Bug 32109 - internal error, aborting at bfd/bfd.c:1236 in int _bfd_doprnt
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: unspecified
Importance: P2 normal
Target Milestone: 2.44
Assignee: Alan Modra
Reported: 2024-08-21 21:02 UTC by John Reiser
Modified: 2025-01-04 09:31 UTC
Last reconfirmed: 2024-08-23 00:00:00
Attachments
shared library to dlopen() (8.86 KB, application/x-sharedlib)
2024-08-21 21:02 UTC, John Reiser
main program calling dlopen (2.55 KB, application/x-executable)
2024-08-21 21:03 UTC, John Reiser

Description John Reiser 2024-08-21 21:02:31 UTC
Created attachment 15680
shared library to dlopen()

BFD (GNU Binutils) 2.42.50 internal error, aborting at /home/builder/.termux-build/gdb/src/bfd/bfd.c:1236 in int _bfd_doprnt(bfd_print_callback, void *, const char *, union _bfd_doprnt_args *)

gdb --version:
GNU gdb (GDB) 15.1
Copyright (C) 2024 Free Software Foundation, Inc.

OS (uname -a): Linux localhost 4.19.191-28086179-abT220XXS7DXF9 #1 SMP PREEMPT Tue Jun 18 19:07:00 +07 2024 aarch64 Android
hardware: arm64 (Aarch64-v8a) Samsung tablet running termux
target software being debugged: ELF eabi5 arm32 (arm7hf)


Terminal transcript (lightly edited)
-----
$ gdb --args my_dlopen32 ./my_lib-arm32-upx.so
(gdb) b main
(gdb) run
Breakpoint 1, main (argc=0x2, argv=0xfffeef94) at my_dlopen.c:6
   6    if (2 != argc) {
(gdb) n
  10        void *handle = dlopen(argv[1], RTLD_NOW);
(gdb) n
warning: BFD: warning: /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so has a section extending past end of file
warning: Loadable section ".rodata" outside of ELF segments
  in /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so
warning: Loadable section ".text" outside of ELF segments
  in /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so
warning: Loadable section ".plt" outside of ELF segments
   in /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so
warning: Loadable section ".data.rel.ro" outside of ELF segments
  in /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so
warning: Loadable section ".fini_array" outside of ELF segments
  in /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so
warning: Loadable section ".init_array" outside of ELF segments
  in /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so
warning: Loadable section ".dynamic" outside of ELF segments
  in /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so
warning: Loadable section ".got" outside of ELF segments
  in /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so
warning: Loadable section ".got.plt" outside of ELF segments
  in /data/data/com.termux/files/home/github-issue700/my_lib-arm32-upx.so
BFD: BFD (GNU Binutils) 2.42.50 internal error, aborting at /home/builder/.termux-build/gdb/src/bfd/bfd.c:1236 in int _bfd_doprnt(bfd_print_callback, void *, const char *, union _bfd_doprnt_args *)
  Please report this bug.
-----
Comment 1 John Reiser 2024-08-21 21:03:40 UTC
Created attachment 15681
main program calling dlopen
Comment 2 Tom Tromey 2024-08-23 18:40:12 UTC
This seems to be a bug in BFD:

		  if (sec == NULL)
		    /* Invoking %pA with a null section pointer is an
		       internal error.  */
		    abort ();
coming from:

#0  _bfd_doprnt (print=print@entry=0xf3fa73 <print_error_callback(void*, char const*, ...)>, stream=stream@entry=0x7fffffffd780, 
    format=format@entry=0x2600780 "%pB(%pA): string table is corrupt", args=args@entry=0x7fffffffd690) at ../../binutils-gdb/bfd/bfd.c:1237
#1  0x00000000016088e7 in _bfd_print (ap=0x7fffffffd7f8, fmt=0x2600780 "%pB(%pA): string table is corrupt", stream=0x7fffffffd780, 
    print_func=0xf3fa73 <print_error_callback(void*, char const*, ...)>) at ../../binutils-gdb/bfd/bfd.c:1497
#2  bfd_print_error (print_func=0xf3fa73 <print_error_callback(void*, char const*, ...)>, stream=0x7fffffffd780, fmt=0x2600780 "%pB(%pA): string table is corrupt", ap=0x7fffffffd7f8)
    at ../../binutils-gdb/bfd/bfd.c:1523
#3  0x0000000000f3fba2 in gdb_bfd_error_handler(const char *, typedef __va_list_tag __va_list_tag *) (fmt=0x2600780 "%pB(%pA): string table is corrupt", ap=0x7fffffffd7f8)
    at ../../binutils-gdb/gdb/gdb_bfd.c:1246
#4  0x0000000001608876 in _bfd_error_handler (fmt=<optimized out>) at ../../binutils-gdb/bfd/bfd.c:1726
#5  0x000000000162d327 in bfd_elf_get_str_section (abfd=abfd@entry=0x31c0db0, shindex=shindex@entry=30) at ../../binutils-gdb/bfd/elf.c:303
#6  0x000000000162d3cd in bfd_elf_string_from_elf_section (abfd=0x31c0db0, shindex=30, strindex=771778675) at ../../binutils-gdb/bfd/elf.c:341
#7  0x000000000162d829 in bfd_elf_string_from_elf_section (strindex=<optimized out>, shindex=<optimized out>, abfd=<optimized out>) at ../../binutils-gdb/bfd/elf.c:560
#8  bfd_elf_sym_name (abfd=abfd@entry=0x31c0db0, symtab_hdr=symtab_hdr@entry=0x31c0f90, isym=isym@entry=0x31c23f0, sym_sec=sym_sec@entry=0x0) at ../../binutils-gdb/bfd/elf.c:553
#9  0x000000000166e0b2 in bfd_elf32_slurp_symbol_table (abfd=0x31c0db0, symptrs=0x308eee0, dynamic=false) at ../../binutils-gdb/bfd/elfcode.h:1358
Comment 3 Sourceware Commits 2024-08-26 00:11:24 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=db856d41004301b3a56438efd957ef5cabb91530

commit db856d41004301b3a56438efd957ef5cabb91530
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Aug 25 15:20:21 2024 +0930

    PR32109, aborting at bfd/bfd.c:1236 in int _bfd_doprnt
    
    Since bfd_section for .strtab isn't set, print the section index
    instead.  Also, don't return NULL on this error as that results in
    multiple mmap/read of the string table.  (We could return NULL if we
    arranged to set sh_size zero first, but just what we do with fuzzed
    object files is of no concern, and terminating the table might make a
    faulty object file usable.)
    
            PR 32109
            * elf.c (bfd_elf_get_str_section): Remove outdated comment, and
            tweak shstrtabsize test to suit.  Don't use string tab bfd_section
            in error message, use index instead.  Don't return NULL on
            unterminated string section, terminate it.
            (_bfd_elf_get_dynamic_symbols): Similarly terminate string table
            section.
Comment 4 Sourceware Commits 2024-08-26 01:07:40 UTC
The binutils-2_43-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cd3e2b58f2c42197737e5f24943a74c394d04b05

commit cd3e2b58f2c42197737e5f24943a74c394d04b05
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Aug 25 15:20:21 2024 +0930

    PR32109, aborting at bfd/bfd.c:1236 in int _bfd_doprnt
    
    Since bfd_section for .strtab isn't set, print the section index
    instead.  Also, don't return NULL on this error as that results in
    multiple mmap/read of the string table.  (We could return NULL if we
    arranged to set sh_size zero first, but just what we do with fuzzed
    object files is of no concern, and terminating the table might make a
    faulty object file usable.)
    
            PR 32109
            * elf.c (bfd_elf_get_str_section): Remove outdated comment, and
            tweak shstrtabsize test to suit.  Don't use string tab bfd_section
            in error message, use index instead.  Don't return NULL on
            unterminated string section, terminate it.
            (_bfd_elf_get_dynamic_symbols): Similarly terminate string table
            section.
    
    (cherry picked from commit db856d41004301b3a56438efd957ef5cabb91530)
Comment 5 Alan Modra 2024-08-26 01:19:23 UTC
Pushed to the branch as well since this is an internal error.  My policy is to not apply release branch fixes for bugs triggered by fuzzed object files, but in this case there doesn't seem much risk that the fix will introduce some other failure.
Comment 6 Sourceware Commits 2024-09-30 23:23:16 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=656f8fbaae34cb37bda5110cbc8c79c6a2aaa847

commit 656f8fbaae34cb37bda5110cbc8c79c6a2aaa847
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Oct 1 07:53:55 2024 +0930

    segv in bfd_elf_get_str_section
    
    Attempting to write a termination NUL to PROT_READ mmap'd memory was
    a silly idea.
    
            PR 32109
            * elf.c (bfd_elf_get_str_section): Don't write terminating NUL
            if missing.
            * libbfd.c (_bfd_munmap_readonly_temporary): Correct comment.
Comment 7 Sourceware Commits 2024-09-30 23:53:23 UTC
The binutils-2_43-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=95ed7cf1be25d86ca455b09ffee4f129f1857f1d

commit 95ed7cf1be25d86ca455b09ffee4f129f1857f1d
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Oct 1 07:53:55 2024 +0930

    segv in bfd_elf_get_str_section
    
    Attempting to write a termination NUL to PROT_READ mmap'd memory was
    a silly idea.
    
            PR 32109
            * elf.c (bfd_elf_get_str_section): Don't write terminating NUL
            if missing.
            * libbfd.c (_bfd_munmap_readonly_temporary): Correct comment.
    
    (cherry picked from commit 656f8fbaae34cb37bda5110cbc8c79c6a2aaa847)
Comment 8 Sourceware Commits 2024-10-16 12:39:44 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=76eab8f47a743bde86be410bce8fd8382eaea6c2

commit 76eab8f47a743bde86be410bce8fd8382eaea6c2
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Oct 13 15:11:59 2024 +1030

    PR32266, segv when linking libclang_rt.asan-powerpc64.so
    
    Change the mmap support added with commit 9ba56acee518 to always mmap
    memory with PROT_READ | PROT_WRITE.  Prior to that commit most file
    contents were read into a buffer allocated with bfd_alloc or
    bfd_malloc and thus the memory was read/write.  Even after that commit
    any section contents with relocations must be read/write to apply the
    relocs.  Making them all read/write is not a major change, and it
    should not introduce any measurable linker slowdown for contents that
    are not modified.  More importantly, it removes a BFD behaviour
    difference that only triggers when large files are involved.
    
            PR 32266
            PR 32109
            * libbfd.c (bfd_mmap_local): Remove prot param.  Always mmap
            with PROT_READ | PROT_WRITE.  Adjust all calls.
            (_bfd_mmap_temporary): Rename from _bfd_mmap_readonly_temporary.
            (_bfd_munmap_temporary): Rename from _bfd_munmap_readonly_temporary.
            (_bfd_mmap_persistent): Rename from _bfd_mmap_readonly_persistent.
            (_bfd_generic_get_section_contents): Use PROT_READ | PROT_WRITE
            regardless of relocs.
            * libbfd-in.h: Update decls to suit.  Make non-USE_MMAP variants
            static inline functions.
            * elflink.c: Update all uses of _bfd_mmap functions.
            * elf.c: Likewise.
            (bfd_elf_get_str_section): Revert commit 656f8fbaae.
            * libbfd.h: Regenerate.
Comment 9 Sourceware Commits 2025-01-04 09:31:43 UTC
The binutils-2_43-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=412919cb962e984e5272435ad6aa4766029954e9

commit 412919cb962e984e5272435ad6aa4766029954e9
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Oct 13 15:11:59 2024 +1030

    PR32266, segv when linking libclang_rt.asan-powerpc64.so
    
    Change the mmap support added with commit 9ba56acee518 to always mmap
    memory with PROT_READ | PROT_WRITE.  Prior to that commit most file
    contents were read into a buffer allocated with bfd_alloc or
    bfd_malloc and thus the memory was read/write.  Even after that commit
    any section contents with relocations must be read/write to apply the
    relocs.  Making them all read/write is not a major change, and it
    should not introduce any measurable linker slowdown for contents that
    are not modified.  More importantly, it removes a BFD behaviour
    difference that only triggers when large files are involved.
    
            PR 32266
            PR 32109
            * libbfd.c (bfd_mmap_local): Remove prot param.  Always mmap
            with PROT_READ | PROT_WRITE.  Adjust all calls.
            (_bfd_mmap_temporary): Rename from _bfd_mmap_readonly_temporary.
            (_bfd_munmap_temporary): Rename from _bfd_munmap_readonly_temporary.
            (_bfd_mmap_persistent): Rename from _bfd_mmap_readonly_persistent.
            (_bfd_generic_get_section_contents): Use PROT_READ | PROT_WRITE
            regardless of relocs.
            * libbfd-in.h: Update decls to suit.  Make non-USE_MMAP variants
            static inline functions.
            * elflink.c: Update all uses of _bfd_mmap functions.
            * elf.c: Likewise.
            (bfd_elf_get_str_section): Revert commit 656f8fbaae.
            * libbfd.h: Regenerate.
    
    (cherry picked from commit 76eab8f47a743bde86be410bce8fd8382eaea6c2)
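
The sequence in comments 3, 6 and 8 (terminate an unterminated string table, fault when the mapping is PROT_READ, then map read/write) can be reproduced in a small stand-alone C program. This is an added example, not code from BFD or from anyone in this thread; strtab_map, strtab_get and strtab_demo are hypothetical names, the table bytes are constructed, and the use of MAP_PRIVATE is an assumption of the example.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map `size` bytes of fd as a string table.  MAP_PRIVATE with
   PROT_READ | PROT_WRITE makes the mapping copy-on-write, so forcing a
   terminating NUL cannot fault and never reaches the file on disk. */
static char *strtab_map(int fd, size_t size, int *was_unterminated)
{
    if (size == 0)
        return NULL;
    char *tab = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (tab == MAP_FAILED)
        return NULL;
    *was_unterminated = tab[size - 1] != '\0';
    if (*was_unterminated)
        tab[size - 1] = '\0';   /* would SIGSEGV if mapped PROT_READ only */
    return tab;
}

/* Bounded lookup: an offset outside the table yields NULL, not a pointer. */
static const char *strtab_get(const char *tab, size_t size, size_t off)
{
    return off < size ? tab + off : NULL;
}

/* Write a constructed, unterminated table to a temp file and exercise
   both checks.  Returns 0 when every check holds. */
int strtab_demo(void)
{
    static const char raw[] = { '\0', 'm', 'a', 'i', 'n', '\0', 'f', 'o', 'o', 'X' };
    char path[] = "/tmp/strtabXXXXXX", last;
    int fd = mkstemp(path), bad = 0, rc = 1;
    if (fd < 0 || write(fd, raw, sizeof raw) != (ssize_t)sizeof raw)
        return 2;
    char *tab = strtab_map(fd, sizeof raw, &bad);
    if (tab && bad && strcmp(strtab_get(tab, sizeof raw, 1), "main") == 0
        && strcmp(strtab_get(tab, sizeof raw, 6), "foo") == 0
        && strtab_get(tab, sizeof raw, 771778675u) == NULL  /* strindex from the backtrace */
        && pread(fd, &last, 1, sizeof raw - 1) == 1 && last == 'X')
        rc = 0;                 /* file still ends in 'X': only the private copy changed */
    if (tab) munmap(tab, sizeof raw);
    close(fd); unlink(path);
    return rc;
}
```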