bug-binutils

[Bug gold/24451] New: Multiple Crashes Memory Read/Write errors in Gold


From: leftcopy.chx at gmail dot com
Subject: [Bug gold/24451] New: Multiple Crashes Memory Read/Write errors in Gold Linker
Date: Fri, 12 Apr 2019 08:08:57 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24451

            Bug ID: 24451
           Summary: Multiple Crashes Memory Read/Write errors in Gold
                    Linker
           Product: binutils
           Version: 2.32
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gold
          Assignee: ccoutant at gmail dot com
          Reporter: leftcopy.chx at gmail dot com
                CC: ian at airs dot com
  Target Milestone: ---

Created attachment 11741
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11741&action=edit
pocs

There are multiple crashes when running:

```
./ld-new --threads --thread-count 4 -z relro --hash-style=gnu --build-id \
--eh-frame-hdr -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 -o \
a.out /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crt1.o \
/usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crti.o \
/usr/bin/../lib/gcc/x86_64-linux-gnu/8/crtbegin.o \
-L/usr/bin/../lib/gcc/x86_64-linux-gnu/8 \
-L/usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu \
-L/lib/x86_64-linux-gnu -L/lib/../lib64 -L/usr/lib/x86_64-linux-gnu \
-L/usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../.. -L/usr/lib/llvm-7/bin/../lib \
-L/lib -L/usr/lib $FILE -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc \
--as-needed -lgcc_s --no-as-needed \
/usr/bin/../lib/gcc/x86_64-linux-gnu/8/crtend.o \
/usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crtn.o
```

where $FILE is the specified ELF file. These were tested on binutils git commit
7a6e0d89bb [2] (2019-03-12), but I found no significant code changes inside the
"gold" subdirectory since then, so it also crashes on HEAD.
The attachment contains the POC files; the full list of POCs and the
error messages is available at [1].
Sample error messages are shown below (many other crashes have different
backtraces):

Invalid Write:

```
==21697==WARNING: AddressSanitizer failed to allocate 0x55555555555554a0 bytes
ASAN:DEADLYSIGNAL
=================================================================
==21697==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x555886baf01b bp 0x7ffd88511b60 sp 0x7ffd88511b30 T0)
==21697==The signal is caused by a WRITE memory access.
==21697==Hint: address points to the zero page.
    #0 0x555886baf01a in
__gnu_cxx::__enable_if<std::__is_scalar<gold::Symbol*>::__value,
gold::Symbol**>::__type std::__fill_n_a<gold::Symbol**, unsigned long,
gold::Symbol*>(gold::Symbol**, unsigned long, gold::Symbol* const&)
/usr/include/c++/7/bits/stl_algobase.h:754
    #1 0x555886bae4dc in gold::Symbol** std::fill_n<gold::Symbol**, unsigned
long, gold::Symbol*>(gold::Symbol**, unsigned long, gold::Symbol* const&)
/usr/include/c++/7/bits/stl_algobase.h:789
    #2 0x555886baee3a in gold::Symbol**
std::__uninitialized_default_n_1<true>::__uninit_default_n<gold::Symbol**,
unsigned long>(gold::Symbol**, unsigned long)
/usr/include/c++/7/bits/stl_uninitialized.h:548
    #3 0x555886bae47b in gold::Symbol**
std::__uninitialized_default_n<gold::Symbol**, unsigned long>(gold::Symbol**,
unsigned long) /usr/include/c++/7/bits/stl_uninitialized.h:583
    #4 0x555886bad503 in gold::Symbol**
std::__uninitialized_default_n_a<gold::Symbol**, unsigned long,
gold::Symbol*>(gold::Symbol**, unsigned long, std::allocator<gold::Symbol*>&)
/usr/include/c++/7/bits/stl_uninitialized.h:645
    #5 0x555886ba766d in std::vector<gold::Symbol*,
std::allocator<gold::Symbol*> >::_M_default_append(unsigned long)
/usr/include/c++/7/bits/vector.tcc:575
    #6 0x555886b9f070 in std::vector<gold::Symbol*,
std::allocator<gold::Symbol*> >::resize(unsigned long)
/usr/include/c++/7/bits/stl_vector.h:692
    #7 0x555886d0204c in gold::Sized_relobj_file<64,
false>::do_add_symbols(gold::Symbol_table*, gold::Read_symbols_data*,
gold::Layout*) /home/exp/FOT/binutils/binutils-asan/gold/object.cc:2103
    #8 0x555886b442b8 in gold::Object::add_symbols(gold::Symbol_table*,
gold::Read_symbols_data*, gold::Layout*)
/home/exp/FOT/binutils/binutils-asan/gold/object.h:658
    #9 0x555886e57592 in gold::Add_symbols::run(gold::Workqueue*)
/home/exp/FOT/binutils/binutils-asan/gold/readsyms.cc:635
    #10 0x555886f90a3e in gold::Workqueue::find_and_run_task(int)
/home/exp/FOT/binutils/binutils-asan/gold/workqueue.cc:319
    #11 0x555886f91731 in gold::Workqueue::process(int)
/home/exp/FOT/binutils/binutils-asan/gold/workqueue.cc:495
    #12 0x555886606393 in main
/home/exp/FOT/binutils/binutils-asan/gold/main.cc:252
    #13 0x7fc950ed5b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x5558866057d9 in _start
(/home/exp/FOT/binutils/binutils-asan/gold/ld-new+0x1c17d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/c++/7/bits/stl_algobase.h:754 in
__gnu_cxx::__enable_if<std::__is_scalar<gold::Symbol*>::__value,
gold::Symbol**>::__type std::__fill_n_a<gold::Symbol**, unsigned long,
gold::Symbol*>(gold::Symbol**, unsigned long, gold::Symbol* const&)
==21697==ABORTING
```

Invalid Read:

```
./ld-new: error: ../../pocs/read_npr_elfcpp.h:1226_1: bad e_ehsize (0 != 64)
./ld-new: error: ../../pocs/read_npr_elfcpp.h:1226_1: bad e_shentsize (60545 !=
64)
ASAN:DEADLYSIGNAL
=================================================================
==20281==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x56376dcfc1b6 bp 0x7ffed4a4b040 sp 0x7ffed4a4b030 T0)
==20281==The signal is caused by a READ memory access.
==20281==Hint: address points to the zero page.
    #0 0x56376dcfc1b5 in elfcpp::Shdr<64, false>::get_sh_type() const
../elfcpp/elfcpp.h:1226
    #1 0x56376dcf9791 in elfcpp::Elf_file<64, false,
gold::Sniff_file>::section_type(unsigned int) ../elfcpp/elfcpp_file.h:644
    #2 0x56376dd076a9 in do_recognize_nacl_file<64, false>
/home/exp/FOT/binutils/binutils-asan/gold/nacl.h:202
    #3 0x56376dd04608 in recognize_nacl_file
/home/exp/FOT/binutils/binutils-asan/gold/nacl.h:186
    #4 0x56376dd00fea in do_recognize
/home/exp/FOT/binutils/binutils-asan/gold/nacl.h:116
    #5 0x56376e61fdea in gold::Target_selector::recognize(gold::Input_file*,
long, int, int, int)
/home/exp/FOT/binutils/binutils-asan/gold/target-select.h:82
    #6 0x56376e61f91c in gold::select_target(gold::Input_file*, long, int, int,
bool, int, int) /home/exp/FOT/binutils/binutils-asan/gold/target-select.cc:113
    #7 0x56376e364bc3 in make_elf_sized_object<64, false>
/home/exp/FOT/binutils/binutils-asan/gold/object.cc:3342
    #8 0x56376e3641d7 in gold::make_elf_object(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, gold::Input_file*, long,
unsigned char const*, long, bool*)
/home/exp/FOT/binutils/binutils-asan/gold/object.cc:3467
    #9 0x56376e4e5d77 in gold::Read_symbols::do_read_symbols(gold::Workqueue*)
/home/exp/FOT/binutils/binutils-asan/gold/readsyms.cc:336
    #10 0x56376e4e4709 in gold::Read_symbols::run(gold::Workqueue*)
/home/exp/FOT/binutils/binutils-asan/gold/readsyms.cc:167
    #11 0x56376e621a3e in gold::Workqueue::find_and_run_task(int)
/home/exp/FOT/binutils/binutils-asan/gold/workqueue.cc:319
    #12 0x56376e622731 in gold::Workqueue::process(int)
/home/exp/FOT/binutils/binutils-asan/gold/workqueue.cc:495
    #13 0x56376dc97393 in main
/home/exp/FOT/binutils/binutils-asan/gold/main.cc:252
    #14 0x7f75e9466b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x56376dc967d9 in _start
(/home/exp/FOT/binutils/binutils-asan/gold/ld-new+0x1c17d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../elfcpp/elfcpp.h:1226 in elfcpp::Shdr<64,
false>::get_sh_type() const
==20281==ABORTING
```

System information:

$ uname -a
Linux C11 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64
x86_64 x86_64 GNU/Linux

$ gcc --version
gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ clang --version
clang version 7.0.1-svn348686-1~exp1~20190113235231.54 (branches/release_70)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin

[1] https://github.com/ntu-sec/pocs/tree/master/binutils-7a6e0d89bb/crashes
[2] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=7a6e0d89bb018cef0d8d13c497d8f340aa2a0fc8
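As an added example (not gold's code and not part of the report), the kind of header check that rejects a file like the one in the second trace before any section header is dereferenced: an ELF64 validator that bounds-checks e_ehsize, e_shentsize and the whole section header table against the file size, with a constructed sample buffer that plants the report's bad values. It assumes a little-endian host.

```c
/* Added example, not from gold: validate an ELF64 header and its section table before indexing it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EH64_SIZE 64   /* sizeof(Elf64_Ehdr) */
#define SH64_SIZE 64   /* sizeof(Elf64_Shdr) */

/* 0 if buf/size is a sane little-endian ELF64 file whose section header table fits; else a negative code. */
int elf64_validate(const uint8_t *buf, size_t size) {
    if (size < EH64_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[4] != 2 || buf[5] != 1) return -2;     /* ELFCLASS64, ELFDATA2LSB only */
    uint16_t e_ehsize, e_shentsize, e_shnum, e_shstrndx; uint64_t e_shoff;
    memcpy(&e_shoff, buf + 40, 8);
    memcpy(&e_ehsize, buf + 52, 2);
    memcpy(&e_shentsize, buf + 58, 2);
    memcpy(&e_shnum, buf + 60, 2);
    memcpy(&e_shstrndx, buf + 62, 2);
    if (e_ehsize != EH64_SIZE) return -3;          /* the report's "bad e_ehsize" */
    if (e_shnum == 0) return 0;                    /* no section table: nothing to index */
    if (e_shentsize != SH64_SIZE) return -4;       /* the report's "bad e_shentsize" */
    /* overflow-safe check that the entire table lies inside the file */
    if (e_shoff > size || (uint64_t)e_shnum * SH64_SIZE > size - e_shoff) return -5;
    if (e_shstrndx != 0 && e_shstrndx >= e_shnum) return -6;
    return 0;
}

/* sh_type of section idx, or -1 if the file or the index is invalid (never reads out of bounds). */
long elf64_section_type(const uint8_t *buf, size_t size, unsigned idx) {
    if (elf64_validate(buf, size) != 0) return -1;
    uint16_t e_shnum; uint64_t e_shoff; uint32_t sh_type;
    memcpy(&e_shoff, buf + 40, 8);
    memcpy(&e_shnum, buf + 60, 2);
    if (idx >= e_shnum) return -1;
    memcpy(&sh_type, buf + e_shoff + (size_t)idx * SH64_SIZE + 4, 4);
    return sh_type;
}

/* Constructed 128-byte sample: header plus one section header of type 2 (SHT_SYMTAB).
 * corrupt != 0 plants the e_ehsize (0) and e_shentsize (60545) values from the report. */
void build_sample(uint8_t out[128], int corrupt) {
    memset(out, 0, 128);
    memcpy(out, "\x7f" "ELF\x02\x01\x01", 7);
    uint64_t shoff = 64; uint32_t type = 2;
    uint16_t ehsize = corrupt ? 0 : 64, shentsize = corrupt ? 60545 : 64, shnum = 1;
    memcpy(out + 40, &shoff, 8);     memcpy(out + 52, &ehsize, 2);
    memcpy(out + 58, &shentsize, 2); memcpy(out + 60, &shnum, 2);
    memcpy(out + 64 + 4, &type, 4);
}
```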


