bug-binutils

Re: Report UBSan integer overflow bugs found by automatic tools


From: He Jingxuan
Subject: Re: Report UBSan integer overflow bugs found by automatic tools
Date: Fri, 30 Jul 2021 07:33:38 +0000

Thanks for your prompt feedback!

> On 30 Jul 2021, at 08:08, Alan Modra <amodra@gmail.com> wrote:
> 
> On Thu, Jul 29, 2021 at 03:09:40PM +0000, He  Jingxuan wrote:
>> Dear Alan,
>> 
>> Thanks for your information!
>> 
>> UBSan indeed has an option to turn on complaints about unsigned integer 
>> overflow (-fsanitize=unsigned-integer-overflow). Unsigned integer overflow 
>> has caused bugs in binutils that were fixed (see 
>> https://sourceware.org/bugzilla/show_bug.cgi?id=24131 for example).
>> 
>> Based on our inspection, most bugs reported by us result in wrong offsets or 
>> addresses. The *.err files provide exact bug location and bug triggering 
>> values, which can be used to quickly decide if the bugs are true or false 
>> positives. Could you please take a deeper look into the bugs?
> 
> ../../libiberty/argv.c:478:27: runtime error: unsigned integer overflow: 0 - 
> 1 cannot be represented in type 'unsigned long'
> ../../libiberty/argv.c:478:14: runtime error: unsigned integer overflow: 3 + 
> 18446744073709551615 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/bfdio.c:397:14: runtime error: unsigned integer overflow: 24 + 
> 18446744073709551600 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elfcore.h:233:43: runtime error: unsigned integer overflow: 
> 18446744073709537336 + 14280 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/coffcode.h:1921:56: runtime error: unsigned integer overflow: 0 - 1 
> cannot be represented in type 'unsigned long'
> 
> A bug.  Lack of sanity checking.
> 
> ../../bfd/coffcode.h:2601:27: runtime error: unsigned integer overflow: 
> 18446744073265032094 + 444596226 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/coffcode.h:4392:43: runtime error: unsigned integer overflow: 0 - 
> 335544324 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/coffcode.h:5079:26: runtime error: unsigned integer overflow: 76704 
> - 4294967295 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/coffgen.c:1192:27: runtime error: unsigned integer overflow: 
> 18446744073709490606 + 61235 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/coffgen.c:1676:38: runtime error: unsigned integer overflow: 
> 18446744071562069503 * 18 cannot be represented in type 'unsigned long'
> ../../bfd/coffgen.c:1676:7: runtime error: unsigned integer overflow: 32799 + 
> 18446744073709551598 cannot be represented in type 'unsigned long'
> 
> Lack of sanity checking again.
> 
> ../../bfd/coffgen.c:1988:30: runtime error: unsigned integer overflow: 
> 4294967295 + 1 cannot be represented in type 'unsigned int'
> 
> A bug.
> 
> ../../bfd/elf.c:12069:41: runtime error: unsigned integer overflow: 
> 18446744073709551604 + 32 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:12077:41: runtime error: unsigned integer overflow: 
> 18446744073709551600 + 64 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:12062:56: runtime error: unsigned integer overflow: 
> 18446744073709551580 + 64 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> peXXigen.c:561:26: runtime error: unsigned integer overflow: 4294967295 + 
> 18446744073709551615 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> peXXigen.c:569:31: runtime error: unsigned integer overflow: 4294967295 + 
> 18446744073709551615 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:5543:36: runtime error: unsigned integer overflow: 16777216 + 
> 18446744073709289469 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:5715:20: runtime error: unsigned integer overflow: 128 - 
> 2147483724 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:5717:15: runtime error: unsigned integer overflow: 0 - 1996 
> cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:5789:32: runtime error: unsigned integer overflow: 
> 18446744073709549620 + 1996 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:5791:33: runtime error: unsigned integer overflow: 262147 - 
> 294915 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:6289:10: runtime error: unsigned integer overflow: 
> 18446744073709551594 + 22 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:7265:10: runtime error: unsigned integer overflow: 0 - 22 
> cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:7285:21: runtime error: unsigned integer overflow: 22 - 64 
> cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:7299:21: runtime error: unsigned integer overflow: 0 - 7 
> cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:7449:4: runtime error: unsigned integer overflow: 0 - 32 
> cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:7614:32: runtime error: unsigned integer overflow: 0 - 
> 134217728 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/elf.c:7615:32: runtime error: unsigned integer overflow: 0 - 
> 335544322 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/tekhex.c:496:34: runtime error: unsigned integer overflow: 17476 - 
> 13421772 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../bfd/tekhex.c:544:33: runtime error: unsigned integer overflow: 0 - 5 
> cannot be represented in type 'unsigned int'
> 
> Not a bug.
> 
> ../../bfd/tekhex.c:893:37: runtime error: unsigned integer overflow: 
> 18445843353784078336 + 900719925474099 cannot be represented in type 
> 'unsigned long'
> 
> Not a bug.
> 
> ../../binutils/readelf.c:21264:2: runtime error: unsigned integer overflow: 
> 18446744073709551615 + 1 cannot be represented in type 'unsigned long'
> 
> A bug.
> 
> ../../binutils/readelf.c:17095:45: runtime error: unsigned integer overflow: 
> 0 - 32752 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../binutils/readelf.c:5586:13: runtime error: unsigned integer overflow: 
> 4226819 - 1785358848 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../binutils/readelf.c:5586:28: runtime error: unsigned integer overflow: 
> 18446744073178963944 + 536870912 cannot be represented in type 'unsigned long'
> 
> Not a bug.
> 
> ../../binutils/readelf.c:9312:17: runtime error: unsigned integer overflow: 
> 18446744073709421054 + 4294967299 cannot be represented in type 'unsigned 
> long'
> 
> Not a bug.
> 
> I'll be committing a few fixes for the real bugs you found.
> 
> -- 
> Alan Modra
> Australia Development Lab, IBM
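Added example (not from this thread and not binutils code) contrasting the two kinds of report above: a deliberate unsigned wraparound of the shape in the argv.c:478 report (3 + 18446744073709551615, i.e. pos + (size_t)-1), which UBSan flags although C defines the result, versus a count-times-entry-size computation of the shape in the coffgen.c:1676 report (count * 18), where the missing sanity check is the actual defect. The function names, the 18-byte entry size, the offset and the file size are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Deliberate wraparound: adding (size_t)-1 is subtraction of one modulo
 * 2^N. -fsanitize=unsigned-integer-overflow reports it, but the result is
 * fully defined by C and the idiom is benign. */
size_t step_back(size_t pos)
{
  return pos + (size_t)-1;        /* wraps by design; equals pos - 1 */
}

/* Untrusted size arithmetic: a count read from the file times an entry
 * size, plus the table's file offset. If either step wraps, the computed
 * end lies below the start and a later "end <= file_size" check passes on
 * a nonsense value. Refuse instead of returning a wrapped result. */
bool table_end(size_t offset, size_t count, size_t entry_size, size_t *end)
{
  size_t bytes;

  if (entry_size != 0 && count > SIZE_MAX / entry_size)
    return false;                 /* count * entry_size would wrap */
  bytes = count * entry_size;
  if (bytes > SIZE_MAX - offset)
    return false;                 /* offset + bytes would wrap */
  *end = offset + bytes;
  return true;
}

/* Sanity check a table against the file size using the safe helper. */
bool table_fits(size_t file_size, size_t offset, size_t count,
                size_t entry_size)
{
  size_t end;
  return table_end(offset, count, entry_size, &end) && end <= file_size;
}

int main(void)
{
  size_t end;
  printf("step_back(3) = %zu\n", step_back(3));          /* 2 */
  /* Constructed input: the count from the coffgen.c:1676 report and an
   * assumed 18-byte entry size make count * 18 wrap around. */
  if (!table_end(20, 18446744071562069503ULL, 18, &end))
    printf("rejected: table size wraps\n");
  printf("small table fits: %d\n", table_fits(4096, 20, 100, 18));
  return 0;
}
```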
