bfd_zalloc/bfd_zmalloc to fix uninitialized memory reads is too big a
hammer, when the size allocated depends on user input. A typical
bfd_alloc, bfd_seek, bfd_bread sequence will give an error or warning
at the point the file read fails when some enormous item as described
by headers is not actually present in the file. Nice operating system
allow memory overcommit. But not if you write to the memory. So
bfd_zalloc can cause an OOM, thrashing, or system hangs.
The patch also fixes a recently introduced endless loop on bad input.
PR binutils/17512
* coffcode.h (coff_slurp_line_table): Don't bfd_zalloc, just
memset the particular bits we need. Update src after hitting loop
"continue". Don't count lineno omitted due to invalid symbols in
nbr_func, and update lineno_count. Init entire terminating
lineno. Don't both allocating terminator in n_lineno_cache.
Redirect sym->lineno pointer to where n_lineno_cache will be
copied, and free n_lineno_cache.
* pe-mips.c (NUM_HOWTOS): Typo fix.
Turning on .eh_frame processing for ld -r resulted in systemtap
tickling a ld bug. Triggered by the zero terminator not being added
to .eh_frame in a separate file as it usually is (crtend.o), but
instead being present in the last .eh_frame section along with CIEs
and FDEs. The 4-byte terminator makes the section size check fail
on 64-bit targets.
* elf-eh-frame (_bfd_elf_write_section_eh_frame): Adjust section
size check to account for possible zero terminator.
When searching static symbols, gdb would search over all
expanded symtabs of all objfiles, and if that fails only then
would it search all partial/gdb_index tables of all objfiles.
This means that the user could get a random instance of the
symbol depending on what symtabs have been previously expanded.
Now the search is consistent, searching each objfile completely
before proceeding to the next one.
gdb/ChangeLog:
PR symtab/17564
* symtab.c (lookup_symbol_in_all_objfiles): Delete.
(lookup_static_symbol): Move definition to new location and rewrite.
(lookup_symbol_in_objfile): New function.
(lookup_symbol_global_iterator_cb): Call it.
gdb/testsuite/ChangeLog:
PR symtab/17564
* gdb.base/symtab-search-order.exp: New file.
* gdb.base/symtab-search-order.c: New file.
* gdb.base/symtab-search-order-1.c: New file.
* gdb.base/symtab-search-order-shlib-1.c: New file.
PR binutils/17531
* (ia64_process_unwind): Replace assertion with an error message.
Add range checking for group section indicies.
(hppa_process_unwind): Replace assertion with an error message.
(process_syminfo): Likewise.
(decode_arm_unwind_bytecode): Add range checking.
(dump_section_as_strings): Add more string range checking.
(display_tag_value): Likewise.
(display_arm_attribute): Likewise.
(display_gnu_attribute): Likewise.
(display_tic6x_attribute): Likewise.
(display_msp430x_attribute): Likewise.
when displaying the contents of corrupt files.
PR binutils/17521
* coff-i386.c (NUM_HOWTOS): New define.
(RTYPE2HOWTO): Use it.
(coff_i386_rtype_to_howto): Likewise.
(coff_i386_reloc_name_lookup): Likewise.
(CALC_ADDEND): Check that reloc r_type field is valid.
* coff-x86_64.c (NUM_HOWTOS): New define.
(RTYPE2HOWTO): Use it.
(coff_amd64_rtype_to_howto): Likewise.
(coff_amd64_reloc_name_lookup): Likewise.
(CALC_ADDEND): Check that reloc r_type field is valid.
* coffcode.h (coff_slurp_line_table): Check for symbol table
indexing underflow.
(coff_slurp_symbol_table): Use zalloc to ensure that all table
entries are initialised.
* coffgen.c (_bfd_coff_read_string_table): Initialise unused bits
in the string table. Also ensure that the table is 0 terminated.
(coff_get_normalized_symtab): Check for symbol table indexing
underflow.
* opncls.c (bfd_alloc): Catch the case where a small negative size
can result in only 1 byte being allocated.
(bfd_alloc2): Use bfd_alloc.
* pe-mips.c (NUM_HOWTOS): New define.
(coff_mips_reloc_name_lookup): Use it.
(CALC_ADDEND): Check that reloc r_type field is valid.
* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Initialise unused entries
in the DataDirectory.
(pe_print_idata): Avoid reading beyond the end of the data block
wen printing strings.
(pe_print_edata): Likewise.
Check for table indexing underflow.
* peicode.h (pe_mkobject): Initialise the pe_opthdr field.
(pe_bfd_object_p): Allocate and initialize enough space to hold a
PEAOUTHDR, even if the opt_hdr field specified less.
A recent change to eval.c triggered a GCC bug that causes a false positive
"may be used uninitialized" warning in evaluate_subexp_standard. This seems
to be triggered by a specific CFG constructed via setjmp and gotos.
While the GCC bug is in the process of being fixed, there are released
compiler versions (in particular GCC 4.9) in the field that show this
problem. In order to allow compiling GDB with one of those compilers,
this commit slightly reworks the CFG (in an equivalent way) of the
affected function, so that the GCC bug is no longer triggered.
gdb/ChangeLog:
* eval.c (evaluate_subexp_standard): Work around GCC bug 63748.
Structions with R_X86_64_GOTTPOFF relocation must be encoded with REX
prefix even if it isn't required by destination register. Otherwise
linker can't safely perform IE -> LE optimization.
bfd/
PR ld/17482
* elf64-x86-64.c (elf_x86_64_relocate_section): Update comments
for IE->LE transition.
gas/
PR ld/17482
* config/tc-i386.c (output_insn): Add a dummy REX_OPCODE prefix
for structions with R_X86_64_GOTTPOFF relocation for x32 if needed.
gas/testsuite/
PR ld/17482
* gas/i386/ilp32/x32-tls.d: New file.
* gas/i386/ilp32/x32-tls.s: Likewise.
ld/testsuite/
PR ld/17482
* ld-x86-64/tlsie4.dd: Updated.
Running gdb.base/sigstep.exp with --target=i686-pc-linux-gnu on a
64-bit kernel naturally trips on PR gdb/17511 as well, given this is a
kernel bug.
I haven't really tested a real 32-bit kernel/machine, but given the
code in question in the kernel is shared between 32-bit and 64-bit,
I'm quite sure the bug triggers in those cases as well.
So, simply xfail i?86-*-linux* too.
gdb/testsuite/
2014-11-07 Pedro Alves <palves@redhat.com>
PR gdb/17511
* gdb.base/sigstep.exp (in_handler_map) <si+advance>: xfail
i?86-*-linux*.
The in_prologue check in the nexti code is obsolete; this commit
removes that, and then removes the in_prologue function as nothing
else uses it.
Looking at the code in GDB that makes use in_prologue, all we find is
this one caller:
if ((ecs->event_thread->control.step_over_calls == STEP_OVER_NONE)
|| ((ecs->event_thread->control.step_range_end == 1)
&& in_prologue (gdbarch, ecs->event_thread->prev_pc,
ecs->stop_func_start)))
{
/* I presume that step_over_calls is only 0 when we're
supposed to be stepping at the assembly language level
("stepi"). Just stop. */
/* Also, maybe we just did a "nexti" inside a prolog, so we
thought it was a subroutine call but it was not. Stop as
well. FENN */
/* And this works the same backward as frontward. MVS */
end_stepping_range (ecs);
return;
}
This was added by:
commit 100a02e1de
...
From Fernando Nasser:
* infrun.c (handle_inferior_event): Handle "nexti" inside function
prologues.
The mailing list thread is here:
https://sourceware.org/ml/gdb-patches/2001-01/msg00047.html
Not much discussion there, and no test, but looking at the code around
what was patched in that revision, we see that the checks that detect
whether the program has just stepped into a subroutine didn't rely on
the unwinders at all back then.
From 'git show 100a02e1:gdb/infrun.c':
if (stop_pc == ecs->stop_func_start /* Quick test */
|| (in_prologue (stop_pc, ecs->stop_func_start) &&
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
!IN_SOLIB_RETURN_TRAMPOLINE (stop_pc, ecs->stop_func_name))
|| IN_SOLIB_CALL_TRAMPOLINE (stop_pc, ecs->stop_func_name)
|| ecs->stop_func_name == 0)
{
/* It's a subroutine call. */
if ((step_over_calls == STEP_OVER_NONE)
|| ((step_range_end == 1)
&& in_prologue (prev_pc, ecs->stop_func_start)))
{
/* I presume that step_over_calls is only 0 when we're
supposed to be stepping at the assembly language level
("stepi"). Just stop. */
/* Also, maybe we just did a "nexti" inside a prolog,
so we thought it was a subroutine call but it was not.
Stop as well. FENN */
stop_step = 1;
print_stop_reason (END_STEPPING_RANGE, 0);
stop_stepping (ecs);
return;
}
Stripping the IN_SOLIB_RETURN_TRAMPOLINE checks for simplicity, we had:
if (stop_pc == ecs->stop_func_start /* Quick test */
|| in_prologue (stop_pc, ecs->stop_func_start)
|| ecs->stop_func_name == 0)
{
/* It's a subroutine call. */
That is, detecting a subroutine call was based on prologue detection
back then. So the in_prologue check in the current tree only made
sense back then as it was undoing a bad decision the in_prologue check
that used to exist above did.
Today, the check for a subroutine call relies on frame ids instead,
which are stable throughout the function. So we can just remove the
in_prologue check for nexti, and the whole in_prologue function along
with it.
Tested on x86_64 Fedora 20, and also by nexti-ing manually a prologue.
gdb/
2014-11-07 Pedro Alves <palves@redhat.com>
* infrun.c (process_event_stop_test) <subroutine check>: Don't
check if we did a "nexti" inside a prologue.
* symtab.c (in_prologue): Delete function.
* symtab.h (in_prologue): Delete declaration.
PR binutils/17531
* readelf.c (get_data): Avoid allocating memory when we know that
the read will fail.
(find_section_by_type): New function.
(get_unwind_section_word): Check for invalid symbol indicies.
Check for invalid reloc types.
(get_32bit_dynamic_section): Add range checks.
(get_64bit_dynamic_section): Add range checks.
(process_dynamic_section): Check for a corrupt time value.
(process_symbol_table): Add range checks.
(dump_section_as_strings): Add string length range checks.
(display_tag_value): Likewise.
(display_arm_attribute): Likewise.
(display_gnu_attribute): Likewise.
(display_tic6x_attribute): Likewise.
(display_msp430x_attribute): Likewise.
(process_mips_specific): Add range check.
Dramatically reduces memory consumption and processing time for large
all-zero data segments. Allows multiple symbol types attached to a
given segment to survive objcopy.
* tekhex.c (CHUNK_SPAN): Define.
(struct data_struct <chunk_init>): Use one byte per span, update
all code accessing this field.
(find_chunk): Add create param, don't create new entry unless set.
(insert_byte): Don't save zeros.
(first_phase): Set section SEC_CODE or SEC_DATA flag depending
on symbol type. Create an alternate section if both types of
symbol are given. Attach type '2' and '6' symbols to absolute
section.
(move_section_contents): Fix caching of chunk. Don't create chunk
when reading, or for writing zeros.
(tekhex_set_section_contents): Don't create initial chunks.
(tekhex_write_object_contents): Use CHUNK_SPAN.
Save a multiplication, and any concern that the buffer allocation
might be smaller than the amount read (as it could be if the header
size isn't a multiple of EXTERNAL_NLIST_SIZE).
* aoutx.h (aout_get_external_symbols): Tidy allocation of symbol buffer.
"aux" doesn't contribute anything to the name, and it makes the
reader wonder what it's supposed to mean.
gdb/ChangeLog:
* symtab.c (lookup_local_symbol): Renamed from lookup_symbol_aux_local.
All callers updated.
(lookup_symbol_in_all_objfiles): Renamed from
lookup_symbol_aux_symtabs. All callers updated.
(lookup_symbol_via_quick_fns): Renamed from lookup_symbol_aux_quick.
All callers updated.
(lookup_symbol_in_objfile_symtabs): Renamed from
lookup_symbol_aux_objfile. All callers updated.
and lookup_static_symbol_aux to lookup_static_symbol.
gdb/ChangeLog:
* symtab.c (lookup_static_symbol): Renamed from
lookup_static_symbol_aux. All callers updated.
(lookup_symbol_in_static_block): Renamed from lookup_symbol_static.
All callers updated.
gdb/ChangeLog:
* block.h (ALL_BLOCK_SYMBOLS_WITH_NAME): New macro.
* block.c (block_lookup_symbol): Use it.
* cp-support.c (make_symbol_overload_list_block): Use it.
* symtab.c (iterate_over_symbols): Use it.
There is another function, lookup_symbol_aux_block, and
the names lookup_block_symbol and lookup_symbol_aux_block don't
convey any real difference between them.
The difference is that lookup_block_symbol lives in the lower level
block API, and lookup_symbol_aux_block lives in the higher level symtab API.
This patch makes this distinction clear.
gdb/ChangeLog:
* symtab.c (lookup_block_symbol): Moved to ...
* block.c (block_lookup_symbol): ... here and renamed.
All callers updated.
* block.h (block_lookup_symbol): Declare.
* symtab.h (lookup_block_symbol): Delete.
Non-primary symtabs share the block vector with their primary symtabs.
In these cases there's no need to use ALL_SYMTABS.
gdb/ChangeLog:
* ada-lang.c (ada_make_symbol_completion_list): Use
ALL_PRIMARY_SYMTABS instead of ALL_SYMTABS.
* symtab.c (lookup_objfile_from_block): Ditto.
PR binutils/17552, binutils/17533
* bucomm.c (is_valid_archive_path): New function. Returns false
for absolute pathnames and pathnames that include /../.
* bucomm.h (is_valid_archive_path): Add prototype.
* ar.c (extract_file): Use new function to check for valid
pathnames when extracting files from an archive.
* objcopy.c (copy_archive): Likewise.
* doc/binutils.texi: Update documentation to mention the
limitation on pathname of archive members.
Handle the case of a zero length section or sub-section in
_bfd_elf_parse_attributes and in doing so prevent an infinite loop
in the parser.
bfd/ChangeLog:
2014-11-06 Will Newton <will.newton@linaro.org>
* elf-attrs.c (_bfd_elf_parse_attributes): Handle zero
length sections and sub-sections.
PR binutils/17512
* coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
Replace another abort with an error message.
(coff_slurp_line_table): Add more range checking.
* peXXigen.c (pe_print_debugdata): Add range checking.
PR binutils/15731
* readelf.c (printable_section_name): New function.
(printable_section_name_from_index): New function.
(dump_relocations): Use new function.
(process_program_headers, get_32bit_elf_symbols,
(get_64bit_elf_symbols, process_section_headers,
(process_section_groups, process_relocs, ia64_process_unwind,
(hppa_process_unwind, get_unwind_section_word, decode_arm_unwind,
(arm_process_unwind, process_version_sections,
(process_symbol_table, apply_relocations, get_section_contents,
(dump_section_as_strings, dump_section_as_bytes,
(display_debug_section, process_attributes, process_mips_specific,
(process_mips_specific process_gnu_liblist): Likewise.
(get_unwind_section_word): Check for a missing symbol table.
Replace aborts with error messages.
(arm_process_unwind): Check for a missing string table.
(process_attributes): Check for an attribute length that is too
small.
(process_mips_specific): Check for a corrupt GOT symbol offset.
Alan Modra
Doug Evans
Richard Sandiford
Nick Clifton
Ulrich Weigand
H.J. Lu
Evgeniy Dushistov
Pedro Alves
Sandra Loosemore
Will Newton
Rainer Orth
Matthew Fortune