https://sourceware.org/bugzilla/show_bug.cgi?id=31906

            Bug ID: 31906
           Summary: libdep.so plugin escaping with `\` has bugs, can
                    segfault
           Product: binutils
           Version: 2.42
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: me at harmenstoppels dot nl
  Target Milestone: ---

The `libdep.so` plugin allows putting dependency metadata, in the form of further
command line arguments for the linker such as `-L/foo -lbar`, in the `__.LIBDEP`
archive member.

This archive member is just a string which has to be transformed into a list of
arguments. Since it's a string, parsing supports quoting with single or double
quotes to deal with directories that contain whitespace. With quoting comes
escaping...

The issue is that escaping with `\` is completely broken, and can lead to
segfault.

The implementation has multiple bugs:

1. It drops the `\` in place by shifting the remainder of the string one byte
to the left. But while doing so it forgets to truncate the last byte of the
string by null terminating it. So `-Lhello\world` is incorrectly parsed as
`-Lhelloworldd`.

2. The implementation doesn't seem to handle escaping the escape character
itself (?)

3. There seems to be a missing `continue` in the loop after encountering an
escape character, leading to segfaults when mixed with quotes:
`-L/'hello\'world'` leads to a segfault after it warns, showing how it
incorrectly parses it as `/usr/bin/ld.gold: warning: ignoring libdep argument
hellworldlddl'`.


To reproduce:

> mkdir -p f
> printf 'extern int g(); int f(){ return g(); }' | cc -c -xc - -o f/f.o
> mkdir -p g
> printf 'int g(){ return 4; }' | cc -c -xc - -o g/g.o
> ar cr g/libg.a g/g.o
> ar crl "-L/'hello\'world'" f/libf.a f/f.o
> printf 'extern int f(); int main() { return f(); }' | cc \
>   -Wl,--plugin,/usr/lib/x86_64-linux-gnu/bfd-plugins/libdep.so -fuse-ld=gold \
>   -xc - -o exe -Lf -lf
> got deps for library f/libf.a: -L/'hello\'world'
> /usr/bin/ld.gold: warning: ignoring libdep argument hellworldlddl'
> free(): invalid pointer
> collect2: fatal error: ld terminated with signal 6 [Aborted], core dumped
> compilation terminated.

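For reference, the following is a tokenizer with the behaviour the report treats as the intended one. It is an added example, not the plugin's code and not a proposed patch to binutils. It assumes shell-like semantics: whitespace outside quotes separates arguments, a single- or double-quoted run is one piece of an argument with the quote characters dropped, and a backslash escapes the next character anywhere, including inside quotes, so `\\` gives a literal backslash and `\'` a literal quote. Unlike the in-place shifting described in the report, it copies into a fresh buffer, so dropping an escape character can neither leave a stale trailing byte (`-Lhelloworldd`) nor reinterpret the escaped character as a quote. It also goes a little beyond the report's three cases by handling whitespace inside quoted paths and by rejecting an unterminated quote or a trailing backslash instead of continuing.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Split a __.LIBDEP-style string into a NULL-terminated argv.
 *
 * Assumed semantics (an assumption of this example, not a description
 * of libdep.so): whitespace outside quotes separates arguments; a quoted
 * run (' or ") is part of one argument and the quotes are dropped; a
 * backslash escapes the next character anywhere, including inside quotes.
 *
 * Returns the argument count and stores the vector in *argvp. Vector and
 * strings live in one allocation, released with free(*argvp). Returns -1
 * (and stores NULL) for an unterminated quote or a trailing backslash.
 */
int libdep_split(const char *in, char ***argvp)
{
    size_t n = strlen(in);
    /* Every token consumes at least one input byte, so there are at most n
     * tokens (plus the NULL slot) and at most n + 1 bytes of output text,
     * one NUL per token included. Pointer array first, string storage after. */
    char **argv = malloc((n + 2) * sizeof *argv + n + 2);
    if (argv == NULL) { *argvp = NULL; return -1; }
    char *w = (char *)(argv + n + 2);   /* write cursor into string storage */
    int argc = 0;
    int in_tok = 0;                     /* currently inside an argument */
    char quote = 0;                     /* '\'' or '"' while inside quotes */

    for (const char *p = in; *p; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')           /* dangling escape: reject */
                goto fail;
            if (!in_tok) { argv[argc++] = w; in_tok = 1; }
            *w++ = *++p;                /* copy the escaped byte literally */
            continue;                   /* and never reinterpret it */
        }
        if (quote) {
            if (*p == quote)
                quote = 0;              /* closing quote: drop it */
            else
                *w++ = *p;
            continue;
        }
        if (*p == '\'' || *p == '"') {
            if (!in_tok) { argv[argc++] = w; in_tok = 1; }
            quote = *p;                 /* opening quote: drop it */
            continue;
        }
        if (isspace((unsigned char)*p)) {
            if (in_tok) { *w++ = '\0'; in_tok = 0; }
            continue;
        }
        if (!in_tok) { argv[argc++] = w; in_tok = 1; }
        *w++ = *p;
    }
    if (quote)
        goto fail;                      /* unterminated quote */
    if (in_tok)
        *w = '\0';
    argv[argc] = NULL;
    *argvp = argv;
    return argc;

fail:
    free(argv);
    *argvp = NULL;
    return -1;
}

int main(void)
{
    /* Inputs: the three from the report plus two constructed ones (a quoted
     * path with a space, an unterminated quote). Each argument is printed in
     * brackets so a stray trailing byte would be visible. */
    const char *cases[] = {
        "-Lhello\\world",
        "-Lhello\\\\world",
        "-L/'hello\\'world'",
        "-L\"/opt/my libs\" -lbar -L'/tmp/a b'",
        "-L'unterminated",
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char **argv;
        int argc = libdep_split(cases[i], &argv);
        printf("%s\n", cases[i]);
        if (argc < 0) { printf("  -> rejected\n"); continue; }
        for (int j = 0; j < argc; j++)
            printf("  [%s]\n", argv[j]);
        free(argv);
    }
    return 0;
}
```

With these rules `-Lhello\world` yields `-Lhelloworld`, `-Lhello\\world` yields `-Lhello\world`, and `-L/'hello\'world'` yields `-L/hello'world`; whether `\'` inside single quotes should escape at all is a policy choice (POSIX shells say no), so a real fix in the plugin should document whichever rule it settles on.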