Fixes for memory access violations triggered by running nlmconv on
fuzzed binaries. PR binutils/17512 * nlmconv.c (i386_mangle_relocs): Skip relocs without an associated symbol. (powerpc_mangle_relocs): Skip unrecognised relocs. Check address range before applying a reloc.
parent
025ac41482
commit
3565cf8fed
@ -1,3 +1,11 @@
|
|||||||
|
2015-01-08 Nick Clifton <nickc@redhat.com>
|
||||||
|
|
||||||
|
PR binutils/17512
|
||||||
|
* nlmconv.c (i386_mangle_relocs): Skip relocs without an
|
||||||
|
associated symbol.
|
||||||
|
(powerpc_mangle_relocs): Skip unrecognised relocs. Check address
|
||||||
|
range before applying a reloc.
|
||||||
|
|
||||||
2015-01-07 Nick Clifton <nickc@redhat.com>
|
2015-01-07 Nick Clifton <nickc@redhat.com>
|
||||||
|
|
||||||
PR binutils/17512
|
PR binutils/17512
|
||||||
|
@ -1415,6 +1415,9 @@ i386_mangle_relocs (bfd *outbfd, asection *insec, arelent ***relocs_ptr,
|
|||||||
bfd_vma addend;
|
bfd_vma addend;
|
||||||
|
|
||||||
rel = *relocs++;
|
rel = *relocs++;
|
||||||
|
/* PR 17512: file: 057f89c1. */
|
||||||
|
if (rel->sym_ptr_ptr == NULL)
|
||||||
|
continue;
|
||||||
sym = *rel->sym_ptr_ptr;
|
sym = *rel->sym_ptr_ptr;
|
||||||
|
|
||||||
/* We're moving the relocs from the input section to the output
|
/* We're moving the relocs from the input section to the output
|
||||||
@ -1871,7 +1874,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
|
|||||||
|
|
||||||
toc_howto = bfd_reloc_type_lookup (insec->owner, BFD_RELOC_PPC_TOC16);
|
toc_howto = bfd_reloc_type_lookup (insec->owner, BFD_RELOC_PPC_TOC16);
|
||||||
if (toc_howto == (reloc_howto_type *) NULL)
|
if (toc_howto == (reloc_howto_type *) NULL)
|
||||||
abort ();
|
fatal (_("Unable to locate PPC_TOC16 reloc information"));
|
||||||
|
|
||||||
/* If this is the .got section, clear out all the contents beyond
|
/* If this is the .got section, clear out all the contents beyond
|
||||||
the initial size. We must do this here because copy_sections is
|
the initial size. We must do this here because copy_sections is
|
||||||
@ -1910,6 +1913,10 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* PR 17512: file: 70cfde95. */
|
||||||
|
if (rel->howto == NULL)
|
||||||
|
continue;
|
||||||
|
|
||||||
/* We must be able to resolve all PC relative relocs at this
|
/* We must be able to resolve all PC relative relocs at this
|
||||||
point. If we get a branch to an undefined symbol we build a
|
point. If we get a branch to an undefined symbol we build a
|
||||||
stub, since NetWare will resolve undefined symbols into a
|
stub, since NetWare will resolve undefined symbols into a
|
||||||
@ -1927,6 +1934,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
|
|||||||
{
|
{
|
||||||
bfd_vma val;
|
bfd_vma val;
|
||||||
|
|
||||||
|
if (rel->address > contents_size - 4)
|
||||||
|
{
|
||||||
|
non_fatal (_("Out of range relocation: %lx"), rel->address);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
assert (rel->howto->size == 2 && rel->howto->pcrel_offset);
|
assert (rel->howto->size == 2 && rel->howto->pcrel_offset);
|
||||||
val = bfd_get_32 (outbfd, (bfd_byte *) contents + rel->address);
|
val = bfd_get_32 (outbfd, (bfd_byte *) contents + rel->address);
|
||||||
val = ((val &~ rel->howto->dst_mask)
|
val = ((val &~ rel->howto->dst_mask)
|
||||||
@ -1976,6 +1989,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
|
|||||||
switch (rel->howto->size)
|
switch (rel->howto->size)
|
||||||
{
|
{
|
||||||
case 1:
|
case 1:
|
||||||
|
if (rel->address > contents_size - 2)
|
||||||
|
{
|
||||||
|
non_fatal (_("Out of range relocation: %lx"), rel->address);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
val = bfd_get_16 (outbfd,
|
val = bfd_get_16 (outbfd,
|
||||||
(bfd_byte *) contents + rel->address);
|
(bfd_byte *) contents + rel->address);
|
||||||
val = ((val &~ rel->howto->dst_mask)
|
val = ((val &~ rel->howto->dst_mask)
|
||||||
@ -1991,6 +2010,13 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 2:
|
case 2:
|
||||||
|
/* PR 17512: file: 0455a112. */
|
||||||
|
if (rel->address > contents_size - 4)
|
||||||
|
{
|
||||||
|
non_fatal (_("Out of range relocation: %lx"), rel->address);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
val = bfd_get_32 (outbfd,
|
val = bfd_get_32 (outbfd,
|
||||||
(bfd_byte *) contents + rel->address);
|
(bfd_byte *) contents + rel->address);
|
||||||
val = ((val &~ rel->howto->dst_mask)
|
val = ((val &~ rel->howto->dst_mask)
|
||||||
@ -2002,7 +2028,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
abort ();
|
fatal (_("Unsupported relocation size: %d"), rel->howto->size);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (! bfd_is_und_section (bfd_get_section (sym)))
|
if (! bfd_is_und_section (bfd_get_section (sym)))
|
||||||
|
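Review bot: The new range checks in powerpc_mangle_relocs subtract before comparing, so a section smaller than the access width can defeat them. This applies to `rel->address > contents_size - 4` in the PC-relative block and in `case 2:`, and to `rel->address > contents_size - 2` in `case 1:`. If `contents_size` is an unsigned type (its declaration is outside these hunks), the subtraction wraps to a huge value and every address is accepted, leaving the `bfd_get_32`/`bfd_get_16` reads out of bounds on a malformed input. Test the size first, e.g. `if (contents_size < 4 || rel->address > contents_size - 4)`, and use 2 in `case 1:`. Separately, `%lx` receives `rel->address` uncast; if that field can be wider than `unsigned long` on the host, pass `(unsigned long) rel->address`.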