https://sourceware.org/bugzilla/show_bug.cgi?id=17754
Bug ID: 17754
Summary: Buffer overflow detected in MinGW gas
Product: binutils
Version: 2.25
Status: NEW
Severity: normal
Priority: P2
Component: gas
Assignee: unassigned at sourceware dot org
Reporter: yselkowitz at cygwin dot com
CC: ktietz at redhat dot com, nickc at redhat dot com
Host: x86_64-redhat-linux (RHEL/CentOS 6)
Target: {i686,x86_64}-w64-mingw32
Build: x86_64-redhat-linux (RHEL/CentOS 6)

With 2.25 on EL6 x86_64 host, {i686,x86_64}-w64-mingw32 target, a buffer overflow is detected when compiling even the simplest assembly:

$ gdb /usr/i686-w64-mingw32/bin/as
[snip]
Reading symbols from /usr/i686-w64-mingw32/bin/as...Reading symbols from /usr/lib/debug/usr/i686-w64-mingw32/bin/as.debug...done.
done.
(gdb) r -v -o test.o test.s
Starting program: /usr/i686-w64-mingw32/bin/as -v -o test.o test.s
GNU assembler version 2.25 (i686-w64-mingw32) using BFD version (GNU Binutils) 2.25
*** buffer overflow detected ***: /usr/i686-w64-mingw32/bin/as terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7ffff7731697]
/lib64/libc.so.6(+0x100580)[0x7ffff772f580]
/lib64/libc.so.6(__strncpy_chk+0x17b)[0x7ffff772e84b]
/usr/i686-w64-mingw32/bin/as[0x43fbf4]
/usr/i686-w64-mingw32/bin/as[0x44018e]
/usr/i686-w64-mingw32/bin/as[0x45845b]
/usr/i686-w64-mingw32/bin/as[0x4436a1]
/usr/i686-w64-mingw32/bin/as[0x416af3]
/usr/i686-w64-mingw32/bin/as[0x405370]
/usr/i686-w64-mingw32/bin/as[0x4b5767]
/usr/i686-w64-mingw32/bin/as[0x4b5816]
/usr/i686-w64-mingw32/bin/as[0x40506c]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7ffff764dd5d]
/usr/i686-w64-mingw32/bin/as[0x4029e9]
======= Memory map: ========
00400000-00576000 r-xp 00000000 fd:00 532449 /usr/i686-w64-mingw32/bin/as
00776000-00779000 rw-p 00176000 fd:00 532449 /usr/i686-w64-mingw32/bin/as
00779000-007e9000 rw-p 00000000 00:00 0 [heap]
7ffff1384000-7ffff139a000 r-xp 00000000 fd:00 654082 /lib64/libgcc_s-4.4.7-20120601.so.1
7ffff139a000-7ffff1599000 ---p 00016000 fd:00 654082 /lib64/libgcc_s-4.4.7-20120601.so.1
7ffff1599000-7ffff159a000 rw-p 00015000 fd:00 654082 /lib64/libgcc_s-4.4.7-20120601.so.1
7ffff159a000-7ffff179e000 rw-p 00000000 00:00 0
7ffff179e000-7ffff762f000 r--p 00000000 fd:00 393971 /usr/lib/locale/locale-archive
7ffff762f000-7ffff77b9000 r-xp 00000000 fd:00 656988 /lib64/libc-2.12.so
7ffff77b9000-7ffff79b9000 ---p 0018a000 fd:00 656988 /lib64/libc-2.12.so
7ffff79b9000-7ffff79bd000 r--p 0018a000 fd:00 656988 /lib64/libc-2.12.so
7ffff79bd000-7ffff79be000 rw-p 0018e000 fd:00 656988 /lib64/libc-2.12.so
7ffff79be000-7ffff79c3000 rw-p 00000000 00:00 0
7ffff79c3000-7ffff79c5000 r-xp 00000000 fd:00 656994 /lib64/libdl-2.12.so
7ffff79c5000-7ffff7bc5000 ---p 00002000 fd:00 656994 /lib64/libdl-2.12.so
7ffff7bc5000-7ffff7bc6000 r--p 00002000 fd:00 656994 /lib64/libdl-2.12.so
7ffff7bc6000-7ffff7bc7000 rw-p 00003000 fd:00 656994 /lib64/libdl-2.12.so
7ffff7bc7000-7ffff7bdc000 r-xp 00000000 fd:00 657068 /lib64/libz.so.1.2.3
7ffff7bdc000-7ffff7ddb000 ---p 00015000 fd:00 657068 /lib64/libz.so.1.2.3
7ffff7ddb000-7ffff7ddc000 r--p 00014000 fd:00 657068 /lib64/libz.so.1.2.3
7ffff7ddc000-7ffff7ddd000 rw-p 00015000 fd:00 657068 /lib64/libz.so.1.2.3
7ffff7ddd000-7ffff7dfd000 r-xp 00000000 fd:00 656981 /lib64/ld-2.12.so
7ffff7e65000-7ffff7feb000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 0001f000 fd:00 656981 /lib64/ld-2.12.so
7ffff7ffd000-7ffff7ffe000 rw-p 00020000 fd:00 656981 /lib64/ld-2.12.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffea000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7661625 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6.x86_64 libgcc-4.4.7-11.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  0x00007ffff7661625 in raise () from /lib64/libc.so.6
#1  0x00007ffff7662e05 in abort () from /lib64/libc.so.6
#2  0x00007ffff769f537 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff7731697 in __fortify_fail () from /lib64/libc.so.6
#4  0x00007ffff772f580 in __chk_fail () from /lib64/libc.so.6
#5  0x00007ffff772e84b in __strncpy_chk () from /lib64/libc.so.6
#6  0x000000000043fbf4 in strncpy (abfd=0x79d1f0, symbol=0x7a5bf8, native=0x7c9940, written=0x7fffffffd160, string_size_p=0x7fffffffd178, debug_string_section_p=0x7fffffffd170, debug_string_size_p=0x7fffffffd168) at /usr/include/bits/string3.h:121
#7  coff_fix_symbol_name (abfd=0x79d1f0, symbol=0x7a5bf8, native=0x7c9940, written=0x7fffffffd160, string_size_p=0x7fffffffd178, debug_string_section_p=0x7fffffffd170, debug_string_size_p=0x7fffffffd168) at ../../bfd/coffgen.c:909
#8  coff_write_symbol (abfd=0x79d1f0, symbol=0x7a5bf8, native=0x7c9940, written=0x7fffffffd160, string_size_p=0x7fffffffd178, debug_string_section_p=0x7fffffffd170, debug_string_size_p=0x7fffffffd168) at ../../bfd/coffgen.c:1023
#9  0x000000000044018e in coff_write_native_symbol (abfd=0x79d1f0) at ../../bfd/coffgen.c:1216
#10 coff_write_symbols (abfd=0x79d1f0) at ../../bfd/coffgen.c:1320
#11 0x000000000045845b in coff_write_object_contents (abfd=<value optimized out>) at ../../bfd/coffcode.h:4176
#12 0x00000000004436a1 in bfd_close (abfd=0x79d1f0) at ../../bfd/opncls.c:731
#13 0x0000000000416af3 in output_file_close (filename=0x787ed0 "test.o") at ../../gas/output-file.c:64
#14 0x0000000000405370 in close_output_file () at ../../gas/as.c:1005
#15 0x00000000004b5767 in xatexit_cleanup () at ../../libiberty/xatexit.c:98
#16 0x00000000004b5816 in xexit (code=<value optimized out>) at ../../libiberty/xexit.c:50
#17 0x000000000040506c in main (argc=2, argv=0x787e90) at ../../gas/as.c:1313
(gdb)

This does not occur with 2.24 on the same platform, nor with 2.25 on EL7 or Fedora, nor does it occur with a cygwin target.

The code in question is:

    filnmlen = bfd_coff_filnmlen (abfd);
    ...
    strncpy(auxent->x_file.x_fname, name, filnmlen);

x_fname is char[FILNMLEN] in coff/internal.h, in which FILNMLEN is defined as 14. However, filnmlen is 18, which I'm guessing is due to the FILNMLEN override in coff/pe.h, and the difference triggers the overflow detection. I still don't grok the code well enough to understand why this is only failing on one platform though.

--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
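The mechanism behind the abort in the report is worth seeing in isolation. Frame #6 of the backtrace points at bits/string3.h, which is glibc's _FORTIFY_SOURCE wrapper: when the compiler can see the size of the destination object, strncpy is rewritten into __strncpy_chk, and that routine aborts at runtime if the requested length n exceeds the destination size, before any byte is written. The following is an added example, not code from binutils: it mirrors the shape the reporter describes (a 14-byte x_fname field being passed an 18-byte length) with a constructed struct, a predicate that expresses the check __strncpy_chk performs, and a bounded copy that clamps the target-reported length to the field's real capacity and tells the caller how much of the name did not fit. The names aux_file, INTERNAL_FILNMLEN, PE_FILNMLEN_HYPOTHETICAL, strncpy_would_overflow and copy_fname_bounded are all assumptions made for this example; only the two lengths, 14 and 18, come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mirror of the two definitions the report names:
   FILNMLEN (14) from coff/internal.h fixes the field width, while the
   PE target's bfd_coff_filnmlen() reports 18 according to the reporter.
   Both names below are hypothetical stand-ins, not binutils macros. */
#define INTERNAL_FILNMLEN 14
#define PE_FILNMLEN_HYPOTHETICAL 18

/* Hypothetical stand-in for the x_file member of the COFF aux entry. */
struct aux_file {
    char x_fname[INTERNAL_FILNMLEN];
};

/* Nonzero when strncpy(dst, src, n) would write past a destination of
   dst_size bytes. This is exactly the condition __strncpy_chk tests when
   _FORTIFY_SOURCE has told it the destination's size; with n = 18 and a
   14-byte field it fails, which is the "buffer overflow detected" abort. */
int strncpy_would_overflow(size_t dst_size, size_t n) {
    return n > dst_size;
}

/* Bounded alternative: never trust a length that comes from somewhere
   other than the destination's own declaration. Clamp filnmlen to the
   field's capacity, NUL-pad like strncpy, and return the number of name
   bytes that did not fit so the caller can switch to a long-name
   representation instead of truncating silently. */
size_t copy_fname_bounded(struct aux_file *dst, const char *name, size_t filnmlen) {
    size_t cap = sizeof dst->x_fname;
    size_t n = filnmlen < cap ? filnmlen : cap;
    size_t len = strlen(name);
    size_t to_copy = len < n ? len : n;

    memset(dst->x_fname, 0, cap);
    memcpy(dst->x_fname, name, to_copy);
    return len > n ? len - n : 0;
}

int main(void) {
    struct aux_file aux;
    const char *name = "some_long_source_file.s";   /* constructed sample name */

    /* The pattern from the report: the requested length (18) exceeds
       sizeof x_fname (14), so a fortified strncpy would abort here. */
    printf("would plain strncpy overflow: %d\n",
           strncpy_would_overflow(sizeof aux.x_fname, PE_FILNMLEN_HYPOTHETICAL));

    /* The bounded copy writes at most 14 bytes and reports the overflow. */
    size_t dropped = copy_fname_bounded(&aux, name, PE_FILNMLEN_HYPOTHETICAL);
    printf("stored \"%.*s\", %zu byte(s) did not fit\n",
           (int)sizeof aux.x_fname, aux.x_fname, dropped);
    return 0;
}
```

Compiling the original pattern with -O2 -D_FORTIFY_SOURCE=2 against glibc is what turns the plain strncpy call into the __strncpy_chk seen in the backtrace; without fortification the same mismatch would silently corrupt the four bytes following x_fname instead of aborting, which is why the check is a detection mechanism rather than the bug itself.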