Bug 23207 - hppa ld SIGSEGVs on invalid object files: bfd/elf32-hppa.c:468 : hppa_get_stub_entry()
Alias: None
Product: binutils
Classification: Unclassified
Component: ld
Version: 2.30
Importance: P2 normal
Target Milestone: ---
Assignee: Alan Modra
Depends on:
Reported: 2018-05-19 21:11 UTC by Sergei Trofimovich
Modified: 2018-05-22 13:26 UTC (History)

See Also:
Last reconfirmed: 2018-05-22 00:00:00

bug.o (360 bytes, application/x-object)
2018-05-19 21:11 UTC, Sergei Trofimovich
bug-2.o (443 bytes, application/x-object)
2018-05-22 06:44 UTC, Sergei Trofimovich
bug-orig.o (3.86 KB, application/x-object)
2018-05-22 07:05 UTC, Sergei Trofimovich

Description Sergei Trofimovich 2018-05-19 21:11:57 UTC
Created attachment 11031 [details]

Original bug found on libressl: https://bugs.gentoo.org/656104
libressl itself has a bug that triggers binutils SIGSEGV.
See fix if you are interested: https://github.com/libressl-portable/portable/pull/426

Steps to reproduce:

Source file:

    // $ cat bug.i
    __asm__(".section .gnu.warning.");
    a() { b(); }

Build as:

    $ hppa2.0-unknown-linux-gnu-gcc         -fPIC -c bug.i -o bug.o
    $ hppa2.0-unknown-linux-gnu-gcc -shared -fPIC    bug.o -o libbug.so
    collect2: fatal error: ld terminated with signal 11 [Segmentation fault], core dumped

bug.o is also attached.

gdb backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f761db022b4 in sprintf (__fmt=0x7f761db67feb "%08x_%s+%x", __s=0x55a62a3c5fb0 "\020p<*\246U") at /usr/include/bits/stdio2.h:33
33        return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
(gdb) bt
#0  0x00007f761db022b4 in sprintf (__fmt=0x7f761db67feb "%08x_%s+%x", __s=0x55a62a3c5fb0 "\020p<*\246U") at /usr/include/bits/stdio2.h:33
#1  hppa_stub_name (hh=hh@entry=0x55a62a1d1040, rela=<optimized out>, rela=<optimized out>, sym_sec=<optimized out>, input_section=<optimized out>)
    at /usr/src/debug/cross-hppa2.0-unknown-linux-gnu/binutils-2.30-r2/binutils-2.30/bfd/elf32-hppa.c:468
#2  0x00007f761db02399 in hppa_get_stub_entry (sym_sec=sym_sec@entry=0x0, hh=hh@entry=0x55a62a1d1040, rela=rela@entry=0x55a62a200b20, 
    htab=htab@entry=0x55a62a1cfe90, input_section=<optimized out>)
    at /usr/src/debug/cross-hppa2.0-unknown-linux-gnu/binutils-2.30-r2/binutils-2.30/bfd/elf32-hppa.c:517
#3  0x00007f761db045ab in final_link_relocate (info=0x55a629ef2a60 <link_info>, hh=0x55a62a1d1040, sym_sec=<optimized out>, htab=0x55a62a1cfe90, 
    value=<optimized out>, rela=0x55a62a200b20, contents=0x55a62a402aa0 "k\302?\331\b\003\002A\b\036\002Co\301", input_section=0x55a62a1fe920)
    at /usr/src/debug/cross-hppa2.0-unknown-linux-gnu/binutils-2.30-r2/binutils-2.30/bfd/elf32-hppa.c:3274
#4  elf32_hppa_relocate_section (output_bfd=output_bfd@entry=0x55a62a1cdb00, info=0x55a629ef2a60 <link_info>, 
    input_bfd=input_bfd@entry=0x55a62a1eac50, input_section=input_section@entry=0x55a62a1fe920, 
    contents=0x55a62a402aa0 "k\302?\331\b\003\002A\b\036\002Co\301", relocs=relocs@entry=0x55a62a200b20, local_syms=0x55a62a1fc1a0, 
    local_sections=0x55a62a402fa0) at /usr/src/debug/cross-hppa2.0-unknown-linux-gnu/binutils-2.30-r2/binutils-2.30/bfd/elf32-hppa.c:4174
#5  0x00007f761db2bb60 in elf_link_input_bfd (flinfo=flinfo@entry=0x7fffab228070, input_bfd=input_bfd@entry=0x55a62a1eac50)
    at /usr/src/debug/cross-hppa2.0-unknown-linux-gnu/binutils-2.30-r2/binutils-2.30/bfd/elflink.c:10715
#6  0x00007f761db2d6af in bfd_elf_final_link () at /usr/src/debug/cross-hppa2.0-unknown-linux-gnu/binutils-2.30-r2/binutils-2.30/bfd/elflink.c:12033
#7  0x00007f761db0553b in elf32_hppa_final_link (abfd=0x55a62a1cdb00, info=0x55a629ef2a60 <link_info>)
    at /usr/src/debug/cross-hppa2.0-unknown-linux-gnu/binutils-2.30-r2/binutils-2.30/bfd/elf32-hppa.c:3143
#8  0x000055a629c9541f in ldwrite () at /usr/src/debug/cross-hppa2.0-unknown-linux-gnu/binutils-2.30-r2/binutils-2.30/ld/ldwrite.c:581
#9  0x000055a629c7df30 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/cross-hppa2.0-unknown-linux-gnu/binutils-2.30-r2/binutils-2.30/ld/ldmain.c:456
Comment 1 Sergei Trofimovich 2018-05-19 22:00:05 UTC
Minimal reproducer does not require any external objects:
    $ hppa2.0-unknown-linux-gnu-ld -shared -o libbug.so bug.o
Comment 2 cvs-commit@gcc.gnu.org 2018-05-22 05:58:31 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:
commit 7455c018e45766ab7193cbd45f98f781e0dc7d84
Author: Alan Modra <amodra@gmail.com>
Date:   Mon May 21 21:29:25 2018 +0930

    PR23207, hppa ld SIGSEGVs on invalid object files
    We don't create PLT call stubs for anything in non-alloc sections,
    so it doesn't pay to go looking for them.  The problem is that
    non-alloc sections aren't processed by group_sections and thus don't
    get a link_sec set up for them.
    	PR 23207
    	* elf32-hppa.c (final_link_relocate): Don't look for plt call
    	stubs in non-alloc sections.
Comment 3 Sergei Trofimovich 2018-05-22 06:43:50 UTC
(In reply to cvs-commit@gcc.gnu.org from comment #2)
> The master branch has been updated by Alan Modra <amodra@sourceware.org>:
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7455c018e45766ab7193cbd45f98f781e0dc7d84
> commit 7455c018e45766ab7193cbd45f98f781e0dc7d84
> Author: Alan Modra <amodra@gmail.com>
> Date:   Mon May 21 21:29:25 2018 +0930

This seems to fix the minimal reproducer, but not the original bug. ld still SIGSEGVs. Bigger minimal file that still SIGSEGVs:

    // $ cat bug.i
    a() { b(); }
    __asm__(".section .gnu.warning.");
    c() { b(); }

Same steps to reproduce:

    $ hppa2.0-unknown-linux-gnu-gcc         -fPIC -c bug.i -o bug.o
    $ hppa2.0-unknown-linux-gnu-gcc -shared -fPIC    bug.o -o libbug.so

Will attach bigger object file as well.
Comment 4 Sergei Trofimovich 2018-05-22 06:44:29 UTC
Created attachment 11033 [details]
Comment 5 Sergei Trofimovich 2018-05-22 06:47:50 UTC
(In reply to Sergei Trofimovich from comment #4)
> Created attachment 11033 [details]
> bug-2.o

crash backtrace for it:

$ gdb --args ~/dev/git/binutils-gdb-hppa2.0/ld/ld-new -shared -o libbug.so bug.o
(gdb) bt
#0  0x00005555555c980b in hppa_stub_name (input_section=0x0, sym_sec=0x0, hh=0x555555906b50, rela=0x55555591f8d0) at ../../binutils-gdb/bfd/elf32-hppa.c:469
#1  0x00005555555cdd61 in elf32_hppa_size_stubs (output_bfd=0x555555903f20, stub_bfd=0x555555918580, info=0x5555558ebd20 <link_info>, multi_subspace=0, 
    group_size=1, add_stub_section=0x5555555a2b59 <hppaelf_add_stub_section>, layout_sections_again=0x5555555a2c58 <hppaelf_layout_sections_again>)
    at ../../binutils-gdb/bfd/elf32-hppa.c:2925
#2  0x00005555555a2e07 in gldhppalinux_after_allocation () at ehppalinux.c:354
#3  0x000055555559af2a in ldemul_after_allocation () at ../../binutils-gdb/ld/ldemul.c:76
#4  0x0000555555590259 in lang_process () at ../../binutils-gdb/ld/ldlang.c:7403
#5  0x000055555559466e in main (argc=5, argv=0x7fffffffcd98) at ../../binutils-gdb/ld/ldmain.c:438
Comment 6 Sergei Trofimovich 2018-05-22 07:05:21 UTC
Created attachment 11034 [details]

bug-orig.o is an object file produced by gcc on libressl-2.6.4
Comment 7 cvs-commit@gcc.gnu.org 2018-05-22 10:08:27 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:
commit 215f527155ea776fff3f2f836d5da1e300e8c370
Author: Alan Modra <amodra@gmail.com>
Date:   Tue May 22 18:34:18 2018 +0930

    PR23207, hppa ld SIGSEGVs on invalid object files
    The last patch was enough to cure the testcase, but not the original
    object file.  This patch does the same for hppa as is done for ppc64,
    simply test for the section belonging to a group.  I've also
    restricted stubs to load, alloc, code sections.
    	PR 23207
    	* elf32-hppa.c (hppa_get_stub_entry): Return NULL when link_sec
    	is NULL.
    	(elf32_hppa_size_stubs): Only create stubs for load, alloc, code
    	(final_link_relocate): Revert last change.
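A simplified C model of the fix described in comments 2 and 7, added here as an illustration; it is not binutils' own code, and the section, stub_group, flag and function names are constructed stand-ins for the elf32-hppa.c structures. It shows the two guards the commits describe: an ungrouped non-alloc section now yields no stub entry instead of handing a NULL link_sec to sprintf, and the size_stubs pass only admits load, alloc, code sections.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the elf32-hppa.c structures; the flag values
   are made up for this model, not bfd's real SEC_* constants. */
enum { SEC_ALLOC = 1, SEC_LOAD = 2, SEC_CODE = 4 };
#define STUB_SEC_FLAGS (SEC_ALLOC | SEC_LOAD | SEC_CODE)
struct section { const char *name; unsigned id; unsigned flags; };
struct stub_group { struct section *link_sec; };  /* NULL: never grouped */

/* Constructed input mirroring the second reproducer: .text plus the non-alloc
   ".gnu.warning." section, each holding a call to b. */
static struct section secs[] = {
  { ".text", 1, SEC_ALLOC | SEC_LOAD | SEC_CODE },
  { ".gnu.warning.", 2, 0 },
};
#define NSECS (sizeof secs / sizeof secs[0])
static struct stub_group groups[NSECS + 1];
static char stub_buf[64];

/* group_sections only visits alloc sections, so a non-alloc section keeps
   link_sec == NULL in the table: the condition behind the crash. */
static void group_sections(void)
{
  for (size_t i = 0; i < NSECS; i++)
    groups[secs[i].id].link_sec = (secs[i].flags & SEC_ALLOC) ? &secs[i] : NULL;
}

/* Before the fix the NULL link_sec reached sprintf("%08x_%s+%x"); after it,
   a section that was never grouped simply has no stub entry. */
static const char *get_stub_entry(struct section *sec, const char *sym, unsigned addend)
{
  struct section *id_sec = groups[sec->id].link_sec;
  if (id_sec == NULL)
    return NULL;                     /* the fix: no group, no stub lookup */
  snprintf(stub_buf, sizeof stub_buf, "%08x_%s+%x", id_sec->id, sym, addend);
  return stub_buf;
}

/* final_link_relocate's lookup: stub name for the call to b, or NULL. */
const char *stub_name_for(const char *secname)
{
  group_sections();
  for (size_t i = 0; i < NSECS; i++)
    if (strcmp(secs[i].name, secname) == 0)
      return get_stub_entry(&secs[i], "b", 0);
  return NULL;
}

/* The size_stubs filter after the fix: only load+alloc+code sections. */
int stub_candidate(const struct section *sec) { return (sec->flags & STUB_SEC_FLAGS) == STUB_SEC_FLAGS; }
```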
Comment 8 Alan Modra 2018-05-22 13:26:48 UTC