bug-binutils

From: slyfox at inbox dot ru
Subject: [Bug ld/25745] New: powerpc64-unknown-linux-gnu-ld overflows string buffer in --stats mode
Date: Sun, 29 Mar 2020 12:18:16 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=25745

            Bug ID: 25745
           Summary: powerpc64-unknown-linux-gnu-ld overflows string buffer
                    in --stats mode
           Product: binutils
           Version: 2.34
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: slyfox at inbox dot ru
  Target Milestone: ---

Initially observed the crash when building ncurses-6.2 on powerpc64 using
ru_RU.UTF-8 locale.

$ locale
LANG=ru_RU.UTF-8
...

"""
$ powerpc64-unknown-linux-gnu-ld ... -stats -lc ...
GNU ld (Gentoo 2.34 p1) 2.34.0
...
powerpc64-unknown-linux-gnu-ld: заглушки компоновщика в 2 группах
...
Ошибка сегментирования (стек памяти сброшен на диск)
"""

It's a SIGSEGV. valgrind points to a heap buffer overflow at:

==3864715== Invalid write of size 1
==3864715==    at 0x483F046: mempcpy (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3864715==    by 0x4AB5707: _IO_default_xsputn (genops.c:386)
==3864715==    by 0x4AB5707: _IO_default_xsputn (genops.c:370)
==3864715==    by 0x4A9D1EC: __vfprintf_internal (vfprintf-internal.c:1719)
==3864715==    by 0x4AA9C0F: __vsprintf_internal (iovsprintf.c:96)
==3864715==    by 0x4B3D992: __sprintf_chk (sprintf_chk.c:40)
==3864715==    by 0x48B3CCB: sprintf (stdio2.h:36)
==3864715==    by 0x48B3CCB: ppc64_elf_build_stubs (elf64-ppc.c:14129)
==3864715==    by 0x137988: gldelf64ppc_finish (eelf64ppc.c:618)
==3864715==    by 0x12959A: lang_process (ldlang.c:7916)
==3864715==    by 0x11561C: main (ldmain.c:452)


An overflow happens on locales where most letters are multibyte (like Russian).

Here is a modern binutils-bfd snippet from
https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=bfd/elf64-ppc.c;h=7f7e190ce2b656d31ba1f163010adcccc924c645;hb=HEAD#l14561

which looks suspicious:

14558   if (stats != NULL)
14559     {
14560       size_t len;
14561       *stats = bfd_malloc (500);
14562       if (*stats == NULL)
14563         return FALSE;
14564 
14565       len = sprintf (*stats,
14566                      ngettext ("linker stubs in %u group\n",
14567                                "linker stubs in %u groups\n",
14568                                stub_sec_count),
14569                      stub_sec_count);
14570       sprintf (*stats + len, _("  branch         %lu\n"
14571                                "  branch toc adj %lu\n"
14572                                "  branch notoc   %lu\n"
14573                                "  branch both    %lu\n"
14574                                "  long branch    %lu\n"
14575                                "  long toc adj   %lu\n"
14576                                "  long notoc     %lu\n"
14577                                "  long both      %lu\n"
14578                                "  plt call       %lu\n"
14579                                "  plt call save  %lu\n"
14580                                "  plt call notoc %lu\n"
14581                                "  plt call both  %lu\n"
14582                                "  global entry   %lu"),
14583                htab->stub_count[ppc_stub_long_branch - 1],
14584                htab->stub_count[ppc_stub_long_branch_r2off - 1],
14585                htab->stub_count[ppc_stub_long_branch_notoc - 1],
14586                htab->stub_count[ppc_stub_long_branch_both - 1],
14587                htab->stub_count[ppc_stub_plt_branch - 1],
14588                htab->stub_count[ppc_stub_plt_branch_r2off - 1],
14589                htab->stub_count[ppc_stub_plt_branch_notoc - 1],
14590                htab->stub_count[ppc_stub_plt_branch_both - 1],
14591                htab->stub_count[ppc_stub_plt_call - 1],
14592                htab->stub_count[ppc_stub_plt_call_r2save - 1],
14593                htab->stub_count[ppc_stub_plt_call_notoc - 1],
14594                htab->stub_count[ppc_stub_plt_call_both - 1],
14595                htab->stub_count[ppc_stub_global_entry - 1]);
14596     }
14597   return TRUE;
14598 }

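As an added example, not part of the bug report and not binutils' own code: a C program that shows why the hard-coded 500-byte buffer in the snippet is only as safe as the longest translation of its format strings, and the measure-then-allocate pattern that removes that assumption. The English formats mirror the snippet; the Cyrillic ones are constructed stand-ins for a translation (the group line is shaped after the output quoted in the report), not the real binutils message catalog. The names stats_needed_bytes, format_stats, sample_counts and the two check helpers are this example's own.

```c
/* Added example (not binutils' own code): measure-then-allocate for the
 * --stats message.  The format strings stand in for what ngettext() and
 * _() would return; the "wide" ones are constructed for this example and
 * are not the real binutils translation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STUB_KINDS 13
#define FIXED_BUF_SIZE 500  /* the size hard-coded by the snippet in the report */

/* Expands counts[] into the 13 arguments the table format consumes. */
#define COUNTS13(c) (c)[0], (c)[1], (c)[2], (c)[3], (c)[4], (c)[5], (c)[6], \
                    (c)[7], (c)[8], (c)[9], (c)[10], (c)[11], (c)[12]

/* English formats, same shape as the snippet (plural form only; the
 * ngettext() selection is left out here). */
static const char group_en[] = "linker stubs in %u groups\n";
static const char table_en[] =
  "  branch         %lu\n"  "  branch toc adj %lu\n"
  "  branch notoc   %lu\n"  "  branch both    %lu\n"
  "  long branch    %lu\n"  "  long toc adj   %lu\n"
  "  long notoc     %lu\n"  "  long both      %lu\n"
  "  plt call       %lu\n"  "  plt call save  %lu\n"
  "  plt call notoc %lu\n"  "  plt call both  %lu\n"
  "  global entry   %lu";

/* Constructed stand-in for a translation: Cyrillic letters are two bytes
 * each in UTF-8, so every line costs about twice its English counterpart. */
static const char group_wide[] = "заглушки компоновщика в %u группах\n";
static const char table_wide[] =
  "  переход ветвления обычный          %lu\n"
  "  переход ветвления с поправкой toc  %lu\n"
  "  переход ветвления без учёта toc    %lu\n"
  "  переход ветвления оба варианта     %lu\n"
  "  длинный переход обычный            %lu\n"
  "  длинный переход с поправкой toc    %lu\n"
  "  длинный переход без учёта toc      %lu\n"
  "  длинный переход оба варианта       %lu\n"
  "  вызов через таблицу plt обычный    %lu\n"
  "  вызов через plt с сохранением r2   %lu\n"
  "  вызов через plt без учёта toc      %lu\n"
  "  вызов через plt оба варианта       %lu\n"
  "  глобальная точка входа             %lu";

/* Bytes (without the NUL) that the two sprintf() calls of the snippet
 * would emit for these formats and counts; 0 on an encoding error. */
size_t stats_needed_bytes(const char *group_fmt, const char *table_fmt,
                          unsigned groups, const unsigned long counts[STUB_KINDS])
{
  int n1 = snprintf(NULL, 0, group_fmt, groups);
  int n2 = snprintf(NULL, 0, table_fmt, COUNTS13(counts));
  if (n1 < 0 || n2 < 0)
    return 0;
  return (size_t)n1 + (size_t)n2;
}

/* Hardened counterpart of the snippet: size the buffer from the actual
 * formatted length instead of assuming 500 bytes is enough for every
 * locale.  Caller frees the result. */
char *format_stats(const char *group_fmt, const char *table_fmt,
                   unsigned groups, const unsigned long counts[STUB_KINDS])
{
  size_t need = stats_needed_bytes(group_fmt, table_fmt, groups, counts);
  char *buf = malloc(need + 1);
  if (buf == NULL)
    return NULL;
  int len = snprintf(buf, need + 1, group_fmt, groups);
  if (len < 0 || (size_t)len > need) { free(buf); return NULL; }
  snprintf(buf + len, need + 1 - (size_t)len, table_fmt, COUNTS13(counts));
  return buf;
}

/* Constructed counts (small numbers, as in a typical link). */
static const unsigned long sample_counts[STUB_KINDS] =
  { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 };

/* 1 if the English message fits the fixed buffer but the wide one does not. */
int wide_message_overflows_fixed_buffer(void)
{
  size_t en = stats_needed_bytes(group_en, table_en, 2, sample_counts);
  size_t wide = stats_needed_bytes(group_wide, table_wide, 2, sample_counts);
  return en + 1 <= FIXED_BUF_SIZE && wide + 1 > FIXED_BUF_SIZE;
}

/* 1 if the hardened path produces exactly the measured length and starts
 * with the group line seen in the report's output. */
int format_stats_roundtrip_ok(void)
{
  const char expected[] = "заглушки компоновщика в 2 группах\n";
  char *s = format_stats(group_wide, table_wide, 2, sample_counts);
  if (s == NULL)
    return 0;
  int ok = strlen(s) == stats_needed_bytes(group_wide, table_wide, 2, sample_counts)
           && strncmp(s, expected, strlen(expected)) == 0;
  free(s);
  return ok;
}

int main(void)
{
  printf("english: %zu bytes, wide: %zu bytes, fixed buffer: %d\n",
         stats_needed_bytes(group_en, table_en, 2, sample_counts),
         stats_needed_bytes(group_wide, table_wide, 2, sample_counts),
         FIXED_BUF_SIZE);
  return 0;
}
```

snprintf(NULL, 0, ...) returns the full formatted length in C99, so the allocation follows whatever the active message catalog produces rather than a guess made in English. The __sprintf_chk frame in the valgrind trace shows that _FORTIFY_SOURCE was active, but it can only bound writes whose destination size the compiler can see; a heap buffer returned by bfd_malloc is opaque to it, which is why valgrind rather than the fortified sprintf caught the overrun.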