_bfd_clear_contents bounds checking
This PR shows a fuzzed binary triggering a segfault via a bad
relocation in .debug_line. It turns out that unlike normal
relocations applied to a section, the linker applies those with
symbols from discarded sections via _bfd_clear_contents without
checking that the relocation is within the section bounds. The same
thing now happens when reading debug sections since commit
a4cd947aca, the PR23425 fix.
PR 23770
PR 23425
* reloc.c (_bfd_clear_contents): Replace "location" param with
"buf" and "off". Bounds check "off". Return status.
* cofflink.c (_bfd_coff_generic_relocate_section): Update
_bfd_clear_contents call.
* elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
* elf32-arc.c (elf_arc_relocate_section): Likewise.
* elf32-i386.c (elf_i386_relocate_section): Likewise.
* elf32-metag.c (metag_final_link_relocate): Likewise.
* elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
* elf32-visium.c (visium_elf_relocate_section): Likewise.
* elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
* elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
* libbfd-in.h (_bfd_clear_contents): Update prototype.
* libbfd.h: Regenerate.
This commit is contained in:
Alan Modra
parent
2bf2bf23da
commit
0930cb3021
@ -1,3 +1,23 @@
|
||||
2018-10-13 Alan Modra <amodra@gmail.com>
|
||||
|
||||
PR 23770
|
||||
PR 23425
|
||||
* reloc.c (_bfd_clear_contents): Replace "location" param with
|
||||
"buf" and "off". Bounds check "off". Return status.
|
||||
* cofflink.c (_bfd_coff_generic_relocate_section): Update
|
||||
_bfd_clear_contents call.
|
||||
* elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
|
||||
* elf32-arc.c (elf_arc_relocate_section): Likewise.
|
||||
* elf32-i386.c (elf_i386_relocate_section): Likewise.
|
||||
* elf32-metag.c (metag_final_link_relocate): Likewise.
|
||||
* elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
|
||||
* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
|
||||
* elf32-visium.c (visium_elf_relocate_section): Likewise.
|
||||
* elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
|
||||
* elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
|
||||
* libbfd-in.h (_bfd_clear_contents): Update prototype.
|
||||
* libbfd.h: Regenerate.
|
||||
|
||||
2018-10-09 Egeyar Bagcioglu <egeyar.bagcioglu@oracle.com>
|
||||
|
||||
* elflink.c (elf_link_output_extsym): Do not place symbols into a
|
||||
|
||||
@ -3080,7 +3080,7 @@ _bfd_coff_generic_relocate_section (bfd *output_bfd,
|
||||
if (sec != NULL && discarded_section (sec))
|
||||
{
|
||||
_bfd_clear_contents (howto, input_bfd, input_section,
|
||||
contents + (rel->r_vaddr - input_section->vma));
|
||||
contents, rel->r_vaddr - input_section->vma);
|
||||
continue;
|
||||
}
|
||||
|
||||
|
||||
@ -2847,7 +2847,7 @@ extern asection _bfd_elf_large_com_section;
|
||||
{ \
|
||||
int i_; \
|
||||
_bfd_clear_contents (howto, input_bfd, input_section, \
|
||||
contents + rel[index].r_offset); \
|
||||
contents, rel[index].r_offset); \
|
||||
\
|
||||
if (bfd_link_relocatable (info) \
|
||||
&& (input_section->flags & SEC_DEBUGGING)) \
|
||||
|
||||
@ -1568,7 +1568,7 @@ elf_arc_relocate_section (bfd * output_bfd,
|
||||
if (sec != NULL && discarded_section (sec))
|
||||
{
|
||||
_bfd_clear_contents (howto, input_bfd, input_section,
|
||||
contents + rel->r_offset);
|
||||
contents, rel->r_offset);
|
||||
rel->r_info = 0;
|
||||
rel->r_addend = 0;
|
||||
|
||||
|
||||
@ -2197,7 +2197,7 @@ elf_i386_relocate_section (bfd *output_bfd,
|
||||
if (sec != NULL && discarded_section (sec))
|
||||
{
|
||||
_bfd_clear_contents (howto, input_bfd, input_section,
|
||||
contents + rel->r_offset);
|
||||
contents, rel->r_offset);
|
||||
wrel->r_offset = rel->r_offset;
|
||||
wrel->r_info = 0;
|
||||
wrel->r_addend = 0;
|
||||
|
||||
@ -1396,7 +1396,7 @@ metag_final_link_relocate (reloc_howto_type *howto,
|
||||
rel, relend, howto, contents) \
|
||||
{ \
|
||||
_bfd_clear_contents (howto, input_bfd, input_section, \
|
||||
contents + rel->r_offset); \
|
||||
contents, rel->r_offset); \
|
||||
\
|
||||
if (bfd_link_relocatable (info) \
|
||||
&& (input_section->flags & SEC_DEBUGGING)) \
|
||||
|
||||
@ -13217,14 +13217,14 @@ nds32_elf_get_relocated_section_contents (bfd *abfd,
|
||||
symbol = *(*parent)->sym_ptr_ptr;
|
||||
if (symbol->section && discarded_section (symbol->section))
|
||||
{
|
||||
bfd_byte *p;
|
||||
bfd_vma off;
|
||||
static reloc_howto_type none_howto
|
||||
= HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
|
||||
"unused", FALSE, 0, 0, FALSE);
|
||||
|
||||
p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
|
||||
_bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
|
||||
p);
|
||||
off = (*parent)->address * bfd_octets_per_byte (input_bfd);
|
||||
_bfd_clear_contents ((*parent)->howto, input_bfd,
|
||||
input_section, data, off);
|
||||
(*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
|
||||
(*parent)->addend = 0;
|
||||
(*parent)->howto = &none_howto;
|
||||
|
||||
@ -7090,7 +7090,7 @@ ppc_elf_relocate_section (bfd *output_bfd,
|
||||
howto = ppc_elf_howto_table[r_type];
|
||||
|
||||
_bfd_clear_contents (howto, input_bfd, input_section,
|
||||
contents + rel->r_offset);
|
||||
contents, rel->r_offset);
|
||||
wrel->r_offset = rel->r_offset;
|
||||
wrel->r_info = 0;
|
||||
wrel->r_addend = 0;
|
||||
|
||||
@ -621,7 +621,7 @@ visium_elf_relocate_section (bfd *output_bfd,
|
||||
or sections discarded by a linker script, we just want the
|
||||
section contents zeroed. Avoid any special processing. */
|
||||
_bfd_clear_contents (howto, input_bfd, input_section,
|
||||
contents + rel->r_offset);
|
||||
contents, rel->r_offset);
|
||||
|
||||
rel->r_info = 0;
|
||||
rel->r_addend = 0;
|
||||
|
||||
@ -13491,7 +13491,7 @@ ppc64_elf_relocate_section (bfd *output_bfd,
|
||||
{
|
||||
_bfd_clear_contents (ppc64_elf_howto_table[r_type],
|
||||
input_bfd, input_section,
|
||||
contents + rel->r_offset);
|
||||
contents, rel->r_offset);
|
||||
wrel->r_offset = rel->r_offset;
|
||||
wrel->r_info = 0;
|
||||
wrel->r_addend = 0;
|
||||
|
||||
@ -2490,7 +2490,7 @@ elf_x86_64_relocate_section (bfd *output_bfd,
|
||||
if (sec != NULL && discarded_section (sec))
|
||||
{
|
||||
_bfd_clear_contents (howto, input_bfd, input_section,
|
||||
contents + rel->r_offset);
|
||||
contents, rel->r_offset);
|
||||
wrel->r_offset = rel->r_offset;
|
||||
wrel->r_info = 0;
|
||||
wrel->r_addend = 0;
|
||||
|
||||
@ -697,8 +697,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
|
||||
(reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
|
||||
|
||||
/* Clear a given location using a given howto. */
|
||||
extern void _bfd_clear_contents
|
||||
(reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
|
||||
extern bfd_reloc_status_type _bfd_clear_contents
|
||||
(reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
|
||||
|
||||
/* Link stabs in sections in the first pass. */
|
||||
|
||||
|
||||
@ -702,8 +702,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
|
||||
(reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
|
||||
|
||||
/* Clear a given location using a given howto. */
|
||||
extern void _bfd_clear_contents
|
||||
(reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
|
||||
extern bfd_reloc_status_type _bfd_clear_contents
|
||||
(reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
|
||||
|
||||
/* Link stabs in sections in the first pass. */
|
||||
|
||||
|
||||
19
bfd/reloc.c
19
bfd/reloc.c
@ -1504,15 +1504,21 @@ _bfd_relocate_contents (reloc_howto_type *howto,
|
||||
relocations against discarded symbols, to make ignorable debug or unwind
|
||||
information more obvious. */
|
||||
|
||||
void
|
||||
bfd_reloc_status_type
|
||||
_bfd_clear_contents (reloc_howto_type *howto,
|
||||
bfd *input_bfd,
|
||||
asection *input_section,
|
||||
bfd_byte *location)
|
||||
bfd_byte *buf,
|
||||
bfd_vma off)
|
||||
{
|
||||
bfd_vma x;
|
||||
bfd_byte *location;
|
||||
|
||||
if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, off))
|
||||
return bfd_reloc_outofrange;
|
||||
|
||||
/* Get the value we are going to relocate. */
|
||||
location = buf + off;
|
||||
x = read_reloc (input_bfd, location, howto);
|
||||
|
||||
/* Zero out the unwanted bits of X. */
|
||||
@ -1527,6 +1533,7 @@ _bfd_clear_contents (reloc_howto_type *howto,
|
||||
|
||||
/* Put the relocated value back in the object file. */
|
||||
write_reloc (input_bfd, x, location, howto);
|
||||
return bfd_reloc_ok;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -8336,14 +8343,14 @@ bfd_generic_get_relocated_section_contents (bfd *abfd,
|
||||
&& (input_section->flags & SEC_DEBUGGING) != 0
|
||||
&& link_info->input_bfds == link_info->output_bfd))
|
||||
{
|
||||
bfd_byte *p;
|
||||
bfd_vma off;
|
||||
static reloc_howto_type none_howto
|
||||
= HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
|
||||
"unused", FALSE, 0, 0, FALSE);
|
||||
|
||||
p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
|
||||
_bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
|
||||
p);
|
||||
off = (*parent)->address * bfd_octets_per_byte (input_bfd);
|
||||
_bfd_clear_contents ((*parent)->howto, input_bfd,
|
||||
input_section, data, off);
|
||||
(*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
|
||||
(*parent)->addend = 0;
|
||||
(*parent)->howto = &none_howto;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user