Noticed when building gcc-6.3.0 and gcc-5.4.0 with binutils-2.28 (original report https://bugs.gentoo.org/show_bug.cgi?id=622500 )

In the build process of gcc the following object file is generated that can crash 'strip': http://dev.gentoo.org/~slyfox/bugs/622500-ia64-strip/dwarf2out.o

Reproducible both on a native ia64 box and when running cross-binutils on x86_64.

-fsanitize=address detects the out-of-bounds access as:

==17093==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000598
...
READ of size 8 at 0x61a000000598 thread T0
    #0 0x7feeb6dd4333 in find_link binutils-gdb/bfd/elf.c:1295
    #1 0x7feeb6dd48a1 in copy_special_section_fields binutils-gdb/bfd/elf.c:1379
    #2 0x7feeb6dd5391 in _bfd_elf_copy_private_bfd_data binutils-gdb/bfd/elf.c:1501
    #3 0x5623789a0952 in copy_object binutils-gdb/binutils/objcopy.c:2974
    #4 0x5623789a25d4 in copy_file binutils-gdb/binutils/objcopy.c:3336
    #5 0x5623789a6856 in strip_main binutils-gdb/binutils/objcopy.c:4261
    #6 0x5623789ab0f9 in main binutils-gdb/binutils/objcopy.c:5368
    #7 0x7feeb650f3f9 in __libc_start_main (/lib64/libc.so.6+0x39648203f9)
    #8 0x562378996259 in _start (binutils-gdb/binutils/.libs/strip-new+0x16259)

The failure is easy to work around but I'm not sure if something breaks the hint invariant:

diff --git a/bfd/elf.c b/bfd/elf.c index 5f37e7f79c..abb1499893 100644 --- a/bfd/elf.c +++ b/bfd/elf.c @@ -1291,7 +1291,8 @@ find_link (const bfd * obfd, const Elf_Internal_Shdr * iheader, const unsigned i BFD_ASSERT (iheader != NULL); /* See PR 20922 for a reproducer of the NULL test. */ - if (oheaders[hint] != NULL + if (hint < elf_numsections (obfd) + && oheaders[hint] != NULL && section_match (oheaders[hint], iheader)) return hint;
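Review bot: The comment directly above the test still names only PR 20922 as the reason for the NULL check; extend it to also record why hint can be outside the output section table (this ia64 dwarf2out.o report), otherwise the new `hint < elf_numsections (obfd)` term looks redundant next to the assumed hint invariant and risks being folded away later. The ordering of the new condition is right: the range test is evaluated before `oheaders[hint]` is read, so the heap-buffer-overflow ASan flagged at elf.c:1295 cannot recur, and an out-of-range hint simply falls through the same way a NULL header does today.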
Created attachment 10219: binutils-2.28-bfd-elf.c-fix-out-of-bounds-access-in-find_link.patch

binutils-2.28-bfd-elf.c-fix-out-of-bounds-access-in-find_link.patch is the same workaround as a separate patch. The patch allows rebuilding gcc-6.3.0 on ia64.
Adding Nick who handled very similar PR 20922
Sent patch for review as https://sourceware.org/ml/binutils/2017-06/msg00328.html
Thanks for the report and patch. Patch is obvious, and I'll apply after a test run finishes. The test run was really for some patches of mine, but I've learned it helps to test even obvious patches. ;-)
Patch committed 5cc4ca837de