public inbox for binutils@sourceware.org
* objcopy --redefine-sym(s) segfaults on mach-o-i386
@ 2014-04-01 10:29 Michael Opitz
  2014-04-01 12:34 ` Tristan Gingold
  0 siblings, 1 reply; 2+ messages in thread
From: Michael Opitz @ 2014-04-01 10:29 UTC (permalink / raw)
  To: binutils


Hello,

objcopy crashes very often when renaming symbols in mach-o-i386 object files.
I've uploaded a coredump http://176.28.14.46/core.24966 and a small
object file with which the crash happened.
The coredump was generated on Linux x86_64.
The binutils version is:

x86_64-apple-darwin-objcopy --version
GNU objcopy (GNU Binutils) 2.24.51.20140331
Copyright (C) 2014 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

The binary was compiled on Mountain Lion with gcc -m32 -c test.c -o test.o
where gcc is really a link to clang:
gcc --version
Apple LLVM version 5.1 (clang-503.0.38) (based on LLVM 3.4svn)
Target: x86_64-apple-darwin12.5.0
Thread model: posix

The problem is reproducible with recent binutils compiled on OS X.
I've also attached a valgrind log message.

Kind Regards,
Michael

[-- Attachment #2: valgrind.log --]
[-- Type: text/x-log, Size: 9476 bytes --]

==25435== Memcheck, a memory error detector
==25435== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25435== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==25435== Command: /home/nax/macools/bin/x86_64-apple-darwin-objcopy --redefine-sym _hello1=_hoho /home/nax/Downloads/test\ (2).o
==25435== Parent PID: 23854
==25435== 
--25435-- 
--25435-- Valgrind options:
--25435--    -v
--25435--    --leak-check=full
--25435--    --log-file=valgrind.log
--25435-- Contents of /proc/version:
--25435--   Linux version 3.13.7-1-ARCH (nobody@var-lib-archbuild-extra-x86_64-thomas) (gcc version 4.8.2 20140206 (prerelease) (GCC) ) #1 SMP PREEMPT Mon Mar 24 20:06:08 CET 2014
--25435-- Arch and hwcaps: AMD64, amd64-cx16-rdtscp-sse3-avx
--25435-- Page sizes: currently 4096, max supported 4096
--25435-- Valgrind library directory: /usr/lib/valgrind
--25435-- Reading syms from /home/nax/macools/bin/x86_64-apple-darwin-objcopy
--25435-- Reading syms from /usr/lib/ld-2.19.so
--25435-- Reading syms from /usr/lib/valgrind/memcheck-amd64-linux
--25435--    object doesn't have a symbol table
--25435--    object doesn't have a dynamic symbol table
--25435-- Scheduler: using generic scheduler lock implementation.
--25435-- Reading suppressions file: /usr/lib/valgrind/default.supp
==25435== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-25435-by-nax-on-???
==25435== embedded gdbserver: writing to   /tmp/vgdb-pipe-to-vgdb-from-25435-by-nax-on-???
==25435== embedded gdbserver: shared mem   /tmp/vgdb-pipe-shared-mem-vgdb-25435-by-nax-on-???
==25435== 
==25435== TO CONTROL THIS PROCESS USING vgdb (which you probably
==25435== don't want to do, unless you know exactly what you're doing,
==25435== or are doing some strange experiment):
==25435==   /usr/lib/valgrind/../../bin/vgdb --pid=25435 ...command...
==25435== 
==25435== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==25435==   /path/to/gdb /home/nax/macools/bin/x86_64-apple-darwin-objcopy
==25435== and then give GDB the following command
==25435==   target remote | /usr/lib/valgrind/../../bin/vgdb --pid=25435
==25435== --pid is optional if only one valgrind process is running
==25435== 
--25435-- REDIR: 0x40178e0 (strlen) redirected to 0x380673f1 (???)
--25435-- Reading syms from /usr/lib/valgrind/vgpreload_core-amd64-linux.so
--25435--    object doesn't have a symbol table
--25435-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
--25435--    object doesn't have a symbol table
--25435-- REDIR: 0x4017690 (index) redirected to 0x4c2b7f0 (index)
--25435-- REDIR: 0x40178b0 (strcmp) redirected to 0x4c2c8d0 (strcmp)
--25435-- Reading syms from /usr/lib/libz.so.1.2.8
--25435--    object doesn't have a symbol table
--25435-- Reading syms from /usr/lib/libc-2.19.so
--25435-- REDIR: 0x50cedf0 (strcasecmp) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x50d10e0 (strncasecmp) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x50ce5c0 (memcpy@GLIBC_2.2.5) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x50cc940 (rindex) redirected to 0x4c2b5e0 (rindex)
--25435-- REDIR: 0x50c9230 (__GI_strcmp) redirected to 0x4c2c880 (__GI_strcmp)
--25435-- REDIR: 0x50cac40 (strlen) redirected to 0x4c2bb80 (strlen)
--25435-- REDIR: 0x50cb0b0 (__GI_strncmp) redirected to 0x4c2c090 (__GI_strncmp)
--25435-- REDIR: 0x50c8fd0 (__GI_strchr) redirected to 0x4c2b6f0 (__GI_strchr)
--25435-- REDIR: 0x50d5780 (strchrnul) redirected to 0x4c2e5c0 (strchrnul)
--25435-- REDIR: 0x50c4fd0 (malloc) redirected to 0x4c286c0 (malloc)
--25435-- REDIR: 0x50c5610 (free) redirected to 0x4c29930 (free)
--25435-- REDIR: 0x50cec80 (__GI_stpcpy) redirected to 0x4c2dbd0 (__GI_stpcpy)
--25435-- REDIR: 0x50c91f0 (strcmp) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x516d830 (__strcmp_ssse3) redirected to 0x4c2c830 (strcmp)
--25435-- REDIR: 0x50cae00 (strnlen) redirected to 0x4c2bb20 (strnlen)
--25435-- REDIR: 0x50c5940 (calloc) redirected to 0x4c2a7a0 (calloc)
--25435-- REDIR: 0x50cdc90 (memchr) redirected to 0x4c2c970 (memchr)
--25435-- REDIR: 0x50d5570 (rawmemchr) redirected to 0x4c2e600 (rawmemchr)
--25435-- REDIR: 0x50c8fa0 (index) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x50cc900 (strncpy) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x50de8d0 (__strncpy_sse2_unaligned) redirected to 0x4c2bd80 (strncpy)
--25435-- REDIR: 0x50ca680 (strcpy) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x50de2a0 (__strcpy_sse2_unaligned) redirected to 0x4c2bbc0 (strcpy)
--25435-- REDIR: 0x50d37c0 (memcpy@@GLIBC_2.14) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x50d96e0 (__memcpy_sse2_unaligned) redirected to 0x4c2cc20 (memcpy@@GLIBC_2.14)
--25435-- REDIR: 0xffffffffff600000 (???) redirected to 0x380673d3 (???)
--25435-- REDIR: 0x50ce650 (memset) redirected to 0x4c2dfc0 (memset)
--25435-- REDIR: 0x50cb060 (strncmp) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x516ea90 (__strncmp_ssse3) redirected to 0x4c2c020 (strncmp)
--25435-- REDIR: 0x50cdfe0 (bcmp) redirected to 0x4a23730 (_vgnU_ifunc_wrapper)
--25435-- REDIR: 0x518d690 (__memcmp_sse4_1) redirected to 0x4c2da70 (bcmp)
==25435== Invalid read of size 8
==25435==    at 0x4401F6: bfd_mach_o_canonicalize_relocs (mach-o.c:1093)
==25435==    by 0x440863: bfd_mach_o_canonicalize_reloc (mach-o.c:1178)
==25435==    by 0x407923: mark_symbols_used_in_relocations (objcopy.c:3122)
==25435==    by 0x43069B: bfd_map_over_sections (section.c:1354)
==25435==    by 0x409499: copy_object (objcopy.c:2081)
==25435==    by 0x40A9F3: copy_file (objcopy.c:2514)
==25435==    by 0x405852: main (objcopy.c:4270)
==25435==  Address 0x805439aa0 is not stack'd, malloc'd or (recently) free'd
==25435== 
==25435== Invalid read of size 8
==25435==    at 0x4401FA: bfd_mach_o_canonicalize_relocs (mach-o.c:1093)
==25435==    by 0x440863: bfd_mach_o_canonicalize_reloc (mach-o.c:1178)
==25435==    by 0x407923: mark_symbols_used_in_relocations (objcopy.c:3122)
==25435==    by 0x43069B: bfd_map_over_sections (section.c:1354)
==25435==    by 0x409499: copy_object (objcopy.c:2081)
==25435==    by 0x40A9F3: copy_file (objcopy.c:2514)
==25435==    by 0x405852: main (objcopy.c:4270)
==25435==  Address 0x78 is not stack'd, malloc'd or (recently) free'd
==25435== 
==25435== 
==25435== Process terminating with default action of signal 11 (SIGSEGV)
==25435==  Access not within mapped region at address 0x78
==25435==    at 0x4401FA: bfd_mach_o_canonicalize_relocs (mach-o.c:1093)
==25435==    by 0x440863: bfd_mach_o_canonicalize_reloc (mach-o.c:1178)
==25435==    by 0x407923: mark_symbols_used_in_relocations (objcopy.c:3122)
==25435==    by 0x43069B: bfd_map_over_sections (section.c:1354)
==25435==    by 0x409499: copy_object (objcopy.c:2081)
==25435==    by 0x40A9F3: copy_file (objcopy.c:2514)
==25435==    by 0x405852: main (objcopy.c:4270)
==25435==  If you believe this happened as a result of a stack
==25435==  overflow in your program's main thread (unlikely but
==25435==  possible), you can try to increase the size of the
==25435==  main thread stack using the --main-stacksize= flag.
==25435==  The main thread stack size used in this run was 8388608.
==25435== 
==25435== HEAP SUMMARY:
==25435==     in use at exit: 53,784 bytes in 37 blocks
==25435==   total heap usage: 2,429 allocs, 2,392 frees, 231,742 bytes allocated
==25435== 
==25435== Searching for pointers to 37 not-freed blocks
==25435== Checked 413,176 bytes
==25435== 
==25435== LEAK SUMMARY:
==25435==    definitely lost: 0 bytes in 0 blocks
==25435==    indirectly lost: 0 bytes in 0 blocks
==25435==      possibly lost: 0 bytes in 0 blocks
==25435==    still reachable: 53,784 bytes in 37 blocks
==25435==         suppressed: 0 bytes in 0 blocks
==25435== Reachable blocks (those to which a pointer was found) are not shown.
==25435== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==25435== 
==25435== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 1 from 1)
==25435== 
==25435== 1 errors in context 1 of 2:
==25435== Invalid read of size 8
==25435==    at 0x4401FA: bfd_mach_o_canonicalize_relocs (mach-o.c:1093)
==25435==    by 0x440863: bfd_mach_o_canonicalize_reloc (mach-o.c:1178)
==25435==    by 0x407923: mark_symbols_used_in_relocations (objcopy.c:3122)
==25435==    by 0x43069B: bfd_map_over_sections (section.c:1354)
==25435==    by 0x409499: copy_object (objcopy.c:2081)
==25435==    by 0x40A9F3: copy_file (objcopy.c:2514)
==25435==    by 0x405852: main (objcopy.c:4270)
==25435==  Address 0x78 is not stack'd, malloc'd or (recently) free'd
==25435== 
==25435== 
==25435== 1 errors in context 2 of 2:
==25435== Invalid read of size 8
==25435==    at 0x4401F6: bfd_mach_o_canonicalize_relocs (mach-o.c:1093)
==25435==    by 0x440863: bfd_mach_o_canonicalize_reloc (mach-o.c:1178)
==25435==    by 0x407923: mark_symbols_used_in_relocations (objcopy.c:3122)
==25435==    by 0x43069B: bfd_map_over_sections (section.c:1354)
==25435==    by 0x409499: copy_object (objcopy.c:2081)
==25435==    by 0x40A9F3: copy_file (objcopy.c:2514)
==25435==    by 0x405852: main (objcopy.c:4270)
==25435==  Address 0x805439aa0 is not stack'd, malloc'd or (recently) free'd
==25435== 
--25435-- 
--25435-- used_suppression:      1 dl-hack3-cond-1 /usr/lib/valgrind/default.supp:1196
==25435== 
==25435== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 1 from 1)

[-- Attachment #3: test (2).o --]
[-- Type: application/x-object, Size: 747 bytes --]


* Re: objcopy --redefine-sym(s) segfaults on mach-o-i386
  2014-04-01 10:29 objcopy --redefine-sym(s) segfaults on mach-o-i386 Michael Opitz
@ 2014-04-01 12:34 ` Tristan Gingold
  0 siblings, 0 replies; 2+ messages in thread
From: Tristan Gingold @ 2014-04-01 12:34 UTC (permalink / raw)
  To: Michael Opitz; +Cc: binutils

Hello,

I have modified mach-o.c to avoid the crash (I haven't yet tested it with valgrind).

Do you have the C source of test 2? It looks not to be well formed.

Tristan.

bfd/
	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Avoid to crash
	when num == 0.

diff --git a/bfd/mach-o.c b/bfd/mach-o.c
index ebaa6c7..e33c01f 100644
--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
@@ -1075,7 +1075,7 @@ bfd_mach_o_canonicalize_one_reloc (bfd *abfd,
 	  /* An external symbol number.  */
 	  sym = syms + num;
 	}
-      else if (num == 0x00ffffff)
+      else if (num == 0x00ffffff || num == 0)
 	{
 	  /* The 'symnum' in a non-scattered PAIR is 0x00ffffff.  But as this
 	     is generic code, we don't know wether this is really a PAIR.
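Review bot: the new condition `else if (num == 0x00ffffff || num == 0)` folds a zero symbol number into the PAIR branch, but the comment under it still explains only the 0x00ffffff case, so a reader cannot tell whether zero is a legitimate "no symbol" value here or a malformed entry being tolerated; extend the comment to say which it is. Since the assertion removed in the next hunk treated num == 0 as invalid until now, and the reporter's object file is suspected of being malformed, consider also calling bfd_set_error (bfd_error_bad_value) on this path so that objcopy reports an entry it cannot interpret instead of silently producing output from it.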
@@ -1087,7 +1087,6 @@ bfd_mach_o_canonicalize_one_reloc (bfd *abfd,
       else
         {
 	  /* A section number.  */
-          BFD_ASSERT (num != 0);
           BFD_ASSERT (num <= mdata->nsects);
 
           sym = mdata->sections[num - 1]->bfdsection->symbol_ptr_ptr;
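Review bot: dropping `BFD_ASSERT (num != 0);` leaves `BFD_ASSERT (num <= mdata->nsects);` as the only guard before `sym = mdata->sections[num - 1]->bfdsection->symbol_ptr_ptr;`, and BFD_ASSERT only reports the failed condition through the error handler and continues, so a section number larger than nsects still indexes past the end of `sections[]` exactly as num == 0 did before this patch (the valgrind trace above shows the wild read that case produced through this lookup). Replace the assertion with a real bounds check that fails the canonicalization (bfd_set_error (bfd_error_bad_value) and an error return) when num > mdata->nsects, so a field read from the file never reaches the array index unchecked.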

On 01 Apr 2014, at 12:28, Michael Opitz <opitz.michael@gmail.com> wrote:

> Hello,
> 
> objcopy crashes very often when renaming symbols in mach-o-i386 object files.
> I've uploaded a coredump http://176.28.14.46/core.24966 and a small
> object file with which the crash happened.
> The coredump was generated on Linux x86_64.
> The binutils version is:
> 
> x86_64-apple-darwin-objcopy --version
> GNU objcopy (GNU Binutils) 2.24.51.20140331
> Copyright (C) 2014 Free Software Foundation, Inc.
> This program is free software; you may redistribute it under the terms of
> the GNU General Public License version 3 or (at your option) any later version.
> This program has absolutely no warranty.
> 
> The binary was compiled on Mountain Lion with gcc -m32 -c test.c -o test.o
> where gcc is really a link to clang:
> gcc --version
> Apple LLVM version 5.1 (clang-503.0.38) (based on LLVM 3.4svn)
> Target: x86_64-apple-darwin12.5.0
> Thread model: posix
> 
> The problem is reproducible with recent binutils compiled on OS X.
> I've also attached a valgrind log message.
> 
> Kind Regards,
> Michael
> <valgrind.log><test (2).o>
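The crash in this thread comes from a 1-based section ordinal read straight out of the object file being used, after `num - 1`, as an array index: with num == 0 the index wraps to the wild read valgrind reported, and an assertion that merely prints a message does not stop it. The following is an added example, not code from binutils or from this patch: a small model of the same lookup that rejects every out-of-range value with a real branch and an error return. The bit layout of the relocation word (24-bit r_symbolnum, r_extern at bit 27), the PAIR marker 0x00ffffff and the meaning of a zero section number as an absolute reference follow the Mach-O ABI; the struct names, the `resolve_reloc_target` and `count_invalid_relocs` functions and the sample relocation table are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the second 32-bit word of a non-scattered Mach-O relocation
   entry on a little-endian host: bits 0-23 r_symbolnum, bit 24 r_pcrel,
   bits 25-26 r_length, bit 27 r_extern, bits 28-31 r_type. */
#define R_SYMBOLNUM_MASK 0x00ffffffu
#define R_EXTERN_BIT     (1u << 27)
#define PAIR_SYMBOLNUM   0x00ffffffu  /* second half of a PAIR, as in the patch comment */
#define R_ABS_SYMBOLNUM  0u           /* Mach-O R_ABS: absolute, no section */

enum target_kind { TARGET_SYMBOL, TARGET_SECTION, TARGET_NONE, TARGET_INVALID };

struct reloc_target {
    enum target_kind kind;
    uint32_t index;   /* 0-based index into syms[] or sections[] when valid */
};

/* Hypothetical summary of the object being read: only the table sizes
   matter for the bounds checks. */
struct object_model {
    uint32_t nsyms;
    uint32_t nsects;
};

/* Resolve where a relocation's symbol number points.  Returns 0 on
   success; returns -1 and reports TARGET_INVALID for any value that
   would index outside syms[] or sections[], so the caller can reject the
   file instead of dereferencing whatever lies beyond the array. */
int resolve_reloc_target(const struct object_model *obj, uint32_t r_info,
                         struct reloc_target *out)
{
    uint32_t num = r_info & R_SYMBOLNUM_MASK;

    if (r_info & R_EXTERN_BIT) {
        /* External: num is a 0-based symbol-table index. */
        if (num >= obj->nsyms) {
            out->kind = TARGET_INVALID; out->index = num; return -1;
        }
        out->kind = TARGET_SYMBOL; out->index = num; return 0;
    }
    if (num == PAIR_SYMBOLNUM || num == R_ABS_SYMBOLNUM) {
        /* PAIR marker or absolute reference: nothing to look up. */
        out->kind = TARGET_NONE; out->index = 0; return 0;
    }
    /* Section ordinal, 1-based, so the valid range is 1..nsects.  This
       must be a real branch, not an assertion: num == 0 would compute
       sections[-1] (the wild read in the valgrind log) and num > nsects
       walks off the other end of the array. */
    if (num > obj->nsects) {
        out->kind = TARGET_INVALID; out->index = num; return -1;
    }
    out->kind = TARGET_SECTION; out->index = num - 1; return 0;
}

/* Walk a table of raw relocation words and count the malformed ones; a
   non-zero count means the object should be rejected before any symbol
   renaming or copying touches it. */
size_t count_invalid_relocs(const struct object_model *obj,
                            const uint32_t *infos, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        struct reloc_target t;
        if (resolve_reloc_target(obj, infos[i], &t) != 0)
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Constructed object: 4 symbols, 3 sections. */
    const struct object_model obj = { 4, 3 };
    /* Constructed relocation words; r_type/r_length bits left zero. */
    const uint32_t relocs[] = {
        R_EXTERN_BIT | 2,   /* external symbol 2: valid */
        2,                  /* section 2 -> sections[1]: valid */
        0,                  /* absolute / no section: valid, no lookup */
        PAIR_SYMBOLNUM,     /* PAIR half: valid, no lookup */
        7,                  /* section 7 of 3: rejected */
        R_EXTERN_BIT | 9,   /* symbol 9 of 4: rejected */
    };
    size_t n = sizeof relocs / sizeof relocs[0];
    static const char *names[] = { "symbol", "section", "none", "INVALID" };

    for (size_t i = 0; i < n; i++) {
        struct reloc_target t;
        resolve_reloc_target(&obj, relocs[i], &t);
        printf("reloc %zu: %-7s index %u\n", i, names[t.kind], t.index);
    }
    printf("%zu malformed entries\n", count_invalid_relocs(&obj, relocs, n));
    return 0;
}
```

The table sizes are passed in explicitly so that the check never depends on a debug-only macro: a tool that copies attacker-supplied object files should treat every index read from the file as untrusted and fail cleanly on the first one that is out of range.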

