Created attachment 11767 [details]
input files and crash logs

I would like to submit information about crashes in "GNU as" we've found. All crashes are caused by corrupted files (attached). There are many of them, so we've tried to group them for easier analysis (look at point 4).

Found by: Mateusz Kocielski, Michal Dardas from LogicalTrust

1. Used machine

CPU: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz
Ram: 8 GB
OS: Kali Linux, 4.17.0-kali1-amd64
gcc version 8.1.0 (Debian 8.1.0-12)

2. Compilation process

# git clone --depth 1 git://sourceware.org/git/binutils-gdb.git
# cd binutils-gdb
# LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0" ./configure --enable-targets=all
# make -j4
# cd gas
# archs="alpha arm i386 ia64 mcore mips ppc rs6000 sh tic4x tic54x x86_64"
# for arch in $archs; do \
    echo $arch ; \
    make clean ; \
    LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0" ./configure --prefix=`pwd`/bin/ --target=$arch-elf ; \
    make -j4 ; \
    cp as-new as-$arch ; \
  done

3. "as" version

# for as in $(ls as-*); do echo "Binary: $as"; echo `./$as --version | grep ass`; done
Binary: as-alpha
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `alpha-elf'.
Binary: as-arm
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `arm-elf'.
Binary: as-i386
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `i386-elf'.
Binary: as-ia64
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `ia64-elf'.
Binary: as-mcore
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `mcore-elf'.
Binary: as-mips
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `mips-elf'.
Binary: as-ppc
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `ppc-elf'.
Binary: as-rs6000
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `rs6000-elf'.
Binary: as-sh
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `sh-elf'.
Binary: as-tic4x
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `tic4x-elf'.
Binary: as-tic54x
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `tic54x-elf'.
Binary: as-x86_64
GNU assembler (GNU Binutils) 2.32.51.20190414 This assembler was configured for a target of `x86_64-elf'.

4. Crashes

There are 22 directories whose names are related to the line of code at which a crash occurred. Every directory contains files using the following convention:

crash_{binary-name}_{test-case} - crash from ASAN
{test-case} - test case file. To reproduce run as (in corresponding architecture): ./as {test-case}

For example, directory ini386_output_nopsconfig_tc-i386.c:1302 contains files:

crash_as-i386_nop-1.s_1000066.out.min - ASAN log, to reproduce: # as-i386 nop-1.s_1000066.out.min
crash_as-i386_nop-6.s_i386_2750877559.out.min - ASAN log, to reproduce: # as-i386 nop-6.s_i386_2750877559.out.min
crash_as-x86_64_nop-1.s_1000066.out.min - ASAN log, to reproduce: # as-x86_64 nop-1.s_1000066.out.min
crash_as-x86_64_nop-6.s_i386_2750877559.out.min - ASAN log, to reproduce: # as-x86_64 nop-6.s_i386_2750877559.out.min
nop-1.s_1000066.out.min - test case
nop-6.s_i386_2750877559.out.min - test case
Examining now...
Hi mtest1,

Thank you very much for reporting these bugs.

I have applied a patch to address most of the problems, but I was unable to reproduce one of them:

  ini386_intel_simplify_registerconfig_tc-i386-intel.c:289

Please could you check to see if it is still causing you problems ?

Cheers
  Nick
(In reply to Nick Clifton from comment #2)
> Hi mtest1,
>
> Thank you very much for reporting these bugs.
>
> I have applied a patch to address most of the problems, but I
> was unable to reproduce one of them:
>
>   ini386_intel_simplify_registerconfig_tc-i386-intel.c:289
>
> Please could you check to see if it is still causing you problems ?
>
> Cheers
>   Nick

Hi Nick!

We've just tried this testcase and it's still causing problems:

Starting program: /home/shm/src/binutils-gdb/bin/bin/as-i386 < avx512f_vaes-wig.s_401709.out.min
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
{standard input}: Assembler messages:
{standard input}:3: Error: bignum invalid
=================================================================
==1619==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001363f98 at pc 0x0000004a8868 bp 0x7fffffffdfc0 sp 0x7fffffffdfb0
READ of size 8 at 0x000001363f98 thread T0
    #0 0x4a8867 in i386_intel_simplify_register config/tc-i386-intel.c:289
    #1 0x4a9864 in i386_intel_simplify config/tc-i386-intel.c:500
    #2 0x4a8b98 in i386_intel_simplify_symbol config/tc-i386-intel.c:322
    #3 0x4a8e04 in i386_intel_simplify config/tc-i386-intel.c:355
    #4 0x4a8b98 in i386_intel_simplify_symbol config/tc-i386-intel.c:322
    #5 0x4a90fc in i386_intel_simplify config/tc-i386-intel.c:398
    #6 0x4a9e87 in i386_intel_operand config/tc-i386-intel.c:577
    #7 0x4876f1 in parse_operands config/tc-i386.c:4760
    #8 0x484d42 in md_assemble config/tc-i386.c:4089
    #9 0x445c21 in assemble_one /home/shm/src/binutils-gdb/gas/read.c:711
    #10 0x447357 in read_a_source_file /home/shm/src/binutils-gdb/gas/read.c:1179
    #11 0x409f94 in perform_an_assembly_pass /home/shm/src/binutils-gdb/gas/as.c:1197
    #12 0x40a4d0 in main /home/shm/src/binutils-gdb/gas/as.c:1350
    #13 0x7ffff68bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x4034a8 in _start (/home/shm/src/binutils-gdb/bin/bin/as-i386+0x4034a8)

Likely the problem is here:

#7  0x00000000004a8868 in i386_intel_simplify_register (e=0x621000015960) at config/tc-i386-intel.c:289
289	      && (i386_regtab[reg_num].reg_type.bitfield.xmmword
(gdb) print reg_num
$1 = 65534

Somehow X_md got the 65535 value:

(gdb) print *e
$2 = {X_add_symbol = 0x0, X_op_symbol = 0x0, X_add_number = 0, X_op = O_constant, X_unsigned = 0, X_extrabit = 0, X_md = 65535}

thus i386_regtab[reg_num] is accessing the table far after its end:

(gdb) print i386_regtab_size
$3 = 281

Let us know if you need more assistance. Good luck!
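The comment above pins the crash down to an untrusted register index: X_md held 65535, reg_num = X_md - 1 = 65534, and i386_regtab has only 281 entries, so the read lands far outside the table. The C below is an added example, not binutils code and not the patch Nick posted; it models that situation with a tiny constructed register table and shows the unchecked lookup beside a lookup that validates the index before touching memory. The struct layouts, the "X_md is register number plus one, zero means not a register" convention, and every function name are assumptions made for the demo.

```c
/* Added example (not binutils code): a bounds-checked register-table lookup
 * modelled on the crash in this thread, where X_md == 65535 gave
 * reg_num == 65534 against a 281-entry i386_regtab.  Struct layouts, table
 * contents and function names are assumptions for illustration only. */
#include <stddef.h>
#include <stdio.h>

/* Stand-in for an i386_regtab entry: only the fields this demo needs. */
struct reg_entry {
  const char *reg_name;
  unsigned int is_xmm;  /* stands in for reg_type.bitfield.xmmword */
};

/* Constructed table, far smaller than the real one (gdb reported
 * i386_regtab_size = 281 at the time of the report). */
static const struct reg_entry regtab[] = {
  { "eax", 0 }, { "ebx", 0 }, { "xmm0", 1 }, { "xmm1", 1 },
};
static const size_t regtab_size = sizeof regtab / sizeof regtab[0];

/* Minimal stand-in for gas's expressionS.  Assumption for the demo: X_md
 * carries (register number + 1), and 0 means "not a register". */
struct expr {
  unsigned int X_md;
};

/* Unchecked lookup: trusts X_md and indexes straight into the table.  This is
 * the shape of the bug; with X_md == 65535 it reads past the end of regtab
 * (a global-buffer-overflow under ASan).  Never called with bad input here. */
static const struct reg_entry *lookup_register_unchecked(const struct expr *e) {
  unsigned int reg_num = e->X_md - 1;
  return &regtab[reg_num];
}

/* Hardened lookup: reject any X_md that does not name a table entry before
 * memory is touched.  NULL covers both "not a register" and out-of-range,
 * so the caller can report "invalid register number" instead of crashing. */
static const struct reg_entry *lookup_register_checked(const struct expr *e) {
  if (e->X_md == 0)             /* not a register at all */
    return NULL;
  unsigned int reg_num = e->X_md - 1;
  if (reg_num >= regtab_size)   /* the 65534-against-281 case from the report */
    return NULL;
  return &regtab[reg_num];
}

/* Is slot X_md an XMM register?  1 = yes, 0 = no, -1 = invalid register. */
static int register_is_xmm(unsigned int x_md) {
  struct expr e = { x_md };
  const struct reg_entry *r = lookup_register_checked(&e);
  return r ? (int) r->is_xmm : -1;
}

int main(void) {
  unsigned int probes[] = { 1, 3, 5, 65535 };
  struct expr ok = { 1 };
  printf("unchecked, valid input: %s\n", lookup_register_unchecked(&ok)->reg_name);
  for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
    printf("X_md=%u -> %d\n", probes[i], register_is_xmm(probes[i]));
  return 0;
}
```

The useful property is that the decision happens on the integer, not after the load: an index that comes out of parsing attacker-controlled input is compared against the table size first, and the "invalid" outcome is a return value the caller must handle rather than a memory access ASan has to catch.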
Created attachment 11772 [details]
Proposed patch

Hi mtest1,

Ah - yes - I know why I could not reproduce this problem now ... There is a long standing problem with Fedora which makes it impossible to build 32-bit binaries with address sanitization enabled. So my i386-elf toolchain actually has 64-bit executables in it rather than 32-bit ones.

Please could you try out the uploaded patch and let me know if it resolves the problem ? It may not work however as all it does is to (try to) stop the illegal memory access inside i386_intel_simplify_register(). It does not address the underlying problem of why an illegal register number was being used in the first place.

Cheers
  Nick
> I have applied a patch to address most of the problems

I don't see any such patch applied or posted?
(In reply to Nick Clifton from comment #4)
> Created attachment 11772 [details]
> Proposed patch
>
> Hi mtest1,
>
> Ah - yes - I know why I could not reproduce this problem now ... There is
> a long standing problem with Fedora which makes it impossible to build
> 32-bit binaries with address sanitization enabled. So my i386-elf
> toolchain
> actually has 64-bit executables in it rather than 32-bit ones.
>
> Please could you try out the uploaded patch and let me know if it resolves
> the problem ? It may not work however as all it does is to (try to) stop
> the illegal memory access inside i386_intel_simplify_register(). It does
> not address the underlying problem of why an illegal register number was
> being used in the first place.
>
> Cheers
>   Nick

Hello Nick,

your patch fixed the problem:

$ ./as-i386 ~/tmp/result/ini386_intel_simplify_registerconfig_tc-i386-intel.c\:289/avx512f_vaes-wig.s_401709.out.min
/home/shm/tmp/result/ini386_intel_simplify_registerconfig_tc-i386-intel.c:289/avx512f_vaes-wig.s_401709.out.min: Assembler messages:
/home/shm/tmp/result/ini386_intel_simplify_registerconfig_tc-i386-intel.c:289/avx512f_vaes-wig.s_401709.out.min:3: Error: bignum invalid
/home/shm/tmp/result/ini386_intel_simplify_registerconfig_tc-i386-intel.c:289/avx512f_vaes-wig.s_401709.out.min:3: Error: invalid register number

May I ask you to let us know when you commit the patches?

Best Regards!
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3076e59490428c9719765f9b007d6d0d0238f006

commit 3076e59490428c9719765f9b007d6d0d0238f006
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri May 10 16:57:31 2019 +0100

    A series of fixes to address problems detected by compiling the assembler with address sanitization enabled.

    	PR 24538
    gas
    	* macro.c (get_any_string): Increase size of buffer used to hold decimal value of expression result.
    	* dw2gencfi.c (get_debugseg_name): Handle an empty name.
    	* dwarf2dbg.c (get_filenum): Catch integer wraparound when extending allocate file array.
    	(dwarf2_directive_filename): Add extra checks of the computed file number.
    	* config/tc-arm.c (arm_tc_equal_in_insn): Insert copy of name into warning hash table.
    	(s_arm_eabi_attribute): Check for obj_elf_vendor_attribute returning -1.
    	* config/tc-i386.c (i386_output_nops): Catch an attempt to generate nops of negative lengths.
    	* as.h (MAX_LITTLENUMS): Move definition to here from...
    	* config/atof-ieee.c: ...here.
    	* config/tc-aarch64.c: ...here.
    	* config/tc-arc.c: ...here.
    	* config/tc-arm.c: ...here.
    	* config/tc-epiphany.c: ...here.
    	* config/tc-i386.c: ...here.
    	* config/tc-ia64.c: ...here. (And correct the value).
    	* config/tc-m32c.c: ...here.
    	* config/tc-m32r.c: ...here.
    	* config/tc-metag.c: ...here.
    	* config/tc-microblaze.c: ...here.
    	* config/tc-nds32.c: ...here.
    	* config/tc-or1k.c: ...here.
    	* config/tc-score.c: ...here.
    	* config/tc-score7.c: ...here.
    	* config/tc-tic4x.c: ...here.
    	* config/tc-tilegx.c: ...here.
    	* config/tc-tilepro.c: ...here.
    	* config/tc-visium.c: ...here.
    	* config/tc-sh.c (md_assemble): Add check for an instruction with no opcodes.
    	* config/tc-mips.c (mips_lookup_insn): Add check for very short instruction name.
    	* config/tc-tic54x.c: Use unsigned chars to access is_end_of_line array.
    	(tic54x_start_line_hook): Check for an empty line.
    	(next_line_shows_parallel): Do not walk off the end of the string.
    	(tic54x_macro_start): Check for too much macro nesting.
    	(tic54x_start_label): Add label_start parameter. Use this parameter to check the first character of the label.
    	* config/tc-tic54x.h (TC_START_LABEL_WITHOUT_COLON): Pass line_start variable to tic54x_start_label.

    	PR 24538
    opcodes
    	* ia64-opc.c (ia64_find_matching_opcode): Check for reaching the end of the table prematurely.
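One entry in the commit above, "dwarf2dbg.c (get_filenum): Catch integer wraparound when extending allocate file array", names a second bug class from the same report: a table that is grown on demand to hold an index taken from the input, where computing the new size can wrap. The C below is an added example written for this thread, not the gas code and not the committed fix; it keeps a constructed file-number table and grows it only after checking that num + 1 and the byte count are representable. The struct, the doubling policy and all function names are assumptions for the demo.

```c
/* Added example (not binutils code): growing an index-keyed array without
 * integer wraparound, the class of defect the commit lists for
 * dwarf2dbg.c (get_filenum).  Layout, policy and names are assumptions. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct file_entry { const char *filename; };

struct file_table {
  struct file_entry *files;
  unsigned int files_allocated;  /* slots available */
  unsigned int files_in_use;     /* highest used number + 1 */
};

/* Make sure slot `num` exists.  Returns 0 on success, -1 if `num` cannot be
 * represented as a count or the byte size would overflow size_t.  Growth
 * doubles the allocation but saturates at UINT_MAX so the counter itself
 * cannot wrap back to a small value. */
static int file_table_reserve(struct file_table *t, unsigned int num) {
  if (num == UINT_MAX)            /* num + 1 would wrap to 0 */
    return -1;
  unsigned int needed = num + 1;
  if (needed <= t->files_allocated)
    return 0;
  unsigned int new_alloc = t->files_allocated ? t->files_allocated : 16;
  while (new_alloc < needed) {
    if (new_alloc > UINT_MAX / 2) { new_alloc = UINT_MAX; break; }
    new_alloc *= 2;
  }
  if ((size_t) new_alloc > SIZE_MAX / sizeof *t->files)
    return -1;                    /* byte count would overflow */
  struct file_entry *p = realloc(t->files, (size_t) new_alloc * sizeof *t->files);
  if (p == NULL)
    return -1;
  /* Zero the new tail so unassigned slots read as "no file". */
  memset(p + t->files_allocated, 0,
         (size_t) (new_alloc - t->files_allocated) * sizeof *p);
  t->files = p;
  t->files_allocated = new_alloc;
  return 0;
}

/* Assign `name` to file number `num`, validating before indexing. */
static int file_table_set(struct file_table *t, unsigned int num, const char *name) {
  if (file_table_reserve(t, num) != 0)
    return -1;
  t->files[num].filename = name;
  if (num >= t->files_in_use)
    t->files_in_use = num + 1;
  return 0;
}

static void file_table_free(struct file_table *t) {
  free(t->files);
  t->files = NULL;
  t->files_allocated = t->files_in_use = 0;
}

int main(void) {
  struct file_table t = { NULL, 0, 0 };
  printf("set 0:        %d\n", file_table_set(&t, 0, "a.s"));
  printf("set 40:       %d (allocated %u)\n", file_table_set(&t, 40, "b.s"), t.files_allocated);
  printf("set UINT_MAX: %d (rejected before any allocation)\n",
         file_table_set(&t, UINT_MAX, "x.s"));
  file_table_free(&t);
  return 0;
}
```

The two checks that matter are the early `num == UINT_MAX` test, which catches the `num + 1` wrap before it can produce a zero-sized "successful" allocation, and the `SIZE_MAX / sizeof` test, which keeps the multiplication passed to realloc from wrapping on its own. Both are cheap and make the out-of-range index a reported error rather than a write past the end of a buffer.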
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=35015cd193be5e603ed31c14472d2d9d17e14e7a

commit 35015cd193be5e603ed31c14472d2d9d17e14e7a
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue May 14 12:42:02 2019 +0100

    Fix illegal memory access triggered when attempting to assemble a bogus i386 source file.

    	PR 24538
    	* config/tc-i386-intel.c (i386_intel_simplify_register): Reject illegal register numbers.
(In reply to mtest1 from comment #6)
Hi,

> May I ask you to let us know when you commit the patches?

They are all now in.

Cheers
  Nick
(In reply to cvs-commit@gcc.gnu.org from comment #8)
> The master branch has been updated by Nick Clifton <nickc@sourceware.org>:
>
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> h=35015cd193be5e603ed31c14472d2d9d17e14e7a
>
> commit 35015cd193be5e603ed31c14472d2d9d17e14e7a
> Author: Nick Clifton <nickc@redhat.com>
> Date:   Tue May 14 12:42:02 2019 +0100
>
>     Fix illegal memory access triggered when attempting to assemble a bogus
>     i386 source file.
>
>     	PR 24538
>     	* config/tc-i386-intel.c (i386_intel_simplify_register): Reject
>     	illegal register numbers.

Hi Nick,

After this commit, I'm seeing:

UNRESOLVED: objcopy (verilog data width)

The error message is:

Assembler messages:
Error: can't open /testsuite/binutils-all/verilogtest.s for reading: No such file or directory
assembler exited with status 1
Hi Chris,

> UNRESOLVED: objcopy (verilog data width)

Doh! (Stupid .gitignore...)

OK, this should now be fixed. Thanks for letting me know about it.

Cheers
  Nick
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ded12894f5a2836b06c997b899d04c9f692004c1

commit ded12894f5a2836b06c997b899d04c9f692004c1
Author: Alan Modra <amodra@gmail.com>
Date:   Wed May 15 11:15:17 2019 +0930

    tic54x_start_line_hook

    git commit 3076e59490 caused tic54x-coff
    +FAIL: c54x subsym assignment/use

    	PR 24538
    	* config/tc-tic54x.c (tic54x_start_line_hook): Do skip end of line chars in setting endp.