[Bug gas/20901] New: AS: Hangs


From: boehme.marcel at gmail dot com
Subject: [Bug gas/20901] New: AS: Hangs
Date: Fri, 02 Dec 2016 02:38:07 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20901

            Bug ID: 20901
           Summary: AS: Hangs
           Product: binutils
           Version: 2.28 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gas
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24-hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.

The assembler hangs for the following execution on Ubuntu 16.04 x86_64 and
14.04 x86_64 for Binutils v2.24, v2.26.1, and trunk:

$ printf "\x20\x00\x1a\x3b\x64\x63\x67\x67\x64\x67\x67\x67\x67\x67\x67\x67\x6c\xff\xfd\x40\xff\xff\xff\x80\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x1d\x00\xff\xe2\xff\xff\x7f\xe1\x00\x2e\x64\x53\x09\x34\x34\x34\x34\x34\x2a\x34\x34\x34\x35\x35\x35\x35\x35\x35\x38\x38\x35\x35\x35\x35\x35\x35\x35\x2c\x35\x35\x35\x35\x35\xff\xff\xff\x7f\x7e\x7e\x00\x00\x38\x38\x35\x00\x10\x35\x35\x35\x38\x38\x35\x35\x35\x35\x35\x35\x35\x35\x35\x35\x35\x2c\x35\x35\x35\x35\x35\xff\xff\xff\x7f\x7e\x7e\x00\x00\x38\x38\x35\x35\x35\x35\x03\xf8\x79\xff\x7f\x7e\x7e\x00\x00\x38\x38\x35\x35\x35\x35\x03\xf8\x79\x00\x00\x40\x0f\x00\x63\x00\x00\x17\x80\x00\x20\x00\x3d\x63\x03\x04\x1b\xff\xff\x10\xff\xff\x80\x00\x3d\x3d\x43\x25\x83\xff\xff\x8c\x09\x0f\x37" > a

$ ./as a
..

It slowly eats up the available memory. Couldn't determine whether this is
actually an infinite loop or just a very long execution. Was unable to minimize
the test case with this execution time.

STRACE reports repeated calls to brk:
...
brk(0x2705000)                          = 0x2705000
brk(0x2726000)                          = 0x2726000
brk(0x2747000)                          = 0x2747000
brk(0x2768000)                          = 0x2768000
brk(0x2789000)                          = 0x2789000
brk(0x27aa000)                          = 0x27aa000
...

ASAN reports a signed integer overflow:
../../gas/expr.c:1939:46: runtime error: signed integer overflow: 44444 *
444555555885555555 cannot be represented in type 'long int'

Interrupting GDB at a random point during the execution gives:
(gdb) bt
#0  frag_more (nchars=2) at frags.c:208
#1  0x0000000000498c8f in emit_expr_with_reloc (reloc=BFD_RELOC_NONE, nbytes=<optimized out>, exp=0x7fffffffe180) at read.c:4336
#2  emit_expr (nbytes=<optimized out>, exp=0x7fffffffe180) at read.c:4184
#3  s_space (mult=<optimized out>) at read.c:3401
#4  0x00000000004b5bb0 in read_a_source_file (name=<optimized out>) at read.c:1146
#5  0x0000000000407ed2 in perform_an_assembly_pass (argv=0xccef08, argc=<optimized out>) at as.c:1172
#6  main (argc=<optimized out>, argv=<optimized out>) at as.c:1296
(gdb) p *exp
$1 = {X_add_symbol = 0x0, X_op_symbol = 0x0, X_add_number = 55555, X_op = O_constant, X_unsigned = 1, X_extrabit = 0, X_md = 63469}

Best regards,
- Marcel
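An added example, not part of the report above and not binutils code: an overflow-checked multiply of the kind that would reject the two operands in the UBSan line (44444 * 444555555885555555) before a product of that size could be handed to a frag allocation loop like the one in the backtrace. It assumes a 64-bit `long` as on the reporter's x86_64 hosts, GCC or Clang for `__builtin_mul_overflow`, and a constructed upper bound `MAX_SPACE_BYTES` standing in for whatever limit a real assembler would enforce.

```c
#include <stdbool.h>
#include <stdio.h>

/* Multiply two signed longs, reporting overflow instead of wrapping.
 * __builtin_mul_overflow exists in GCC >= 5 and Clang; on overflow it
 * still stores the wrapped value in *out, so callers must check the flag. */
bool checked_mul(long a, long b, long *out)
{
    return !__builtin_mul_overflow(a, b, out);
}

/* Constructed (hypothetical) cap on how many bytes one directive may
 * request; a real assembler would derive this from its own limits. */
#define MAX_SPACE_BYTES (256L * 1024 * 1024)

/* Validate a "repeat count times item size" request such as the one
 * behind s_space in the backtrace. Returns true and sets *total only when
 * the product is representable and within the cap; otherwise false. */
bool space_request_ok(long count, long nbytes, long *total)
{
    if (count < 0 || nbytes < 0)
        return false;                      /* negative sizes are never valid */
    if (!checked_mul(count, nbytes, total))
        return false;                      /* would have wrapped in 'long' */
    return *total <= MAX_SPACE_BYTES;      /* representable but still too big */
}

int main(void)
{
    long total = 0;
    /* The operands from the UBSan report on this page. */
    printf("overflowing request: %s\n",
           space_request_ok(444555555885555555L, 44444L, &total)
               ? "accepted" : "rejected");
    /* A small, legitimate request. */
    printf("small request: %s (%ld bytes)\n",
           space_request_ok(1000L, 4L, &total) ? "accepted" : "rejected",
           total);
    return 0;
}
```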
