readelf crash on 32bit, leading to abi-monitor testsuite regression

Bug #1844119 reported by Gianfranco Costamagna
Affects             Status         Importance   Assigned to      Milestone
binutils            Fix Released   Medium
binutils (Ubuntu)   Fix Released   High         Matthias Klose
glibc (Ubuntu)      Invalid        Undecided    Unassigned

Bug Description

To reproduce:
readelf --debug-dump=info libjsoncpp.so.1.8.1

dpkg -l |grep binut
ii binutils 2.32.51.20190905-0ubuntu1 i386 GNU assembler, linker and binary utilities
ii binutils-common:i386 2.32.51.20190905-0ubuntu1 i386 Common files for the GNU assembler, linker and binary utilities
ii binutils-i686-linux-gnu 2.32.51.20190905-0ubuntu1 i386 GNU binary utilities, for i686-linux-gnu target
ii libbinutils:i386 2.32.51.20190905-0ubuntu1 i386 GNU binary utilities (private shared library)

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :
Changed in binutils (Ubuntu):
importance: Undecided → High
assignee: nobody → Matthias Klose (doko)
status: New → Confirmed
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

it works fine with binutils_2.32.51.20190821-1ubuntu1_i386.deb

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

For some reason, gdb makes me suspect glibc 2.30...

Changed in glibc (Ubuntu):
status: New → Invalid
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Manually downgrading glibc to 2.29 on i386 with the newer binutils fails, so back to a binutils bug.
ii libc-bin 2.29-0ubuntu3 i386 GNU C Library: Binaries
ii libc-dev-bin 2.29-0ubuntu3 i386 GNU C Library: Development binaries
ii libc6:i386 2.29-0ubuntu3 i386 GNU C Library: Shared libraries
ii libc6-dev:i386 2.29-0ubuntu3 i386 GNU C Library: Development Libraries and Header Files

G.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

    <65c00> DW_AT_external : 1
    <65c00> DW_AT_name : (indirect string, offset: 0x1d277): _M_get_allocator
    <65c04> DW_AT_decl_file : 2
    <65c05> DW_AT_decl_line : 290
    <65c07> DW_AT_decl_column : 7
    <65c08> DW_AT_linkage_name: (indirect string, offset: 0xdb15): _ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE16_M_get_allocatorEv

Program received signal SIGSEGV, Segmentation fault.
0x56596128 in read_leb128 (data=0x87a81712 <error: Cannot access memory at address 0x87a81712>, length_return=0xffffd014, sign=0, end=0xf7dbecef "") at ../../binutils/dwarf.c:336
336 ../../binutils/dwarf.c: No such file or directory.
(gdb) bt full
#0 0x56596128 in read_leb128 (data=0x87a81712 <error: Cannot access memory at address 0x87a81712>, length_return=0xffffd014, sign=0, end=0xf7dbecef "") at ../../binutils/dwarf.c:336
        result = 0
        num_read = 0
        shift = 0
        byte = 0 '\000'
#1 0x56599e50 in read_uleb128 (end=0xf7dbecef "", length_return=<optimized out>, data=0x87a81711 <error: Cannot access memory at address 0x87a81711>) at ../../binutils/dwarf.c:2005
No locals.
#2 get_type_signedness (start=start@entry=0xf7cd1010 "\266X\006", data=0x87a81711 <error: Cannot access memory at address 0x87a81711>, end=end@entry=0xf7dbecef "", pointer_size=4, offset_size=4,
    dwarf_version=4, is_signed=0xffffd190, is_nested=1) at ../../binutils/dwarf.c:2005
        abbrev_number = <optimized out>
        bytes_read = 0
        entry = <optimized out>
        attr = <optimized out>
#3 0x56599f50 in get_type_signedness (start=start@entry=0xf7cd1010 "\266X\006", data=0xf7ce1238 "", end=end@entry=0xf7dbecef "", pointer_size=4, offset_size=4, dwarf_version=4, is_signed=0xffffd190,
    is_nested=0) at ../../binutils/dwarf.c:2045
        uvalue = <optimized out>
        abbrev_number = <optimized out>
        bytes_read = 1
        entry = <optimized out>
        attr = 0x56640530
#4 0x5659b968 in read_and_display_attr_value (attribute=attribute@entry=73, form=form@entry=19, implicit_const=-1, start=0xf7cd1010 "\266X\006", data=<optimized out>, end=0xf7dbecef "",
    cu_offset=415930, pointer_size=4, offset_size=4, dwarf_version=<optimized out>, debug_info_p=0x0, do_loc=<optimized out>, section=0x56617880 <debug_displays+192>, this_set=0x0,
    delimiter=<optimized out>, level=<optimized out>) at ../../binutils/dwarf.c:2732
        is_signed = 0
        uvalue = 66082
        block_start = <optimized out>
        orig_data = 0xf7d36c1c "\"\002\001"
        bytes_read = 4160392480
        __PRETTY_FUNCTION__ = "read_and_display_attr_value"
#5 0x5659efb4 in read_and_display_attr (level=<optimized out>, this_set=0x0, section=0x56617880 <debug_displays+192>, do_loc=0, debug_info_p=0x0, dwarf_version=4, offset_size=<optimized out>,
    pointer_size=4, cu_offset=415930, end=0xf7dbecef "", data=0xf7d36c1c "\"\002\001", start=0xf7cd1010 "\266X\006", implicit_const=<optimized out>, form=19, attribute=<optimized out>)
    at ../../binutils/dwarf.c:3119
No locals.
#6 process_debug_info (section=0x56617880 <debug_displays+192>, file=<optimized out>, abbrev_sec=abbrev, do_loc=0, do_types=<optimized out>) at ../../...


Revision history for this message
In , Gianfranco Costamagna (costamagnagianfranco) wrote :

Created attachment 11996
example of failing file

I already reported this to Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1844119

This is a regression that started after binutils_2.32.51.20190821-1
and before 2.32.51.20190905-0.

So this is the changelog of changes in bfd:
+2019-09-05 Alan Modra <email address hidden>
+
+ * elf64-ppc.c (xlate_pcrel_opt): Handle prefix loads and stores
+ in second instruction.
+ (ppc64_elf_relocate_section): Likewise.
+
+2019-09-05 Alan Modra <email address hidden>
+
+ PR 24955
+ * libbfd-in.h (bfd_strdup): New inline function.
+ * archive.c (_bfd_get_elt_at_filepos): Use bfd_strdup. Close
+ bfd on error.
+ * elfcode.h (_bfd_elf_bfd_from_remote_memory): Use bfd_strdup.
+ * opncls.c (bfd_fopen): Use bfd_strdup. Close fd and stream
+ on error.
+ (bfd_openstreamr): Use bfd_strdup.
+ (bfd_openr_iovec, bfd_openw, bfd_create): Likewise.
+ * plugin.c (try_load_plugin): Use bfd_malloc.
+ * libbfd.h: Regenerate.
+
+2019-09-02 Alan Modra <email address hidden>
+
+ PR 11983
+ * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Free debug_filename
+ on success. Tidy.
+ (read_alt_indirect_string): Likewise.
+ (read_alt_indirect_ref): Likewise.
+
+2019-08-31 Jim Wilson <email address hidden>
+
+ PR 23825
+ * elfnn-riscv.c (riscv_elf_create_dynamic_sections): Add SEC_LOAD,
+ SEC_DATA, and SEC_HAS_CONTENTS to .tdata.dyn section.
+
+2019-08-30 Jim Wilson <email address hidden>
+
+ * elfnn-riscv.c (riscv_elf_relocate_section): For unresolvable reloc
+ error, call bfd_set_error, set ret to FALSE, and goto out label.
+
+2019-08-30 H.J. Lu <email address hidden>
+
+ PR ld/24951
+ * archive.c (_bfd_get_elt_at_filepos): Copy BFD_COMPRESS,
+ BFD_DECOMPRESS and BFD_COMPRESS_GABI flags for thin archive.
+
+2019-08-29 Alan Modra <email address hidden>
+
+ PR 24697
+ * elf32-ppc.c (ppc_elf_check_relocs): Call bad_shared_reloc
+ when !bfd_link_executable for R_PPC_EMB_SDA2I16 and
+ R_PPC_EMB_SDA2REL. Don't call bad_shared_reloc for any other
+ reloc.
+
+2019-08-29 Alan Modra <email address hidden>
+
+ * elf64-ppc.c (xlate_pcrel_opt): Add poff parameter. Allow offset
+ on second insn, return it in poff.
+ (ppc64_elf_relocate_section): Add offset to paddi addend for
+ PCREL_OPT.
+
+2019-08-28 Jim Wilson <email address hidden>
+
+ * elfnn-riscv.c (_bfd_riscv_relax_lui): Add check to exclude abs
+ section when setting max_alignment. Update comment.
+ (_bfd_riscv_relax_pc): Likewise.
+
+2019-08-29 Alan Modra <email address hidden>
+
+ PR 24891
+ * bfd.c (struct bfd): Add no_element_cache.
+ * archive.c (_bfd_get_elt_at_filepos): Don't add element to
+ archive cache when no_element_cache.
+ (bfd_generic_archive_p): Set no_element_cache when opening first
+ element to check format. Close first element too.
+ (do_slurp_bsd_armap): Don't zero ardata->cache here.
+ * bfd-in2.h: Regenerate.
+
+2019-08-24 Alan Modra <email address hidden>
+
+ * elf64-ppc.c (ppc64_elf_edit_toc): Exclude undefined weak
+ symbols from GOT optimisation.
+
+2019-08-23 Stafford Horne <email address hidden>
+
+ * elf32-or1k.c (or1k_elf_finish_dynamic_symbol): Use correct value for
+ PLT GOT entries.
+
+2019-08-23 Nick Clifton <email address hidden>
+
+ PR 24456
+ * elf.c (bfd_section_from_shdr...
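Review bot: these entries are all from bfd/ChangeLog, but the gdb backtrace above places the crash in ../../binutils/dwarf.c (read_leb128 called from get_type_signedness), which lives in the binutils/ directory and is not covered by this file, so this list cannot contain the offending change; the binutils/ChangeLog for the same date range is the one to bisect. The 2019-09-02 dwarf2.c entry here is bfd's own DWARF reader (bfd/dwarf2.c), a different file from readelf's binutils/dwarf.c, and is a memory-leak fix rather than a parsing change.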

Changed in binutils:
importance: Unknown → Medium
status: Unknown → New
Revision history for this message
In , Cvs-commit (cvs-commit) wrote :

The master branch has been updated by Alan Modra <email address hidden>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b3fe587ed2c78d46132bd33e14f42449d410354b

commit b3fe587ed2c78d46132bd33e14f42449d410354b
Author: Alan Modra <email address hidden>
Date: Mon Sep 23 08:53:07 2019 +0930

    PR25018, readelf crash on 32bits

    Pointer comparisons after adding an offset just don't work to catch
    overflow when the offset is a larger type than the pointer.

     PR 25018
     * dwarf.c (get_type_signedness): Delete ineffective pointer
     comparison check. Properly range check uvalue offset on
     recursive call.
     (read_and_display_attr_value): Range check uvalue offset before
     calling get_type_signedness.

Revision history for this message
In , Alan Modra (amodra-gmail) wrote :

Fixed.

Changed in binutils:
status: New → Fix Released
Revision history for this message
In , Cvs-commit (cvs-commit) wrote :

The binutils-2_33-branch branch has been updated by Alan Modra <email address hidden>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a11b3493ca2d5aabdc218197b92026098d7e2f57

commit a11b3493ca2d5aabdc218197b92026098d7e2f57
Author: Alan Modra <email address hidden>
Date: Mon Sep 23 08:53:07 2019 +0930

    PR25018, readelf crash on 32bits

    Pointer comparisons after adding an offset just don't work to catch
    overflow when the offset is a larger type than the pointer.

     PR 25018
     * dwarf.c (get_type_signedness): Delete ineffective pointer
     comparison check. Properly range check uvalue offset on
     recursive call.
     (read_and_display_attr_value): Range check uvalue offset before
     calling get_type_signedness.

    (cherry picked from commit b3fe587ed2c78d46132bd33e14f42449d410354b)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package binutils - 2.32.90.20190929-0ubuntu2

---------------
binutils (2.32.90.20190929-0ubuntu2) eoan; urgency=medium

  * Snapshot, taken from the 2.33 branch (20190929).
    - Fix PR25031, nm reports wrong address on 32bit. LP: #1845190.
    - Fix PR25018, readelf crash on 32bits. LP: #1844119.
    - [GOLD] Fix spurious "plugin needed to handle lto object" warnings.
    - GCC 10 related warning fixes.
    - i386: Adjust for new output format from readelf.
  * Include the test logs in the binutils-dev package.

 -- Matthias Klose <email address hidden> Sun, 29 Sep 2019 07:37:06 +0200

Changed in binutils (Ubuntu):
status: Confirmed → Fix Released