public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug plugins/101810] New: libiberty/simple-object-xcoff.c segmentation fault
@ 2021-08-07 4:08 amodra at gmail dot com
2021-08-07 4:13 ` [Bug plugins/101810] " amodra at gmail dot com
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: amodra at gmail dot com @ 2021-08-07 4:08 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101810
Bug ID: 101810
Summary: libiberty/simple-object-xcoff.c segmentation fault
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: plugins
Assignee: unassigned at gcc dot gnu.org
Reporter: amodra at gmail dot com
Target Milestone: ---
>From https://sourceware.org/bugzilla/show_bug.cgi?id=28179
binutils/nm-new --plugin ~/build/gcc-virgin/lto-plugin/.libs/liblto_plugin.so
-a pr28179
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3630013==ERROR: AddressSanitizer: SEGV on unknown address 0x60200001000a (pc
0x7fc28ca928ea bp 0x000000000000 sp 0x7ffd425c36d0 T0)
==3630013==The signal is caused by a READ memory access.
#0 0x7fc28ca928ea in simple_object_xcoff_find_sections
/home/alan/src/gcc-virgin/libiberty/simple-object-xcoff.c:529:26
#1 0x7fc28ca874f7 in claim_file_handler
/home/alan/src/gcc-virgin/lto-plugin/lto-plugin.c:1189:16
#2 0x9ad923 in try_claim /home/alan/src/binutils-gdb/bfd/plugin.c:323:7
[snip]
A little analysis of the binutils testcase reveals the xcoff file header has
nsyms of 0x80000000. The file contains a number of places where ocr->nsyms *
SYMESZ is calculated. Since ocr->nsyms is an unsigned int and SYMESZ a plain
number (18), the expression overflows to zero. That results in a zero length
buffer being allocated and read from file, but 0x80000000 syms processed from
the buffer.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug plugins/101810] libiberty/simple-object-xcoff.c segmentation fault 2021-08-07 4:08 [Bug plugins/101810] New: libiberty/simple-object-xcoff.c segmentation fault amodra at gmail dot com @ 2021-08-07 4:13 ` amodra at gmail dot com 2021-08-09 7:34 ` rguenth at gcc dot gnu.org ` (2 subsequent siblings) 3 siblings, 0 replies; 5+ messages in thread From: amodra at gmail dot com @ 2021-08-07 4:13 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101810 --- Comment #1 from Alan Modra <amodra at gmail dot com> --- Created attachment 51272 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51272&action=edit Proposed fix ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug plugins/101810] libiberty/simple-object-xcoff.c segmentation fault 2021-08-07 4:08 [Bug plugins/101810] New: libiberty/simple-object-xcoff.c segmentation fault amodra at gmail dot com 2021-08-07 4:13 ` [Bug plugins/101810] " amodra at gmail dot com @ 2021-08-09 7:34 ` rguenth at gcc dot gnu.org 2021-08-12 4:43 ` amodra at gmail dot com 2022-01-09 8:27 ` [Bug other/101810] " pinskia at gcc dot gnu.org 3 siblings, 0 replies; 5+ messages in thread From: rguenth at gcc dot gnu.org @ 2021-08-09 7:34 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101810 --- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> --- How about fixing the places instad? Making SYMESZ a size_t looks like a complete fix? ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug plugins/101810] libiberty/simple-object-xcoff.c segmentation fault 2021-08-07 4:08 [Bug plugins/101810] New: libiberty/simple-object-xcoff.c segmentation fault amodra at gmail dot com 2021-08-07 4:13 ` [Bug plugins/101810] " amodra at gmail dot com 2021-08-09 7:34 ` rguenth at gcc dot gnu.org @ 2021-08-12 4:43 ` amodra at gmail dot com 2022-01-09 8:27 ` [Bug other/101810] " pinskia at gcc dot gnu.org 3 siblings, 0 replies; 5+ messages in thread From: amodra at gmail dot com @ 2021-08-12 4:43 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101810 --- Comment #3 from Alan Modra <amodra at gmail dot com> --- Making SYMESZ a size_t as the patch does, is a complete fix if the code is only compiled for 64-bit hosts where unsigned int is smaller than size_t. If compiled for 32-bit then the expression calculating buffer size can overflow leading to similar segfaults on fuzzed object files. As explained by the comment. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug other/101810] libiberty/simple-object-xcoff.c segmentation fault 2021-08-07 4:08 [Bug plugins/101810] New: libiberty/simple-object-xcoff.c segmentation fault amodra at gmail dot com ` (2 preceding siblings ...) 2021-08-12 4:43 ` amodra at gmail dot com @ 2022-01-09 8:27 ` pinskia at gcc dot gnu.org 3 siblings, 0 replies; 5+ messages in thread From: pinskia at gcc dot gnu.org @ 2022-01-09 8:27 UTC (permalink / raw) To: gcc-bugs https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101810 Andrew Pinski <pinskia at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Last reconfirmed| |2022-01-09 Component|lto |other Status|UNCONFIRMED |NEW Ever confirmed|0 |1 Keywords| |lto --- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> --- Confirmed. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-01-09 8:27 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-08-07 4:08 [Bug plugins/101810] New: libiberty/simple-object-xcoff.c segmentation fault amodra at gmail dot com 2021-08-07 4:13 ` [Bug plugins/101810] " amodra at gmail dot com 2021-08-09 7:34 ` rguenth at gcc dot gnu.org 2021-08-12 4:43 ` amodra at gmail dot com 2022-01-09 8:27 ` [Bug other/101810] " pinskia at gcc dot gnu.org
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).