Bug 21669 - strip from binutils-2.28 SIGSEGVs when strips ia64 files
Summary: strip from binutils-2.28 SIGSEGVs when strips ia64 files
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.29
Importance: P2 normal
Target Milestone: ---
Assignee: Alan Modra
URL: https://sourceware.org/ml/binutils/20...
Depends on:
Reported: 2017-06-24 14:52 UTC by Sergei Trofimovich
Modified: 2017-06-25 05:01 UTC

See Also:
Target: ia64-unknown-linux-gnu
Last reconfirmed: 2017-06-25 00:00:00

binutils-2.28-bfd-elf.c-fix-out-of-bounds-access-in-find_link.patch (1.00 KB, patch)
2017-06-24 14:54 UTC, Sergei Trofimovich

Description Sergei Trofimovich 2017-06-24 14:52:24 UTC
Noticed when building gcc-6.3.0 and gcc-5.4.0 with binutils-2.28
(original report https://bugs.gentoo.org/show_bug.cgi?id=622500 )

In the build process of gcc the following object file is generated
that can crash 'strip':

Reproducible both on a native ia64 box and when running cross-binutils on x86_64.

-fsanitize=address detects the out-of-bounds access as:

==17093==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000598 ...
READ of size 8 at 0x61a000000598 thread T0
    #0 0x7feeb6dd4333 in find_link binutils-gdb/bfd/elf.c:1295
    #1 0x7feeb6dd48a1 in copy_special_section_fields binutils-gdb/bfd/elf.c:1379
    #2 0x7feeb6dd5391 in _bfd_elf_copy_private_bfd_data binutils-gdb/bfd/elf.c:1501
    #3 0x5623789a0952 in copy_object binutils-gdb/binutils/objcopy.c:2974
    #4 0x5623789a25d4 in copy_file binutils-gdb/binutils/objcopy.c:3336
    #5 0x5623789a6856 in strip_main binutils-gdb/binutils/objcopy.c:4261
    #6 0x5623789ab0f9 in main binutils-gdb/binutils/objcopy.c:5368
    #7 0x7feeb650f3f9 in __libc_start_main (/lib64/libc.so.6+0x39648203f9)
    #8 0x562378996259 in _start (binutils-gdb/binutils/.libs/strip-new+0x16259)

The failure is easy to work around, but I'm not sure if something breaks the hint invariant:

diff --git a/bfd/elf.c b/bfd/elf.c
index 5f37e7f79c..abb1499893 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -1291,7 +1291,8 @@ find_link (const bfd * obfd, const Elf_Internal_Shdr * iheader, const unsigned i
   BFD_ASSERT (iheader != NULL);
   /* See PR 20922 for a reproducer of the NULL test.  */
-  if (oheaders[hint] != NULL
+  if (hint < elf_numsections (obfd)
+      && oheaders[hint] != NULL
       && section_match (oheaders[hint], iheader))
     return hint;
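Review bot: the new `hint < elf_numsections (obfd)` test is correctly placed as the first operand, so `&&` short-circuits before `oheaders[hint]` is read, but the comment directly above it still only explains the NULL test ("See PR 20922 for a reproducer of the NULL test."); extend it to say that `hint` is also range-checked because a hint can exceed the output bfd's section count, and cite this PR alongside 20922 so the next reader knows where both reproducers live. The report itself asks whether an out-of-range hint violates an invariant of the caller; the commit message (or that comment) should answer that explicitly rather than leaving the guard to read as a silent workaround.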
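To make the failure mode concrete, here is a small stand-alone model of a hint-guided section lookup, added as an example and not code from binutils or from the reporter. It keeps the shape of the `find_link` test quoted above (a hint that is probed first, then a fallback scan) but the section header struct, `section_match` criteria, the fallback scan and the sample header tables are all constructed for the demo. The scenario assumes what `strip` routinely causes: the output file has fewer section headers than the input, so an index that was valid for the input can be past the end of the output table. The unguarded variant is included for comparison only and is never called with an out-of-range hint, since that is undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for Elf_Internal_Shdr: only the fields the match uses. */
typedef struct {
  const char *name;
  uint32_t sh_type;
  uint64_t sh_flags;
} shdr_t;

#define SHN_NONE ((unsigned) -1)  /* no matching output section */

/* Constructed stand-in for bfd's section_match(): same type and flags. */
static int section_match(const shdr_t *a, const shdr_t *b) {
  return a->sh_type == b->sh_type && a->sh_flags == b->sh_flags;
}

/* Unguarded lookup, mirroring the pre-fix control flow: if hint >= onum the
   first test reads past the end of oheaders (the heap-buffer-overflow ASan
   reports).  Kept for comparison; not called with an out-of-range hint. */
unsigned find_link_unguarded(shdr_t *const *oheaders, unsigned onum,
                             const shdr_t *iheader, unsigned hint) {
  if (oheaders[hint] != NULL && section_match(oheaders[hint], iheader))
    return hint;
  for (unsigned i = 1; i < onum; i++)
    if (oheaders[i] != NULL && section_match(oheaders[i], iheader))
      return i;
  return SHN_NONE;
}

/* Guarded lookup: the bounds check is the first operand, so && short-circuits
   before oheaders[hint] is ever dereferenced. */
unsigned find_link_guarded(shdr_t *const *oheaders, unsigned onum,
                           const shdr_t *iheader, unsigned hint) {
  if (hint < onum
      && oheaders[hint] != NULL
      && section_match(oheaders[hint], iheader))
    return hint;
  for (unsigned i = 1; i < onum; i++)
    if (oheaders[i] != NULL && section_match(oheaders[i], iheader))
      return i;
  return SHN_NONE;
}

/* Constructed output table: the input had more sections, strip dropped some,
   so only 4 slots remain (slot 0 is the null section, slot 2 was removed). */
static shdr_t sh_null   = {"",        0, 0};
static shdr_t sh_text   = {".text",   1 /* SHT_PROGBITS */, 0x6 /* AX */};
static shdr_t sh_symtab = {".symtab", 2 /* SHT_SYMTAB */,   0};
static shdr_t *out_headers[4] = {&sh_null, &sh_text, NULL, &sh_symtab};

/* Hint taken from the input side (assumed sh_link = 7): valid there, past
   the end of the 4-entry output table here.  The guard makes the fallback
   scan find the matching output section instead of reading out of bounds. */
unsigned demo_hint_out_of_range(void) {
  shdr_t want = {".symtab", 2, 0};
  return find_link_guarded(out_headers, 4, &want, 7);   /* returns 3 */
}

/* In-range hint that matches: returned directly without scanning. */
unsigned demo_hint_hit(void) {
  shdr_t want = {".text", 1, 0x6};
  return find_link_guarded(out_headers, 4, &want, 1);   /* returns 1 */
}

/* Out-of-range hint and nothing matches: SHN_NONE, still no bad read. */
unsigned demo_no_match(void) {
  shdr_t want = {".rela.text", 4 /* SHT_RELA */, 0x40};
  return find_link_guarded(out_headers, 4, &want, 9);   /* returns SHN_NONE */
}

int main(void) {
  printf("hint 7 -> %u, hint 1 -> %u, no match -> %u\n",
         demo_hint_out_of_range(), demo_hint_hit(), demo_no_match());
  return 0;
}
```

Compile with `-fsanitize=address` and swap `find_link_guarded` for `find_link_unguarded` in `demo_hint_out_of_range` to reproduce the same class of report shown in the description against this toy table.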
Comment 1 Sergei Trofimovich 2017-06-24 14:54:26 UTC
Created attachment 10219

binutils-2.28-bfd-elf.c-fix-out-of-bounds-access-in-find_link.patch is the same workaround as a separate patch.

The patch allows rebuilding gcc-6.3.0 on ia64.
Comment 2 Sergei Trofimovich 2017-06-24 17:28:49 UTC
Adding Nick, who handled the very similar PR 20922.
Comment 3 Sergei Trofimovich 2017-06-24 19:20:28 UTC
Sent patch for review as https://sourceware.org/ml/binutils/2017-06/msg00328.html
Comment 4 Alan Modra 2017-06-25 02:16:28 UTC
Thanks for the report and patch.  Patch is obvious, and I'll apply after a test run finishes.  The test run was really for some patches of mine, but I've learned it helps to test even obvious patches. ;-)
Comment 5 Alan Modra 2017-06-25 05:01:50 UTC
Patch committed 5cc4ca837de