Bug 1478564

Summary: ld segfault compiling ipxe package
Product: Fedora
Component: cross-binutils
Version: 27
Status: CLOSED ERRATA
Type: Bug
Reporter: Cole Robinson <crobinso>
Assignee: David Howells <dhowells>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dan, dhowells, watanabe.yu
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: cross-binutils-2.29.1-1 cross-binutils-2.29.1-1.fc27 cross-binutils-2.29.1-1.fc26
Last Closed: 2017-12-14 14:37:13 UTC
Attachments: Test data (no flags)

Description Cole Robinson 2017-08-04 19:46:35 UTC
ipxe package build is crashing in rawhide on an ld step. We use cross-binutils to ensure the package is buildable on every arch. Editing the package spec to use make -j1, the failure looks like:

...
x86_64-linux-gnu-objdump -ht bin/ipxe.lkrn.tmp | perl ./util/sortobjdump.pl >> bin/ipxe.lkrn.tmp.map
x86_64-linux-gnu-objcopy -O binary -R .zinfo bin/ipxe.lkrn.tmp bin/ipxe.lkrn.bin
x86_64-linux-gnu-objcopy -O binary -j .zinfo bin/ipxe.lkrn.tmp bin/ipxe.lkrn.zinfo
./util/zbin bin/ipxe.lkrn.bin bin/ipxe.lkrn.zinfo > bin/ipxe.lkrn.zbin
cp bin/ipxe.lkrn.zbin bin/ipxe.lkrn
ISOLINUX_BIN=/usr/share/syslinux/isolinux.bin LDLINUX_C32=/usr/share/syslinux/ldlinux.c32 \
    VERSION="1.0.0+" bash util/geniso -o bin/ipxe.iso bin/ipxe.lkrn
x86_64-linux-gnu-ld  -m elf_i386 -N --no-check-sections --section-start=.prefix=0   --gc-sections -static -o bin/usbdisk.bin --oformat binary -e 0 bin/usbdisk.o
make: *** [arch/x86/Makefile.pcbios:116: bin/usbdisk.bin] Segmentation fault (core dumped)

This doesn't crash on latest f26. I confirmed the issue is present with the latest cross-gcc/cross-binutils packages from koji:

# rpm -qa | grep linux-gnu
binutils-x86_64-linux-gnu-2.29-3.fc27.x86_64
gcc-x86_64-linux-gnu-7.1.1-4.fc27.x86_64

Comment 1 David Howells 2017-08-07 14:31:04 UTC
Created attachment 1310112: Test data

This data can be decompressed and then passed through the linker like so:

x86_64-linux-gnu-ld  -m elf_i386 -N --no-check-sections --section-start=.prefix=0 --gc-sections -static -o bin/usbdisk.bin --oformat binary -e 0 usbdisk.o

Comment 2 David Howells 2017-08-07 14:49:03 UTC
Program received signal SIGSEGV, Segmentation fault.
0x000000000042e3a4 in gldelf_i386_place_orphan (s=0x82cea0, 
    secname=0x82c692 ".prefix", constraint=382) at eelf_i386.c:1978
1978                && (elf_section_data (os->bfd_section)->this_hdr.sh_info
(gdb) bt
#0  0x000000000042e3a4 in gldelf_i386_place_orphan (s=0x82cea0, 
    secname=0x82c692 ".prefix", constraint=382) at eelf_i386.c:1978
#1  0x0000000000412bfa in lang_place_orphans ()
    at ../../binutils-2.29/ld/ldlang.c:6396
#2  0x0000000000416f21 in lang_process ()
    at ../../binutils-2.29/ld/ldlang.c:7198
#3  0x0000000000403ee0 in main (argc=<optimized out>, argv=<optimized out>)
    at ../../binutils-2.29/ld/ldmain.c:413

The fault apparently occurs on line 1978 in the following:

1977            if (os->bfd_section != NULL
1978                && (elf_section_data (os->bfd_section)->this_hdr.sh_info
1979                    == elf_section_data (s)->this_hdr.sh_info)
1980                && (os->bfd_section->flags == 0
1981                    || ((!bfd_link_relocatable (&link_info)
1982                         || (iself && (((elf_section_flags (s)
1983                                         ^ elf_section_flags (os->bfd_section))
1984                                        & SHF_EXCLUDE) == 0)))

(gdb) p os
$1 = (lang_output_section_statement_type *) 0x81e168
(gdb) p os->bfd_section
$2 = (asection *) 0x820720
(gdb) p s
$3 = (asection *) 0x82cea0

Looking at the disassembly, line 1977 starts here:

   0x000000000042e386 <+822>:   mov    0x38(%rbx),%rsi
   0x000000000042e38a <+826>:   test   %rsi,%rsi
   0x000000000042e38d <+829>:   je     0x42e448 <gldelf_i386_place_orphan+1016>
   0x000000000042e393 <+835>:   mov    0xe0(%rsi),%rax
   0x000000000042e39a <+842>:   mov    0xe0(%rbp),%rdx
   0x000000000042e3a1 <+849>:   mov    0x2c(%rdx),%ecx
=> 0x000000000042e3a4 <+852>:   cmp    %ecx,0x2c(%rax)

So %rbx holds 'os', %rsi holds 'os->bfd_section' and %rbp holds 's'.

(gdb) p/x *(long*)($rsi+0xe0)
$13 = 0x0
(gdb) p/x *(long*)($rbp+0xe0)
$14 = 0x82f170

So elf_section_data (os->bfd_section) returns NULL and a SEGV occurs when we try and dereference it.
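The dereference described above, modelled in stand-alone C as an added illustration (this is a constructed model, not binutils source or the upstream fix). It assumes, as the gdb read of 0x0 at $rsi+0xe0 and the --oformat binary link suggest, that the output section simply carries no ELF backend data, and it contrasts the unguarded test with a hypothetical guard that refuses to dereference a NULL elf_section_data().

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not binutils source: only the fields touched by the
 * condition at eelf_i386.c:1977-1984 are kept. */
#define SHF_EXCLUDE 0x80000000u

struct elf_section_data { unsigned sh_info; unsigned sh_flags; };

struct asection {
    unsigned flags;                        /* 0 until the output section is used */
    struct elf_section_data *used_by_bfd;  /* NULL when the output BFD is not ELF */
};

/* In BFD, elf_section_data() is a plain cast of sec->used_by_bfd. */
#define elf_section_data(sec)  ((sec)->used_by_bfd)
#define elf_section_flags(sec) (elf_section_data(sec)->sh_flags)

/* Same shape as the faulting test: the output section's ELF data is
 * dereferenced unconditionally, which is what crashed at line 1978. */
static bool orphan_fits_unchecked(const struct asection *os,
                                  const struct asection *s, bool relocatable)
{
    return elf_section_data(os)->sh_info == elf_section_data(s)->sh_info
        && (os->flags == 0 || !relocatable
            || ((elf_section_flags(s) ^ elf_section_flags(os)) & SHF_EXCLUDE) == 0);
}

/* Hypothetical guard (not the upstream fix): an output section with no ELF
 * backend data cannot share sh_info with an ELF input section, so answer
 * "no match" instead of dereferencing NULL. */
static bool orphan_fits_guarded(const struct asection *os,
                                const struct asection *s, bool relocatable)
{
    if (elf_section_data(os) == NULL || elf_section_data(s) == NULL)
        return false;
    return orphan_fits_unchecked(os, s, relocatable);
}

/* os_has_elf_data = false reproduces the reported state: the gdb read of
 * os->bfd_section->used_by_bfd ($rsi+0xe0) was 0x0 while .prefix had data. */
bool orphan_matches_prefix(bool os_has_elf_data)
{
    struct elf_section_data prefix = { .sh_info = 0, .sh_flags = 0 };
    struct elf_section_data out    = { .sh_info = 0, .sh_flags = 0 };
    struct asection os = { .flags = 0, .used_by_bfd = os_has_elf_data ? &out : NULL };
    struct asection s  = { .flags = 0, .used_by_bfd = &prefix };
    return orphan_fits_guarded(&os, &s, false);  /* -static link: not relocatable */
}
```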

Comment 3 Jan Kurik 2017-08-15 07:44:22 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 5 Cole Robinson 2017-11-06 13:11:07 UTC
Any timeline on getting this fixed with Fedora packages? I still can't build ipxe on f27/rawhide. Not urgent, I just don't want it to be forgotten.

Comment 6 Fedora Update System 2017-11-09 13:18:03 UTC
cross-binutils-2.29.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4ac0ead391

Comment 7 Fedora Update System 2017-11-09 13:18:10 UTC
cross-binutils-2.29.1-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-06c4b02fd7

Comment 8 Fedora Update System 2017-11-09 19:55:53 UTC
cross-binutils-2.29.1-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-06c4b02fd7

Comment 9 Fedora Update System 2017-11-11 17:29:59 UTC
cross-binutils-2.29.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4ac0ead391

Comment 10 Fedora Update System 2017-12-14 14:37:13 UTC
cross-binutils-2.29.1-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2017-12-14 16:13:34 UTC
cross-binutils-2.29.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.