NetBSD-Bugs archive
Re: toolchain/42479: netbsd-5-0 tools config(1) generates bad config_file.h on i386 5.99.22
<tsutsui%ceres.dti.ne.jp@localhost> writes:
> >Number: 42479
> >Category: toolchain
> >Synopsis: netbsd-5-0 tools config(1) generates bad config_file.h on
> >i386 5.99.22
I've found that this is reproducible even on NetBSD/amd64.
enami@quasiquote% uname -rm
5.99.22 amd64
enami@quasiquote% cc -O -c -o /tmp/vis.o -Isrc/netbsd-5/src/lib/libc/include src/netbsd-5/src/lib/libc/gen/vis.c
enami@quasiquote% cat /tmp/main.c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <vis.h>
int main(void)
{
	char b[256];
	/* strvis() of a plain string with no flags; expected to return 3 */
	int n = strvis(b, "abc", 0);
	printf("%d, %s\n", n, strerror(errno));
	return 0;
}
enami@quasiquote% cc -o /tmp/bug /tmp/vis.o /tmp/main.c
enami@quasiquote% /tmp/bug
0, Cannot allocate memory
enami@quasiquote%
It looks like the linker tries to compact the rodata. The strvis is
compiled like this:
enami@quasiquote% cc -O -S -o /tmp/vis.s -Isrc/netbsd-5/src/lib/libc/include src/netbsd-5/src/lib/libc/gen/vis.c
enami@quasiquote% grep -A30 'strvis:' /tmp/vis.s
_strvis:
.LFB23:
pushq %r13
.LCFI34:
pushq %r12
.LCFI35:
pushq %rbp
.LCFI36:
pushq %rbx
.LCFI37:
subq $8, %rsp
.LCFI38:
movq %rdi, %r12
movq %rsi, %r13
movl %edx, %ebx
movl $.LC2, %edx
.L163:
movzbl (%rdx), %eax
addq $1, %rdx
testb %al, %al
jne .L163
movq %rdx, %rdi
subq $.LC2-5, %rdi
call malloc
testq %rax, %rax
je .L165
movq %rax, %rbp
movq %rax, %rdx
movl $.LC2, %ecx
.L167:
and the lines `movl $.LC2, %edx' and `subq $.LC2-5, %rdi' are assembled
as follows:
enami@quasiquote% as /tmp/vis.s -o /tmp/vis.o
enami@quasiquote% objdump -D /tmp/vis.o | grep -A20 'strvis>:'
00000000000006ad <_strvis>:
6ad: 41 55 push %r13
6af: 41 54 push %r12
6b1: 55 push %rbp
6b2: 53 push %rbx
6b3: 48 83 ec 08 sub $0x8,%rsp
6b7: 49 89 fc mov %rdi,%r12
6ba: 49 89 f5 mov %rsi,%r13
6bd: 89 d3 mov %edx,%ebx
6bf: ba 00 00 00 00 mov $0x0,%edx
6c4: 0f b6 02 movzbl (%rdx),%eax
6c7: 48 83 c2 01 add $0x1,%rdx
6cb: 84 c0 test %al,%al
6cd: 75 f5 jne 6c4 <_strvis+0x17>
6cf: 48 89 d7 mov %rdx,%rdi
6d2: 48 81 ef 00 00 00 00 sub $0x0,%rdi
6d9: e8 00 00 00 00 callq 6de <_strvis+0x31>
6de: 48 85 c0 test %rax,%rax
6e1: 74 6f je 752 <_strvis+0xa5>
6e3: 48 89 c5 mov %rax,%rbp
6e6: 48 89 c2 mov %rax,%rdx
enami@quasiquote% objdump -r /tmp/vis.o | egrep '6c0|6d5'
00000000000006c0 R_X86_64_32 .rodata.str1.1+0x000000000000001d
00000000000006d5 R_X86_64_32S .rodata.str1.1+0x0000000000000018
enami@quasiquote% objdump -j .rodata.str1.1 -s /tmp/vis.o
/tmp/vis.o: file format elf64-x86-64
Contents of section .rodata.str1.1:
0000 242d5f2e 2b212a27 28292c00 30313233 $-_.+!*'(),.0123
0010 34353637 38396162 63646566 0000 456789abcdef..
enami@quasiquote%
Note that `.rodata.str1.1+0x000000000000001d' points to the last `00' and
`.rodata.str1.1+0x0000000000000018' points to the `63'.
But after the object is linked, the reference to $.LC2 is moved to
point to another empty string while $.LC2-5 is left unchanged:
enami@quasiquote% cc -o /tmp/bug /tmp/vis.o /tmp/main.c
enami@quasiquote% objdump -D /tmp/bug | grep -A20 'strvis>:'
000000000040122d <_strvis>:
40122d: 41 55 push %r13
40122f: 41 54 push %r12
401231: 55 push %rbp
401232: 53 push %rbx
401233: 48 83 ec 08 sub $0x8,%rsp
401237: 49 89 fc mov %rdi,%r12
40123a: 49 89 f5 mov %rsi,%r13
40123d: 89 d3 mov %edx,%ebx
40123f: ba d3 15 40 00 mov $0x4015d3,%edx
401244: 0f b6 02 movzbl (%rdx),%eax
401247: 48 83 c2 01 add $0x1,%rdx
40124b: 84 c0 test %al,%al
40124d: 75 f5 jne 401244 <_strvis+0x17>
40124f: 48 89 d7 mov %rdx,%rdi
401252: 48 81 ef e0 15 40 00 sub $0x4015e0,%rdi
401259: e8 86 f6 ff ff callq 4008e4 <malloc@plt>
40125e: 48 85 c0 test %rax,%rax
401261: 74 6f je 4012d2 <_strvis+0xa5>
401263: 48 89 c5 mov %rax,%rbp
401266: 48 89 c2 mov %rax,%rdx
enami@quasiquote% objdump -j .rodata -s /tmp/bug
/tmp/bug: file format elf64-x86-64
Contents of section .rodata:
401470 436f7272 75707420 4f626a5f 456e7472 Corrupt Obj_Entr
401480 7920706f 696e7465 7220696e 20474f54 y pointer in GOT
401490 0a000000 00000000 44796e61 6d696320 ........Dynamic
4014a0 6c696e6b 65722076 65727369 6f6e206d linker version m
4014b0 69736d61 7463680a 00000000 00000000 ismatch.........
4014c0 970c4000 00000000 c00c4000 00000000 ..@.......@.....
4014d0 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
4014e0 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
4014f0 c00c4000 00000000 420c4000 00000000 ..@.....B.@.....
401500 310c4000 00000000 640c4000 00000000 1.@.....d.@.....
401510 0f0c4000 00000000 530c4000 00000000 ..@.....S.@.....
401520 750c4000 00000000 200c4000 00000000 u.@..... .@.....
401530 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
401540 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
401550 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
401560 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
401570 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
401580 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
401590 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
4015a0 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
4015b0 c00c4000 00000000 c00c4000 00000000 ..@.......@.....
4015c0 860c4000 00000000 242d5f2e 2b212a27 ..@.....$-_.+!*'
4015d0 28292c00 30313233 34353637 38396162 (),.0123456789ab
4015e0 63646566 00616263 0025642c 2025730a cdef.abc.%d, %s.
4015f0 00 .
enami@quasiquote%
Now, $0x4015d3 points to `00', which is the terminating byte of the string
"$-_.+!*'(),", while $0x4015e0 still points to the same `63'.
So, $.LC2 - ($.LC2 - 5) becomes a negative number, and for malloc() it is
considered a very large number, and it fails.
enami.
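The arithmetic enami walks through above, written out as an added example (this is not code from the report or from vis.c). It embeds constructed copies of the two .rodata layouts shown in the objdump output, the object file's .rodata.str1.1 and the merged region of the linked binary starting at 0x4015c8, and mirrors the compiled sequence: scan from $.LC2 to one past its NUL, then subtract $.LC2-5. With the object-file offsets the request is 6 bytes; with the linked offsets, where "" was tail-merged into the NUL of "$-_.+!*'()," but $.LC2-5 was not moved, the difference is -12 and wraps to a huge size_t, which is what malloc() rejects with ENOMEM. The function names and the checked variant are hypothetical; the checked variant shows how a signed span check catches the wrap before it reaches the allocator.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed copy of the object file's .rodata.str1.1 (30 bytes).
 * 0x00..0x0b "$-_.+!*'()," + NUL, 0x0c..0x1c "0123456789abcdef" + NUL,
 * 0x1d: the lone NUL that is the empty string $.LC2 names (the literal's
 * implicit terminator). $.LC2-5 = 0x18 is the 'c' (byte 0x63). */
static const unsigned char rodata_obj[] =
    "$-_.+!*'(),\0"
    "0123456789abcdef\0";

/* Constructed copy of the linked binary's .rodata from 0x4015c8 onward.
 * The empty string was merged into the NUL at 0x4015d3 (offset 0x0b here),
 * while $.LC2-5 still resolves to 0x4015e0 (offset 0x18), the same 'c'. */
static const unsigned char rodata_linked[] =
    "$-_.+!*'(),\0"       /* 0x4015c8..0x4015d3 */
    "0123456789abcdef\0"  /* 0x4015d4..0x4015e4 */
    "abc\0"               /* 0x4015e5..0x4015e8 */
    "%d, %s\n";           /* 0x4015e9..0x4015f0 */

/* Hypothetical helper mirroring the compiled strvis prologue: the inline
 * loop advances from lc2 to one past its terminating NUL, then the code
 * subtracts the address of lc2_minus_5. Returns the value malloc() sees;
 * a negative difference wraps to a huge size_t. */
size_t vis_request_size(const unsigned char *base, size_t lc2, size_t lc2_minus_5)
{
    const unsigned char *p = base + lc2;
    while (*p++ != '\0')
        ;
    return (size_t)(p - (base + lc2_minus_5));
}

/* Hypothetical hardened variant: keep the span signed and refuse to
 * allocate when it is not positive, so an inconsistent relocation (or any
 * corrupted layout) is reported as EINVAL instead of a wrapped request. */
void *vis_alloc_checked(const unsigned char *base, size_t lc2, size_t lc2_minus_5)
{
    const unsigned char *p = base + lc2;
    while (*p++ != '\0')
        ;
    ptrdiff_t n = p - (base + lc2_minus_5);
    if (n <= 0) {
        errno = EINVAL;
        return NULL;
    }
    return malloc((size_t)n);
}

int main(void)
{
    size_t before = vis_request_size(rodata_obj, 0x1d, 0x18);
    size_t after = vis_request_size(rodata_linked, 0x0b, 0x18);

    printf("object file:   malloc(%zu)\n", before);
    printf("linked binary: malloc(%zu), i.e. (size_t)%td\n",
           after, (ptrdiff_t)after);

    if (vis_alloc_checked(rodata_linked, 0x0b, 0x18) == NULL)
        printf("checked variant refused: %s\n", strerror(errno));
    return 0;
}
```

The object-file case yields strlen("") + 1 + 5 = 6, matching the `subq $.LC2-5` sequence in the listing; the linked case yields 0x4015d4 - 0x4015e0 = -12, which as a size_t is SIZE_MAX - 11. That is the "Cannot allocate memory" in the original run: the bug is in the linker's handling of the two relocations, not in vis.c, so the checked variant only detects the symptom.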