Bug 24538 - GAS crashes caused by corrupted input files
Summary: GAS crashes caused by corrupted input files
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: gas
Version: 2.32
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2019-05-08 16:49 UTC by mtest1
Modified: 2019-05-15 07:00 UTC (History)

Last reconfirmed: 2019-05-10 00:00:00


Attachments
input files and crash logs (69.42 KB, application/zip)
2019-05-08 16:49 UTC, mtest1
Proposed patch (288 bytes, patch)
2019-05-13 11:30 UTC, Nick Clifton

Description mtest1 2019-05-08 16:49:29 UTC
Created attachment 11767 [details]
input files and crash logs

I would like to submit information about crashes in "GNU as" we've found. All crashes are caused by corrupted files (attached).

There are many of them, so we've tried to group them for easier analysis (look at point 4).

Found by: Mateusz Kocielski, Michal Dardas from LogicalTrust

1. Used machine
CPU: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz
Ram: 8 GB
OS: Kali Linux, 4.17.0-kali1-amd64
gcc version 8.1.0 (Debian 8.1.0-12)

2. Compilation process
# git clone --depth 1 git://sourceware.org/git/binutils-gdb.git
# cd binutils-gdb
# LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0" ./configure --enable-targets=all
# make -j4
# cd gas
# archs="alpha arm i386 ia64 mcore mips ppc rs6000 sh tic4x tic54x x86_64"
# for arch in $archs; do \
    echo $arch ; \
    make clean ; \
    LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0" ./configure --prefix=`pwd`/bin/ --target=$arch-elf ; \
    make -j4 ; \
    cp as-new as-$arch ; \
done

3. "as" version
# for as in $(ls as-*); do echo "Binary: $as"; echo `./$as --version | grep ass`; done
Binary: as-alpha
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `alpha-elf'.
Binary: as-arm
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `arm-elf'.
Binary: as-i386
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `i386-elf'.
Binary: as-ia64
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `ia64-elf'.
Binary: as-mcore
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `mcore-elf'.
Binary: as-mips
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `mips-elf'.
Binary: as-ppc
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `ppc-elf'.
Binary: as-rs6000
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `rs6000-elf'.
Binary: as-sh
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `sh-elf'.
Binary: as-tic4x
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `tic4x-elf'.
Binary: as-tic54x
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `tic54x-elf'.
Binary: as-x86_64
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `x86_64-elf'.

4. Crashes
There are 22 directories whose names are related to the line of code at which a crash occurred. Every directory contains files using the following convention:
crash_{binary-name}_{test-case} - crash from ASAN
{test-case} - test case file. To reproduce, run as (for the corresponding architecture): ./as {test-case}
for example, directory ini386_output_nopsconfig_tc-i386.c:1302 contains files:
crash_as-i386_nop-1.s_1000066.out.min - ASAN log, to reproduce: # as-i386 nop-1.s_1000066.out.min
crash_as-i386_nop-6.s_i386_2750877559.out.min - ASAN log, to reproduce: # as-i386 nop-6.s_i386_2750877559.out.min
crash_as-x86_64_nop-1.s_1000066.out.min - ASAN log, to reproduce: # as-x86_64 nop-1.s_1000066.out.min
crash_as-x86_64_nop-6.s_i386_2750877559.out.min - ASAN log, to reproduce: # as-x86_64 nop-6.s_i386_2750877559.out.min
nop-1.s_1000066.out.min - test case
nop-6.s_i386_2750877559.out.min - test case
Comment 1 Nick Clifton 2019-05-10 12:15:53 UTC
Examining now...
Comment 2 Nick Clifton 2019-05-10 16:05:23 UTC
Hi mtest1,

  Thank you very much for reporting these bugs.

  I have applied a patch to address most of the problems, but I
  was unable to reproduce one of them: 

    ini386_intel_simplify_registerconfig_tc-i386-intel.c:289

  Please could you check to see if it is still causing you problems ?

Cheers
  Nick
Comment 3 mtest1 2019-05-13 07:47:43 UTC
(In reply to Nick Clifton from comment #2)
> Hi mtest1,
> 
>   Thank you very much for reporting these bugs.
> 
>   I have applied a patch to address most of the problems, but I
>   was unable to reproduce one of them: 
> 
>     ini386_intel_simplify_registerconfig_tc-i386-intel.c:289
> 
>   Please could you check to see if it is still causing you problems ?
> 
> Cheers
>   Nick

Hi Nick!

 We've just tried this testcase and it's still causing problems:

 Starting program: /home/shm/src/binutils-gdb/bin/bin/as-i386 < avx512f_vaes-wig.s_401709.out.min
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
{standard input}: Assembler messages:
{standard input}:3: Error: bignum invalid
=================================================================
==1619==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001363f98 at pc 0x0000004a8868 bp 0x7fffffffdfc0 sp 0x7fffffffdfb0
READ of size 8 at 0x000001363f98 thread T0
    #0 0x4a8867 in i386_intel_simplify_register config/tc-i386-intel.c:289
    #1 0x4a9864 in i386_intel_simplify config/tc-i386-intel.c:500
    #2 0x4a8b98 in i386_intel_simplify_symbol config/tc-i386-intel.c:322
    #3 0x4a8e04 in i386_intel_simplify config/tc-i386-intel.c:355
    #4 0x4a8b98 in i386_intel_simplify_symbol config/tc-i386-intel.c:322
    #5 0x4a90fc in i386_intel_simplify config/tc-i386-intel.c:398
    #6 0x4a9e87 in i386_intel_operand config/tc-i386-intel.c:577
    #7 0x4876f1 in parse_operands config/tc-i386.c:4760
    #8 0x484d42 in md_assemble config/tc-i386.c:4089
    #9 0x445c21 in assemble_one /home/shm/src/binutils-gdb/gas/read.c:711
    #10 0x447357 in read_a_source_file /home/shm/src/binutils-gdb/gas/read.c:1179
    #11 0x409f94 in perform_an_assembly_pass /home/shm/src/binutils-gdb/gas/as.c:1197
    #12 0x40a4d0 in main /home/shm/src/binutils-gdb/gas/as.c:1350
    #13 0x7ffff68bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x4034a8 in _start (/home/shm/src/binutils-gdb/bin/bin/as-i386+0x4034a8)

 Likely the problem is here:

 #7  0x00000000004a8868 in i386_intel_simplify_register (e=0x621000015960) at config/tc-i386-intel.c:289
289		   && (i386_regtab[reg_num].reg_type.bitfield.xmmword
(gdb) print reg_num
$1 = 65534

 Somehow X_md got the value 65535:

(gdb) print *e
$2 = {X_add_symbol = 0x0, X_op_symbol = 0x0, X_add_number = 0, X_op = O_constant, X_unsigned = 0, X_extrabit = 0, X_md = 65535}

 thus i386_regtab[reg_num] is accessing the table far past its end:

 (gdb) print i386_regtab_size 
 $3 = 281

 Let us know if you need more assistance.

 Good luck!
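The defect described in comment 3 is an unchecked table index: X_md (here 65535) is turned into reg_num and used to read i386_regtab, which has only 281 entries. The following is an added example, not gas source, that models that lookup with constructed stand-ins for the gas structures; the mapping reg_num = X_md - 1 is an assumption taken from the gdb output above, and the "invalid register number" message mirrors the one seen after the patch.

```c
/* Added example (not binutils code). Constructed stand-ins for the gas
 * register table and expression structure; sizes and names are made up. */
#include <stddef.h>
#include <stdio.h>

struct reg_entry {
  const char *reg_name;
  unsigned int is_xmmword;   /* stand-in for reg_type.bitfield.xmmword */
};

/* Constructed table with four entries; the real i386_regtab has 281. */
static const struct reg_entry i386_regtab[] = {
  { "eax", 0 }, { "ecx", 0 }, { "xmm0", 1 }, { "xmm1", 1 },
};
static const size_t i386_regtab_size =
  sizeof i386_regtab / sizeof i386_regtab[0];

/* Minimal expressionS stand-in: X_md is assumed to hold register index + 1,
 * consistent with X_md = 65535 giving reg_num = 65534 in the report. */
struct expr { unsigned int X_md; };

/* The unchecked pattern: the index comes straight from X_md.  With
 * X_md == 65535 this reads far past the table (ASan global-buffer-overflow).
 * Kept only to show the shape of the bug; never call it with unvalidated input. */
const struct reg_entry *lookup_unchecked(const struct expr *e) {
  unsigned int reg_num = e->X_md - 1;
  return &i386_regtab[reg_num];
}

/* Hardened lookup: reject any register number outside the table before
 * it is used as an index.  Returns NULL on rejection. */
const struct reg_entry *lookup_checked(const struct expr *e) {
  if (e->X_md == 0)            /* X_md == 0: not a register at all */
    return NULL;
  unsigned int reg_num = e->X_md - 1;
  if (reg_num >= i386_regtab_size) {
    fprintf(stderr, "Error: invalid register number\n");
    return NULL;
  }
  return &i386_regtab[reg_num];
}

/* Returns 1 if X_md names an xmm register, 0 otherwise (including when
 * the number is out of range, which is what the fix makes happen). */
int is_xmm_register(unsigned int x_md) {
  struct expr e = { x_md };
  const struct reg_entry *r = lookup_checked(&e);
  return r != NULL && r->is_xmmword;
}
```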
Comment 4 Nick Clifton 2019-05-13 11:30:38 UTC
Created attachment 11772 [details]
Proposed patch

Hi mtest1,

  Ah - yes - I know why I could not reproduce this problem now ...  There is
  a long standing problem with Fedora which makes it impossible to build
  32-bit binaries with address sanitization enabled.  So my i386-elf toolchain
  actually has 64-bit executables in it rather than 32-bit ones.

  Please could you try out the uploaded patch and let me know if it resolves
  the problem ?  It may not work however as all it does is to (try to) stop 
  the illegal memory access inside i386_intel_simplify_register().  It does
  not address the underlying problem of why an illegal register number was
  being used in the first place.

Cheers
  Nick
Comment 5 Alan Modra 2019-05-14 00:27:36 UTC
> I have applied a patch to address most of the problems

I don't see any such patch applied or posted?
Comment 6 mtest1 2019-05-14 07:19:29 UTC
(In reply to Nick Clifton from comment #4)
> Created attachment 11772 [details]
> Proposed patch
> 
> Hi mtest1,
> 
>   Ah - yes - I know why I could not reproduce this problem now ...  There is
>   a long standing problem with Fedora which makes it impossible to build
>   32-bit binaries with address sanitization enabled.  So my i386-elf
> toolchain
>   actually has 64-bit executables in it rather than 32-bit ones.
> 
>   Please could you try out the uploaded patch and let me know if it resolves
>   the problem ?  It may not work however as all it does is to (try to) stop 
>   the illegal memory access inside i386_intel_simplify_register().  It does
>   not address the underlying problem of why an illegal register number was
>   being used in the first place.
> 
> Cheers
>   Nick

Hello Nick,

 your patch fixed the problem:

$ ./as-i386 ~/tmp/result/ini386_intel_simplify_registerconfig_tc-i386-intel.c\:289/avx512f_vaes-wig.s_401709.out.min 
/home/shm/tmp/result/ini386_intel_simplify_registerconfig_tc-i386-intel.c:289/avx512f_vaes-wig.s_401709.out.min: Assembler messages:
/home/shm/tmp/result/ini386_intel_simplify_registerconfig_tc-i386-intel.c:289/avx512f_vaes-wig.s_401709.out.min:3: Error: bignum invalid
/home/shm/tmp/result/ini386_intel_simplify_registerconfig_tc-i386-intel.c:289/avx512f_vaes-wig.s_401709.out.min:3: Error: invalid register number

 May I ask you to let us know when you commit the patches?

 Best Regards!
Comment 7 cvs-commit@gcc.gnu.org 2019-05-14 09:43:17 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3076e59490428c9719765f9b007d6d0d0238f006

commit 3076e59490428c9719765f9b007d6d0d0238f006
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri May 10 16:57:31 2019 +0100

    A series of fixes to address problems detected by compiling the assembler with address sanitization enabled.
    
    	PR 24538
    gas	* macro.c (get_any_string): Increase size of buffer used to hold
    	decimal value of expression result.
    	* dw2gencfi.c (get_debugseg_name): Handle an empty name.
    	* dwarf2dbg.c (get_filenum): Catch integer wraparound when
    	extending allocate file array.
    	(dwarf2_directive_filename): Add extra checks of the computed file
    	number.
    	* config/tc-arm.c (arm_tc_equal_in_insn): Insert copy of name into
    	warning hash table.
    	(s_arm_eabi_attribute): Check for obj_elf_vendor_attribute
    	returning -1.
    	* config/tc-i386.c (i386_output_nops): Catch an attempt to
    	generate nops of negative lengths.
    	* as.h (MAX_LITTLENUMS): Move definition to here from...
    	* config/atof-ieee.c: ...here.
    	* config/tc-aarch64.c: ...here.
    	* config/tc-arc.c: ...here.
    	* config/tc-arm.c: ...here.
    	* config/tc-epiphany.c: ...here.
    	* config/tc-i386.c: ...here.
    	* config/tc-ia64.c: ...here.  (And correct the value).
    	* config/tc-m32c.c: ...here.
    	* config/tc-m32r.c: ...here.
    	* config/tc-metag.c: ...here.
    	* config/tc-microblaze.c: ...here.
    	* config/tc-nds32.c: ...here.
    	* config/tc-or1k.c: ...here.
    	* config/tc-score.c: ...here.
    	* config/tc-score7.c: ...here.
    	* config/tc-tic4x.c: ...here.
    	* config/tc-tilegx.c: ...here.
    	* config/tc-tilepro.c: ...here.
    	* config/tc-visium.c: ...here.
    	* config/tc-sh.c (md_assemble): Add check for an instruction with
    	no opcodes.
    	* config/tc-mips.c (mips_lookup_insn): Add check for very short
    	instruction name.
    	* config/tc-tic54x.c: Use unsigned chars to access is_end_of_line
    	array.
    	(tic54x_start_line_hook): Check for an empty line.
    	(next_line_shows_parallel): Do not walk off the end of the string.
    	(tic54x_macro_start): Check for too much macro nesting.
    	(tic54x_start_label): Add label_start parameter.  Use this
    	parameter to check the first character of the label.
    	* config/tc-tic54x.h (TC_START_LABEL_WITHOUT_COLON): Pass
    	line_start variable to tic54x_start_label.
    
    	PR 24538
    opcodes	* ia64-opc.c (ia64_find_matching_opcode): Check for reaching the
    	end of the table prematurely.
Comment 8 cvs-commit@gcc.gnu.org 2019-05-14 11:43:31 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=35015cd193be5e603ed31c14472d2d9d17e14e7a

commit 35015cd193be5e603ed31c14472d2d9d17e14e7a
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue May 14 12:42:02 2019 +0100

    Fix illegal memory access triggered when attempting to assemble a bogus i386 source file.
    
    	PR 24538
    	* config/tc-i386-intel.c (i386_intel_simplify_register): Reject
    	illegal register numbers.
Comment 9 Nick Clifton 2019-05-14 11:45:02 UTC
(In reply to mtest1 from comment #6)
Hi,

>  May I ask you to let us know when you commit the patches?

They are all now in.

Cheers
  Nick
Comment 10 Christophe Lyon 2019-05-14 13:32:55 UTC
(In reply to cvs-commit@gcc.gnu.org from comment #8)
> The master branch has been updated by Nick Clifton <nickc@sourceware.org>:
> 
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=35015cd193be5e603ed31c14472d2d9d17e14e7a
> 
> commit 35015cd193be5e603ed31c14472d2d9d17e14e7a
> Author: Nick Clifton <nickc@redhat.com>
> Date:   Tue May 14 12:42:02 2019 +0100
> 
>     Fix illegal memory access triggered when attempting to assemble a bogus
> i386 source file.
>     
>     	PR 24538
>     	* config/tc-i386-intel.c (i386_intel_simplify_register): Reject
>     	illegal register numbers.

Hi Nick,

After this commit, I'm seeing:
UNRESOLVED: objcopy (verilog data width)

The error message is:
Assembler messages:
Error: can't open /testsuite/binutils-all/verilogtest.s for reading: No such file or directory
assembler exited with status 1
Comment 11 Nick Clifton 2019-05-14 15:18:56 UTC
Hi Chris,

> UNRESOLVED: objcopy (verilog data width)

Doh!  (Stupid .gitignore...)  OK, this should now be fixed.
Thanks for letting me know about it.

Cheers
  Nick
Comment 12 cvs-commit@gcc.gnu.org 2019-05-15 07:00:00 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ded12894f5a2836b06c997b899d04c9f692004c1

commit ded12894f5a2836b06c997b899d04c9f692004c1
Author: Alan Modra <amodra@gmail.com>
Date:   Wed May 15 11:15:17 2019 +0930

    tic54x_start_line_hook
    
    git commit 3076e59490 caused
    tic54x-coff  +FAIL: c54x subsym assignment/use
    
    	PR 24538
    	* config/tc-tic54x.c (tic54x_start_line_hook): Do skip end of line
    	chars in setting endp.