Regression building sbsigntool with binutils >= 2.22-6ubuntu1.2 in precise

Bug #1477350 reported by Adam Conrad
This bug affects 2 people
Affects             Status        Importance  Assigned to  Milestone
binutils (Ubuntu)   Invalid       Undecided   Unassigned
Precise             Fix Released  Undecided   Unassigned

Bug Description

objcopy segfaults in precise when running the sbsigntool testsuite on i386 with binutils >= 2.22-6ubuntu1.2

See the attachment for output and downgrade iterations to show that 1.1 works, while 1.2 and 1.3 don't.

Adam Conrad (adconrad) wrote :
Changed in binutils (Ubuntu):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in binutils (Ubuntu Precise):
status: New → Confirmed
Steve Beattie (sbeattie) wrote :

Mathieu Trudel-Lapierre identified that the segfault is the result of the patch
binutils-bz17512-misc.patch (aka https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=32a9d621c3c480aa093a089a36e36c35f68a4010). I've dug deeper into this and the issue is that the stack gets corrupted in bfd/coffgen.c::coff_write_alien_symbol(), due to the added chunk:

@@ -1078,10 +1089,12 @@ coff_write_alien_symbol (bfd *abfd,
     {
       symbol->name = "";
       if (isym != NULL)
- memset (isym, 0, sizeof(*isym));
+ memset (isym, 0, sizeof (*isym));
       return TRUE;
     }
   native = dummy;
+ native->is_sym = TRUE;
+ native[1].is_sym = FALSE;
   native->u.syment.n_type = T_NULL;
   native->u.syment.n_flags = 0;
   native->u.syment.n_numaux = 0;
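
Review bot: the store to `native[1].is_sym` in this hunk indexes one element past `dummy` unless `dummy` has been made a two-element array; in this tree it is still a single struct, so the store lands outside the local and on the caller's frame (the segfault and corrupted backtrace described in this report). The backport should either carry the `dummy` layout change from commit e7ebb214834628b2b0d9d3233febc9fef2912515 together with this patch, or not introduce the `native[1].is_sym = FALSE;` line until that layout exists.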

The problem is the write to "native[1].is_sym", as the patch to make dummy be a two element array of structs did not happen until after the version of binutils in precise was released, in commit https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=e7ebb214834628b2b0d9d3233febc9fef2912515. This means the write to native[1].is_sym goes beyond the auto variables and overwrites the return pointer, causing the segfault and corrupted stack backtrace seen in gdb.

I'm currently working on a patch to address this.
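
As an added illustration (not code from binutils or from this bug's patch), the following C model shows why the hunk's `native[1].is_sym` store is only safe once `dummy` is a two-element array, and how a C11 `_Static_assert` on the array length would turn a backport that lacks the later layout change into a compile error instead of a corrupted stack frame. `struct combined_entry`, its fields and the two function names are simplified stand-ins for bfd's real types, not its API.

```c
/* Added example, not code from binutils: a scaled-down model of the
 * coff_write_alien_symbol() change discussed in this report.
 * `struct combined_entry` is a simplified stand-in for bfd's
 * combined_entry_type (assumed names, not the real ones). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct combined_entry {
    bool is_sym;     /* set by the bz17512 patch on native[0] and native[1] */
    int  n_type;
    int  n_flags;
    int  n_numaux;
};

#define ARRAY_LEN(a) (sizeof (a) / sizeof ((a)[0]))

/* Runtime guard for an indexed store into a fixed-size local:
 * 0 when idx is inside len elements, -1 otherwise. */
static int index_in_bounds(size_t idx, size_t len)
{
    return idx < len ? 0 : -1;
}

/* Layout after commit e7ebb214...: `dummy` is a two-element array, so the
 * store to native[1].is_sym lands inside the local.  The _Static_assert
 * (C11) fails the build if someone backports the native[1] write into a
 * tree where `dummy` is still a single struct. */
int write_alien_symbol_fixed(bool *is_sym0, bool *is_sym1)
{
    struct combined_entry dummy[2];
    struct combined_entry *native = dummy;

    _Static_assert(ARRAY_LEN(dummy) >= 2,
                   "native[1] write needs a two-element dummy");
    memset(dummy, 0, sizeof dummy);

    native->is_sym = true;
    native[1].is_sym = false;
    native->n_type = 0;
    native->n_flags = 0;
    native->n_numaux = 0;

    *is_sym0 = native[0].is_sym;
    *is_sym1 = native[1].is_sym;
    return 0;
}

/* Layout in precise's 2.22 tree: `dummy` is a single struct.  The same
 * index-1 store would write past it on the stack (the segfault in this
 * report), so this variant checks the index and refuses the store. */
int write_alien_symbol_single(void)
{
    struct combined_entry dummy;
    struct combined_entry *native = &dummy;

    memset(&dummy, 0, sizeof dummy);
    native->is_sym = true;
    if (index_in_bounds(1, 1) != 0)
        return -1;   /* native[1] would overrun `dummy`; do not store */
    return 0;
}
```

The runtime guard only matters for the single-struct variant, which models the precise tree; in real code the compile-time assertion is the useful part, because it ties the indexed write to the declaration it depends on, so a partial backport of one without the other cannot build.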

Steve Beattie (sbeattie) wrote :

I've pushed a version of binutils that in local testing fixes the segfault in objcopy on pecoff binaries, addressing the sbsigntool FTBFS, to the ubuntu-security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages . If people could test these to confirm and verify they're not seeing any weirdness, I'll push it to precise-security next week.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package binutils - 2.22-6ubuntu1.4

---------------
binutils (2.22-6ubuntu1.4) precise-security; urgency=medium

  * debian/patches/binutils-bz17512-misc.patch: fix segfault
    in objcopy on i386 to compensate for missing commit
    e7ebb214834628b2b0d9d3233febc9fef2912515 to address
    sbsigntool FTBFS (LP: #1477350)

 -- Steve Beattie <email address hidden> Wed, 01 Jun 2016 00:48:14 -0700

Changed in binutils (Ubuntu Precise):
status: Confirmed → Fix Released