public inbox for binutils@sourceware.org
* [Bug] Between  and  glibc causes ld to segfault.
From: Stefan Jones @ 2003-03-11  9:51 UTC (permalink / raw)
  To: libc-alpha; +Cc: binutils

Dear Sirs,

As I have said before, if you call ld with excessive -l() arguments you
get the following segfault:
( see http://bugs.gentoo.org/show_bug.cgi?id=16577 for examples, also
works on redhat beta 8.1 )
#0  new_statement (type=lang_group_statement_enum, size=13, list=0xd)
    at ldlang.c:516
#1  0x080543e6 in lang_enter_group () at ldlang.c:4758
#2  0x08049f34 in yyparse () at ldgram.y:338
#3  0x0805055c in load_symbols (entry=0x0, place=0x0) at ldlang.c:1576
#4  0x08050d2f in open_input_bfds (s=0x0, force=0) at ldlang.c:2043
#5  0x08053b00 in lang_process () at ldlang.c:4277
#6  0x080567e5 in main (argc=0, argv=0x0) at ldmain.c:438
#7  0x4003c747 in __libc_start_main () from /lib/libc.so.6

The cause is in the following function:

static lang_statement_union_type *
new_statement (type, size, list)
     enum statement_enum type;
     size_t size;
     lang_statement_list_type *list;
{
  lang_statement_union_type *new = (lang_statement_union_type *)
  stat_alloc (size);

  new->header.type = type;
  new->header.next = (lang_statement_union_type *) NULL;
  lang_statement_append (list, new, &new->header.next);
  return new;
}
 in ld/lang.c


The function "stat_alloc" returns 0x07 which is wrong and causes the
segfault.
stat_alloc allocates memory off the stack, as far as I can understand. See
obstack.h, in both binutils and glibc. I have tried updating the one
in binutils with the one from glibc. It does not fix it *for me*.
The problem appeared between glibc-2.3.1 and glibc-2.3.2. I did a binary
search through the glibc CVS. I have so far narrowed down the interval;
[Tue Dec 31 06:49:17 2002,Tue Dec 31 08:29:10 2002]

I have only searched linuxthreads, nptl is also affected, but is not on CVS.

The only valid error causing patch I can see in that lot is the new stack
stuff in glibc linuxthreads.
Can someone please reply? I am happy to supply any additional info needed.

Stefan



* Re: [Bug] Between  and  glibc causes ld to segfault.
From: Wolfram Gloger @ 2003-03-11 11:06 UTC (permalink / raw)
  To: cretin; +Cc: libc-alpha, binutils

Hi,

> As I have said before, if you call ld with excessive -l() arguments you
> get the following segfault:
> ( see http://bugs.gentoo.org/show_bug.cgi?id=16577 for examples, also
> works  on redhat beta 8.1 )
> #0  new_statement (type=lang_group_statement_enum, size=13, list=0xd)
>     at ldlang.c:516
                                                              ^^^^^^^^

list=0xd looks suspicious; isn't the stack probably already corrupt
at this stage?

> The only valid error causing patch I can see in that lot is the new stack
> stuff in glibc linuxthreads.

Hmm, but since when is 'ld' linked to libpthread?  I can't see how
LinuxThreads changes could have anything to do with this.

> Can someone please reply, I am happy to supply any additional info needed,

Have you run the ld command under valgrind?

Regards,
Wolfram.


* Re: [Bug] Between Tue Dec 31 06:49:17 2002 and Tue Dec 31 07:14:15 2002 glibc causes ld to segfault.
From: Stefan Jones @ 2003-03-11 12:22 UTC (permalink / raw)
  To: binutils

Wolfram Gloger said:
>> The only valid error causing patch I can see in that lot is the new
>> stack stuff in glibc linuxthreads.
>
> Hmm, but since when is 'ld' linked to libpthread?  I can't see how
> LinuxThreads changes could have anything to do with this.
>

This patch makes /usr/lib/libpthread.so into a ld script, rather than a
symlink.
This is the real trigger. The problem then surfaces when you add too many
-lpthread arguments to ld, it segfaults while reading the ld script file
for the nth time.
( the bad line is "ld -lpthread -lpthread -lpthread .... " )

>> Can someone please reply, I am happy to supply any additional info
>> needed,
>
> Have you run the ld command under valgrind?

Am rebuilding glibc with -g now then I will try valgrind.

Thank you for the reply.

Feeling stupider,

Stefan



* Re: [Bug] Between  and  glibc causes ld to segfault.
From: Stefan Jones @ 2003-03-11 12:47 UTC (permalink / raw)
  To: binutils

Wolfram Gloger said:
>
> Have you run the ld command under valgrind?

valgrind -v ld -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread
-lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread
-lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread
-lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread
-lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread
-lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread
-lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread
-lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread
-lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread
-lpthread -lpthread
==31925== Memcheck, a.k.a. Valgrind, a memory error detector for x86-linux.
==31925== Copyright (C) 2002, and GNU GPL'd, by Julian Seward.
==31925== Using valgrind-1.9.3, a program instrumentation system for x86-linux.
==31925== Copyright (C) 2000-2002, and GNU GPL'd, by Julian Seward.
==31925== Startup, with flags:
==31925==    --suppressions=/usr/lib/valgrind/default.supp
==31925==    -v
==31925== Reading suppressions file: /usr/lib/valgrind/default.supp
==31925== Estimated CPU clock rate is 1522 MHz
==31925==
==31925== Reading syms from /usr/i686-pc-linux-gnu/bin/ld
==31925== Reading syms from /lib/ld-2.3.1.so
==31925== Reading syms from /usr/lib/valgrind/vgskin_memcheck.so
==31925== Reading syms from /usr/lib/valgrind/valgrind.so
==31925== Reading syms from /usr/lib/libbfd-2.13.90.0.18.so
==31925== Reading syms from /lib/libdl-2.3.1.so
==31925== Reading syms from /lib/libc-2.3.1.so
==31925== Invalid write of size 4
==31925==    at 0x80515A3: new_statement (ldlang.c:525)
==31925==    by 0x8057F3C: lang_enter_group (ldlang.c:4868)
==31925==    by 0x804B429: yyparse (ldgram.y:338)
==31925==    by 0x8052D24: load_symbols (ldlang.c:1630)
==31925==    Address 0xB is not stack'd, malloc'd or free'd
Segmentation fault

And the tail of a strace is:

munmap(0x400c6000, 4096)                = 0
open("/usr/lib/libpthread.so", O_RDONLY) = 36
brk(0)                                  = 0x85c1000
brk(0x85c5000)                          = 0x85c5000
ioctl(36, SNDCTL_TMR_TIMEBASE, 0xbfffea40) = -1 ENOTTY (Inappropriate ioctl for device)
fstat64(36, {st_mode=S_IFREG|0755, st_size=216, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400c6000
read(36, "/* GNU ld script\n   Use the shar"..., 8192) = 216
read(36, "", 4096)                      = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

And most importantly, when I replace /usr/lib/libpthread.so
which is:

/* GNU ld script
   Use the shared library, but some functions are only in
   the static library, so try that secondarily.  */
OUTPUT_FORMAT(elf32-i386)
GROUP ( /lib/libpthread.so.0 /usr/lib/libpthread_nonshared.a )

with a symlink to /lib/libpthread.so.0 all is ok ...

I'm finished now, I have a workaround, thanks for your time.

Stefan




* Re: [Bug] Between  and  glibc causes ld to segfault.
From: Andreas Schwab @ 2003-03-18 23:18 UTC (permalink / raw)
  To: Stefan Jones; +Cc: libc-alpha, binutils

"Stefan Jones" <cretin@gentoo.org> writes:

> Dear Sirs,
> 
> As I have said before, if you call ld with excessive -l() arguments you
> get the following segfault:
> ( see http://bugs.gentoo.org/show_bug.cgi?id=16577 for examples, also
> works  on redhat beta 8.1 )
> #0  new_statement (type=lang_group_statement_enum, size=13, list=0xd)
>     at ldlang.c:516
> #1  0x080543e6 in lang_enter_group () at ldlang.c:4758
> #2  0x08049f34 in yyparse () at ldgram.y:338
> #3  0x0805055c in load_symbols (entry=0x0, place=0x0) at ldlang.c:1576
> #4  0x08050d2f in open_input_bfds (s=0x0, force=0) at ldlang.c:2043
> #5  0x08053b00 in lang_process () at ldlang.c:4277
> #6  0x080567e5 in main (argc=0, argv=0x0) at ldmain.c:438
> #7  0x4003c747 in __libc_start_main () from /lib/libc.so.6

Here is a patch:

2003-03-19  Andreas Schwab  <schwab@suse.de>

	* ldfile.c (ldfile_try_open_bfd): Pop lexer start condition after
	eof.

--- ld/ldfile.c.~1.26.~	2003-03-04 22:48:32.000000000 +0100
+++ ld/ldfile.c	2003-03-19 00:08:38.000000000 +0100
@@ -220,6 +220,7 @@ ldfile_try_open_bfd (attempt, entry)
 		        }
 		      token = yylex ();
 		    }
+		  ldlex_popstate ();
 		  ldfile_assumed_script = FALSE;
 		  fclose (yyin);
 		  yyin = NULL;
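Review bot: the matching push for this `ldlex_popstate ();` is not visible in the hunk, so the review should confirm that exactly one state is pushed on every path that reaches this point after the `token = yylex ();` loop above, and that no other path out of ldfile_try_open_bfd returns without the pop; otherwise the start-condition stack either still grows by one entry per implicit linker script read, or underflows. The ChangeLog entry should also record the symptom being fixed (ld crashing after reading many linker-script libraries, as in the repeated -lpthread case reported above), since "Pop lexer start condition after eof" alone does not explain why the missing pop mattered.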

Andreas.
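To make the failure mode concrete: the example below is added here and is not binutils code. It models a fixed-size lexer start-condition stack that is pushed once per implicit linker script read (as ld does for /usr/lib/libpthread.so) and shows the buggy path, where the state is never popped after EOF, against the patched path; the depth STATE_DEPTH and the helper names are assumptions, and the push is bounds-checked so the overflow is reported rather than scribbling over adjacent memory.

```c
/* Added illustration, not code from binutils. The size of ld's real
 * start-condition stack and these helper names are assumptions. */
#include <string.h>

#define STATE_DEPTH 8        /* assumed: small fixed-size stack */
#define INITIAL 0
#define SCRIPT  1

struct lexer {
    int state_stack[STATE_DEPTH];
    int sp;                  /* next free slot in state_stack */
    int yy_start;            /* current start condition */
};

/* Bounds-checked push: returns -1 instead of writing past state_stack,
 * which is where the "Invalid write" in the valgrind report came from. */
static int push_state(struct lexer *lx, int new_state) {
    if (lx->sp >= STATE_DEPTH)
        return -1;
    lx->state_stack[lx->sp++] = lx->yy_start;
    lx->yy_start = new_state;
    return 0;
}

static void pop_state(struct lexer *lx) {
    if (lx->sp > 0)
        lx->yy_start = lx->state_stack[--lx->sp];
}

/* Simulates opening one file that turns out to be a linker script.
 * pop_after_eof = 0 is the buggy behaviour, 1 is the patched one. */
static int read_script(struct lexer *lx, int pop_after_eof) {
    int rc = push_state(lx, SCRIPT);  /* enter the SCRIPT condition */
    /* ... the script's tokens would be lexed here until EOF ... */
    if (pop_after_eof)
        pop_state(lx);                /* the one-line fix in the patch */
    return rc;
}

/* Feed n_scripts linker-script libraries through the lexer. Returns how
 * many pushes would have gone out of bounds; *final_depth gets the
 * leftover stack depth, which should be 0 after a balanced link. */
int simulate_link(int n_scripts, int patched, int *final_depth) {
    struct lexer lx;
    int bad = 0;
    memset(&lx, 0, sizeof lx);
    for (int i = 0; i < n_scripts; i++)
        if (read_script(&lx, patched) < 0)
            bad++;
    *final_depth = lx.sp;
    return bad;
}
```

With 64 -lpthread arguments the unpatched path fills the 8-entry stack and then attempts 56 out-of-bounds pushes, while the patched path leaves the stack empty.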


* Re: [Bug] Between  and  glibc causes ld to segfault.
From: Alan Modra @ 2003-03-18 23:51 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: Stefan Jones, libc-alpha, binutils

On Wed, Mar 19, 2003 at 12:17:13AM +0100, Andreas Schwab wrote:
> 	* ldfile.c (ldfile_try_open_bfd): Pop lexer start condition after
> 	eof.

Ah ha!  So it was an out of bounds array access scribbling over
other things.  Please apply.

-- 
Alan Modra
IBM OzLabs - Linux Technology Centre
