non-prototype C function header variants: 'list' test case Drop non-prototype C function header variants: 'sepdebug' test case GDB testsuite: drop non-prototype C function header variants GDB testsuite: Fix 
warnings with -std=gnu11 Drop remaining references to removed source lines in break1.c and ur1.c Eliminate literal line numbers in mi-until.exp GDB testsuite: More fixes for warnings with -std=gnu11 Use 2-byte instead of 4-byte NOP on S390 in 'bp-permanent' test case S390: Fix 'expedite' for s390-te-linux64 execl-update-breakpoints.exp: Move whole segment instead of .text section gdbserver: Rephrase loops in regsets_fetch/store_inferior_registers gdbserver: Prevent stale/random values in register cache gdbserver: Support read-only regsets in linux-low.c S390: Fix gdbserver support for TDB Add new GDB command "maint print user-registers" Provide completer for "info registers" Fix indentation of "maint print user-registers" Andreas From (1): Add myself as write after approval maintainer Andreas Schwab (1): * configure.tgt (targ_extra_obj) [aarch64*-*]: Define. Andrew Bennett (1): [MIPS] When calculating a relocation using an undefined weak symbol don't check for overflow. Andrew Burgess (9): When relaxing, update symbols at the very end of the section. When relaxing, update size of symbols. Merge include/* files from GCC commit 77cab4753. Merge include/* files from GCC commit 69a2f316d3. Add string representation of ELF e_flags for AVR. AVR: Only set link-relax elf flag when appropriate. AVR/ld: Propagate link-relax elf header flag correctly. AVR: Assembler now prepares for linker relaxation by default. AVR: Document linker relaxation related options. Andrew Pinski (2): [AARCH64] Add thunderx support to gas Add forgotten changelog entry. Andrew Stubbs (1): Clarify strip docs. Anthony Green (4): Add zex instructions for moxie port Add zex instruction support for moxie port Add mul.x and umul.x instructions to moxie port Add support for moxie's mul.x and umul.x instructions Cary Coutant (12): Fix race condition causing assert in Eh_frame_hdr::do_sized_write(). Add PR reference to ChangeLog entry. 
Fix problem where TLS common symbols are not allocated properly during LTO. Fix handling of relocations against TLS section symbols. Fix error from previous patch where tosize and tovalue were redefined Add "typename" keyword to satisfy GCC 4.2. Fix corrupted .eh_frame section with LTO and --gc-sections. Add file size to ELF symbol labelling start of a binary file. Update list of debug sections for --strip-debug-xxx options. Fix extraneous warning about executable stack. Fix internal error in gold when -Map and --compress-debug-sections are used gold/ Catalin Udma (2): Fix info mem command for 32 bits host/64 bits target aarch64/gdbserver: fix floating point registers display Chen Gang (3): Fix memory overflow issue about strncat Ensure zero termination of tic4x insn buffer Fix windres memory leak Daniel Colascione (1): Warn users about mismatched PID namespaces Denis Chertykov (5): * avrtiny.sc: Apply avr.sc fixes. * MAINTAINERS: Fix my email address. * configure.ac: Add od-elf32_avr to build. * od-elf32_avr.c: Forgot to add a new file. * od-elf32_avr.c (elf32_avr_dump_mem_usage): Fix device initialization. Dennis Brueni (1): Thix fixes an obvious coding error that led to a GDB crash on AIX or HPUX. Dmitriy Ivanov (1): Add support for -z global. Don Breazeal (2): Refactor native follow-fork. Follow-fork message printing improvements Doug Evans (104): gdb.base/structs.c (main): Don't run forever. Remove some code duplication in py-objfile.c, py-progspace.c. fix file paths in previous commit Fix dw2-op-out-param.S CU offset values. Change name of file name test in py-objfile.exp. PR python/17364 Add gdb.Objfile.progspace attribute. New python event "clear_objfiles". linux-nat.c (linux_nat_wait_1): Make local prev_mask non-static. Fix some comments to say minus_one_ptid instead of PID == -1. Remove second (nested) copy of local var child_die. symtab.c (lookup_symbol_aux_quick): Set block_found upon success. 
symtab.c: forward decl cleanup Clean up some function comments in symtab.[ch]. Move block_found decl to symtab.h. block.c (allocate_block): Use OBSTACK_ZALLOC instead of obstack_alloc. * block.h (ALL_BLOCK_SYMBOLS): Fix comment. Rename parameter "kind" to "block_index" in quick lookup functions. symtab.c (lookup_symbol_aux_local): Fix typo in comment. Add ability to add attributes to gdb.Objfile and gdb.Progspace objects. valops.c: Fix some whitespace. objfiles.h: Remove some unused macros. xcoffread.c (process_linenos): Delete unnecessary code. mdebugread.c (parse_procedure): Delete unnecessary forward decl. Update description of ownership of files in include/ solib_global_lookup: Fetch arch from objfile, not target_gdbarch. Delete TYPE_CODE_CLASS, it's just an alias of TYPE_CODE_STRUCT. Forgotten ChangeLog entry for previous commit. Use ALL_PRIMARY_SYMTABS instead of ALL_SYMTABS in some places. Move lookup_block_symbol to block.c, rename to block_lookup_symbol. New macro ALL_BLOCK_SYMBOLS_WITH_NAME. Rename lookup_symbol_static to lookup_symbol_in_static_block, lookup_symbol_in_block: Renamed from lookup_symbol_aux_block. Rename some "aux" functions. symtab.c (basic_lookup_symbol_nonlocal): Add comment. Rename lookup_symbol_global to lookup_global_symbol. symtab.h (lookup_global_symbol): Improve function comment. PR 17564: Fix objfile search order for static symbols. source.c (select_source_symtab): Rewrite to use ALL_SYMTABS. symmisc.c: Remove trailing whitespace. dwarf2read.c (update_enumeration_type_from_children): Avoid infinite loop. PR symtab/17591 expand_symtab_containing_pc: Renamed from find_pc_sect_symtab_via_partial. PR symtab/17559 Add copyright headers. The result of symtab expansion is always a primary symtab. Split up end_symtab_from_static_block into two. Use SYMBOL_OBJFILE more. Fix memory leak in watch_main_source_file_lossage. SYMTAB_OBJFILE: New macro. SYMTAB_DIRNAME: New macro. symtab.h (SYMTAB_LINETABLE): Renamed from LINETABLE. 
All uses updated. buildsym API cleanup symtab.h (SYMTAB_BLOCKVECTOR): Renamed from BLOCKVECTOR. All uses updated. Split struct symtab into two: struct symtab and compunit_symtab. psymtab.c (psymtab_search_name): Fix whitespace. cp-namespace.c (cp_lookup_symbol_nonlocal): Fix comment. symtab.c: Comment and whitespace improvements. Fix dumping of function arguments. gdb.dwarf2/dw2-op-out-param.S: Fix comment. python/py-infthread.c: Whitespace fixes. New python events: infcall, register/memory changed. revert previous patch so that I can re-commit with correct author Remove remnant of Chill support. dwarf2read.c (peek_die_abbrev): Improve error message text. PR symtab/17591 PR symtab/17602 Remove cplus_specific from general_symbol_info. New python attribute gdb.Objfile.build_id. New python method gdb.Objfile.add_separate_debug_file. Revert: linespec.c (iterate_name_matcher): Fix arguments to symbol_name_cmp. New "owner" attribute for gdb.Objfile. python/py-objfile.c (objfpy_get_owner): Increment refcount of result. cp_lookup_symbol_imports: Make static. cp-namespace.c (lookup_symbol_file): Move next to only caller. cp_lookup_symbol_nonlocal: Move definition closer to its subroutines. symtab.c (domain_name) <MODULE_DOMAIN>: Add missing case. (lookup_global_symbol_from_objfile): Simplify. cp-namespace.c (cp_lookup_nested_symbol): Fix comments. New python function gdb.lookup_objfile. Give quick_symbol_functions "methods" a consistent naming scheme. Rename cp_is_anonymous to cp_is_in_anonymous. value_maybe_namespace_elt: Remove unnecessary test of result != NULL. utils.c (make_hex_string): Fix off-by-one error. symtab.h (struct symbol_search) <symtab>: Delete, unnecessary. cp_find_type_baseclass_by_name: Renamed from find_type_baseclass_by_name. cp_lookup_symbol_via_imports: Renamed from cp_lookup_symbol_imports. boards/stabs.exp: New file. Make buildsym set-up/tear-down more consistent, and document it. New parameter "debug symbol-lookup". 
value_maybe_namespace_elt: Remove redundant call to lookup_static_symbol. Fix file name in earlier entry. language_lookup_primitive_type: Renamed from language_lookup_primitive_type_by_name. infcmd.c (jump_command): Minor simplification. cp-namespace.c: Whitespace cleanup. cp-namespace.c (cp_lookup_symbol_in_namespace): Simplify. cp-namespace.c (cp_lookup_nested_symbol_1): New function. cp-namespace.c (cp_lookup_symbol_via_imports): New arg "search_scope_first". cp-namespace.c (cp_lookup_symbol_via_all_imports): New function. Replace some symbol accessor macros with functions. Add langdef arg to la_lookup_symbol_nonlocal. initialize_objfile_symbol: Renamed from initialize_symbol. symtab.h (SYMBOL_DOMAIN_BITS): New macro. Look up primitive types as symbols. Dr Philipp Tomsich (1): Remove the artificial limit on code alignment through the use of the Eric Botcazou (6): Update from upstream config repo Add Visium support to opcodes Add Visium support to bfd Add Visium support to binutils Add Visium support to gas Add Visium support to ld Espen Grindhaug (1): Fixes an infinite loop in readelf parsing a corrupt binary, and other minor corrections. Evgeniy Dushistov (1): Fix race condition when using --threads with linker plugins. 
GDB Administrator (36): Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Automatic date update in version.in Gary Benson (4): Remove spurious exceptions.h inclusions Include cleanups.h in common-defs.h Include common-exceptions.h in common-defs.h Do not include unnecessary files in fbsd-tdep.c H.J. 
Lu (100): Fix build for OLD_FREEBSD_ABI_LABEL Convert mov to lea only if r_offset >= 2 X32: Add REX prefix to encode R_X86_64_GOTTPOFF Merge remote-tracking branch 'origin/master' into hjl/linux/master Cast to unsigned long in range checks Cast time value to unsigned long to print Merge remote-tracking branch 'origin/master' into hjl/linux/master Fix a typo in gas/ChangeLog Add assembler support for @gotplt Mark R_X86_64_GOTPLT64 obsolete Rename symbbol to symbol Merge remote-tracking branch 'origin/master' into hjl/linux/master Add cast to unsigned int Merge remote-tracking branch 'origin/master' into hjl/linux/master Correct x86 assembler manual Merge remote-tracking branch 'origin/master' into hjl/linux/master Don't make PLT entry for R_X86_64_GOTPLT64 Merge remote-tracking branch 'origin/master' into hjl/linux/master Always run mpx3 and mpx4 tests in 64-bit Merge remote-tracking branch 'origin/master' into hjl/linux/master Check PC-relative offset overflow in PLT entry Run IFUNC run-time tests only if IFUNC is supported Add ifunc-main IFUNC tests Always load function pointer into a stack variable Add function and function pointer tests Merge remote-tracking branch 'origin/master' into hjl/linux/master Update plt-main tests for x32 Don't run pr17618 test on x32 Merge remote-tracking branch 'origin/master' into hjl/linux/master Add binutils-pltgot.patch Run plt-main test with -pie Add function and function pointer tests for i386 Merge remote-tracking branch 'origin/master' into hjl/linux/master Add i386 .plt.got support Check PC-relative offset overflow in PLT entry Optimize PC-relative offset overflow check Merge remote-tracking branch 'origin/master' into hjl/linux/master Merge remote-tracking branch 'origin/master' into hjl/linux/master Check pointer_equality_needed instead of non_got_ref Check branch displacement overflow in x86-64 PLT entry Assert size of elf_x86_64_{bnd|legacy}_plt2_entry Update libtool.m4 from GCC trunk Optimize out i386/x86-64 JUMP_SLOT 
relocation Merge remote-tracking branch 'origin/master' into hjl/linux/master Remove binutils-pltgot.patch Update binutils-sharable.patch for master Display symbol version when dumping dynrelocs Use get_symbol_version_string in BFD_JUMP_TABLE_SYMBOLS Merge remote-tracking branch 'origin/master' into hjl/linux/master Remove binutils-pr16496.patch Update ld-alpha tests for secureplt Update mips tests with symbol version string Add tests for PR ld/16452 and PR ld/16457 Merge remote-tracking branch 'origin/master' into hjl/linux/master Properly check for an out of range row index Merge remote-tracking branch 'origin/master' into hjl/linux/master X86-64: Allow copy relocs for building PIE Discard space for relocs against symbols with copy relocs Check info->executable for symbols which need copy relocs Merge remote-tracking branch 'origin/master' into hjl/linux/master Reformat elf_x86_64_create_dynamic_sections Merge remote-tracking branch 'origin/master' into hjl/linux/master Update binutils-sharable.patch against master Replace copyreloc-main.c with copyreloc-main.S Merge remote-tracking branch 'origin/master' into hjl/linux/master Compile pie_copyrelocs_test.cc with -fno-exceptions -fno-asynchronous-unwind-tables Add _bfd_elf_ifunc_get_synthetic_symtab Merge remote-tracking branch 'origin/master' into hjl/linux/master Define bfd_elf32_get_synthetic_symtab for x32 Merge remote-tracking branch 'origin/master' into hjl/linux/master Handle weak alias for PIE with copy reloc Merge remote-tracking branch 'origin/master' into hjl/linux/master Update binutils-sharable.patch against master Compress debug sections for Linux/x86 by default Merge remote-tracking branch 'origin/master' into hjl/linux/master Cast current_group_size to unsigned long Merge remote-tracking branch 'origin/master' into hjl/linux/master Mention --compress-debug-sections default in NEWS Check corrupt input Merge remote-tracking branch 'origin/master' into hjl/linux/master Apply binutils-pr17729.patch 
Apply binutils-pr14675.patch Merge remote-tracking branch 'origin/master' into hjl/linux/master Change SometimesInlineFunction to "return i * i * 3;" Merge remote-tracking branch 'origin/master' into hjl/linux/master Merge remote-tracking branch 'origin/master' into hjl/linux/master Cast size to long to warn Merge remote-tracking branch 'origin/master' into hjl/linux/master Update binutils-pr14675.patch Merge remote-tracking branch 'origin/master' into hjl/linux/master Update binutils-pr14675.patch Update binutils-lto-mixed.patch against master Merge remote-tracking branch 'origin/master' into hjl/linux/master Add cast to unsigned long Merge remote-tracking branch 'origin/master' into hjl/linux/master Merge remote-tracking branch 'origin/hjl/linux/master' into hjl/linux/applied Update binutils-lto-mixed.patch for avrelf.em/ppc32elf.em Merge remote-tracking branch 'origin/hjl/linux/master' into hjl/linux/applied Fix ld/emultempl/avrelf.em and ld/emultempl/ppc32elf.em Update release note for 2.25.51.0.1 Han Shen (3): Here we have the patch for gold aarch64 backend to support relaxation. Misc about gold for aarch64 backend. Fix for gold linking tlsdesc into an executable with -pie. Hans-Peter Nilsson (10): ld.texinfo: Clarify that sysroot affects "=" expansion. ld.texinfo: "=" path-prefix forces sysroot in scripts not only SEARCH_DIR lib/ld-lib.exp (check_sysroot_available): New proc. Add sysroot-prefix ld linker tests. If "=" is the first character in a ldscript input file, force a sysroot prefix. Allow unquoted = as the first character in ldscript input_list names Implement --print-sysroot in ld. Implement --print-sysroot in ld. Fix ld tests with sysroot=/ and --enable-targets=all and test --print-sysroot Fix %lx format used with bfd_size_type mismatch in readelf.c Iain Buclaw (3): Sync libiberty with upstream GCC. Remove d-support.c and use gdb_demangle for demangling D symbols. Add dlang demangling support to c++filt. 
Igor Zamyatin (1): Add -z bndplt to generate BND prefix in PLT entries Ilya Tocar (4): Add clwb instruction Add pcommit instruction Add AVX512IFMA instructions Add AVX512VBMI instructions James Hogan (1): Clean up after generated c files for MIPS DSP targets Jan Beulich (4): aarch64: move bogus assertion ppc: enable msgclr and msgsnd on Power8 gas: avoid bogus warnings in false branches of conditional aarch64: allow adding/removing just feature flags via .arch_extension Jan Kratochvil (19): Fix library-list.dtd -> library-list-svr4.dtd Use gdb_test_sequence in gdb.base/save-bp.exp. Fix "save breakpoints" for "disable $bpnum" command. Fix "save breakpoints" for "catch" command NEWS: Fix typo. Reindent code (resolve_dynamic_type_internal). Fix add-auto-load-safe-path typo. Add add-auto-load-scripts-directory. Accelerate lookup_symbol_aux_objfile 85x Remove const from many struct objfile * Unify lookup_symbol_in_objfile_symtabs add dummy frame destructor add infcall_mmap and gcc_target_options gdbarch methods introduce call_function_by_hand_dummy export dwarf2_reg_to_regnum_or_error add linux_infcall_mmap add s390_gcc_target_options Fix 7.8 regression: resolve_dynamic_struct: Assertion `TYPE_NFIELDS (type) > 0' (PR 17642) Fix MinGW compilation Jan-Benedict Glaw (7): 2014-11-05 Jan-Benedict Glaw <jbglaw@lug-owl.de> Update from upstream Automake Update `move-if-change' from gnulib Update config.{guess,sub} from upstream config repo Sync libiberty from GCC Fix signedness warning Fix date in ChangeLog entry Jason Merrill (1): * Makefile.in (check-gdb.%): Restore. Jing Yu (2): Add aarch64 to list of targets that support gold. Give informative error message for stub-group-size Jiong Wang (4): [AArch64] Cortex-A53 erratum 835769 linker workaround treate -specs as both cflags & ldflags [AArch64] Warn on load pair to same register [AArch64] Cortex-A53 Erratum 835769 -- sort maps Joel Brobecker (23): [Ada] Error adding/subtracting pointer value to/from integral. 
Use strtod instead of strtold in libiberty/d-demangle.c ARM: stricter __stack_chk_guard check during prologue analysis Document the GDB 7.8.1 release in gdb/ChangeLog common-defs.h: include <stdarg.h> before <stdio.h> [gdbserver/lynx] spurious failure to write in inferior memory varsize-limit error printing element of packed array... [Ada] Ignore __XA types when redundant. [Ada] gdb.ada/complete.exp failure on x86_64-windows [Ada] XA type is not redundant if the ranges' subtypes do not match Handling of empty Ada ranges with a negative upper bound. Always consider infcall breakpoints as non-permanent. gdb_realpath: Rework comment about handling on Windows. callback.h:struct host_callback_struct compilation error on Windows hosts. Lift DWARF unwinder restriction in dwarf2-frame.c::dwarf2_frame_cfa configure gdb/gnulib with --disable-largefile if largefile support disabled. Add ChangeLog entries missing from the previous commit. Add missing ChangeLog entry for PR backtrace/16215. Fix ARI warnings in gdb/compile/compile-object-load.c. Avoid use of sprintf in gdb/utils.c:make_hex_string Internal error trying to print uninitialized string. Use PTRACE_SINGLESTEP_ONE when single-stepping one thread. [Linux] Ask kernel to kill inferior when GDB terminates Joel Sherrill (3): s/immediatly/immediately/ in sim/sh/ChangeLog entry. sim/igen/: Change immediatly to immediately sim/ppc/*: Change immediatly to immediately Jose E. Marchesi (3): This is a series of patches that add support for the SPARC M7 cpu to opcodes: fix several misplaced hwcap entries. opcodes, elf: annotate instructions with HWCAP2_VIS3B. Keith Seitz (1): This commit causes hundreds of core file regressions in gdb: Kito Cheng (1): Fix SysV-style hash table when --hash-style=both. 
Kwok Cheung Yeung (1): Fix the gdb.dwarf2/dw2-dir-file-name.exp test on MIPS Luis Machado (5): MIPS bit field failures in gdb.base/store.exp Fix mingw32 failures due to incorrect directory separator in pattern Fix ARM machine state testcase failures Skip tests that use cd for remote hosts I caught a few mingw32-specific failures for some of the gdb.reverse Maciej W. Rozycki (11): Avoid software breakpoint's instruction shadow inconsistency Also mark ELF solib trampoline minimal symbols special MIPS: Correct MUSTBE32 interpretation in delay slot handling MIPS: Correct heuristic prologue termination conditions MIPS: Rewrite `add_offset_16' to match its name gdb.dwarf2: Testsuite 64-bit pointer truncation fixes MIPS/GAS: Correct file option settings with `.insn' MIPS: Add support for microMIPS Linux signal trampolines Correct invalid assumptions made by (mostly) DWARF-2 tests MIPS: Keep the ISA bit in compressed code addresses MIPS: Define aliases for MSYMBOL_TARGET_FLAG macros Marcus Shawcroft (2): [AArch64] Remove example processors from GAS. [AArch64] Enable CRC feature in GAS for cortex-a53 and cortex-a57. Mark Wielaard (3): Recognize new DWARFv5 C11, C++11 and C++14 DW_LANG constants. dwarf.c handle new DWARFv5 C11, C++11 and C++14 DW_LANG constants. Display DW_LANG_C11 as (C11). Markus Trippelsdorf (1): BFD: Add support for more than one plugin in lib/bfd-plugins Martin Galvan (1): frame.c: Fix the check for FID_STACK_INVALID in frame_id_eq() Matthew Fortune (12): Fix bad @value references in MIPS documentation Show information about unknown ASEs and extensions in .MIPS.abiflags MIPS Documentation fixes Fix -Wshadow warning Update .MIPS.abiflags to support MIPS R6 Fix segfault when creating a dso with discarded .dynsym section. Add in a JALRC alias and fix the NAL instruction. Fix octeon3 testsuite fallout Fix undefined weak symbol reloc tests Fix all failing FPXX tests for tx39-elf. 
      Fix octeon3 tests for targets with default abi != n32
      Rework the alignment check for BFD_RELOC_MIPS_18_PCREL_S3.

Max Filippov (1):
      Fix trampolines search code for conditional branches

Mihail-Marian Nistor (1):
      gdb/17394: cannot put breakpoint only in selected ASM file.

Naveen H.S (1):
      MIPS: Add Octeon 3 support

Nick Bull (1):
      New python events: inferior call, register/memory changed.

Nick Clifton (61):
      This patch closes a potential security hole in applications that use
      Fix a seg-fault in strings and other binutils when parsing a corrupt PE
      This fixes more seg-faults in tools like "strings" and "objdump" when
      This patch fixes a flaw in the SREC parser which could cause a stack overflow
      More fixes for corrupt binaries crashing the binutils.
      Updated/new translations provided by the Translations Project.
      Fixes another memory corruption bug introduced by patches for PR 17512.
      Fix error message strings so that they can be translated properly.
      Closes another memory corruption, this time due to heap overrun.
      Fixes a seg-fault in the ihex parser when it encounters a malformed ihex file.
      In response to a public outcry the strings program now defaults to using the
      oops - changelog omitted from previous delta.
      Avoid allocating over-large buffers when parsing corrupt binaries.
      Fix an (almost) infinite loop in the tekhex parser.
      Fixes a snafu checking the size of 20-bit immediate values.
      Import updated translations supplied by the Translation Project.
      More fixes for buffer overruns instigated by corrupt binaries.
      Fixes for crashes running readelf.
      Fix a seg-fault triggered by reading a mal-formed archive.
      More fixes for memory corruption when readelf processes corrupt files.
      Fix problem with linker created sections being mistakenly flagged
      More fixes for processing corrupt files.
      More fixes for reading corrupt ELF files.
      More fixes for memory problems uncovered by file fuzzers.
      Revert changes in previous deltas that introduced new failures into
      Prevent archive members with illegal pathnames from being extracted from an archive.
      Add more fixes for invalid memory accesses triggered by corrupt files.
      More fixes for problems exposed by valgrind and the address sanitizer
      Fix objcopy and strip so that they remove their temporary files even if an error occurs.
      More fixes for assertion failures and out-of-bounds reads by readelf.
      More fixes for invalid memory accesses, uncovered by valgrind and binary fuzzers.
      Prevent a buffer overrun whilst displaying corrupt ARM tags.
      Updated French and Ukrainian translations supplied by the Translation Project.
      oops - missed the French translation.
      Fix invalid memory accesses for more corrupt binary files.
      Fix more memory faults uncovered by fuzzing various executables.
      More fixes for readelf problems reading corrupt files.
      More fixes for memory access violations whilst scanning corrupt binaries.
      More fixes for invalid memory accesses triggered by corrupt binaries.
      Fix a null pointer dereference when reading the debug link info from a corrupt file.
      Fix memory access problems exposed by fuzzed binaries.
      More fixes for illegal memory accesses exposed by fuzzed binaries.
      Fixes a seg-fault when displaying the time data for a corrupt archive.
      Resolve more problems with readelf uncovered by fuzzing binary files.
      Fixes for memory access violations exposed by fuzzing various binaries.
      More fixes for memory access errors triggered by attempts to examine corrupted binaries.
      Fixes a few more memory access violations exposed by fuzzed binaries.
      Add checks for memory access violations exposed by fuzzed archives.
      More fixes for memory access violations exposed by fuzzed binaries.
      Replace calls to abort (in readelf) with informative error messages.
      Fix memory access problems exposed by fuzzed binaries.
      More fixes for invalid memory accesses triggered by fuzzed binaries.
      More fixes for memory access violations triggered by fuzzed binaries.
      Fix a few more memory access violations.
      Fix a memory access violation triggered by a fuzzed binary.
      More fixes for memory access violations exposed by fuzzed binaries.
      More fixes for invalid memory accesses exposed by fuzzed binaries.
      Updated translations for the gas and gprof tools.
      Reformat the objdump.1 man output to avoid overlong lines.
      This patch add support for cpu marvell-whitney.
      Reverts an "enhancement" made in a previous delta which complained of

Oleg Endo (1):
      Correct fabs and fneg insns in simulator

Patrick Palka (4):
      checkpoint: print index of new checkpoint in response message
      Fix the processing of Meta-key commands in TUI
      Specify SA_RESTART when registering the SIGWINCH signal handler
      Add myself as write-after-approval GDB maintainer

Pedro Alves (66):
      infrun.c: comment/typo fixes
      breakpoint.c: debug output when we skip inserting a breakpoint
      infrun.c:user_visible_resume_ptid: Don't check singlestep_breakpoints_inserted_p
      Aarch64: Make CPSR a 32-bit register again in the target description
      Fix features/i386/64bit-avx512.xml
      features/Makefile: Add a "clean" rule.
gdb/regformats: Don't build .dat files that aren't used by GDBserver Regenerate AVX512 target description C files features/Makefile: Make 'make cfiles' default to generating all C files Add read-only markers to generated gdb/regformats/ .dat files Really fail inserting software breakpoints on read-only regions Reduce Hg packet (select remote general thread) bouncing PR17431: following execs with "breakpoint always-inserted on" Fix non-stop regressions caused by "breakpoints always-inserted off" changes gdb.threads/manythreads.exp: clean up and add comment infrun.c:normal_stop: Fix typo in comment Split vDSO range lookup to a gdbarch hook PR symtab/14466: Work around PR libc/13097 "linux-vdso.so.1" Cache the vsyscall/vDSO range per-inferior Delete IRIX support Delete gdb/regformats/microblaze.dat gdbserver/win32: Rewrite debug registers handling Decide whether we may have removed breakpoints based on step_over_info Rewrite non-continuable watchpoints handling infrun.c: add for_each_just_stopped_thread Put single-step breakpoints on the bp_location chain Remove deprecated_insert_raw_breakpoint and friends thread.c: cleanup breakpoint deletion Make single-step breakpoints be per-thread Non-stop + software single-step archs: don't force displaced-stepping for all single-steps Merge remote thread listing methods Push pruning old threads down to the target remote: get rid of all the T packets when syncing the thread list DEC threads: Simplify updating the thread list Fix build without libexpat Delete Tru64 support Make common code handle target_terminal_* idempotency PR gdb/17472: With annotations, input while executing in the foreground crashes readline/GDB PR gdb/17300: Input after "c -a" crashes readline/GDB PR gdb/17471: Repeating a background command makes it foreground NEWS: Clarify removed targets Remove Vax Ultrix and VAX BSD support stepi/nexti: skip signal handler if "handle nostop" signal arrives Workaround remote targets that report an empty list to 
qfThreadInfo update bug numbers (GNATS -> Bugzilla) in a few signal related tests gdb.base/sigstep.exp: cleanup and make it easier to extend Test for PR gdb/17511, spurious SIGTRAP after stepping into+in signal handler PR gdb/12623: non-stop crashes inferior, PC adjustment and 1-byte insns PR tui/16138, PR tui/17519, and misc failures to initialize the terminal TUI: don't let exceptions escape while handling readline key bindings PR tui/16138 is about failure to initialize curses resulting in GDB Fix uninitialized value access when very first GDB command entered is <RET> PR python/17372 - Python hangs when displaying help() PR 17408 - assertion failure in switch_back_to_stepped_thread This PR shows that GDB can easily trigger an assertion here, in garbage collect gdb/breakpoint.c:breakpoint_thread_match Revert old nexti prologue check and eliminate in_prologue gdb.base/sigstep.exp: xfail gdb/17511 on i?86 Linux add a default method for gdbarch_skip_permanent_breakpoint make "permanent breakpoints" per location and disableable fix skipping permanent breakpoints Garbage collect the infwait_state global GDBserver: ctrl-c after leader has exited GDBserver: don't resume all threads if the Hc thread disapears GDBserver: clean up 'cont_thread' handling handle 'iconv's that define EILSEQ to ENOENT Petr Machata (1): dwarf.exp: In 64-bit units, emit also abbrev offset as a 64-bit field Philipp Tomsich (2): [AArch64] Add xgene1. [AArch64] Add xgene2. Pierre Muller (3): [RFA] Stabs: Ignore N_BNSYM/N_ENSYM entry types Fix amd64 dwarf register number mapping (MMX register and higher) This patch adds support for printing out the pdata section of PE objects. Rainer Orth (1): Fix gnu11 fallout on Solaris 10+ Richard Earnshaw (2): [AArch64] Fix mis-detection of unpredictable load/store operations with FP regs. * config/tc-arm.c (rotate_left): Avoid undefined behaviour when N = 0. 
Richard Henderson (1): Set ppc COMMONPAGESIZE to 64k Richard Sandiford (1): bfd/ Samuel Thibault (1): [Hurd] Fix deallocation after proc_getprocinfo call Sandra Loosemore (7): Refactoring/cleanup of nios2 opcodes and assembler code. Update Nios II prologue analysis to remove detection of long-obsolete Add mach parameter to nios2_find_opcode_hash. Refactor Nios II GDB support to use helper functions for disassembly and Fix Nios II GDB epilogue detection to handle multiple stack adjustments. Fix Nios II prologue analyzer to handle multiple stack adjustments. Remove broken nios2 assembler dwim support. Sergio Durigan Junior (6): PR tdep/9390: Fix typo on xstorxstormy16-tdep.c Explicitly use language_c when evaluating a SDT probe argument Only call {set,clear}_semaphore probe function if they are not NULL Partial fix for PR breakpoints/10737: Make syscall info be per-arch instead of global Fix build breakage from previous commit Merge dg-extract-results.{sh,py} from GCC upstream Simon Marchi (18): Don't prune program spaces when doing "maintenance info program-spaces" Exit code of exited inferiors in -list-thread-groups Small fixes to the Python API doc tui: Fix newterm call for older ncurses Fix test always passing in python/py-linetable.exp Fix prints in tests for Python 3 Fix Python help() test for Python 3 Remove duplicate comment Fix comment typo Fix make_cleanup_dtor signature to match declaration Restore terminal state in mi_thread_exit (PR gdb/17627) Introduce target_is_gdbserver Only leave dprintf inserted if it is marked as persistent (PR breakpoints/17012) python extended prompt: Use os.getcwd() instead of os.getcwdu() Fix build with Python 3.4 (PR python/16784) testsuite: expect possible pagination when starting gdb Introduce utility function find_inferior_ptid A few comment cleanups Siva Chandra (8): Non trivial return value tests. Fix gnuv3_pass_by_reference to lookup copy c-tors with qualified args. Add new non-trial return value tests. 
Fix gnuv3_pass_by_reference to treat dynamic classes as non-trivial. Guard a call to TYPE_TARGET_TYPE in gnuv3_pass_by_reference. Fix evaluation of method calls under EVAL_SKIP. Enable chained function calls in C++ expressions. Check that thread stack temps are not already enabled before enabling them. Sriraman Tallam (1): 2014-09-29 Sriraman Tallam <tmsriram@google.com> Stan Shebs (1): Add Yao Qi as global maintainer Steve Ellcey (1): 2014-12-05 Steve Ellcey <sellcey@mips.com> Terry Guo (4): 2014-09-29 Terry Guo <terry.guo@arm.com> Enable to link ARM object file that hasn't attribute section. Support ARM Cortex-M7 Calculate ARM arch attribute after relaxation Tom Tromey (8): introduce ui_file_write_for_put add gcc/gdb interface files add some missing ops to DWARF assembler add make_unqualified_type add gnu_triplet_regexp gdbarch method split dwarf2_fetch_cfa_info from dwarf2_compile_expr_to_ax make dwarf_expr_frame_base_1 public the "compile" command Tristan Gingold (4): Add NEWS markers for 2.25. src-release.sh: configure using --target. Bump bfd version. Darwin: sanitize %gs and %fs values. 
Ulrich Weigand (4): Work around GCC bug 63748 Remove (dead-code) native core file sniffers on Linux targets Use core regset iterators on GNU Hurd Use core regset iterators on Sparc Solaris Victor Kamensky (4): ARM: plt_size functions need to read instructions in right byte order ARM: extract_arm_insn function need to read instrs correctly in be8 case ARM: arm_breakpoint should be little endian form in case for arm BE8 read_pieced_value do big endian processing only in case of valid gdb_regnum Will Newton (3): include/elf/aarch64.h: Add reloc numbers from ABI release 1.0 ld/testsuite/ld-unique: Fix running unique tests on ARM bfd/elf-attrs.c: Fix possible infinite loop parsing attributes Yao Qi (66): Fix typo in thumb_in_function_epilogue_p Skip dlopen-libpthread.exp in cross testing Error in build_executable_own_libs for non-native target Remove unused local variable No longer pull thread list explicitly Clean up server-kill.exp Get GDBserver pid on remote target Enable qTStatus packet in case it is disabled Use mi_varobj_update in mi-var-child.exp and mi2-var-child.exp Fix fail in mi-var-child.exp and mi-var-display.exp Clean up gdb.python/ tests Fix file name matching on remote host. 
Fix py-parameter.exp for remote host Don't check noargs in remotetimeout.exp Don't check target_info exists noargs in commands.exp Copy xml files to host Skip testing argv[0] on target argv[0] isn't available Don't remove files copied to host Rename py-objfile-script-gdb.py.in to py-objfile-script-gdb.py Fix trace file fails on powerpc64 Fix skipping stack protector on arm Close the file in fileio.exp test Prepare directory in case test_system fails Don't replace '\' with '\\' in before_prompt_hook Match the working directory on remote host Add missing changelog entries New proc _handle_attribute DW attribute macro MACRO_AT_func and MACRO_AT_range Get start and end address of main in dwz.exp Use Dwarf::assemble in implptr-optimized-out.exp Fix implptr-optimized-out.exp fail Fix dw2-ifort-parameter.exp fail with clang Add missing parenthesis Don't set CC in config/i386/go32.mh Make IMPORTED_GNULIB_MODULES in alphabetical order Import alloca explicitly Include alloca.h unconditionally Import memchr explicitly Import wchar and wctype-h explicitly Include wchar.h and wctype.h unconditionally Import errno explicitly [arm] Fix fails in dw2-compdir-oldgcc.exp Use MACRO_AT_func in entry-values.exp Refine read_string Match library name prefixed with sysroot Fix date in changelog Import readlink Use readlink unconditionally Import lstat Use lstat unconditionally Import canonicalize-lgpl Use canonicalize_file_name unconditionally Import rename module [arm] compute framereg and framesize when needed Don't enable gdbtk in testsuite Use standard_testfile in i386-bp_permanent.exp Fix parallel testing issues in gdb.guile tests Revert: Don't enable gdbtk in testsuite Don't scan prologue past epilogue Improve arm_skip_prologue by using arm_analyze_prologue Replace ARG_MAX with ARG_LAST Move NEWS entries to the right section Remove h8300_print_float_info Refactor gdbarch method print_float_info MIPS: Provide FPU info and decode FCSR in `info float' MIPS SDE OS ABI support 
-----------------------------------------------------------------------
Created attachment 8026 [details]
Crasher for `size`

Files: 2
Errors:
4 Conditional jump or move depends on uninitialised value(s)
19 Invalid read of size ...
1 Process terminating with default action of signal 11 (SIGSEGV)
Created attachment 8027 [details]
Crashers for `nm-new -DClpSs --special-syms --synthetic`

valgrind
Files: 33
Errors:
12 Conditional jump or move depends on uninitialised value(s)
131 Invalid read of size ...
24 Invalid write of size ...
7 Process terminating with default action of signal 11 (SIGSEGV)
2 Use of uninitialised value of size ...
----------------------------------------------------------------------
gdb
Files: 18
Errors:
18 No assertion info in gdb backtrace.
Created attachment 8028 [details]
Crashers for `coffdump`

valgrind
Files: 37
Errors:
23 Conditional jump or move depends on uninitialised value(s)
24 Invalid read of size ...
16 Invalid write of size ...
25 Process terminating with default action of signal 11 (SIGSEGV)
7 Use of uninitialised value of size ...
----------------------------------------------------------------------
gdb
Files: 2
Errors:
2 No assertion info in gdb backtrace.
Created attachment 8029 [details]
More problems with `objdump -afphxgGtTrRwW --special-syms`

valgrind
Files: 1
Errors:
1 Invalid read of size ...
1 Invalid write of size ...
----------------------------------------------------------------------
gdb
Files: 1
Errors:
1 No assertion info in gdb backtrace.
Created attachment 8039 [details]
Problems with `srconv`

valgrind
Files: 19
Errors:
2 Conditional jump or move depends on uninitialised value(s)
16 Invalid read of size ...
8 Invalid write of size ...
16 Process terminating with default action of signal 11 (SIGSEGV)
2 Use of uninitialised value of size ...
----------------------------------------------------------------------
gdb
Files: 2
Errors:
2 No assertion info in gdb backtrace.
Created attachment 8040 [details]
Problems with `dlltool -e exp.out -l lib.out -z def.out`

valgrind
Files: 1
Errors:
260 Invalid read of size ...
41 Invalid write of size ...
1 More than 100 errors detected. Subsequent errors
1 More than 1000 different errors detected. I'm not reporting any more.
1 Process terminating with default action of signal 11 (SIGSEGV)
Created attachment 8041 [details]
Problems with `nlmconv`

valgrind
Files: 6
Errors:
1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
8 Invalid read of size ...
6 Invalid write of size ...
4 Process terminating with default action of signal 11 (SIGSEGV)
----------------------------------------------------------------------
gdb
Files: 1
Errors:
1 No assertion info in gdb backtrace.
Created attachment 8042 [details]
Problems with `sysdump`

valgrind
Files: 4
Errors:
34 Conditional jump or move depends on uninitialised value(s)
2 Invalid read of size ...
2 Process terminating with default action of signal 11 (SIGSEGV)
16 Use of uninitialised value of size ...
----------------------------------------------------------------------
gdb
Files: 5
Errors:
5 No assertion info in gdb backtrace.
Created attachment 8043 [details]
Problems with `strip-new`

valgrind
Files: 20
Errors:
13 Conditional jump or move depends on uninitialised value(s)
57 Invalid read of size ...
56 Invalid write of size ...
13 Process terminating with default action of signal 11 (SIGSEGV)
1 Process terminating with default action of signal 8 (SIGFPE)
4 Syscall param write(buf) points to uninitialised byte(s)
1 Use of uninitialised value of size ...
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "gdb and binutils".

The branch, master has been updated
       via  896ca0981329171639b1fe0b934393a79ef4fdfb (commit)
      from  82b1b41bcdc6d01fdbd94b246e24a8a8f8c2bddd (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=896ca0981329171639b1fe0b934393a79ef4fdfb

commit 896ca0981329171639b1fe0b934393a79ef4fdfb
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 5 23:13:50 2015 +0000

    More fixes for invalid memory accesses triggered by fuzzed binaries.

        PR binutils/17512
        * nm.c (print_symbol): Add 'is_synthetic' parameter. Use it to help initialize the info.elfinfo field.
        (print_size_symbols): Add 'synth_count' parameter. Use it to set the is_synthetic parameter when calling print_symbol.
        (print_symbols): Likewise.
        (display_rel_file): Pass synth_count to printing function.
        (display_archive): Break loop if the last archive displayed matches the current archive.
        * size.c (display_archive): Likewise.

        * archive.c (do_slurp_bsd_armap): Make sure that the parsed size is at least big enough for the header to be read.
        * elf32-i386.c (elf_i386_get_plt_sym_val): Skip unknown relocs.
        * mach-o.c (bfd_mach_o_get_synthetic_symtab): Add range checks.
        (bfd_mach_o_read_command): Prevent duplicate error messages about unrecognized commands.
        * syms.c (_bfd_stab_section_find_nearest_line): Add range checks when indexing into the string table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      | 12 +++++++++
 bfd/archive.c      |  3 +-
 bfd/elf32-i386.c   |  5 ++-
 bfd/elfcode.h      |  3 +-
 bfd/mach-o.c       | 61 +++++++++++++++++++++++++++++++++++---------
 bfd/syms.c         | 12 +++++++++
 binutils/ChangeLog | 13 +++++++++
 binutils/nm.c      | 71 ++++++++++++++++++++++++++++++++++++---------------
 binutils/size.c    |  9 ++++++-
 9 files changed, 150 insertions(+), 39 deletions(-)
Hi Alexander,

> Crasher for `size`
> Errors:
> 4 Conditional jump or move depends on uninitialised value(s)
> 19 Invalid read of size ...
> 1 Process terminating with default action of signal 11 (SIGSEGV)

> Crashers for `nm-new -DClpSs --special-syms --synthetic`
> Errors:
> 12 Conditional jump or move depends on uninitialised value(s)
> 131 Invalid read of size ...
> 24 Invalid write of size ...
> 7 Process terminating with default action of signal 11 (SIGSEGV)
> 2 Use of uninitialised value of size ...

These should be fixed now. I will look at the others tomorrow.

Cheers
  Nick
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  533d0af0b8a8127b6f189222fc57aa11ce7aab2c (commit)
      from  9c90714c2f94b4486f56fcd9dcb70e27d983f7df (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=533d0af0b8a8127b6f189222fc57aa11ce7aab2c

commit 533d0af0b8a8127b6f189222fc57aa11ce7aab2c
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 5 17:43:34 2015 -0800

    Return NULL on corrupt input

    PR binutils/17512
    * elf32-i386.c (elf_i386_get_plt_sym_val): Return NULL on corrupt input.
    * elf64-x86-64.c (elf_x86_64_get_plt_sym_val): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      | 7 +++++++
 bfd/elf32-i386.c   | 9 ++++++---
 bfd/elf64-x86-64.c | 3 +++
 3 files changed, 16 insertions(+), 3 deletions(-)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  85880250e591a51624d24db653aaace0c5ce5943 (commit)
      from  fce10a8494efa8faec67b718f25e06d3d71694b3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=85880250e591a51624d24db653aaace0c5ce5943

commit 85880250e591a51624d24db653aaace0c5ce5943
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 6 16:06:45 2015 +0000

    Fixes for memory access violations in the coffdump program.

    PR binutils/17512
    * coffdump.c (dump_coff_section): Check for a symbol being available before printing its name.
    (main): Check the return value from coff_grok.
    * coffgrok.c: Reformat and tidy. Add range checks to most functions.
    (coff_grok): Return NULL if the input bfd is not in a COFF format.
    * coffgrok.h: Reformat and tidy.
    (struct coff_section): Change the nrelocs field to unsigned.
    * srconv.c (main): Check the return value from coff_grok.
    * coff-i860.c (CALC_ADDEND): Always set an addend value.
    * tekhex.c (getvalue): Add an end pointer parameter. Use it to avoid reading off the end of the buffer.
    (getsym): Likewise.
    (first_phase): Likewise.
    (pass_over): Pass an end pointer to the invoked function.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog       |  10 ++
 bfd/coff-i860.c     |   5 +-
 bfd/tekhex.c        |  33 +++---
 binutils/ChangeLog  |  14 ++
 binutils/coffdump.c |  20 ++--
 binutils/coffgrok.c | 351 ++++++++++++++++++++++++++++++++++-----------------
 binutils/coffgrok.h | 255 ++++++++++++++++++-------------------
 binutils/srconv.c   |  10 +-
 8 files changed, 421 insertions(+), 277 deletions(-)
Hi Alexander,

> Crashers for `coffdump`
> Errors:
> 23 Conditional jump or move depends on uninitialised value(s)
> 24 Invalid read of size ...
> 16 Invalid write of size ...
> 25 Process terminating with default action of signal 11 (SIGSEGV)
> 7 Use of uninitialised value of size ...

These should all be fixed now.

Cheers
  Nick
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  ec93045b400ec68b0c5716d75f27a87533b57058 (commit)
      from  60ebc25751744f54ae5c00d1c9198ab64fcc5b33 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ec93045b400ec68b0c5716d75f27a87533b57058

commit ec93045b400ec68b0c5716d75f27a87533b57058
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 6 17:54:02 2015 +0000

    Fix memory access violations for objdump triggered by fuzzed binaries.

    PR binutils/17512
    * reloc.c (bfd_get_reloc_size): Handle a reloc size of -1.
    (bfd_perform_relocation): Include the size of the reloc in the test for an out of range relocation.
    (bfd_generic_get_relocated_section_contents): Remove reloc range test.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |  6 ++++++
 bfd/reloc.c   | 11 ++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  e7287c7f647870093b8ab5ffea0732ffdb8c4d66 (commit)
      from  e749cab89d976c723ee01a3dfcfd7ec1a883f890 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e7287c7f647870093b8ab5ffea0732ffdb8c4d66

commit e7287c7f647870093b8ab5ffea0732ffdb8c4d66
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 6 22:02:55 2015 +0000

    Another fix for an objdump crash when parsing a corrupt binary.

    PR binutils/17512
    * mach-o.c (bfd_mach_o_read_symtab_strtab): Zero terminate the string table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog | 3 +++
 bfd/mach-o.c  | 4 +++-
 2 files changed, 6 insertions(+), 1 deletions(-)
Hi Alexander,

> More problems with `objdump -afphxgGtTrRwW --special-syms`
> Errors:
> 1 Invalid read of size ...
> 1 Invalid write of size ...

Fixed.

Cheers
  Nick
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  6f25f22356dcf9ddf6b375c8e967486f10855dfd (commit)
      from  7b496d07dfbb696ea597d3f3ec3a3dfc0646cb86 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6f25f22356dcf9ddf6b375c8e967486f10855dfd

commit 6f25f22356dcf9ddf6b375c8e967486f10855dfd
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Tue Jan 6 16:46:36 2015 -0800

    Skip unknown relocation

    PR binutils/17512
    * elf32-i386.c (elf_i386_get_plt_sym_val): Skip unknown relocation.
    * elf64-x86-64.c (elf_x86_64_get_plt_sym_val): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      | 6 ++++++
 bfd/elf32-i386.c   | 4 ++--
 bfd/elf64-x86-64.c | 3 ++-
 3 files changed, 10 insertions(+), 3 deletions(-)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  c88f5b8e495889f5d281a17bd56340d9a0e4cff6 (commit)
      from  ea42d6f8d1e24403e533e5dfea18e94c47ac534b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c88f5b8e495889f5d281a17bd56340d9a0e4cff6

commit c88f5b8e495889f5d281a17bd56340d9a0e4cff6
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 7 16:41:25 2015 +0000

    Fix memory access violations exposed by running the srconv tool on fuzzed binaries.

    PR binutils/17512
    * objdump.c (display_any_bfd): Add a depth limit to nested archive display in order to avoid infinite loops.
    * srconv.c: Replace calls to abort with calls to fatal with an error message.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |  8 ++++++++
 binutils/objdump.c |  9 ++++++++-
 binutils/srconv.c  | 28 +++++++++++++++-------------
 3 files changed, 31 insertions(+), 14 deletions(-)
Hi Alexander,

> Problems with `srconv`
> Errors:
> 2 Conditional jump or move depends on uninitialised value(s)
> 16 Invalid read of size ...
> 8 Invalid write of size ...
> 16 Process terminating with default action of signal 11 (SIGSEGV)
> 2 Use of uninitialised value of size ...

These should be fixed now.

Cheers
  Nick
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  d7b24d2941fd7c99ba5843331989e6023075f0d0 (commit)
      from  c88f5b8e495889f5d281a17bd56340d9a0e4cff6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d7b24d2941fd7c99ba5843331989e6023075f0d0

commit d7b24d2941fd7c99ba5843331989e6023075f0d0
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 7 17:33:17 2015 +0000

    Fix memory access violations uncovered by running the dlltool on fuzzed binaries.

    PR binutils/17512
    * dlltool.c (scan_obj_file): Break loop if the last archive displayed matches the current archive.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog | 3 +++
 binutils/dlltool.c | 3 +++
 2 files changed, 6 insertions(+), 0 deletions(-)
Hi Alexander,

> Problems with `dlltool -e exp.out -l lib.out -z def.out`
> Errors:
> 260 Invalid read of size ...
> 41 Invalid write of size ...
> 1 More than 100 errors detected. Subsequent errors
> 1 More than 1000 different errors detected. I'm not reporting any more.
> 1 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  3565cf8fedf2bae2b383fae66dde62c3bdae51c9 (commit)
      from  025ac41482555f6273dee37988734a9f88633dbc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3565cf8fedf2bae2b383fae66dde62c3bdae51c9

commit 3565cf8fedf2bae2b383fae66dde62c3bdae51c9
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 8 12:37:46 2015 +0000

    Fixes for memory access violations triggered by running nlmconv on fuzzed binaries.

    PR binutils/17512
    * nlmconv.c (i386_mangle_relocs): Skip relocs without an associated symbol.
    (powerpc_mangle_relocs): Skip unrecognised relocs. Check address range before applying a reloc.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |  8 ++++++++
 binutils/nlmconv.c | 30 ++++++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)
Hi Alexander,

> Problems with `nlmconv`
> Errors:
> 1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
> 8 Invalid read of size ...
> 6 Invalid write of size ...
> 4 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
Hi Alexander,

> Problems with `sysdump`
> Errors:
> 34 Conditional jump or move depends on uninitialised value(s)
> 2 Invalid read of size ...
> 2 Process terminating with default action of signal 11 (SIGSEGV)
> 16 Use of uninitialised value of size ...

These should be fixed now.

Cheers
  Nick
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  848cde35d61874521ad6c88a50f983d5ee7d2307 (commit)
      from  2279a12a44ede7a0a6d7375d90d33676fa8771ad (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=848cde35d61874521ad6c88a50f983d5ee7d2307

commit 848cde35d61874521ad6c88a50f983d5ee7d2307
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 8 13:52:42 2015 +0000

    Fix memory access violations triggered by running sysdump on fuzzed binaries.

    PR binutils/17512
    * sysdump.c (getINT): Fail if reading off the end of the buffer. Replace call to abort with a call to fatal.
    (getCHARS): Prevent reading off the end of the buffer.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |  4 ++++
 binutils/sysdump.c | 14 ++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  063bb0250defafcc55544474a2961ecbc153882e (commit)
      from  848cde35d61874521ad6c88a50f983d5ee7d2307 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063bb0250defafcc55544474a2961ecbc153882e

commit 063bb0250defafcc55544474a2961ecbc153882e
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 8 15:39:49 2015 +0000

    Fix memory access violations exposed by running strip on fuzzed binaries.

    PR binutils/17512
    * coffcode.h (coff_slurp_symbol_table): Return false if we failed to load the line table.
    * elf.c (_bfd_elf_map_sections_to_segments): Enforce a minimum maxpagesize of 1.
    * peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Fail if the Data Directory Size is too large.
    * objcopy.c (copy_object): Free the symbol table if no symbols could be loaded.
    (copy_file): Use bfd_close_all_done to close files that could not be copied.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      | 10 ++++++++++
 bfd/coffcode.h     |  7 ++++---
 bfd/elf.c          |  5 +++++
 bfd/peXXigen.c     | 10 ++++++++++
 binutils/ChangeLog |  5 +++++
 binutils/objcopy.c | 14 +++++++++++++-
 6 files changed, 47 insertions(+), 4 deletions(-)
Hi Alexander,

> Problems with `strip-new`
> Errors:
> 13 Conditional jump or move depends on uninitialised value(s)
> 57 Invalid read of size ...
> 56 Invalid write of size ...
> 13 Process terminating with default action of signal 11 (SIGSEGV)
> 1 Process terminating with default action of signal 8 (SIGFPE)
> 4 Syscall param write(buf) points to uninitialised byte(s)
> 1 Use of uninitialised value of size ...

These should be fixed now.

Cheers
  Nick
Created attachment 8062 [details]
Problems with `objdump -afphxgGtTrRwW --special-syms`

valgrind
Files: 8
Errors:
   8 Invalid read of size ...
   4 Invalid write of size ...
   1 Jump to the invalid address stated on the next line
   6 Process terminating with default action of signal 11 (SIGSEGV)
   1 Process terminating with default action of signal 4 (SIGILL)
   1 valgrind: Unrecognised instruction at address 0x565e5e2.

----------------------------------------------------------------------

catchsegv
Files: 1
Errors:
   1 *** Segmentation fault
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cd21f5daad4335b50366b838664ade64bec29957

commit cd21f5daad4335b50366b838664ade64bec29957
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 15 16:22:55 2015 +0000

    Fix memory access violations triggered by running objdump on fuzzed binaries.

    PR binutils/17512
    * elf-m10300.c (mn10300_info_to_howto): Replace assertion with an error message. Never return an invalid howto pointer.
    * elf32-cr16.c (cr16_info_to_howto): Likewise.
    * elf32-crx.c (elf_crx_info_to_howto): Likewise.
    * elf32-i370.c (i370_elf_info_to_howto): Likewise.
    * elf32-mcore.c (mcore_elf_info_to_howto): Likewise.
    * elf32-microblaze.c (microblaze_elf_info_to_howto): Likewise.
    * elf32-mips.c (mips_elf32_rtype_to_howto): Likewise.
    * elf32-pj.c (pj_elf_info_to_howto): Likewise.
    * elf32-ppc.c (ppc_elf_info_to_howto): Likewise.
    * elf32-spu.c (spu_elf_info_to_howto): Likewise.
    * elf32-v850.c (v850_elf_info_to_howto_rela): Likewise.
    * elf32-vax.c (rtype_to_howto): Likewise.
    * elf64-alpha.c (elf64_alpha_info_to_howto): Likewise.
    * elf64-mips.c (mips_elf64_rtype_to_howto): Likewise.
    * elfn32-mips.c (sh_elf_info_to_howto): Likewise.
    * elf32-sh.c (sh_elf_info_to_howto): Likewise.
    (sh_elf_reloc): Check that the reloc is in range.
    * reloc.c (bfd_perform_relocation): Check that the section is big enough for the entire reloc.
    (bfd_generic_get_relocated_section_contents): Report unexpected return values from perform_reloc.
Hi Alexander,

> Problems with `objdump -afphxgGtTrRwW --special-syms`
> Errors:
> 8 Invalid read of size ...
> 4 Invalid write of size ...
> 1 Jump to the invalid address stated on the next line
> 6 Process terminating with default action of signal 11 (SIGSEGV)
> 1 Process terminating with default action of signal 4 (SIGILL)
> 1 valgrind: Unrecognised instruction at address 0x565e5e2.

Fixed.

Cheers
  Nick
Created attachment 8067 [details]
Problems with `coffdump`

valgrind
Files: 3
Errors:
   2 Invalid read of size ...
   2 Process terminating with default action of signal 11 (SIGSEGV)
Created attachment 8069 [details]
Problems with `strip-new`

Files: 3
Errors:
  10 Conditional jump or move depends on uninitialised value(s)
   1 Invalid read of size ...
   2 Process terminating with default action of signal 11 (SIGSEGV)
   1 Syscall param write(buf) points to uninitialised byte(s)
Created attachment 8070 [details]
Problems with `nlmconv`

Files: 4
Errors:
   1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
   3 Invalid read of size ...
   3 Process terminating with default action of signal 11 (SIGSEGV)
Created attachment 8071 [details]
Problems with `dlltool -e /dev/null -l /dev/null -z /dev/null`

Files: 2
Errors:
  21 Invalid read of size ...
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5b7d62376fc942a803d174789fe4464b26f09a02

commit 5b7d62376fc942a803d174789fe4464b26f09a02
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 21 10:33:19 2015 +0000

    This patch fixes some illegal memory accesses triggered by running coffdump on fuzzed binaries.

    PR binutils/17512
    * coffgrok.c (do_type): Check that computed ref exists.
    (doit): Add range checks when computing section for scope.
Hi Alexander,

> Problems with `coffdump`
> Errors:
> 2 Invalid read of size ...
> 2 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=86eafac0aad7edbc1ccea6daf53480a36339250a

commit 86eafac0aad7edbc1ccea6daf53480a36339250a
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 21 17:37:23 2015 +0000

    Fix memory access violations triggered by running strip on fuzzed binaries.

    PR binutils/17512
    * coffcode.h (coff_set_arch_mach_hook): Check return value from bfd_malloc.
    (coff_slurp_line_table): Return FALSE if the line number information was corrupt.
    (coff_slurp_symbol_table): Return FALSE if the symbol information was corrupt.
    * mach-o.c (bfd_mach_o_bfd_copy_private_header_data): Always initialise the fields of the dyld_info structure.
    (bfd_mach_o_build_exec_seg_command): Replace assertion with an error message and a return value.
    (bfd_mach_o_layout_commands): Change the function to boolean. Return FALSE if the function fails.
    (bfd_mach_o_build_commands): Fail if bfd_mach_o_layout_commands fails.
    (bfd_mach_o_read_command): Fail if an unrecognised command is encountered.
    * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Set bfd_error if the read fails.
    (slurp_symtab): Check the return from bfd_malloc.
    (_bfd_XX_bfd_copy_private_bfd_data_common): Fail if the copy encountered an error.
    (_bfd_XXi_final_link_postscript): Fail if a section could not be copied.
    * peicode.h (pe_bfd_object_p): Fail if the header could not be swapped in.
    * tekhex.c (first_phase): Fail if the section is too big.
    * versados.c (struct esdid): Add content_size field.
    (process_otr): Use and check the new field.
    (versados_get_section_contents): Check that the section exists and that the requested data is available.

    PR binutils/17512
    * addr2line.c (main): Call bfd_set_error_program_name.
    * ar.c (main): Likewise.
    * coffdump.c (main): Likewise.
    * cxxfilt.c (main): Likewise.
    * dlltool.c (main): Likewise.
    * nlmconv.c (main): Likewise.
    * nm.c (main): Likewise.
    * objdump.c (main): Likewise.
    * size.c (main): Likewise.
    * srconv.c (main): Likewise.
    * strings.c (main): Likewise.
    * sysdump.c (main): Likewise.
    * windmc.c (main): Likewise.
    * windres.c (main): Likewise.
    * objcopy.c (main): Likewise.
    (copy_relocations_in_section): Check for relocs without associated symbol pointers.
Hi Alexander,

> Problems with `strip-new`
> Errors:
> 10 Conditional jump or move depends on uninitialised value(s)
> 1 Invalid read of size ...
> 2 Process terminating with default action of signal 11 (SIGSEGV)
> 1 Syscall param write(buf) points to uninitialised byte(s)

These should be fixed now.

Cheers
  Nick
Hi Alexander,

> Problems with `nlmconv`
> Errors:
> 1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
> 3 Invalid read of size ...
> 3 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4e5cb37e7f3403d5398a323566ff9c995f0c9a81

commit 4e5cb37e7f3403d5398a323566ff9c995f0c9a81
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 22 12:06:04 2015 +0000

    Fixes memory access violations triggered by running dlltool on fuzzed binaries.

    PR binutils/17512
    * coffcode.h (handle_COMDAT): When searching for the section symbol, make sure that there is space left in the symbol table.
    * vms-alpha.c (_bfd_vms_slurp_ehdr): Add range checks.
Hi Alexander,

> Problems with `dlltool -e /dev/null -l /dev/null -z /dev/null`
> Errors:
> 21 Invalid read of size ...

These should be fixed now.

Cheers
  Nick
Created attachment 8081 [details]
Problems with `dlltool -I`

valgrind
Files: 2
Errors:
  19 Invalid read of size ...
   1 Invalid write of size ...
   1 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

gdb
Files: 1
Errors:
   1 No assertion info in gdb backtrace.
Created attachment 8084 [details]
Problems with `addr2line -ie @@ 0`

Files: 7
Errors:
   1 Conditional jump or move depends on uninitialised value(s)
   6 Invalid read of size ...
   6 Process terminating with default action of signal 11 (SIGSEGV)
Created attachment 8085 [details]
Problems with `windres`

Files: 27
Errors:
   8 Conditional jump or move depends on uninitialised value(s)
  29 Invalid read of size ...
  13 Process terminating with default action of signal 11 (SIGSEGV)
   1 Process terminating with default action of signal 8 (SIGFPE)
   1 Stack overflow in thread ...
   1 Syscall param read(buf) points to unaddressable byte(s)
   2 Use of uninitialised value of size ...
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=37e3922eed415bbedd2dd6e46308fe9e03417770

commit 37e3922eed415bbedd2dd6e46308fe9e03417770
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 27 11:30:15 2015 +0000

    Fix memory access violations triggered by running dlltool on corrupt binaries.

    PR binutils/17512
    * dlltool.c (identify_search_archive): If the last archive was the same as the current archive, terminate the loop.
    * pdp11.c (aout_get_external_symbols): Return false if there are no symbols.
Hi Alexander,

> Problems with `dlltool -I`
> Errors:
> 19 Invalid read of size ...
> 1 Invalid write of size ...
> 1 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=877a8638ba563c667eb5358240334c473d0573a1

commit 877a8638ba563c667eb5358240334c473d0573a1
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 27 15:49:12 2015 +0000

    Fixes for memory access violations triggered by running addr2line on fuzzed binaries.

    PR binutils/17512
    * addr2line.c (slurp_symtab): If the symcount is zero, free the symbol table pointer.
    * dwarf2.c (concat_filename): Check for an empty directory table.
    (scan_unit_for_symbols): Check for reading off the end of the unit.
    (parse_comp_unit): Check for a DW_AT_comp_dir attribute with a non-string form.
    * elf64-ppc.c (opd_entry_value): Fail if there are no relocs available.
Hi Alexander,

> Problems with `addr2line -ie @@ 0`
> Errors:
> 1 Conditional jump or move depends on uninitialised value(s)
> 6 Invalid read of size ...
> 6 Process terminating with default action of signal 11 (SIGSEGV)

Fixed.

Cheers
  Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0897ec15810bca3420ea7b8a91e491ed45780202

commit 0897ec15810bca3420ea7b8a91e491ed45780202
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 27 17:32:23 2015 +0000

    Fixes for invalid memory accesses triggered by running windres on corrupt binaries.

    PR binutils/17512
    * rcparse.y: Add checks to avoid integer divide by zero.
    * rescoff.c (read_coff_rsrc): Add check on the size of the resource section.
    (read_coff_res_dir): Add check on the nesting level. Check for resource names overrunning the buffer.
    * resrc.c (write_rc_messagetable): Update formatting. Add check of 'elen' being zero.
Hi Alexander,

> Problems with `windres`
> Errors:
> 8 Conditional jump or move depends on uninitialised value(s)
> 29 Invalid read of size ...
> 13 Process terminating with default action of signal 11 (SIGSEGV)
> 1 Process terminating with default action of signal 8 (SIGFPE)
> 1 Stack overflow in thread ...
> 1 Syscall param read(buf) points to unaddressable byte(s)
> 2 Use of uninitialised value of size ...

These should be fixed now.

Cheers
  Nick
Created attachment 8094 [details]
Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit)

More problems found with 32-bit binutils: built with -m32 on 64-bit host.

----------------------------------------------------------------------

valgrind
Files: 118
Errors:
   2 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
   1 Conditional jump or move depends on uninitialised value(s)
   2 Invalid free() / delete / delete[] / realloc()
 221 Invalid read of size ...
 344 Invalid write of size ...
  59 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

gdb
Files: 46
Errors:
  46 No assertion info in gdb backtrace.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=64d2901806c171c0d949f8fb1b29b4e5ba8cf04d

commit 64d2901806c171c0d949f8fb1b29b4e5ba8cf04d
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 3 14:34:54 2015 +0000

    More fixes for illegal memory accesses triggered by running objdump on fuzzed binaries.

    PR binutils/17512
    * objdump.c (display_any_bfd): Fail if archives nest too deeply.
    * ecoff.c: Use bfd_alloc2 to allocate space for structure arrays.
    (_bfd_ecoff_slurp_symbol_table): Check for a negative symbol index or an out of range fdr index.
    * elf-m10300.c (mn10300_info_to_howto): Fix typo in error message.
    * elf32-arc.c (arc_info_to_howto_rel): Likewise.
    * elf32-avr.c (avr_info_to_howto_rela): Likewise.
    * elf32-cr16.c (elf_cr16_info_to_howto): Likewise.
    * elf32-cr16c.c (elf_cr16c_info_to_howto_rel): Likewise.
    * elf32-cris.c (cris_info_to_howto_rela): Likewise.
    * elf32-crx.c (elf_crx_info_to_howto): Likewise.
    * elf32-d10v.c (d10v_info_to_howto_rel): Likewise.
    * elf32-d30v.c (d30v_info_to_howto_rel): Likewise.
    * elf32-epiphany.c (epiphany_info_to_howto_rela): Likewise.
    * elf32-fr30.c (fr30_info_to_howto_rela): Likewise.
    * elf32-frv.c (frv_info_to_howto_rela): Likewise.
    * elf32-i370.c (i370_elf_info_to_howto): Likewise.
    * elf32-i960.c (elf32_i960_info_to_howto_rel): Likewise.
    * elf32-ip2k.c (ip2k_info_to_howto_rela): Likewise.
    * elf32-iq2000.c (iq2000_info_to_howto_rela): Likewise.
    * elf32-lm32.c (lm32_info_to_howto_rela): Likewise.
    * elf32-m32c.c (m32c_info_to_howto_rela): Likewise.
    * elf32-m32r.c (m32r_info_to_howto_rel): Likewise.
    * elf32-m68hc11.c (m68hc11_info_to_howto_rel): Likewise.
    * elf32-m68hc12.c (m68hc11_info_to_howto_rel): Likewise.
    * elf32-mcore.c (mcore_elf_info_to_howto): Likewise.
    * elf32-mep.c (mep_info_to_howto_rela): Likewise.
    * elf32-metag.c (metag_info_to_howto_rela): Likewise.
    * elf32-microblaze.c (microblaze_elf_info_to_howto): Likewise.
    * elf32-moxie.c (moxie_info_to_howto_rela): Likewise.
    * elf32-msp430.c (msp430_info_to_howto_rela): Likewise.
    * elf32-mt.c (mt_info_to_howto_rela): Likewise.
    * elf32-nds32.c (nds32_info_to_howto_rel): Likewise.
    * elf32-or1k.c (or1k_info_to_howto_rela): Likewise.
    * elf32-pj.c (pj_elf_info_to_howto): Likewise.
    * elf32-ppc.c (ppc_elf_info_to_howto): Likewise.
    * elf32-rl78.c (rl78_info_to_howto_rela): Likewise.
    * elf32-rx.c (rx_info_to_howto_rela): Likewise.
    * elf32-sh.c (sh_elf_info_to_howto): Likewise.
    * elf32-spu.c (spu_elf_info_to_howto): Likewise.
    * elf32-v850.c (v850_elf_perform_relocation): Likewise.
    * elf32-vax.c (rtype_to_howto): Likewise.
    * elf32-visium.c (visium_info_to_howto_rela): Likewise.
    * elf32-xgate.c (xgate_info_to_howto_rel): Likewise.
    * elf32-xtensa.c (elf_xtensa_info_to_howto_rela): Likewise.
    * elf64-alpha.c (elf64_alpha_info_to_howto): Likewise.
    * elf64-mmix.c (mmix_info_to_howto_rela): Likewise.
    * mach-o.c: Use bfd_alloc2 to allocate space for structure arrays.
    (bfd_mach_o_canonicalize_one_reloc): Fix check on out of range symbol indices.
    (bfd_mach_o_canonicalize_relocs): Check for out of range alloc.
    (bfd_mach_o_canonicalize_dynamic_reloc): Likewise.
    (bfd_mach_o_build_dysymtab): Likewise.
    (bfd_mach_o_write_symtab_content): Set the string table size to zero upon error.
    (bfd_mach_o_read_symtab_symbols): Reset the nsyms value if the read fails.
    * peXXigen.c (pe_print_edata): Check for numeric overflow in edt fields.
    * tekhex.c (first_phase): Check for src pointer reaching end of buffer.
Hi Alexander,

> Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit)
> More problems found with 32-bit binutils: built with -m32 on 64-bit host.
> Errors:
> 2 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
> 1 Conditional jump or move depends on uninitialised value(s)
> 2 Invalid free() / delete / delete[] / realloc()
> 221 Invalid read of size ...
> 344 Invalid write of size ...
> 59 Process terminating with default action of signal 11 (SIGSEGV)

These should all be fixed now.

Cheers
Nick
Created attachment 8098 [details]
Problems with `nm-new -DClpSs --special-syms --synthetic` (32-bit)

valgrind
Files: 73
Errors:
2 Invalid free() / delete / delete[] / realloc()
101 Invalid read of size ...
220 Invalid write of size ...
38 Process terminating with default action of signal 11 (SIGSEGV)
----------------------------------------------------------------------
gdb
Files: 33
Errors:
33 No assertion info in gdb backtrace.
Hi Alexander,

> Problems with `nm-new -DClpSs --special-syms --synthetic` (32-bit)
> Errors:
> 2 Invalid free() / delete / delete[] / realloc()
> 101 Invalid read of size ...
> 220 Invalid write of size ...
> 38 Process terminating with default action of signal 11 (SIGSEGV)

I could not reproduce these failures. :-{ Maybe they have already been fixed?

Please could you try again, and if the problems are still there, please could you tell me more about how you configured and built the toolchain that you are using.

Cheers
Nick
(In reply to Nick Clifton from comment #191)
> > Problems with `nm-new -DClpSs --special-syms --synthetic` (32-bit)
> I could not reproduce these failures. :-{ Maybe they have already been
> fixed?

Yes, everything is fixed!
Created attachment 8104 [details]
Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit)

Several more crashes without valgrind only.
----------------------------------------------------------------------
catchsegv
Files: 7
Errors:
7 *** Segmentation fault
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5929c344f957f93253efa4c3495a996789d48ae7

commit 5929c344f957f93253efa4c3495a996789d48ae7
Author: Nick Clifton <nickc@redhat.com>
Date: Fri Feb 6 11:12:02 2015 +0000

Fixes illegal memory accesses triggered by running a 32-bit binary version of objdump compiled on a 64-bit host.

PR binutils/17512
* dwarf.c (display_debug_frames): Fix range checks to work on 32-bit binaries compiled on a 64-bit host.
* peXXigen.c (rsrc_print_resource_entries): Add range check for addresses that wrap around the address space.
(rsrc_parse_entry): Likewise.
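The two kinds of check this commit and the earlier "Use bfd_alloc2" commit describe recur through the whole thread: a header-supplied offset and length must be shown to lie inside the buffer without the sum wrapping past 2^64 (the rsrc fix), and a count-times-size allocation must be shown not to overflow, including the case where a 64-bit file size is silently narrowed to a 32-bit size_t (the failure mode of the 32-bit objdump build reported here). The following is an added example written for this page, not binutils' code; `naive_range_in_buffer`, `range_in_buffer`, `range_no_wrap`, `alloc2_checked`, `section_contents` and the 64-byte `SAMPLE_IMAGE` are all constructed for illustration and their names are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Sizes and offsets are carried as uint64_t because that is what a 64-bit
   object format hands the parser, even on a host whose size_t is 32 bits. */

/* The check many parsers start with. It is wrong: offset + len can wrap
   past 2^64 and compare small. Kept only to demonstrate the failure. */
bool naive_range_in_buffer(uint64_t buf_size, uint64_t offset, uint64_t len)
{
    return offset + len <= buf_size;
}

/* Hardened form: rewrite the sum as a subtraction that cannot wrap. */
bool range_in_buffer(uint64_t buf_size, uint64_t offset, uint64_t len)
{
    if (offset > buf_size)
        return false;
    return len <= buf_size - offset;
}

/* For an address range taken from a header (e.g. a resource directory
   entry), reject ranges that wrap around the end of the address space. */
bool range_no_wrap(uint64_t addr, uint64_t size)
{
    return size <= UINT64_MAX - addr;
}

/* bfd_alloc2-style array allocation (hypothetical name): refuse when
   nmemb * size would overflow, or when the product cannot be represented
   in the host's size_t, which is the accuracy loss a 32-bit host suffers
   when casting a 64-bit file size. */
void *alloc2_checked(uint64_t nmemb, uint64_t size)
{
    if (nmemb == 0 || size == 0)
        return NULL;                  /* callers handle empty arrays themselves */
    if (nmemb > (uint64_t) SIZE_MAX / size)
        return NULL;                  /* product would not fit in size_t */
    return malloc((size_t) (nmemb * size));
}

/* Locate a section's bytes inside an in-memory file image, or return NULL
   when the header's offset/size pair does not lie within the image. */
const unsigned char *section_contents(const unsigned char *image, size_t image_size,
                                      uint64_t sh_offset, uint64_t sh_size)
{
    if (!range_in_buffer(image_size, sh_offset, sh_size))
        return NULL;
    return image + (size_t) sh_offset;
}

/* Constructed 64-byte "file image"; only the magic is filled in. */
static const unsigned char SAMPLE_IMAGE[64] = { 0x7f, 'E', 'L', 'F' };

int main(void)
{
    uint64_t bad_size = UINT64_MAX - 8;      /* a corrupt sh_size: 16 + bad_size wraps to 8 */

    printf("naive check accepts corrupt size:    %d\n",
           naive_range_in_buffer(sizeof SAMPLE_IMAGE, 16, bad_size));
    printf("hardened check accepts corrupt size: %d\n",
           range_in_buffer(sizeof SAMPLE_IMAGE, 16, bad_size));
    printf("section_contents(16, 32) found:      %d\n",
           section_contents(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, 16, 32) != NULL);

    void *syms = alloc2_checked(UINT64_MAX / 2 + 1, 2);
    printf("alloc2_checked(huge, 2) refused:     %d\n", syms == NULL);
    free(syms);
    return 0;
}
```

The naive check accepts a corrupt size of `UINT64_MAX - 8` at offset 16 because the addition wraps to 8; the subtraction form rejects it. The same subtraction shape is what a reviewer should look for wherever a parser compares `start + length` against an end pointer.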
Hi Alexander,

> Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit)
> Several more crashes without valgrind only.

These should be fixed now.

Cheers
Nick
Created attachment 8109 [details]
Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit) -- ubsan

Similar to https://sourceware.org/bugzilla/show_bug.cgi?id=17531#c82 but for objdump.
----------------------------------------------------------------------
ubsan
Files: 6
Errors:
1 ../../../source/bfd/coffcode.h:1195:32: runtime error: negation of ... cannot be represented in type 'long int'; cast to an unsigned type to negate this value to itself
1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable length array bound evaluates to non-positive value ...
1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable length array bound evaluates to non-positive value ...
1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable length array bound evaluates to non-positive value ...
1 peigen.c:2227:22: runtime error: signed integer overflow: ... + ... cannot be represented in type 'long int'
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77ef86547510cee3a2bff27bea9f19f0b2715bae

commit 77ef86547510cee3a2bff27bea9f19f0b2715bae
Author: Nick Clifton <nickc@redhat.com>
Date: Tue Feb 10 14:11:00 2015 +0000

Fix memory access violations triggered by running objdump compiled with out-of-bounds sanitization checking.

PR binutils/17512
* dwarf.c (eh_addr_size): Use an unsigned type.
(size_of_encoded_value): Return an unsigned type.
(read_leb128): Break if the shift becomes too big.
(process_extended_line_op): Do not read the address if the length is too long.
(read_cie): Warn and fail if the pointer size or segment size are too big.
* dwarf.h (DWARF2_External_LineInfo): Delete unused and incorrect structure definition.
(DWARF2_External_PubNames): Likewise.
(DWARF2_External_CompUnit): Likewise.
(DWARF2_External_ARange): Likewise.
(DWARF2_Internal_LineInfo): Use dwarf_vma type for li_prologue_length.
(eh_addr_size): Update prototype.
* coffcode.h (styp_to_sec_flags): Use an unsigned long type to hold the flag bits.
* peXXigen.c (pe_print_reloc): Use unsigned types to hold the size and number of relocs.
(pe_print_debugdata): Use a 32-bit aligned buffer to store the codeview record.
* versados.c (process_otr): Check the esdid value before using it to access the EDATA.
Hi Alexander,

> Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit) -- ubsan
> Errors:
> 1 ../../../source/bfd/coffcode.h:1195:32: runtime error: negation of
> ... cannot be represented in type 'long int'; cast to an unsigned type to
> negate this value to itself
> 1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable
> length array bound evaluates to non-positive value ...
> 1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift
> exponent ... is too large for 64-bit type 'long long unsigned int'
> 1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable
> length array bound evaluates to non-positive value ...
> 1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable
> length array bound evaluates to non-positive value ...
> 1 peigen.c:2227:22: runtime error: signed integer overflow: ... + ...
> cannot be represented in type 'long int'

These should all be fixed now.

Cheers
Nick
Created attachment 8123 [details]
Problems with `addr2line -ie @@ -- ...` (32-bit)

The exact (long) command line is in cmd.txt.
----------------------------------------------------------------------
valgrind
Files: 5
Errors:
28 Invalid read of size ...
3 Process terminating with default action of signal 11 (SIGSEGV)
1 Process terminating with default action of signal 8 (SIGFPE)
----------------------------------------------------------------------
catchsegv
Files: 5
Errors:
5 *** Segmentation fault
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dbb3fbbb1a3b387a0d33dfd5764cf92bc3da7f41

commit dbb3fbbb1a3b387a0d33dfd5764cf92bc3da7f41
Author: Nick Clifton <nickc@redhat.com>
Date: Thu Feb 12 16:45:11 2015 +0000

Fix memory access violations triggered by running addr2line on fuzzed binaries.

PR binutils/17512
* dwarf.c (read_1_byte, read_1_signed_byte, read_2_bytes)
(read_4_bytes, read_8_bytes, read_n_bytes, read_string)
(read_indirect_string, read_alt_indirect_string)
(read_alt_indirect_ref, read_address, read_abbrevs)
(read_attribute_value, read_attribute, decode_line_info)
(find_abstract_instance_name, read_rangelist)
(scan_unit_for_symbols, parse_comp_unit)
(_bfd_dwarf2_find_nearest_line): Harden DWARF reading code. Pass end pointers to reading functions and check for offsets taking pointers out of range. Replace calls to read_*_leb128 with calls to safe_read_leb128.
* elf64-ppc.c (opd_entry_value): Add a check for an overlarge offset.
* syms.c (_bfd_stab_section_find_nearest_line): Add checks for computed file_name address being before the start of the string table.
Hi Alexander,

> Problems with `addr2line -ie @@ -- ...` (32-bit)
> Files: 5
> Errors:
> 28 Invalid read of size ...
> 3 Process terminating with default action of signal 11 (SIGSEGV)
> 1 Process terminating with default action of signal 8 (SIGFPE)

Fun - a whole new area of the BFD library that needed hardening...

These problems should be fixed now.

Cheers
Nick
Created attachment 8125 [details]
Problems with `srconv @@ /dev/null` (32-bit)

valgrind
Files: 1
Errors:
1 Invalid read of size ...
1 Invalid write of size ...
----------------------------------------------------------------------
ubsan
Files: 3
Errors:
1 ../../../source/binutils/coffgrok.c:431:27: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
1 ../../../source/binutils/coffgrok.c:518:22: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/coffgrok.c:672:36: runtime error: signed integer overflow: ... + ... cannot be represented in type 'int'
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=451dfd384383160be5bc60f50a7920975e66f593

commit 451dfd384383160be5bc60f50a7920975e66f593
Author: Alan Modra <amodra@gmail.com>
Date: Fri Feb 13 10:16:16 2015 +1030

PowerPC64 offset check should test entire 64-bit value is in section

PR binutils/17512
* elf64-ppc.c (opd_entry_value): Tighten offset check. Remove now redundant assert.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=951eaaec17411eba4debe19781f6b8b54306256e

commit 951eaaec17411eba4debe19781f6b8b54306256e
Author: Nick Clifton <nickc@redhat.com>
Date: Fri Feb 13 12:14:05 2015 +0000

Fix illegal memory access errors triggered by running srconv on fuzzed binaries.

PR binutils/17512
* dwarf.c (read_leb128): Fix test for shift becoming too large.
* coffgrok.c (do_define): Add check for type size overflow.
* srconv.c (walk_tree_sfile): Check that enough sections are available before parsing.
(prescan): Likewise.
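Three commits in this thread touch the same primitive: the Feb 10 commit has read_leb128 "Break if the shift becomes too big", the addr2line commit replaces read_*_leb128 with safe_read_leb128 taking end pointers, and this one fixes the shift test again. A LEB128 decoder driven by attacker-controlled DWARF has two independent failure modes, reading past the section when the terminating byte never arrives, and shifting a 64-bit accumulator by 64 or more (the ubsan "shift exponent ... is too large" report above) when the run of continuation bytes is too long. The decoder below is an added example written for this page, not binutils' safe_read_leb128; `read_leb128_safe`, the `leb128_result` struct, the `DECODE` macro and the five `SAMPLE_*` byte strings are constructed for illustration and their names are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of one decode. `ok` is false when the input ran out before the
   terminating byte, or when the value would not fit in 64 bits. */
typedef struct {
    uint64_t value;   /* decoded value; for signed input, the two's-complement bit pattern */
    size_t   length;  /* bytes consumed, including the byte that triggered a failure */
    bool     ok;
} leb128_result;

/* Hypothetical hardened reader. `end` points one past the last valid byte
   of the section buffer, so the caller's bound travels with the data. */
leb128_result read_leb128_safe(const unsigned char *data,
                               const unsigned char *end,
                               bool is_signed)
{
    leb128_result r = { 0, 0, false };
    uint64_t result = 0;
    unsigned int shift = 0;
    unsigned char byte;

    if (data == NULL || end == NULL)
        return r;

    for (;;) {
        /* Check 1: the next byte must lie inside the buffer. A corrupt
           section can end in the middle of an encoding. */
        if (data >= end)
            return r;                       /* truncated */
        byte = *data++;
        r.length++;

        /* Check 2: shifting a uint64_t by 64 or more is undefined
           behaviour. A long run of continuation bytes must make the
           decode fail, not wrap, trap or spin. */
        if (shift >= 64)
            return r;                       /* does not fit in 64 bits */

        /* Check 3 (unsigned only): the tenth byte may carry a single bit;
           anything above it would be silently shifted out. */
        if (!is_signed && shift > 57 && ((byte & 0x7f) >> (64 - shift)) != 0)
            return r;                       /* would overflow 64 bits */

        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0)
            break;
    }

    /* Sign-extend from bit 6 of the last group, keeping the shift in range. */
    if (is_signed && shift < 64 && (byte & 0x40))
        result |= ~(uint64_t)0 << shift;

    r.value = result;
    r.ok = true;
    return r;
}

/* Constructed sample encodings (not taken from any real binary). */
static const unsigned char SAMPLE_U624485[]   = { 0xE5, 0x8E, 0x26 };
static const unsigned char SAMPLE_S_M123456[] = { 0xC0, 0xBB, 0x78 };
static const unsigned char SAMPLE_UMAX[]      = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x01 };
static const unsigned char SAMPLE_TRUNCATED[] = { 0x80, 0x80 };
static const unsigned char SAMPLE_TOO_LONG[]  = { 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x01 };

#define DECODE(arr, sgn) read_leb128_safe((arr), (arr) + sizeof (arr), (sgn))

int main(void)
{
    leb128_result r;

    r = DECODE(SAMPLE_U624485, false);
    printf("unsigned:  ok=%d value=%llu length=%zu\n", r.ok, (unsigned long long) r.value, r.length);
    r = DECODE(SAMPLE_S_M123456, true);
    printf("signed:    ok=%d value=%lld length=%zu\n", r.ok, (long long)(int64_t) r.value, r.length);
    r = DECODE(SAMPLE_TRUNCATED, false);
    printf("truncated: ok=%d (consumed %zu bytes)\n", r.ok, r.length);
    r = DECODE(SAMPLE_TOO_LONG, false);
    printf("too long:  ok=%d (stopped after %zu bytes)\n", r.ok, r.length);
    return 0;
}
```

Carrying `end` rather than a bare pointer is the point of the addr2line commit: every reader gets the bound, so a corrupt length in one attribute cannot steer the next read outside the section. Checking `shift` before the shift, rather than breaking after it, is the difference between the Feb 10 fix and the one in this commit.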
Hi Alexander,

> Problems with `srconv @@ /dev/null` (32-bit)
> Files: 1
> Errors:
> 1 Invalid read of size ...
> 1 Invalid write of size ...

Fixed.

Cheers
Nick
(In reply to Nick Clifton from comment #205)
> > Problems with `srconv @@ /dev/null` (32-bit)
> > Files: 1
> > Errors:
> > 1 Invalid read of size ...
> > 1 Invalid write of size ...
>
> Fixed.

Not sure if it is supposed to be fixed but undefined behavior (other 3 samples) is not yet fixed.
Created attachment 8130 [details]
Problems with `windres` (32-bit)

valgrind
Files: 1
Errors:
8 Conditional jump or move depends on uninitialised value(s)
1 Invalid read of size ...
1 Process terminating with default action of signal 11 (SIGSEGV)
2 Use of uninitialised value of size ...
Created attachment 8135 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms` (32-bit)

ubsan
Files: 6
Errors:
1 ../../../source/binutils/dwarf.c:4722:31: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:5924:6: runtime error: variable length array bound evaluates to non-positive value ...
1 ../../../source/binutils/dwarf.c:6474:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:6480:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:6503:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:6512:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
1 ../../../source/binutils/dwarf.c:7029:37: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
1 ../../../source/binutils/readelf.c:15081:46: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
1 ../../../source/binutils/readelf.c:15113:38: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
Created attachment 8136 [details]
Problems with `strip-new -o /dev/null` (32-bit)

valgrind
Files: 14
Errors:
5 Invalid read of size ...
9 Syscall param write(buf) points to uninitialised byte(s)
----------------------------------------------------------------------
ubsan
Files: 12
Errors:
1 ../../../source/bfd/coffcode.h:3435:57: runtime error: negation of ... cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
1 ../../../source/bfd/elf.c:2761:40: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
1 ../../../source/bfd/elf.c:4694:34: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
1 ../../../source/bfd/elf.c:4831:30: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
1 ../../../source/bfd/elf.c:5042:10: runtime error: signed integer overflow: ... + ... cannot be represented in type 'long long int'
1 ../../../source/bfd/elf.c:5045:10: runtime error: signed integer overflow: ... + ... cannot be represented in type 'long long int'
1 ../../../source/bfd/elf.c:5224:38: runtime error: signed integer overflow: ... - ... cannot be represented in type 'long long int'
1 ../../../source/bfd/mach-o.c:2695:18: runtime error: shift exponent ... is negative
1 ../../../source/bfd/mach-o.c:2695:18: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
1 ../../../source/bfd/mach-o.c:2701:24: runtime error: shift exponent ... is negative
1 ../../../source/bfd/mach-o.c:2701:24: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
1 ../../../source/bfd/mach-o.c:2702:32: runtime error: shift exponent ... is negative
1 ../../../source/bfd/mach-o.c:2702:32: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
1 ../../../source/bfd/mach-o.c:2735:22: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
1 ../../../source/bfd/mach-o.c:2819:21: runtime error: shift exponent ... is negative
1 ../../../source/bfd/mach-o.c:2819:21: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
1 ../../../source/bfd/mach-o.c:2823:23: runtime error: shift exponent ... is negative
1 ../../../source/bfd/mach-o.c:2823:23: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
1 ../../../source/bfd/mach-o.c:2829:21: runtime error: shift exponent ... is negative
1 ../../../source/bfd/mach-o.c:2829:21: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e3ee40059d4a4e04d10e2b5c46bacd2a810355ca

commit e3ee40059d4a4e04d10e2b5c46bacd2a810355ca
Author: Nick Clifton <nickc@redhat.com>
Date: Thu Feb 26 12:23:18 2015 +0000

Fixes a resource exhaustion problem when running windres on a corrupt binary.

PR binutils/17512
* resrc.c (write_rc_messagetable): Tighten check for invalid message lengths.
Hi Alexander,

(In reply to Alexander Cherepanov from comment #207)
> Problems with `windres` (32-bit)
> Errors:
> 8 Conditional jump or move depends on uninitialised value(s)
> 1 Invalid read of size ...
> 1 Process terminating with default action of signal 11 (SIGSEGV)
> 2 Use of uninitialised value of size ...

These should be fixed now.

Cheers
Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c8071705c69a13d237aeca4709bf91deaff7e5cb

commit c8071705c69a13d237aeca4709bf91deaff7e5cb
Author: Nick Clifton <nickc@redhat.com>
Date: Thu Feb 26 14:21:54 2015 +0000

Fix undefined arithmetic operations detected by -fsanitize=undefined when running readelf on fuzzed binaries.

PR binutils/17512
* dwarf.c (display_debug_loc): Pacify the undefined behaviour sanitizer by simplifying address difference calculation.
(struct Frame_Chunk): Change type of cfa_offset to dwarf_vma in order to avoid arithmetic overflows.
(frame_display_row): Cast cfa_offset before printing it.
(display_debug_frames): Likewise. Check for an unexpected segment size. Change type of 'l' local to dwarf_vma and cast it back to an int when printing.
(process_cu_tu_index): Tighten check for an invalid ncols value.
* readelf.c (process_corefile_note_segment): Check for inote.descdata extending beyond the end of the section.
(process_v850_notes): Likewise.
Hi Alexander,

(In reply to Alexander Cherepanov from comment #208)
> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms` (32-bit)

Fixed.

Cheers
Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c86934ceee0971a04bbfc145c7b9a53357c25c91

commit c86934ceee0971a04bbfc145c7b9a53357c25c91
Author: Nick Clifton <nickc@redhat.com>
Date: Thu Feb 26 21:32:04 2015 +0000

Fixes illegal memory access errors and arithmetic overflows when running strip on fuzzed binaries.

PR binutils/17512
* coffcode.h (coff_compute_section_file_positions): Report negative page sizes.
* elf.c (elf_fake_sections): Handle excessive alignment powers.
(assign_file_positions_for_non_load_sections): Replace assertion with an error message.
(rewrite_elf_program_header): Handle excessive segment alignments.
* mach-o.c (bfd_mach_o_read_section_32): Likewise.
(bfd_mach_o_read_section_64): Likewise.
* peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Use %B to print a bfd name, not %A.
Hi Alexander,

(In reply to Alexander Cherepanov from comment #209)
> Problems with `strip-new -o /dev/null` (32-bit)
> Errors:
> 5 Invalid read of size ...
> 9 Syscall param write(buf) points to uninitialised byte(s)

These should all be fixed now.

Cheers
Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d93c7787a0dd4261b8ac65a92a33196b62ef57b4

commit d93c7787a0dd4261b8ac65a92a33196b62ef57b4
Author: Nick Clifton <nickc@redhat.com>
Date: Thu Feb 26 22:16:16 2015 +0000

Fix arithmetic overflows running srconv on fuzzed binaries.

PR binutils/17512
* coffgrok.c (do_type): Check for an out of range tag index. Check for integer overflow computing array dimension.
(do_define): Likewise.
Hi Alexander,

(In reply to Alexander Cherepanov from comment #206)
> > > Problems with `srconv @@ /dev/null` (32-bit)
> Not sure if it is supposed to be fixed but undefined behavior (other 3
> samples) is not yet fixed.

Oops - sorry about this. The undefined behaviours should now be fixed as well.

Cheers
Nick
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1dead8aee09e9ba148f6f44040122f62b5e4acea

commit 1dead8aee09e9ba148f6f44040122f62b5e4acea
Author: Nick Clifton <nickc@redhat.com>
Date: Tue Mar 24 10:30:34 2015 +0000

Import security fixes for readelf from the master branch:

2015-02-26 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* readelf.c (process_corefile_note_segment): Check for inote.descdata extending beyond the end of the section.
(process_v850_notes): Likewise.

2015-02-24 Mike Frysinger <vapier@gentoo.org>

PR binutils/17531
* readelf.c (process_symbol_table): Declare chained. Increment it in every loop. Abort when chained is larger than nchains. Move error check outside of chain loop.

2015-02-10 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* readelf.c (dump_relocations): Handle printing offsets which are MIN_INT.
(process_corefile_note_segment): Add range check of the namesz field.

2015-02-06 Nick Clifton <nickc@redhat.com>

* readelf.c (process_mips_specific): Fail if an option has an invalid size.

2015-02-03 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* readelf.c (get_data): Change parameter types from size_t to bfd_size_type. Add checks for loss of accuracy when casting from bfd_size_type to size_t.
(get_dynamic_data): Likewise.
(process_section_groups): Limit number of error messages.

2015-01-05 Nick Clifton <nickc@redhat.com>

* readelf.c (slurp_ia64_unwind_table): Warn if the reloc could not be identified.
(dynamic_section_mips_val): Warn if the timestamp is invalid.
(print_mips_got_entry): Add a data_end parameter. Warn if a read would go beyond the end of the data, and return an error value.
(process_mips_specific): Do not read options from beyond the end of the section. Correct code to display optional data at the end of an option. Warn if there are too many GOT symbols. Update calls to print_mips_got_entry, and handle error returns.

2014-12-08 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* readelf.c (dump_ia64_unwind): Add range checks.
(slurp_ia64_unwind_table): Change to a boolean function. Add range checks.
(process_version_sections): Add range checks.
(get_symbol_version_string): Add check for missing section headers.

2014-12-03 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* readelf.c (get_machine_flags): Replace call to abort with a warning message and a return value.
(get_elf_section_flags): Likewise.
(get_symbol_visibility): Likewise.
(get_ia64_symbol_other): Likewise.
(get_ia64_symbol_other): Likewise.
(is_32bit_abs_reloc): Likewise.
(apply_relocations): Likewise.
(display_arm_attribute): Likewise.

2014-12-01 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* dwarf.h (struct dwarf_section): Add user_data field.
* dwarf.c (frame_need_space): Check for an over large register number.
(display_debug_frames): Check the return value from frame_need_space. Check for a CFA expression that is so long the start address wraps around.
(debug_displays): Initialise the user_data field.
* objdump.c (load_specific_debug_section): Save the BFD section pointer in the user_data field of the dwarf_section structure.
(free_debug_section): Update BFD section data when freeing section contents.
* readelf.c (load_specific_debug_section): Initialise the user_data field.

2014-12-01 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* readelf.c (process_archive): Add range checks.

2014-11-28 Alan Modra <amodra@gmail.com>

* readelf.c (get_32bit_elf_symbols): Cast bfd_size_type values to unsigned long for %lx.
(get_64bit_elf_symbols, process_section_groups): Likewise.

2014-11-27 Espen Grindhaug <espen@grindhaug.org>
Nick Clifton <nickc@redhat.com>

PR binutils/17531
* readelf.c (get_data): Move excessive length check to earlier on in the function and allow for wraparound in the arithmetic.
(get_32bit_elf_symbols): Terminate early if the section size is zero. Check for an invalid sh_entsize. Check for an index section with an invalid size.
(get_64bit_elf_symbols): Likewise.
(process_section_groups): Check for an invalid sh_entsize.

2014-11-21 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* readelf.c (process_version_sections): Prevent an infinite loop processing corrupt version need data.
(process_corefile_note_segment): Handle corrupt notes.

2014-11-18 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* readelf.c (get_unwind_section_word): Skip reloc processing if there are no relocs associated with the section.
(decode_tic6x_unwind_bytecode): Warn and return if the stack pointer adjustment falls off the end of the buffer.
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=304a2b6fe67786b45889a784bf71aabf2a9d26fd

commit 304a2b6fe67786b45889a784bf71aabf2a9d26fd
Author: Nick Clifton <nickc@redhat.com>
Date: Tue Mar 24 11:31:37 2015 +0000

Import fixes for invalid memory access issues in the binutils DWARF parser from the trunk sources.

PR binutils/17512
* dwarf.c (display_debug_loc): Pacify the undefined behaviour sanitizer by simplifying address difference calculation.
(struct Frame_Chunk): Change type of cfa_offset to dwarf_vma in order to avoid arithmetic overflows.
(frame_display_row): Cast cfa_offset before printing it.
(display_debug_frames): Likewise. Check for an unexpected segment size. Change type of 'l' local to dwarf_vma and cast it back to an int when printing.
(process_cu_tu_index): Tighten check for an invalid ncols value.
* readelf.c (process_corefile_note_segment): Check for inote.descdata extending beyond the end of the section.
(process_v850_notes): Likewise.

2015-02-13 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* dwarf.c (read_leb128): Fix test for shift becoming too large.

PR binutils/17531
* dwarf.c (display_debug_aranges): Add check for an excessive ar_length value.
(process_cu_tu_index): Check for a row * columns sum being too large.

2015-02-13 Alan Modra <amodra@gmail.com>

* dwarf.c: Formatting, whitespace.
(process_debug_info): Style fix.

2015-02-11 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* dwarf.c (display_debug_pubnames_worker): Work around compiler bug checking address ranges.
(display_debug_frames): Likewise.
(display_gdb_index): Likewise.
(process_cu_tu_index): Add range check on the ncols value.

2015-02-10 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* dwarf.c (eh_addr_size): Use an unsigned type.
(size_of_encoded_value): Return an unsigned type.
(read_leb128): Break if the shift becomes too big.
(process_extended_line_op): Do not read the address if the length is too long.
(read_cie): Warn and fail if the pointer size or segment size are too big.
* dwarf.h (DWARF2_External_LineInfo): Delete unused and incorrect structure definition.
(DWARF2_External_PubNames): Likewise.
(DWARF2_External_CompUnit): Likewise.
(DWARF2_External_ARange): Likewise.
(DWARF2_Internal_LineInfo): Use dwarf_vma type for li_prologue_length.
(eh_addr_size): Update prototype.

PR binutils/17531
* dwarf.c (process_debug_info): Zero the debug information array since correct initialisation cannot be relied upon.
(process_cu_tu_index): Improve range checks.

PR binutils/17531
* dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for offset.

2015-02-06 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* dwarf.c (display_debug_frames): Fix range checks to work on 32-bit binaries compiled on a 64-bit host.

PR binutils/17531
* dwarf.c (xcmalloc): Fail if the arguments are too big.
(xcrealloc): Likewise.
(xcalloc2): Likewise.
* readelf.c (process_mips_specific): Fail if an option has an invalid size.

2015-02-05 Alan Modra <amodra@gmail.com>

PR binutils/17926
* dwarf.c (dwarf_select_sections_by_letters): Don't refer to optarg.

2015-02-04 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* dwarf.c (read_and_display_attr_value): Test for a block length being so long that it wraps around to before the start of the block.
(process_debug_info): Test for section_begin wrapping around to before the start of the section.
(display_gdb_index): Test for num_cus being so large that the end address wraps around to before the start of the section.
(process_cu_tu_index): Test for j being so large that the section index pool wraps around to before the start of the section.

2015-02-03 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* dwarf.c (process_debug_info): Add range check.
(display_debug_pubnames_worker): Likewise.
(display_gdb_index): Fix range check.
(process_cu_tu_index): Add range check.
* readelf.c (get_data): Change parameter types from size_t to bfd_size_type. Add checks for loss of accuracy when casting from bfd_size_type to size_t.
(get_dynamic_data): Likewise.
(process_section_groups): Limit number of error messages.

2015-01-12 H.J. Lu <hongjiu.lu@intel.com>

* dwarf.c (process_debug_info): Properly check abbrev size.

2015-01-12 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* dwarf.c (process_debug_info): Check for abbrev_base being larger than the section size.
(process_cu_tu_index): Use xcalloc2 to allocate the CU and TU arrays.
(xcalloc2): New function. Like xcalloc, but checks for overflow.
(display_debug_addr): Use xcalloc to allocate the debug_addr_info array. Check for an address_base that is too large.
* dwarf.h (xcalloc2): Prototype.

2015-01-05 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* dwarf.c (alloc_num_debug_info_entries): New variable.
(process_debug_info): Set it. Use it to avoid displaying attributes for which there is no info.
(display_debug_abbrev): Check that the debug_info_entry index is valid before using it.
(display_loc_list_dwo): Likewise.
(process_cu_tu_index): Add range check for an overlarge dw_sect value.
(free_debug_memory): Reset alloc_num_debug_info_entries.

2014-12-22 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* dwarf.c (decode_location_expression): Check for an out of range value for a DW_OP_GNU_entry_value expression.
(display_debug_lines_raw): Check for a partial .debug_line section being encountered without a prior, full .debug_line section.
(display_debug_lines_decoded): Likewise. Also check for li_line_range being zero.
(display_debug_pubnames_worker): Check for an invalid pn_length field.
(read_cie): Add range checks.

2014-12-11 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* dwarf.c (display_gdb_index): Add more range checks.

2014-12-08 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* dwarf.c (display_debug_frames): Check for a negative augmentation data length.
(display_gdb_index): Check for invalid offsets.

2014-12-01 H.J. Lu <hongjiu.lu@intel.com>

* dwarf.c (process_cu_tu_index): Properly check for an out of range row index.

2014-12-01 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* dwarf.h (struct dwarf_section): Add user_data field.
* dwarf.c (frame_need_space): Check for an over large register number.
(display_debug_frames): Check the return value from frame_need_space. Check for a CFA expression that is so long the start address wraps around.
(debug_displays): Initialise the user_data field.
* objdump.c (load_specific_debug_section): Save the BFD section pointer in the user_data field of the dwarf_section structure.
(free_debug_section): Update BFD section data when freeing section contents.
* readelf.c (load_specific_debug_section): Initialise the user_data field.

2014-12-01 Nick Clifton <nickc@redhat.com>

PR binutils/17531
* dwarf.c (process_cu_tu_index): Check for an out of range row index.
* elfcomm.c (adjust_relative_path): Change name_len parameter to an unsigned long. Check for path length overflow.
(process_archive_index_and_symbols): Check for invalid header size.
(setup_archive): Add checks for invalid archives.
(get_archive_member_name): Add range checks.
* elfcomm.h (adjust_relative_path): Update prototype.
* readelf.c (process_archive): Add range checks.

2014-11-26 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* dwarf.c (display_block): Do nothing if the block starts after the end of the buffer.
(read_and_display_attr_value): Add range checks.
(struct Frame_Chunk): Make the ncols and ra fields unsigned.
(frame_need_space): Test for an ncols of zero.
(read_cie): Fail if the augmentation data extends off the end of the buffer.
(display_debug_frames): Add checks for read_cie failing. Add range checks.

2014-11-21 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* dwarf.c (get_encoded_value): Check for an encoded size of 0.
(display_debug_lines_raw): Check for an invalid line range value.
(display_debug_frames): Check for corrupt augmentation data.

2014-11-19 Jan-Benedict Glaw <jbglaw@lug-owl.de>

* dwarf.c (process_extended_line_op): Fix signedness warning.

2014-11-18 Nick Clifton <nickc@redhat.com>

PR binutils/17512
* dwarf.c (get_encoded_value): Warn and return if the encoded value is more than 64-bits long.
(SAFE_BYTE_GET): Do not attempt to read more than 64-bits.
(process_extended_line_op): Add more range checks.
(decode_location_expression): Use the return value from display_block. Add more range checks.
(read_debug_line_header): Add range check.
(display_debug_lines_raw): Add range checks.
(display_debug_frames): Silently skip multiple zero terminators. Add range checks.
(process_cu_tu_index): Check for non-existent or empty sections. Use SAFE_BYTE_GET instead of byte_get.
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4f9583e9c45482e111d30f94df650a3f2cf36b99

commit 4f9583e9c45482e111d30f94df650a3f2cf36b99
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 12:25:25 2015 +0000

Import fixes from trunk sources to correct invalid memory access issues with various binutils programs.

Apply from master:

2015-02-26  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffgrok.c (do_type): Check for an out of range tag index. Check for integer overflow computing array dimension.
	(do_define): Likewise.

2015-02-26  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* resrc.c (write_rc_messagetable): Tighten check for invalid message lengths.

2015-02-13  Nick Clifton  <nickc@redhat.com>

	* coffgrok.c (do_define): Add check for type size overflow.
	* srconv.c (walk_tree_sfile): Check that enough sections are available before parsing.
	(prescan): Likewise.

2015-02-03  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* objdump.c (display_any_bfd): Fail if archives nest too deeply.

2015-01-27  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* dlltool.c (identify_search_archive): If the last archive was the same as the current archive, terminate the loop.
	* addr2line.c (slurp_symtab): If the symcount is zero, free the symbol table pointer.
	* rcparse.y: Add checks to avoid integer divide by zero.
	* rescoff.c (read_coff_rsrc): Add check on the size of the resource section.
	(read_coff_res_dir): Add check on the nesting level. Check for resource names overrunning the buffer.
	* resrc.c (write_rc_messagetable): Update formatting. Add check of 'elen' being zero.

2015-01-23  Nick Clifton  <nickc@redhat.com>

	* nlmconv.c (powerpc_mangle_relocs): Fix build errors introduced by recent delta, when compiling for a 32-bit host.

2015-01-21  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* addr2line.c (main): Call bfd_set_error_program_name.
	* ar.c (main): Likewise.
	* coffdump.c (main): Likewise.
	* cxxfilt.c (main): Likewise.
	* dlltool.c (main): Likewise.
	* nlmconv.c (main): Likewise.
	* nm.c (main): Likewise.
	* objdump.c (main): Likewise.
	* size.c (main): Likewise.
	* srconv.c (main): Likewise.
	* strings.c (main): Likewise.
	* sysdump.c (main): Likewise.
	* windmc.c (main): Likewise.
	* windres.c (main): Likewise.
	* objcopy.c (main): Likewise.
	(copy_relocations_in_section): Check for relocs without associated symbol pointers.

2015-01-21  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffgrok.c (do_type): Check that computed ref exists.
	(doit): Add range checks when computing section for scope.

2015-01-08  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* objcopy.c (copy_object): Free the symbol table if no symbols could be loaded.
	(copy_file): Use bfd_close_all_done to close files that could not be copied.
	* sysdump.c (getINT): Fail if reading off the end of the buffer. Replace call to abort with a call to fatal.
	(getCHARS): Prevent reading off the end of the buffer.
	* nlmconv.c (i386_mangle_relocs): Skip relocs without an associated symbol.
	(powerpc_mangle_relocs): Skip unrecognised relocs. Check address range before applying a reloc.

2015-01-07  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* dlltool.c (scan_obj_file): Break loop if the last archive displayed matches the current archive.
	* objdump.c (display_any_bfd): Add a depth limit to nested archive display in order to avoid infinite loops.
	* srconv.c: Replace calls to abort with calls to fatal with an error message.

2015-01-06  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffdump.c (dump_coff_section): Check for a symbol being available before printing its name.
	(main): Check the return value from coff_grok.
	* coffgrok.c: Reformat and tidy. Add range checks to most functions.
	(coff_grok): Return NULL if the input bfd is not in a COFF format.
	* coffgrok.h: Reformat and tidy.
	(struct coff_section): Change the nrelocs field to unsigned.
	* srconv.c (main): Check the return value from coff_grok.

2015-01-05  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* nm.c (print_symbol): Add 'is_synthetic' parameter. Use it to help initialize the info.elfinfo field.
	(print_size_symbols): Add 'synth_count' parameter. Use it to set the is_synthetic parameter when calling print_symbol.
	(print_symbols): Likewise.
	(display_rel_file): Pass synth_count to printing function.
	(display_archive): Break loop if the last archive displayed matches the current archive.
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a57494b3cf09162ed556f4d1da2bd77d2acc4e4

commit 7a57494b3cf09162ed556f4d1da2bd77d2acc4e4
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 16:32:44 2015 +0000

Import fixes from mainline that address illegal memory accesses when working with COFF/PE based files.

Apply from master:

2015-02-26  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (coff_compute_section_file_positions): Report negative page sizes.

2015-02-10  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (styp_to_sec_flags): Use an unsigned long type to hold the flag bits.

2015-02-06  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* peXXigen.c (rsrc_print_resource_entries): Add range check for addresses that wrap around the address space.
	(rsrc_parse_entry): Likewise.

2015-02-03  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* ecoff.c: Use bfd_alloc2 to allocate space for structure arrays.
	(_bfd_ecoff_slurp_symbol_table): Check for a negative symbol index or an out of range fdr index.
	* peXXigen.c (pe_print_edata): Check for numeric overflow in edt fields.

2015-01-22  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (handle_COMDAT): When searching for the section symbol, make sure that there is space left in the symbol table.

2015-01-21  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (coff_set_arch_mach_hook): Check return value from bfd_malloc.
	(coff_slurp_line_table): Return FALSE if the line number information was corrupt.
	(coff_slurp_symbol_table): Return FALSE if the symbol information was corrupt.
	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Set bfd_error if the read fails.
	(slurp_symtab): Check the return from bfd_malloc.
	(_bfd_XX_bfd_copy_private_bfd_data_common): Fail if the copy encountered an error.
	(_bfd_XXi_final_link_postscript): Fail if a section could not be copied.
	* peicode.h (pe_bfd_object_p): Fail if the header could not be swapped in.

2015-01-08  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffcode.h (coff_slurp_symbol_table): Return false if we failed to load the line table.

2015-01-06  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coff-i860.c (CALC_ADDEND): Always set an addend value.

2014-11-27  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* ecoff.c (_bfd_ecoff_slurp_symbol_table): Warn about and correct a discrepancy between the isymMax and ifdMax values in the symbolic header.

2014-11-26  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coff-h8300.c (rtype2howto): Replace abort with returning a NULL value.
	* coff-h8500.c (rtype2howto): Likewise.
	* coff-tic30.c (rtype2howto): Likewise.
	* coff-z80.c (rtype2howto): Likewise.
	* coff-z8k.c (rtype2howto): Likewise.
	* coff-ia64.c (RTYPE2HOWTO): Always return a valid howto.
	* coff-m68k.c (m68k_rtype2howto): Return a NULL howto if none could be found.
	* coff-mcore.c (RTYPE2HOWTO): Add range checking.
	* coff-w65.c (rtype2howto): Likewise.
	* coff-we32k.c (RTYPE2HOWTO): Likewise.
	* pe-mips.c (RTYPE2HOWTO): Likewise.
	* coff-x86_64.c (coff_amd64_reloc): Likewise. Replace abort with an error return.
	* coffcode.h (coff_slurp_reloc_table): Allow the rel parameter to be unused.
	* coffgen.c (make_a_section_from_file): Check the length of a section name before testing to see if it is a debug section name.
	(coff_object_p): Zero out any uninitialised bytes in the opt header.
	* ecoff.c (_bfd_ecoff_slurp_symbolic_info): Test for the raw source being empty when there are values to be processed.
	(_bfd_ecoff_slurp_symbol_table): Add range check.

2014-11-21  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* coffgen.c (coff_get_normalized_symtab): Check for an excessive number of auxiliary entries.

2014-11-21  Alexander Cherepanov  <cherepan@mccme.ru>

	PR binutils/17512
	* coffgen.c (_bfd_coff_read_string_table): Test allocation of string table before clearing the first few bytes.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fc42baf3cdc41bc8cf12e35ae78e4529c1470118

commit fc42baf3cdc41bc8cf12e35ae78e4529c1470118
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 17:20:00 2015 +0000

Fixes a bug introduced by the new range checks on COFF symbol tables.

	PR binutils/17512
	* coffgen.c (coff_get_normalized_symtab): Fix test for out of range auxiliary sections.
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a539f2c77280d67248128aa993e5f606419a46e6

commit a539f2c77280d67248128aa993e5f606419a46e6
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Mar 25 14:20:36 2015 +0000

Import patches from the master sources which fix illegal memory accesses found by running the binutils on fuzzed binaries.

2015-03-25  Nick Clifton  <nickc@redhat.com>

	Apply from master:

2015-02-26  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* mach-o.c (bfd_mach_o_read_section_32): Likewise.
	(bfd_mach_o_read_section_64): Likewise.

2015-02-10  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* versados.c (process_otr): Check the esdid value before using it to access the EDATA.

2015-02-03  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* mach-o.c: Use bfd_alloc2 to allocate space for structure arrays.
	(bfd_mach_o_canonicalize_one_reloc): Fix check on out of range symbol indices.
	(bfd_mach_o_canonicalize_relocs): Check for out of range alloc.
	(bfd_mach_o_canonicalize_dynamic_reloc): Likewise.
	(bfd_mach_o_build_dysymtab): Likewise.
	(bfd_mach_o_write_symtab_content): Set the string table size to zero upon error.
	(bfd_mach_o_read_symtab_symbols): Reset the nsyms value if the read fails.
	* tekhex.c (first_phase): Check for src pointer reaching end of buffer.

2015-01-27  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* pdp11.c (aout_get_external_symbols): Return false if there are no symbols.

2015-01-22  DJ Delorie  <dj@redhat.com>

	* elf32-m32c.c (m32c_apply_reloc_24): New.
	(m32c_elf_howto_table): Use it for R_M32C_24.
	(m32c_elf_relocate_section): Handle R_M32C_24 specially.

2015-01-21  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* mach-o.c (bfd_mach_o_bfd_copy_private_header_data): Always initialise the fields of the dyld_info structure.
	(bfd_mach_o_build_exec_seg_command): Replace assertion with an error message and a return value.
	(bfd_mach_o_layout_commands): Change the function to boolean. Return FALSE if the function fails.
	(bfd_mach_o_build_commands): Fail if bfd_mach_o_layout_commands fails.
	(bfd_mach_o_read_command): Fail if an unrecognised command is encountered.
	* tekhex.c (first_phase): Fail if the section is too big.
	* versados.c (struct esdid): Add content_size field.
	(process_otr): Use and check the new field.
	(versados_get_section_contents): Check that the section exists and that the requested data is available.

2015-01-19  Alan Modra  <amodra@gmail.com>

	* bfd-in.h (bfd_get_section_limit_octets): New define, extracted from..
	(bfd_get_section_limit): ..here.
	* reloc.c (bfd_perform_relocation): Correct bfd_reloc_outofrange check.
	(bfd_install_relocation, _bfd_final_link_relocate): Add same check here.
	* bfd-in2.h: Regenerate.
	* cpu-ns32k.c (_bfd_do_ns32k_reloc_contents): Return bfd_reloc_ok on zero size relocs.
	* ecoff.c (ecoff_reloc_link_order): Likewise.
	* elf32-nds32.c (nds32_relocate_contents): Likewise.
	* elfxx-aarch64.c (_bfd_aarch64_elf_put_addend): Likewise.
	* reloc.c (_bfd_relocate_contents): Don't bomb on zero size relocs.
	(_bfd_clear_contents): Likewise.
	* elfxx-mips.c (mips_elf_obtain_contents): Likewise.
	(mips_elf_perform_relocation): Likewise.
	* aoutx.h (aout_link_reloc_link_order): Allow for NULL return from malloc on zero size alloc.
	* cofflink.c (_bfd_coff_reloc_link_order): Likewise.
	* elflink.c (elf_reloc_link_order): Likewise.
	* linker.c (_bfd_generic_reloc_link_order): Likewise.
	* pdp11.c (aout_link_reloc_link_order): Likewise.
	* xcofflink.c (xcoff_reloc_link_order): Likewise.
	* aoutx.h (howto_table_ext): Ensure NONE relocs have size 3, bitsize 0, and complain_overflow_dont.
	* coff-sparc.c (coff_sparc_howto_table): Likewise.
	* elf-hppa.h (elf_hppa_howto_table): Likewise.
	* elf-m10200.c (elf_mn10200_howto_table): Likewise.
	* elf-m10300.c (elf_mn10300_howto_table): Likewise.
	* elf32-arc.c (elf_arc_howto_table): Likewise.
	* elf32-arm.c (elf32_arm_howto_table_1): Likewise.
	* elf32-avr.c (elf_avr_howto_table): Likewise.
	* elf32-bfin.c (bfin_howto_table): Likewise.
	* elf32-cr16.c (cr16_elf_howto_table): Likewise.
	* elf32-cris.c (cris_elf_howto_table): Likewise.
	* elf32-crx.c (crx_elf_howto_table): Likewise.
	* elf32-d10v.c (elf_d10v_howto_table): Likewise.
	* elf32-d30v.c (elf_d30v_howto_table): Likewise.
	* elf32-dlx.c (dlx_elf_howto_table): Likewise.
	* elf32-epiphany.c (epiphany_elf_howto_table): Likewise.
	* elf32-fr30.c (fr30_elf_howto_table): Likewise.
	* elf32-frv.c (elf32_frv_howto_table): Likewise.
	* elf32-h8300.c (h8_elf_howto_table): Likewise.
	* elf32-i370.c (i370_elf_howto_raw): Likewise.
	* elf32-i386.c (elf_howto_table): Likewise.
	* elf32-i860.c (elf32_i860_howto_table): Likewise.
	* elf32-i960.c (elf32_i960_relocate): Likewise.
	* elf32-ip2k.c (ip2k_elf_howto_table): Likewise.
	* elf32-iq2000.c (iq2000_elf_howto_table): Likewise.
	* elf32-lm32.c (lm32_elf_howto_table): Likewise.
	* elf32-m32c.c (m32c_elf_howto_table): Likewise.
	* elf32-m32r.c (m32r_elf_howto_table): Likewise.
	* elf32-m68hc11.c (elf_m68hc11_howto_table): Likewise.
	* elf32-m68hc12.c (elf_m68hc11_howto_table): Likewise.
	* elf32-m68k.c (howto_table): Likewise.
	* elf32-mcore.c (mcore_elf_howto_raw): Likewise.
	* elf32-mep.c (mep_elf_howto_table): Likewise.
	* elf32-metag.c (elf_metag_howto_table): Likewise.
	* elf32-microblaze.c (microblaze_elf_howto_raw): Likewise.
	* elf32-mips.c (elf_mips_howto_table_rel): Likewise.
	* elf32-moxie.c (moxie_elf_howto_table): Likewise.
	* elf32-msp430.c (elf_msp430_howto_table): Likewise.
	* elf32-mt.c (mt_elf_howto_table): Likewise.
	* elf32-nds32.c (nds32_elf_howto_table): Likewise.
	* elf32-nios2.c (elf_nios2_howto_table_rel): Likewise.
	* elf32-or1k.c (or1k_elf_howto_table): Likewise.
	* elf32-pj.c (pj_elf_howto_table): Likewise.
	* elf32-ppc.c (ppc_elf_howto_raw): Likewise.
	* elf32-rl78.c (rl78_elf_howto_table): Likewise.
	* elf32-rx.c (rx_elf_howto_table): Likewise.
	* elf32-s390.c (elf_howto_table): Likewise.
	* elf32-score.c (elf32_score_howto_table): Likewise.
	* elf32-score7.c (elf32_score_howto_table): Likewise.
	* elf32-sh-relocs.h (R_SH_NONE): Likewise.
	* elf32-spu.c (elf_howto_table): Likewise.
	* elf32-tic6x.c (elf32_tic6x_howto_table): Likewise.
	* elf32-tilepro.c (tilepro_elf_howto_table): Likewise.
	* elf32-v850.c (v850_elf_howto_table): Likewise.
	* elf32-vax.c (howto_table): Likewise.
	* elf32-xc16x.c (xc16x_elf_howto_table): Likewise.
	* elf32-xgate.c (elf_xgate_howto_table): Likewise.
	* elf32-xstormy16.c (xstormy16_elf_howto_table): Likewise.
	* elf32-xtensa.c (elf_howto_table): Likewise.
	* elf64-alpha.c (elf64_alpha_howto_table): Likewise.
	* elf64-mips.c (mips_elf64_howto_table_rel): Likewise.
	* elf64-mmix.c (elf_mmix_howto_table): Likewise.
	* elf64-ppc.c (ppc64_elf_howto_raw): Likewise.
	* elf64-s390.c (elf_howto_table): Likewise.
	* elf64-sh64.c (sh_elf64_howto_table): Likewise.
	* elf64-x86-64.c (x86_64_elf_howto_table): Likewise.
	* elfn32-mips.c (elf_mips_howto_table_rel): Likewise.
	* elfnn-aarch64.c (elfNN_aarch64_howto_table): Likewise.
	(elfNN_aarch64_howto_none): Likewise.
	* elfxx-ia64.c (ia64_howto_table): Likewise.
	* elfxx-sparc.c (_bfd_sparc_elf_howto_table): Likewise.
	* elfxx-tilegx.c (tilegx_elf_howto_table): Likewise.
	* nlm32-sparc.c (nlm32_sparc_howto_table): Likewise.

2015-01-06  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* mach-o.c (bfd_mach_o_read_symtab_strtab): Zero terminate the string table.
	* reloc.c (bfd_get_reloc_size): Handle a reloc size of -1.
	(bfd_perform_relocation): Include the size of the reloc in the test for an out of range relocation.
	(bfd_generic_get_relocated_section_contents): Remove reloc range test.
	* tekhex.c (getvalue): Add an end pointer parameter. Use it to avoid reading off the end of the buffer.
	(getsym): Likewise.
	(first_phase): Likewise.
	(pass_over): Pass an end pointer to the invoked function.

2015-01-05  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* archive.c (do_slurp_bsd_armap): Make sure that the parsed size is at least big enough for the header to be read.
	* mach-o.c (bfd_mach_o_get_synthetic_symtab): Add range checks.
	(bfd_mach_o_read_command): Prevent duplicate error messages about unrecognized commands.
	* syms.c (_bfd_stab_section_find_nearest_line): Add range checks when indexing into the string table.

2014-12-22  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* archive.c (do_slurp_bsd_armap): Return if the parsed_size is zero.
	(bfd_slurp_armap): Zero terminate the name.
	(bfd_generic_stat_arch_elt): If there is no header, fail.
	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): If no symbols have been provided then set the reloc's symbol to undefined.
	* reloc.c (bfd_generic_get_relocated_section_contents): Add range checking of the reloc to be applied.
	* versados.c (process_otr): Add more range checks.
	(versados_canonicalize_reloc): If the section is unknown, set the symbol to undefined.
	* vms-alpha.c (_bfd_vms_slurp_eisd): Add range checks.
	(alpha_vms_object_p): Likewise.

2014-12-16  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* format.c (bfd_check_format_matches): Check for a matching vector before using match priorities.
	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Fix off-by-one errors with previous delta.

2014-12-09  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* archive64.c (bfd_elf64_archive_slurp_armap): Add range checks.
	* libbfd.c (safe_read_leb128): New function.
	* libbfd-in.h (safe_read_leb128): Add prototype.
	* libbfd.h: Regenerate.

2014-12-03  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* compress.c (bfd_get_full_section_contents): Fail if there are no section contents available when the compress_status is COMPRESS_SECTION_DONE.
	* libbfd.c (bfd_malloc): Refuse to allocate a negative size.
	(bfd_malloc2): Use bfd_malloc.
	(bfd_realloc): Refuse to reallocate a negative size.
	(bfd_realloc2): Use bfd_realloc.
	(bfd_realloc_or_free): Use bfd_realloc.
	(bfd_zmalloc): Use bfd_malloc.
	(bfd_zmalloc): Use bfd_malloc2.
	* opncls.c (bfd_alloc): Refuse to allocate a negative size.

2014-12-01  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* archive.c (do_slurp_coff_armap): Add range checks to prevent running off the end of the string table.
	* compress.c (bfd_get_full_section_contents): Return a NULL pointer for zero sized sections. Do not attempt to copy a buffer onto itself.
	* reloc.c (bfd_perform_relocation): Avoid seg-fault if the howto parameter is NULL.

2014-11-26  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Likewise.
	(bfd_mach_o_mangle_sections): Move test for too many sections to before the allocation of the section table.
	(bfd_mach_o_read_symtab_strtab): If the read fails, free the memory and nullify the symbol pointer.
	* reloc.c (bfd_generic_get_relocated_section_contents): Add handling of a bfd_reloc_notsupported return value.
	* versados.c (EDATA): Add range checking.
	(get_record): Likewise.
	(process_otr): Check for contents being available before updating them.
	(versados_canonicalize_reloc): Add range check.

2014-11-21  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* ieee.c (next_byte): Convert to a function. Return FALSE if the next byte is beyond the end of the buffer.
	(parse_int): Test the return value of next_byte.
	(parse_expression): Convert to boolean. Return FALSE if the parsing failed. Test the return value of next_byte.
	(ieee_seek): Convert to a function. Return FALSE if the seek goes beyond the end of the buffer.
	(ieee_slurp_external_symbols): Test the return value of ieee_seek and next_byte.
	(ieee_slurp_sections): Convert to boolean. Return FALSE if the operation failed. Test the return value of ieee_seek and next_byte.
	(ieee_archive_p): Test the return value of ieee_seek and next_byte.
	(do_one): Likewise.
	(ieee_slurp_section_data): Likewise.
	(ieee_object_p): Likewise. Store the size of the buffer in the total_amt field in the header.
	* libieee.h (common_header_type): Add amt field.
	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the reloc's value is within range.
	(bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the operation fails.
	* versados.c (process_otr): Check that the section exists before taking its size.
	(versados_object_p): Make sure that enough data was read for the header to be checked.
	* vms-alpha.c (vms_get_remaining_object_record): Change read_so_far parameter to an unsigned int. Check that the amount read is in range.
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ab50ec071e10f7dc038d05c82bc2c7b388e787f5

commit ab50ec071e10f7dc038d05c82bc2c7b388e787f5
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Mar 25 16:08:17 2015 +0000

Import fixes from mainline sources that address illegal memory access problems with the ELF targeted parts of the BFD library.

2015-03-25  Nick Clifton  <nickc@redhat.com>

	Apply from master:

2015-02-26  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* elf.c (elf_fake_sections): Handle excessive alignment powers.
	(assign_file_positions_for_non_load_sections): Replace assertion with an error message.
	(rewrite_elf_program_header): Handle excessive segment alignments.

2015-02-13  Alan Modra  <amodra@gmail.com>

	PR binutils/17512
	* elf64-ppc.c (opd_entry_value): Tighten offset check. Remove now redundant assert.

2015-02-12  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* dwarf2.c (read_1_byte, read_1_signed_byte, read_2_bytes)
	(read_4_bytes, read_8_bytes, read_n_bytes, read_string)
	(read_indirect_string, read_alt_indirect_string)
	(read_alt_indirect_ref, read_address, read_abbrevs)
	(read_attribute_value, read_attribute, decode_line_info)
	(find_abstract_instance_name, read_rangelist)
	(scan_unit_for_symbols, parse_comp_unit)
	(_bfd_dwarf2_find_nearest_line): Harden DWARF reading code. Pass end pointers to reading functions and check for offsets taking pointers out of range. Replace calls to read_*_leb128 with calls to safe_read_leb128.
	* elf64-ppc.c (opd_entry_value): Add a check for an overlarge offset.

2015-02-03  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* elf-m10300.c (mn10300_info_to_howto): Fix typo in error message.
	* elf32-arc.c (arc_info_to_howto_rel): Likewise.
	* elf32-avr.c (avr_info_to_howto_rela): Likewise.
	* elf32-cr16.c (elf_cr16_info_to_howto): Likewise.
	* elf32-cr16c.c (elf_cr16c_info_to_howto_rel): Likewise.
	* elf32-cris.c (cris_info_to_howto_rela): Likewise.
	* elf32-crx.c (elf_crx_info_to_howto): Likewise.
	* elf32-d10v.c (d10v_info_to_howto_rel): Likewise.
	* elf32-d30v.c (d30v_info_to_howto_rel): Likewise.
	* elf32-epiphany.c (epiphany_info_to_howto_rela): Likewise.
	* elf32-fr30.c (fr30_info_to_howto_rela): Likewise.
	* elf32-frv.c (frv_info_to_howto_rela): Likewise.
	* elf32-i370.c (i370_elf_info_to_howto): Likewise.
	* elf32-i960.c (elf32_i960_info_to_howto_rel): Likewise.
	* elf32-ip2k.c (ip2k_info_to_howto_rela): Likewise.
	* elf32-iq2000.c (iq2000_info_to_howto_rela): Likewise.
	* elf32-lm32.c (lm32_info_to_howto_rela): Likewise.
	* elf32-m32c.c (m32c_info_to_howto_rela): Likewise.
	* elf32-m32r.c (m32r_info_to_howto_rel): Likewise.
	* elf32-m68hc11.c (m68hc11_info_to_howto_rel): Likewise.
	* elf32-m68hc12.c (m68hc11_info_to_howto_rel): Likewise.
	* elf32-mcore.c (mcore_elf_info_to_howto): Likewise.
	* elf32-mep.c (mep_info_to_howto_rela): Likewise.
	* elf32-metag.c (metag_info_to_howto_rela): Likewise.
	* elf32-microblaze.c (microblaze_elf_info_to_howto): Likewise.
	* elf32-moxie.c (moxie_info_to_howto_rela): Likewise.
	* elf32-msp430.c (msp430_info_to_howto_rela): Likewise.
	* elf32-mt.c (mt_info_to_howto_rela): Likewise.
	* elf32-nds32.c (nds32_info_to_howto_rel): Likewise.
	* elf32-or1k.c (or1k_info_to_howto_rela): Likewise.
	* elf32-pj.c (pj_elf_info_to_howto): Likewise.
	* elf32-ppc.c (ppc_elf_info_to_howto): Likewise.
	* elf32-rl78.c (rl78_info_to_howto_rela): Likewise.
	* elf32-rx.c (rx_info_to_howto_rela): Likewise.
	* elf32-sh.c (sh_elf_info_to_howto): Likewise.
	* elf32-spu.c (spu_elf_info_to_howto): Likewise.
	* elf32-v850.c (v850_elf_perform_relocation): Likewise.
	* elf32-vax.c (rtype_to_howto): Likewise.
	* elf32-visium.c (visium_info_to_howto_rela): Likewise.
	* elf32-xgate.c (xgate_info_to_howto_rel): Likewise.
	* elf32-xtensa.c (elf_xtensa_info_to_howto_rela): Likewise.
	* elf64-alpha.c (elf64_alpha_info_to_howto): Likewise.
	* elf64-mmix.c (mmix_info_to_howto_rela): Likewise.

2015-01-27  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* dwarf2.c (concat_filename): Check for an empty directory table.
	(scan_unit_for_symbols): Check for reading off the end of the unit.
	(parse_comp_unit): Check for a DW_AT_comp_dir attribute with a non-string form.

2015-01-15  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* elf-m10300.c (mn10300_info_to_howto): Replace assertion with an error message. Never return an invalid howto pointer.
	* elf32-cr16.c (cr16_info_to_howto): Likewise.
	* elf32-crx.c (elf_crx_info_to_howto): Likewise.
	* elf32-i370.c (i370_elf_info_to_howto): Likewise.
	* elf32-mcore.c (mcore_elf_info_to_howto): Likewise.
	* elf32-microblaze.c (microblaze_elf_info_to_howto): Likewise.
	* elf32-mips.c (mips_elf32_rtype_to_howto): Likewise.
	* elf32-pj.c (pj_elf_info_to_howto): Likewise.
	* elf32-ppc.c (ppc_elf_info_to_howto): Likewise.
	* elf32-spu.c (spu_elf_info_to_howto): Likewise.
	* elf32-v850.c (v850_elf_info_to_howto_rela): Likewise.
	* elf32-vax.c (rtype_to_howto): Likewise.
	* elf64-alpha.c (elf64_alpha_info_to_howto): Likewise.
	* elf64-mips.c (mips_elf64_rtype_to_howto): Likewise.
	* elfn32-mips.c (sh_elf_info_to_howto): Likewise.
	* elf32-sh.c (sh_elf_info_to_howto): Likewise.
	(sh_elf_reloc): Check that the reloc is in range.
	* reloc.c (bfd_perform_relocation): Check that the section is big enough for the entire reloc.
	(bfd_generic_get_relocated_section_contents): Report unexpected return values from perform_reloc.

2015-01-08  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* elf.c (_bfd_elf_map_sections_to_segments): Enforce a minimum maxpagesize of 1.

2015-01-06  H.J. Lu  <hongjiu.lu@intel.com>

	PR binutils/17512
	* elf32-i386.c (elf_i386_get_plt_sym_val): Skip unknown relocation.
	* elf64-x86-64.c (elf_x86_64_get_plt_sym_val): Likewise.

2014-12-22  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* elf32-arc.c (arc_info_to_howto_rel): Replace BFD_ASSERT with error message.
	* elf32-avr.c (avr_info_to_howto_rela): Likewise.
	* elf32-cr16c.c (elf_cr16c_info_to_howto_rel): Likewise.
	* elf32-cris.c (cris_info_to_howto_rela): Likewise.
	* elf32-d10v.c (d10v_info_to_howto_rel): Likewise.
	* elf32-d30v.c (d30v_info_to_howto_rel): Likewise.
	* elf32-dlx.c (dlx_rtype_to_howto): Likewise.
	* elf32-epiphany.c (epiphany_info_to_howto_rela): Likewise.
	* elf32-fr30.c (fr30_info_to_howto_rela): Likewise.
	* elf32-frv.c (frv_info_to_howto_rela): Likewise.
	* elf32-i960.c (elf32_i960_info_to_howto_rel): Likewise.
	* elf32-ip2k.c (ip2k_info_to_howto_rela): Likewise.
	* elf32-iq2000.c (iq2000_info_to_howto_rela): Likewise.
	* elf32-lm32.c (lm32_info_to_howto_rela): Likewise.
	* elf32-m32c.c (m32c_info_to_howto_rela): Likewise.
	* elf32-m32r.c (m32r_info_to_howto_rel): Likewise.
	* elf32-m68hc11.c (m68hc11_info_to_howto_rel): Likewise.
	* elf32-m68hc12.c (m68hc11_info_to_howto_rel): Likewise.
	* elf32-mep.c (mep_info_to_howto_rela): Likewise.
	* elf32-metag.c (metag_info_to_howto_rela): Likewise.
	* elf32-moxie.c (moxie_info_to_howto_rela): Likewise.
	* elf32-msp430.c (msp430_info_to_howto_rela): Likewise.
	* elf32-mt.c (mt_info_to_howto_rela): Likewise.
	* elf32-nds32.c (nds32_info_to_howto_rel): Likewise.
	* elf32-or1k.c (or1k_info_to_howto_rela): Likewise.
	* elf32-rl78.c (rl78_info_to_howto_rela): Likewise.
	* elf32-rx.c (rx_info_to_howto_rela): Likewise.
	* elf32-v850.c (v850_elf_info_to_howto_rel): Likewise.
	* elf32-xgate.c (xgate_info_to_howto_rel): Likewise.
	* elf32-xtensa.c (elf_xtensa_info_to_howto_rela): Likewise.
	* elf64-mmix.c (mmix_info_to_howto_rela): Likewise.
	* elf64-x86-64.c (elf_x86_64_reloc_type_lookup): Likewise.
	* elfnn-aarch64.c (elfNN_aarch64_bfd_reloc_from_type): Likewise.
	* elf64-sparc.c (elf64_sparc_slurp_one_reloc_table): Add range checking of reloc symbol index.

2014-12-09  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128. Check for an over-long subsection length.
	* elf.c (elf_parse_notes): Check that the namedata is long enough for the string comparison that is about to be performed.
	(elf_read_notes): Zero-terminate the note buffer.

2014-12-01  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* elf-attrs.c (_bfd_elf_parse_attributes): Check for an empty header. Add range checks to avoid running off the end of the section.
	* elf.c (bfd_elf_get_str_section): Seek before allocating so that if the seek fails, no memory is allocated.
	(bfd_elf_string_from_elf_section): Do not allocate a string from a non string section. It only leads to trouble later on.
	(_bfd_elf_print_private_bfd_data): Check for there being too little external dynamic data.
	(bfd_section_from_shdr): Replace assertion with a failure mode.
	(bfd_section_from_shdr): When walking a loaded group section use the internal structure size, not the external size. Check for the group section being empty.
	* elf32-i386.c (elf_i386_rtype_to_howto): Replace assertion with a failure mode.
	* elfcode.h (elf_slurp_reloc_table): Likewise.

2014-11-27  Nick Clifton  <nickc@redhat.com>

	PR binutils/17512
	* elf.c (_bfd_elf_print_private_bfd_data): Fix the range check scanning the external dynamic entries.
*** Bug 19296 has been marked as a duplicate of this bug. ***
Unfortunately, thanks to fixes to this bug, I cannot (can no longer?) run windres on stock binaries shipping with Windows.

$ i686-w64-mingw32-windres shell32.dll shell32.rc
i686-w64-mingw32-windres: shell32.dll: resource name: address out of bounds

(The shell32.dll binary is from Windows 98 SE.)
Created attachment 9402 [details]
Proposed patch

Hi Felix,

> $ i686-w64-mingw32-windres shell32.dll shell32.rc
> i686-w64-mingw32-windres: shell32.dll: resource name: address out of bounds

Oops - sorry about that. This patch will fix the immediate problem. But running windres now produces this result:

version length 928 does not match resource length 936

I assume that this is not the expected result. :-( I am not sure what is causing this though, so it looks like more investigation is needed.

Cheers
Nick
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4931146e91c3c8208f1e0b8462b8f33e70da506a

commit 4931146e91c3c8208f1e0b8462b8f33e70da506a
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jul 28 15:37:16 2016 +0100

Fix decoding of Windows resources.

	PR binutils/17512
	* rescoff.c (read_coff_res_dir): Fix detection of buffer overrun.
	* resbin.c (bin_to_res_version): Allow for the padded length of a version block to be longer than the recorded length. Skip padding bytes.
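The commit above resolves the "version length 928 does not match resource length 936" failure by letting the resource carry more bytes than the version block's recorded length and skipping the excess as padding. The C below is an added example written for this page, not code from binutils' resbin.c: it reads the outer VS_VERSIONINFO header (wLength, wValueLength, wType, then the UTF-16LE key "VS_VERSION_INFO") with every access bounded by the resource size first and by wLength second, rejects a wLength that overruns the buffer, and reports trailing padding instead of treating it as a mismatch. The function names and the sample resource bytes (936 bytes recorded as 928) are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of validating the outer header of a VS_VERSIONINFO block. */
enum ver_status {
    VER_OK = 0,
    VER_TOO_SMALL,    /* resource (or wLength) shorter than header + key */
    VER_LEN_TOO_BIG,  /* recorded wLength would overrun the resource buffer */
    VER_BAD_KEY       /* szKey is not the expected L"VS_VERSION_INFO" */
};

struct ver_header {
    uint16_t length;        /* wLength: bytes the block claims to occupy */
    uint16_t value_length;  /* wValueLength: size of the fixed-info value */
    uint16_t type;          /* wType: 0 = binary data, 1 = text data */
    size_t   padding;       /* bytes the resource carries beyond wLength */
};

/* Fixed part of the header: wLength, wValueLength, wType (three LE u16). */
#define VER_FIXED_HDR 6

/* L"VS_VERSION_INFO" with its UTF-16LE NUL terminator: 16 code units. */
static const uint8_t VS_KEY[32] = {
    'V',0,'S',0,'_',0,'V',0,'E',0,'R',0,'S',0,'I',0,
    'O',0,'N',0,'_',0,'I',0,'N',0,'F',0,'O',0, 0,0
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static void put_le16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

/* Validate the header of a version block held in a resource of resource_len
 * bytes.  The buffer size is checked before wLength is even read, and wLength
 * is then required to fit inside the buffer, so a corrupt length can never
 * move the parser past the end of the resource.  A resource longer than
 * wLength is accepted: the excess is reported as padding for the caller to
 * skip rather than rejected as a length mismatch. */
enum ver_status validate_version_block(const uint8_t *data, size_t resource_len,
                                       struct ver_header *out)
{
    const size_t min_len = VER_FIXED_HDR + sizeof VS_KEY;

    if (resource_len < min_len)          /* cannot even read the header */
        return VER_TOO_SMALL;

    uint16_t wlen = get_le16(data);
    if (wlen < min_len)                  /* header claims less than it needs */
        return VER_TOO_SMALL;
    if (wlen > resource_len)             /* header claims more than we have */
        return VER_LEN_TOO_BIG;

    /* Safe: min_len <= wlen <= resource_len, so the key is inside the buffer. */
    if (memcmp(data + VER_FIXED_HDR, VS_KEY, sizeof VS_KEY) != 0)
        return VER_BAD_KEY;

    out->length       = wlen;
    out->value_length = get_le16(data + 2);
    out->type         = get_le16(data + 4);
    out->padding      = resource_len - wlen;   /* 0 when lengths agree */
    return VER_OK;
}

/* Constructed sample: a zero-filled resource of buf_len bytes whose header
 * records wlen as the block length.  Returns buf_len for convenience. */
size_t build_sample_resource(uint8_t *buf, size_t buf_len, uint16_t wlen)
{
    memset(buf, 0, buf_len);
    if (buf_len >= VER_FIXED_HDR + sizeof VS_KEY) {
        put_le16(buf, wlen);
        put_le16(buf + 2, 52);           /* constructed wValueLength */
        put_le16(buf + 4, 0);            /* binary value */
        memcpy(buf + VER_FIXED_HDR, VS_KEY, sizeof VS_KEY);
    }
    return buf_len;
}

int main(void)
{
    /* The case from the report: 936 resource bytes, 928 recorded. */
    uint8_t res[936];
    struct ver_header hdr;
    build_sample_resource(res, sizeof res, 928);
    enum ver_status st = validate_version_block(res, sizeof res, &hdr);
    printf("status=%d length=%u padding=%zu\n", (int)st, hdr.length, hdr.padding);
    return st == VER_OK ? 0 : 1;
}
```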
Hi Felix, Right - I have checked in an extended version of my previous patch and now decoding the resources in shell32.dll should work. Cheers Nick
(In reply to cvs-commit@gcc.gnu.org from comment #228)
> The master branch has been updated by Nick Clifton <nickc@sourceware.org>:
>
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4931146e91c3c8208f1e0b8462b8f33e70da506a
>
> commit 4931146e91c3c8208f1e0b8462b8f33e70da506a
> Author: Nick Clifton <nickc@redhat.com>
> Date:   Thu Jul 28 15:37:16 2016 +0100
>
>     Fix decoding of Windows resources.
>
>     	PR binutils/17512
>     	* rescoff.c (read_coff_res_dir): Fix detection of buffer overrun.
>     	* resbin.c (bin_to_res_version): Allow for the padded length of a
>     	version block to be longer than the recorded length.  Skip padding
>     	bytes.

Hi Nick,

Since you committed this patch, I've noticed build failures when binutils are configured with:
--enable-64-bit-bfd=yes --target arm-wince-pe, in a i386 chroot.

The error messages are:
../../binutils/resbin.c: In function 'bin_to_res_version':
../../binutils/resbin.c:967:5: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'rc_uint_type' [-Werror=format=]
     verlen, length);
     ^
../../binutils/resbin.c:967:5: error: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'rc_uint_type' [-Werror=format=]
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2d5bddc1eb5d2c04ed142c7ba6fc13e2e3a28079

commit 2d5bddc1eb5d2c04ed142c7ba6fc13e2e3a28079
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Aug 2 11:06:28 2016 +0100

    Avoid compile time warning when building on 32-bit host.

    	PR binutils/17512
    	* resbin.c (bin_to_res_version): Cast variables to correct type for
    	printing in error message.
(In reply to Christophe Lyon from comment #230)

Hi Christophe,

> ../../binutils/resbin.c:967:5: error: format '%lu' expects argument of type
> 'long unsigned int', but argument 2 has type 'rc_uint_type' [-Werror=format=]
>      verlen, length);

Sorry about that. For some reason my 32-bit builds are not showing up this kind of problem. I think it is because my host machine is still 64-bits.

Anyway, I have checked in a simple patch to fix the problem.

Cheers
  Nick
If I may say so, I believe the issue of synthetic symbols is not being handled correctly by the patch here.

The 'is_synthetic' flag was added to 'print_symbol()'. The flag itself is set in 'print_size_symbols()' and 'print_symbols()' by just deciding that the last 'synth_count' symbols in the list are synthetic. However, since there are 2 different methods of sorting these symbols, either with the 'qsort()' or the call to 'sort_symbols_by_size()', it is unlikely that the last 'synth_count' symbols of each sort will all be synthetic.

There is also the added call to 'filter_symbols()' before the sorts, which may or may not remove synthetic symbols, while not adjusting the 'synth_count' value. (If no synthetic symbols are filtered, then there is no harm - I haven't looked at the filter function yet.)

In my opinion, it makes more sense to remove the 'from >= fromsynth' from the calls to 'print_symbol()' and 'print_size_symbols()', since the last 'synth_count' symbols are not going to be synthetic. Likewise, 'print_symbols()' can drop the 'is_synthetic' argument. Instead, the symbol's flag can be tested to see if BSF_SYNTHETIC is set. By doing that, the position of the symbol in the sorted list is irrelevant.

I am assuming that only synthetic symbols are being created with the BSF_SYNTHETIC flag set. That seems to match the code in the bfd directory.
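To make the argument in the comment above concrete, here is an added example (not nm's or bfd's code) with a cut-down symbol list: three regular symbols followed by two synthetic ones, the order in which the list is built before any sort. Sorting by address, as nm -n does, moves the synthetic entries away from the end of the list, so the positional rule ("the last synth_count entries are synthetic") finds none of them, while testing each symbol's own flag still finds both. The flag bit, struct fields, sample names and addresses are assumptions of the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not binutils code. SYM_SYNTHETIC stands in for
   BSF_SYNTHETIC; the struct is a minimal model of an nm symbol entry. */
#define SYM_SYNTHETIC 0x1u

struct sym {
    const char *name;
    uint64_t value;
    unsigned flags;
};

/* Sort by address, as nm -n does. Synthetic entries such as PLT stubs land
   wherever their addresses fall, not at the end of the list. */
static int cmp_by_value(const void *a, const void *b)
{
    const struct sym *x = a, *y = b;
    return (x->value > y->value) - (x->value < y->value);
}

/* Positional rule from the patch under discussion: treat the last
   synth_count entries as synthetic. Returns how many of those really carry
   the flag, so anything below synth_count means the rule misfired. */
size_t count_positional_correct(const struct sym *syms, size_t n, size_t synth_count)
{
    size_t correct = 0;
    if (synth_count > n)
        synth_count = n;
    for (size_t i = n - synth_count; i < n; i++)
        if (syms[i].flags & SYM_SYNTHETIC)
            correct++;
    return correct;
}

/* Flag-based rule: ask each symbol itself; its position is irrelevant. */
size_t count_flagged(const struct sym *syms, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (syms[i].flags & SYM_SYNTHETIC)
            c++;
    return c;
}

/* Constructed sample in pre-sort order: regular symbols first, then the
   synth_count synthetic ones appended at the end. */
#define SAMPLE_N 5
#define SAMPLE_SYNTH 2
static const struct sym sample[SAMPLE_N] = {
    { "main",       0x401200, 0 },
    { "helper",     0x401100, 0 },
    { "_start",     0x401000, 0 },
    { "puts@plt",   0x401040, SYM_SYNTHETIC },
    { "printf@plt", 0x401050, SYM_SYNTHETIC },
};

static void sorted_copy(struct sym *copy)
{
    memcpy(copy, sample, sizeof sample);
    qsort(copy, SAMPLE_N, sizeof copy[0], cmp_by_value);
}

/* After the -n sort the last two entries are helper and main, so the
   positional rule recognises none of the synthetic symbols. */
size_t demo_positional_after_sort(void)
{
    struct sym copy[SAMPLE_N];
    sorted_copy(copy);
    return count_positional_correct(copy, SAMPLE_N, SAMPLE_SYNTH);
}

/* The flag test is unaffected by the sort. */
size_t demo_flagged_after_sort(void)
{
    struct sym copy[SAMPLE_N];
    sorted_copy(copy);
    return count_flagged(copy, SAMPLE_N);
}
```

The same mismatch appears with any other ordering, including a size sort, which is the comment's point: only a per-symbol flag survives reordering.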
The master branch has been updated by Mark Wielaard <mark@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39e224f6f9ee3f6123d4c9ddb7c0955e0604c1b4

commit 39e224f6f9ee3f6123d4c9ddb7c0955e0604c1b4
Author: Mark Wielaard <mark@klomp.org>
Date:   Mon Mar 20 15:32:34 2017 +0100

    readelf: Don't error on .debug files with NOBITS .dynamic section.

    The fix for PR binutils/17512 added a check for the dynamic segment
    being inside the actual ELF file. If not an error message would be
    produced:

      readelf: Error: the dynamic segment offset + size exceeds the size of the file

    Unfortunately for separate debuginfo files it is common for the dynamic
    segment not being inside the file because the .dynamic section is NOBITS.

    Since the check is done unconditionally in process_program_headers and
    process_program_headers is always called (to setup dynamic_addr in case
    it is needed). The error is produced on any operations done on any
    .debug file (even if no program headers or the dynamic segment is used).

    If there are section headers then a cross check is done to see if the
    .dynamic section is NOBITS in which case dynamic_addr is set to zero
    without a warning or error (which is then checked first before any
    operation on the dynamic segment is done).

    Move the check for the dynamic segment being inside the actual ELF file
    after the cross check with the section headers to suppress the error
    for .debug files.

    binutils/ChangeLog:

    	* readelf.c (process_program_headers): Move dynamic_addr check after
    	.dynamic section cross check.
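As an added example (not readelf's code), the function below reproduces the check ordering the commit message describes, on constructed header fields: consult the .dynamic section header first, return quietly with dynamic_addr zero for SHT_NOBITS, and only then bound the segment against the file size, using a subtraction that cannot wrap. A naive p_offset + p_filesz <= file_size comparison is included to show why the wrap matters for attacker-chosen headers. The struct layouts, names and sample values are assumptions of the example; only the SHT_NOBITS value is the ELF one.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not readelf code. SHT_NOBITS is the ELF value (8); the
   structs hold just the fields the check needs. */
#define SHT_NOBITS_VALUE 8

enum dyn_status {
    DYN_NONE = 0,     /* no PT_DYNAMIC segment */
    DYN_OK,           /* segment lies inside the file; dynamic_addr set */
    DYN_NOBITS,       /* .dynamic is SHT_NOBITS (separate debuginfo): no error */
    DYN_OUT_OF_FILE   /* offset + size exceeds the file: corrupt, report it */
};

struct dyn_phdr { int present; uint64_t p_offset; uint64_t p_filesz; };
struct dyn_shdr { int present; uint32_t sh_type; };   /* the .dynamic section, if any */

/* Cross check with the section headers first, then bound the segment. */
int check_dynamic_segment(const struct dyn_phdr *seg, const struct dyn_shdr *sec,
                          uint64_t file_size, uint64_t *dynamic_addr)
{
    *dynamic_addr = 0;
    if (!seg->present)
        return DYN_NONE;

    /* A NOBITS .dynamic means the bytes are legitimately absent from this
       file, so the file-size check must not run at all. */
    if (sec->present && sec->sh_type == SHT_NOBITS_VALUE)
        return DYN_NOBITS;

    /* Overflow-safe: never form p_offset + p_filesz, which wraps for
       attacker-chosen values and can slip past a naive comparison. */
    if (seg->p_offset > file_size || seg->p_filesz > file_size - seg->p_offset)
        return DYN_OUT_OF_FILE;

    *dynamic_addr = seg->p_offset;
    return DYN_OK;
}

/* The naive form, kept only to show the wrap: returns 1 when it would accept. */
int naive_check_accepts(uint64_t p_offset, uint64_t p_filesz, uint64_t file_size)
{
    return p_offset + p_filesz <= file_size;
}

/* Constructed scenarios. */
int demo_regular_binary(void)
{
    struct dyn_phdr seg = { 1, 0x2e0, 0x1f0 };
    struct dyn_shdr sec = { 1, 6 };              /* SHT_DYNAMIC */
    uint64_t addr;
    return check_dynamic_segment(&seg, &sec, 4096, &addr);
}

int demo_separate_debuginfo(void)
{
    struct dyn_phdr seg = { 1, 0x2e0, 0x1f0 };   /* phdr kept from the stripped binary */
    struct dyn_shdr sec = { 1, SHT_NOBITS_VALUE };
    uint64_t addr;
    return check_dynamic_segment(&seg, &sec, 0x200, &addr);  /* .debug file is smaller */
}

int demo_corrupt_size(void)
{
    struct dyn_phdr seg = { 1, 0x2e0, 0x10000 };
    struct dyn_shdr sec = { 1, 6 };
    uint64_t addr;
    return check_dynamic_segment(&seg, &sec, 4096, &addr);
}

/* p_offset chosen so that p_offset + p_filesz wraps to 7; the naive check
   accepts it, the subtraction form does not. */
int demo_wrapping_offset(void)
{
    struct dyn_phdr seg = { 1, UINT64_MAX - 8, 16 };
    struct dyn_shdr sec = { 0, 0 };              /* no section headers at all */
    uint64_t addr;
    return check_dynamic_segment(&seg, &sec, 4096, &addr);
}
```

The order of the two tests is the whole fix: with the bound check first, every separate debuginfo file trips it; with the NOBITS cross check first, corrupt binaries are still caught and .debug files pass.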
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=de357ff4e4f8fa7aaf621d680fde72a010b026d2

commit de357ff4e4f8fa7aaf621d680fde72a010b026d2
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Mar 3 09:13:03 2023 +1030

    binutils coff type list

    As for commit 72d225ef9cc7, handle type numbers starting anywhere.

    	PR 17512
    	* rdcoff.c (struct coff_slots): Add base_index.
    	(coff_get_slot): Delete pr17512 excessively large slot check.
    	Don't allocate entire array from 0 to type number, allocate a
    	sparse array.
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=695c322803476e92e1566c90470b6bb737a40514

commit 695c322803476e92e1566c90470b6bb737a40514
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Mar 26 19:26:46 2023 +1030

    coffgrok access of u.auxent.x_sym.x_tagndx.p

    u.auxent.x_sym.x_tagndx is a union. The p field is only valid when
    fix_tag is set. This patch fixes code in coffgrok.c that accessed the
    field without first checking fix_tag, and removes a whole lot of code
    validating bogus pointers to prevent segfaults (which no longer happen,
    I checked the referenced PR 17512 testcases). The patch also documents
    this in the fix_tag comment, makes is_sym a bitfield, and sorts the
    selector fields a little.

    bfd/
    	* coffcode.h (combined_entry_type): Make is_sym a bitfield.
    	Sort and comment on union selectors.
    	* libcoff.h: Regenerate.
    binutils/
    	* coffgrok.c (do_type): Make aux a combined_entry_type.  Test
    	fix_tag before accessing u.auxent.x_sym.x_tagndx.p.  Remove now
    	unnecessary pointer bounds checking.