[Bug ld/32761] New: binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

            Bug ID: 32761
           Summary: binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
           Product: binutils
           Version: 2.44
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: fourdim2001 at gmail dot com
  Target Milestone: ---

This happens when compiling https://github.com/google/syzkaller's syz-executor. The commit hash of syzkaller I was working on is 6a8fcbc4a6172c831c89c507007f59fba13408aa.

The compile command is

```
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
  -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
  -DHOSTGOOS_linux=1 -DGIT_REVISION=\"6a8fcbc4a6172c831c89c507007f59fba13408aa\"
```

When compiling it with lld or mold, it runs without any issue. When compiling it with -static instead of the -static-pie option, it runs without any issue.

The stack trace is:

```
#0  0x771cc090 in _dl_relocate_static_pie ()
#1  0x77146cb6 in __libc_start_main_impl ()
#2  0x77050885 in _start ()
```

Partial disassembly:

```
   0x771cc045 <+965>:   mov    0x10(%r12),%rcx
   0x771cc04a <+970>:   and    $0x20,%edx
   0x771cc04d <+973>:   movq   %xmm0,%rax
   0x771cc052 <+978>:   lea    (%rcx,%rcx,2),%rcx
   0x771cc056 <+982>:   movdqa %xmm0,%xmm1
   0x771cc05a <+986>:   lea    (%rax,%rcx,8),%rbx
   0x771cc05e <+990>:   mov    0x70(%r9),%rcx
   0x771cc062 <+994>:   psrldq $0x8,%xmm1
   0x771cc067 <+999>:   paddq  %xmm1,%xmm0
   0x771cc06b <+1003>:  mov    0x8(%rcx),%r10
   0x771cc06f <+1007>:  movq   %xmm0,%r8
   0x771cc074 <+1012>:  lea    (%r10,%r13,1),%rcx
   0x771cc078 <+1016>:  cmovne %rcx,%r10
   0x771cc07c <+1020>:  cmp    %rbx,%rax
   0x771cc07f <+1023>:  jae    0x771cc0bc <_dl_relocate_static_pie+1084>
   0x771cc081 <+1025>:  data16 cs nopw 0x0(%rax,%rax,1)
   0x771cc08c <+1036>:  nopl   0x0(%rax)
=> 0x771cc090 <+1040>:  mov    (%rax),%rcx
   0x771cc093 <+1043>:  mov    0x8(%rax),%edx
   0x771cc096 <+1046>:  add    %r13,%rcx
   0x771cc099 <+1049>:  cmp    $0x26,%rdx
   0x771cc09d <+1053>:  je     0x771cc0a9 <_dl_relocate_static_pie+1065>
   0x771cc09f <+1055>:  cmp    $0x8,%rdx
   0x771cc0a3 <+1059>:  jne    0x7704e374 <_dl_relocate_static_pie.cold+62>
   0x771cc0a9 <+1065>:  mov    0x10(%rax),%rdx
   0x771cc0ad <+1069>:  add    $0x18,%rax
   0x771cc0b1 <+1073>:  add    %r13,%rdx
   0x771cc0b4 <+1076>:  mov    %rdx,(%rcx)
   0x771cc0b7 <+1079>:  cmp    %rbx,%rax
   0x771cc0ba <+1082>:  jb     0x771cc090 <_dl_relocate_static_pie+1040>
   0x771cc0bc <+1084>:  mov    0x208(%r9),%rcx
   0x771cc0c3 <+1091>:  test   %rcx,%rcx
   0x771cc0c6 <+1094>:  je     0x771cc5c0 <_dl_relocate_static_pie+2368>
   0x771cc0cc <+1100>:  cmp    %r8,%rbx
```

It looks like it has something to do with linker relocation, so I post it here.

The known good version of ld is Ubuntu 22.04.4 LTS, GNU ld (GNU Binutils for Ubuntu) 2.38.
The known bad version of ld is Arch Linux, GNU ld (GNU Binutils) 2.44.

--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug ld/32761] binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2025-03-05
             Status|UNCONFIRMED                 |NEW
[Bug binutils/25237] Strip leaves file offset of empty PT_LOAD segment point past end of file
https://sourceware.org/bugzilla/show_bug.cgi?id=25237

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hjl.tools at gmail dot com

--- Comment #12 from H.J. Lu ---

A testcase:

```
[hjl@gnu-tgl-3 pr32761]$ cat x.c
#include <stdio.h>

char bss[0xb5dce8] __attribute__((aligned(65536)));

int
main (void)
{
  printf ("hello\n");
}
[hjl@gnu-tgl-3 pr32761]$ gcc -B./ x.c
[hjl@gnu-tgl-3 pr32761]$ readelf -Wl a.out

Elf file type is EXEC (Executable file)
Entry point 0x4003b0
There are 14 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  PHDR           0x40     0x00400040 0x00400040 0x000310 0x000310 R   0x8
  INTERP         0x001000 0x00401000 0x00401000 0x1c     0x1c     R   0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x00     0x0040     0x0040     0x0004b9 0x0004b9 R E 0x1000
  LOAD           0x001000 0x00401000 0x00401000 0x0002c0 0x0002c0 R   0x1000
  LOAD           0x001dc8 0x00402dc8 0x00402dc8 0x000244 0x000244 RW  0x1000
  LOAD           0x01     0x0041     0x0041     0x00     0xb6dce8 RW  0x1
                 ^^^ The offset is beyond the file size.
  DYNAMIC        0x001dd8 0x00402dd8 0x00402dd8 0x000200 0x000200 RW  0x8
  NOTE           0x000350 0x00400350 0x00400350 0x24     0x24     R   0x4
  NOTE           0x001260 0x00401260 0x00401260 0x40     0x40     R   0x8
  NOTE           0x0012a0 0x004012a0 0x004012a0 0x20     0x20     R   0x4
  GNU_PROPERTY   0x001260 0x00401260 0x00401260 0x40     0x40     R   0x8
  GNU_EH_FRAME   0x0011a0 0x004011a0 0x004011a0 0x2c     0x2c     R   0x4
  GNU_STACK      0x00     0x         0x         0x00     0x00     RW  0x10
  GNU_RELRO      0x001dc8 0x00402dc8 0x00402dc8 0x000238 0x000238 R   0x1

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .note.gnu.build-id .init .plt .text .fini
   03     .interp .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .rodata .eh_frame_hdr .eh_frame .note.gnu.property .note.ABI-tag
   04     .init_array .fini_array .dynamic .got .got.plt .data
   05     .bss
   06     .dynamic
   07     .note.gnu.build-id
   08     .note.gnu.property
   09     .note.ABI-tag
   10     .note.gnu.property
   11     .eh_frame_hdr
   12
   13     .init_array .fini_array .dynamic .got
[hjl@gnu-tgl-3 pr32761]$ ls -l a.out
-rwxr-xr-x 1 hjl hjl 12592 Mar  5 11:37 a.out
```
[Bug ld/32762] ld test failures on x86 (No PLT) with default BIND_NOW
https://sourceware.org/bugzilla/show_bug.cgi?id=32762

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hjl.tools at gmail dot com
             Status|NEW                         |WAITING

--- Comment #3 from H.J. Lu ---

How do I reproduce it?
[Bug ld/32761] 2.43/2.44 Regression] Static PIE with more than one PT_LOAD segments at offset 0
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|binary created by ld will   |2.43/2.44 Regression]
                   |segfault in                 |Static PIE with more than
                   |_dl_relocate_static_pie     |one PT_LOAD segments at
                   |when static pie is enabled  |offset 0
[Bug ld/32762] ld test failures on x86 (No PLT)
https://sourceware.org/bugzilla/show_bug.cgi?id=32762

Sam James changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING

--- Comment #1 from Sam James ---

Let me figure out the trigger.
[Bug ld/32761] binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

--- Comment #5 from H.J. Lu ---

```
 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.build-id .init .plt .plt.got .text .fini
          ^^^ Data, .note.gnu.build-id, in the executable segment is unexpected.
   01     .gnu.hash .dynsym .dynstr .rela.dyn .rela.plt .rodata .stapsdt.base rodata.cst32 .eh_frame_hdr .eh_frame .gcc_except_table .note.gnu.property .note.ABI-tag
   02     .tdata .init_array .fini_array .data.rel.ro .dynamic .got .got.plt .data
   03     .bss
   04     .dynamic
   05     .note.gnu.build-id
   06     .note.gnu.property
   07     .note.ABI-tag
   08     .tdata .tbss
   09     .note.gnu.property
   10     .eh_frame_hdr
   11
   12     .tdata .init_array .fini_array .data.rel.ro .dynamic .got
```
[Bug ld/32762] ld test failures on x86 (No PLT) with default BIND_NOW
https://sourceware.org/bugzilla/show_bug.cgi?id=32762

Sam James changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|ld test failures on x86 (No |ld test failures on x86 (No
                   |PLT)                        |PLT) with default BIND_NOW
             Status|WAITING                     |NEW

--- Comment #2 from Sam James ---

(In reply to Sam James from comment #1)
> Let me figure out the trigger.

It's caused by default -Wl,-z,now, which figures. But only on x86.
[Bug ld/32761] binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |amodra at gmail dot com,
                   |                            |nickc at redhat dot com

--- Comment #6 from H.J. Lu ---

```
There are 13 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  LOAD           0x00     0x         0x         0x1c8781 0x1c8781 R E 0x1000
  LOAD           0x1c9000 0x001c9000 0x001c9000 0x0fa130 0x0fa130 R   0x1000
  LOAD           0x2c32f0 0x002c42f0 0x002c42f0 0x0e8944 0x0e8944 RW  0x1000
  LOAD           0x00     0x003b     0x003b     0x00     0xb5dce8 RW  0x1
                 ^^^ The same offset is mapped twice.
  DYNAMIC        0x3a3768 0x003a4768 0x003a4768 0x0001d0 0x0001d0 RW  0x8
  NOTE           0x000318 0x0318     0x0318     0x24     0x24     R   0x4
  NOTE           0x2c30d0 0x002c30d0 0x002c30d0 0x40     0x40     R   0x8
  NOTE           0x2c3110 0x002c3110 0x002c3110 0x20     0x20     R   0x4
  TLS            0x2c32f0 0x002c42f0 0x002c42f0 0x70     0x0001a0 R   0x8
  GNU_PROPERTY   0x2c30d0 0x002c30d0 0x002c30d0 0x40     0x40     R   0x8
  GNU_EH_FRAME   0x278900 0x00278900 0x00278900 0x00afdc 0x00afdc R   0x4
  GNU_STACK      0x00     0x         0x         0x00     0x00     RW  0x10
  GNU_RELRO      0x2c32f0 0x002c42f0 0x002c42f0 0x0e0d10 0x0e0d10 R   0x1

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.build-id .init .plt .plt.got .text .fini
   01     .gnu.hash .dynsym .dynstr .rela.dyn .rela.plt .rodata .stapsdt.base rodata.cst32 .eh_frame_hdr .eh_frame .gcc_except_table .note.gnu.property .note.ABI-tag
   02     .tdata .init_array .fini_array .data.rel.ro .dynamic .got .got.plt .data
   03     .bss
   04     .dynamic
   05     .note.gnu.build-id
   06     .note.gnu.property
   07     .note.ABI-tag
   08     .tdata .tbss
   09     .note.gnu.property
   10     .eh_frame_hdr
   11
   12     .tdata .init_array .fini_array .data.rel.ro .dynamic .got
```
[Bug ld/32761] binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugzilla/show_bug.cgi?id=32763
[Bug ld/32761] binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

--- Comment #7 from H.J. Lu ---

It is caused by

```
commit 0bc3450e220a4fb29f931ada84b546ce8993e85e
Author: Alan Modra
Date:   Fri Dec 13 16:14:57 2019 +1030

    Set no file contents PT_LOAD p_offset to first page

        PR 25237
        * elf.c (assign_file_positions_for_load_sections): Attempt to keep
        meaningless p_offset for PT_LOAD segments without file contents
        within file size.
```
[Bug ld/32761] 2.43/2.44 Regression] Static PIE with more than one PT_LOAD segments at offset 0
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED

--- Comment #8 from H.J. Lu ---

Dup.

*** This bug has been marked as a duplicate of bug 32763 ***
[Bug ld/32671] Default to erroring out on executable stacks
https://sourceware.org/bugzilla/show_bug.cgi?id=32671

Bug 32671 depends on bug 32717, which changed state.

Bug 32717 Summary: glibc tests fail when bfd is built with --enable-error-execstack=yes
https://sourceware.org/bugzilla/show_bug.cgi?id=32717

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
[Bug ld/32761] binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

Sam James changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org

--- Comment #1 from Sam James ---

Created attachment 15987
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15987&action=edit
syz-executor-executor.ii

Attached preprocessed source from GCC 14.
[Bug ld/32762] New: ld test failures on x86 (No PLT)
https://sourceware.org/bugzilla/show_bug.cgi?id=32762

            Bug ID: 32762
           Summary: ld test failures on x86 (No PLT)
           Product: binutils
           Version: 2.45 (HEAD)
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: sam at gentoo dot org
  Target Milestone: ---

Created attachment 15988
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15988&action=edit
ld.log.xz

The following tests fail for me in an x86 chroot (same with binutils-2.44):

```
/tmp/binutils-build/ld $ grep -rs ^FAIL ld.log
FAIL: Build ifunc-1a with PIE -z ibtplt
FAIL: Build libno-plt-1b.so
FAIL: No PLT (dynamic 1a)
FAIL: No PLT (dynamic 1b)
FAIL: No PLT (dynamic 1c)
FAIL: No PLT (PIE 1e)
FAIL: No PLT (PIE 1f)
FAIL: No PLT (PIE 1g)
/tmp/binutils-build/ld $ ./ld-new --version | head -1
GNU ld (GNU Binutils) 2.44.50.20250305
```

```
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/i686-pc-linux-gnu/14/lto-wrapper
Target: i686-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-14.2.1_p20241221/work/gcc-14-20241221/configure --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/14 --includedir=/usr/lib/gcc/i686-pc-linux-gnu/14/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/14 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/14/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/14/info --with-gxx-include-dir=/usr/lib/gcc/i686-pc-linux-gnu/14/include/g++-v14 --disable-silent-rules --disable-dependency-tracking --with-python-dir=/share/gcc-data/i686-pc-linux-gnu/14/python --enable-objc-gc --enable-languages=c,c++,d,objc,obj-c++,fortran,ada --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --disable-libunwind-exceptions --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo 14.2.1_p20241221 p7' --with-gcc-major-version-only --enable-libstdcxx-time --enable-lto --disable-libstdcxx-pch --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --disable-multilib --disable-fixed-point --with-arch=i686 --enable-targets=all --enable-libgomp --disable-libssp --enable-libada --disable-cet --disable-systemtap --disable-valgrind-annotations --disable-vtable-verify --disable-libvtv --with-zstd --with-isl --disable-isl-version-check --enable-default-pie --enable-host-pie --enable-host-bind-now --enable-default-ssp --disable-fixincludes
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 14.2.1 20241221 (Gentoo 14.2.1_p20241221 p7)
```
[Bug binutils/25237] Strip leaves file offset of empty PT_LOAD segment point past end of file
https://sourceware.org/bugzilla/show_bug.cgi?id=25237

--- Comment #13 from Sourceware Commits ---

The master branch has been updated by H.J. Lu:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9b1e14e5e90ad29d30d2cee9fe6bf3616dcaba70

```
commit 9b1e14e5e90ad29d30d2cee9fe6bf3616dcaba70
Author: H.J. Lu
Date:   Wed Mar 5 11:58:57 2025 +0800

    ld: Add a test for PR ld/25237

        PR ld/25237
        * testsuite/ld-elf/pr25237.d: New file.
        * testsuite/ld-elf/pr25237.s: Likewise.

    Signed-off-by: H.J. Lu
```
[Bug ld/32762] ld test failures on x86 (No PLT) with default BIND_NOW
https://sourceware.org/bugzilla/show_bug.cgi?id=32762

--- Comment #4 from Sourceware Commits ---

The master branch has been updated by H.J. Lu:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=78d7038b1579733dafd3e0541444f7626cf24a87

```
commit 78d7038b1579733dafd3e0541444f7626cf24a87
Author: H.J. Lu
Date:   Wed Mar 5 12:44:11 2025 +0800

    ld: Pass -Wl,-z,lazy to compiler for i386 lazy binding tests

    Pass -Wl,-z,lazy to compiler for i386 tests which require lazy binding
    to support compilers which default to non-lazy binding.

        PR ld/32762
        * testsuite/ld-i386/i386.exp: Pass -Wl,-z,lazy for "Build ifunc-1a
        with PIE -z ibtplt" test.
        * testsuite/ld-i386/no-plt.exp: Pass -Wl,-z,lazy for "Build
        libno-plt-1b.so", "No PLT (dynamic 1a)", "No PLT (dynamic 1b)",
        "No PLT (dynamic 1c)", "No PLT (PIE 1e)", "No PLT (PIE 1f)",
        "No PLT (PIE 1g)" tests.

    Signed-off-by: H.J. Lu
```
[Bug ld/31795] ld.bfd makes ELFs of type ET_EXEC for PIEs when load address is non-0
https://sourceware.org/bugzilla/show_bug.cgi?id=31795

Popa Vlad changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |popavlad1109 at gmail dot com

--- Comment #72 from Popa Vlad ---

I'm encountering the same issue. Please fix this soon.
[Bug ld/32761] binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

--- Comment #2 from Sam James ---

When using glibc-2.41 at least, using even binutils-2.34 leads to a segfault.
[Bug ld/32761] binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

Sam James changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hjl.tools at gmail dot com

--- Comment #3 from Sam James ---

glibc-2.35 with binutils trunk works fine in an ubuntu-22.04 container.

```
$ g++ -B/tmp/binutils/bin -O2 -pthread syz-executor-executor.ii -o syz-executor -static-pie
$ ./syz-executor
```
[Bug ld/32761] binary created by ld will segfault in _dl_relocate_static_pie when static pie is enabled
https://sourceware.org/bugzilla/show_bug.cgi?id=32761

Sam James changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugzilla/show_bug.cgi?id=31799

--- Comment #4 from Sam James ---

Started with this glibc commit:

```
e7b553272196e6175b8a15f807cb59217ba2843a is the first bad commit
commit e7b553272196e6175b8a15f807cb59217ba2843a
Author: H.J. Lu
Date:   Tue Oct 29 06:01:14 2024 +0800

    elf: Handle static PIE with non-zero load address [BZ #31799]

    For a static PIE with non-zero load address, its PT_DYNAMIC segment
    entries contain the relocated values for the load address in static
    PIE.  Since static PIE usually doesn't have PT_PHDR segment, use
    p_vaddr of the PT_LOAD segment with offset == 0 as the load address
    in static PIE and adjust the entries of PT_DYNAMIC segment in static
    PIE by properly setting the l_addr field for static PIE.  This fixes
    BZ #31799.

    Signed-off-by: H.J. Lu
    Reviewed-by: Noah Goldstein

 configure                    | 74
 configure.ac                 | 36 +
 elf/Makefile                 | 20
 elf/dl-reloc-static-pie.c    | 30 +-
 elf/tst-pie-address-static.c | 19
 elf/tst-pie-address.c        | 28 +
 6 files changed, 200 insertions(+), 7 deletions(-)
 create mode 100644 elf/tst-pie-address-static.c
 create mode 100644 elf/tst-pie-address.c
```
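The rule in the glibc commit quoted above (the load address is the p_vaddr of the PT_LOAD with p_offset 0) and the duplicate-offset layout H.J. Lu shows in comment #6 can both be checked with a small program-header parser. This is an added example, not code from glibc or binutils; the two ELF images are constructed inline, with made-up sizes and a made-up .bss address that only mirror the shape of comment #6.

```python
import struct

PT_LOAD = 1
EHDR = "<16sHHIQQQIHHHHHH"  # e_ident ... e_shstrndx (64 bytes)
PHDR = "<IIQQQQQQ"          # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align

def build_elf64(phdrs):
    """Constructed input: minimal ELF64 ET_DYN x86-64 header plus the given program
    headers; phdrs = [(p_type, p_offset, p_vaddr, p_filesz, p_memsz), ...]."""
    ehsize, phentsize = struct.calcsize(EHDR), struct.calcsize(PHDR)  # 64, 56
    e_ident = b"\x7fELF\x02\x01\x01" + bytes(9)  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR, e_ident, 3, 62, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR, t, 0, off, va, va, fsz, msz, 0x1000)
                    for t, off, va, fsz, msz in phdrs)
    return ehdr + body

def read_phdrs(data):
    """Parse the program header table of an in-memory ELF64 image."""
    f = struct.unpack_from(EHDR, data, 0)
    e_ident, e_phoff, e_phentsize, e_phnum = f[0], f[5], f[9], f[10]
    if e_ident[:4] != b"\x7fELF" or e_ident[4] != 2:
        raise ValueError("not an ELF64 image")
    phdrs = []
    for i in range(e_phnum):
        t, _, off, va, _, fsz, msz, _ = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": t, "offset": off, "vaddr": va, "filesz": fsz, "memsz": msz})
    return phdrs

def static_pie_load_address(phdrs):
    """Rule from the glibc commit quoted above: without PT_PHDR, the load address of
    a static PIE is the p_vaddr of the PT_LOAD whose p_offset == 0. Returns
    (load_address_or_None, candidates); None means the layout is ambiguous."""
    candidates = [p["vaddr"] for p in phdrs if p["type"] == PT_LOAD and p["offset"] == 0]
    return (candidates[0] if len(candidates) == 1 else None), candidates

def check_layout(phdrs):
    """Flag the layout from PR ld/32761: a second PT_LOAD (the contentless .bss
    segment) that ld placed at file offset 0 alongside the real first segment."""
    findings = []
    at_zero = [p for p in phdrs if p["type"] == PT_LOAD and p["offset"] == 0]
    if len(at_zero) > 1:
        findings.append("PT_LOAD at file offset 0 mapped %d times: vaddrs %s"
                        % (len(at_zero), ", ".join(hex(p["vaddr"]) for p in at_zero)))
    for p in at_zero[1:]:
        if p["filesz"] == 0 and p["memsz"] > 0:
            findings.append("contentless PT_LOAD at vaddr %#x has p_offset 0" % p["vaddr"])
    return findings

# Constructed layouts shaped like comment #6 (sizes and the .bss address are made up).
SEGS = [(PT_LOAD, 0, 0, 0x1c8781, 0x1c8781), (PT_LOAD, 0x1c9000, 0x1c9000, 0xfa130, 0xfa130),
        (PT_LOAD, 0x2c32f0, 0x2c42f0, 0xe8944, 0xe8944)]
GOOD = build_elf64(SEGS + [(PT_LOAD, 0x3ad000, 0x3b0000, 0, 0xb5dce8)])  # .bss past the file data
BAD = build_elf64(SEGS + [(PT_LOAD, 0, 0x3b0000, 0, 0xb5dce8)])          # .bss p_offset forced to 0
```

Calling `static_pie_load_address(read_phdrs(BAD))` yields no unique load address and `check_layout` reports the doubled offset; to check a real binary, pass the file's bytes to `read_phdrs` instead of the constructed images.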
[Bug ld/32762] ld test failures on x86 (No PLT) with default BIND_NOW
https://sourceware.org/bugzilla/show_bug.cgi?id=32762

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
   Target Milestone|---                         |2.45
         Resolution|---                         |FIXED

--- Comment #5 from H.J. Lu ---

Fixed for 2.45.