Fixes for memory access violations triggered by running nlmconv on fuzzed binaries.

	PR binutils/17512
	* nlmconv.c (i386_mangle_relocs): Skip relocs without an
	associated symbol.
	(powerpc_mangle_relocs): Skip unrecognised relocs.  Check address
	range before applying a reloc.
Nick Clifton 2015-01-08 12:37:46 +00:00
parent 025ac41482
commit 3565cf8fed
2 changed files with 36 additions and 2 deletions


@ -1,3 +1,11 @@
2015-01-08 Nick Clifton <nickc@redhat.com>
PR binutils/17512
* nlmconv.c (i386_mangle_relocs): Skip relocs without an
associated symbol.
(powerpc_mangle_relocs): Skip unrecognised relocs. Check address
range before applying a reloc.
2015-01-07 Nick Clifton <nickc@redhat.com> 2015-01-07 Nick Clifton <nickc@redhat.com>
PR binutils/17512 PR binutils/17512


@ -1415,6 +1415,9 @@ i386_mangle_relocs (bfd *outbfd, asection *insec, arelent ***relocs_ptr,
bfd_vma addend; bfd_vma addend;
rel = *relocs++; rel = *relocs++;
/* PR 17512: file: 057f89c1. */
if (rel->sym_ptr_ptr == NULL)
continue;
sym = *rel->sym_ptr_ptr; sym = *rel->sym_ptr_ptr;
/* We're moving the relocs from the input section to the output /* We're moving the relocs from the input section to the output
@ -1871,7 +1874,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
toc_howto = bfd_reloc_type_lookup (insec->owner, BFD_RELOC_PPC_TOC16); toc_howto = bfd_reloc_type_lookup (insec->owner, BFD_RELOC_PPC_TOC16);
if (toc_howto == (reloc_howto_type *) NULL) if (toc_howto == (reloc_howto_type *) NULL)
abort (); fatal (_("Unable to locate PPC_TOC16 reloc information"));
/* If this is the .got section, clear out all the contents beyond /* If this is the .got section, clear out all the contents beyond
the initial size. We must do this here because copy_sections is the initial size. We must do this here because copy_sections is
@ -1910,6 +1913,10 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
} }
} }
/* PR 17512: file: 70cfde95. */
if (rel->howto == NULL)
continue;
/* We must be able to resolve all PC relative relocs at this /* We must be able to resolve all PC relative relocs at this
point. If we get a branch to an undefined symbol we build a point. If we get a branch to an undefined symbol we build a
stub, since NetWare will resolve undefined symbols into a stub, since NetWare will resolve undefined symbols into a
@ -1927,6 +1934,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
{ {
bfd_vma val; bfd_vma val;
if (rel->address > contents_size - 4)
{
non_fatal (_("Out of range relocation: %lx"), rel->address);
break;
}
assert (rel->howto->size == 2 && rel->howto->pcrel_offset); assert (rel->howto->size == 2 && rel->howto->pcrel_offset);
val = bfd_get_32 (outbfd, (bfd_byte *) contents + rel->address); val = bfd_get_32 (outbfd, (bfd_byte *) contents + rel->address);
val = ((val &~ rel->howto->dst_mask) val = ((val &~ rel->howto->dst_mask)
@ -1976,6 +1989,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
switch (rel->howto->size) switch (rel->howto->size)
{ {
case 1: case 1:
if (rel->address > contents_size - 2)
{
non_fatal (_("Out of range relocation: %lx"), rel->address);
break;
}
val = bfd_get_16 (outbfd, val = bfd_get_16 (outbfd,
(bfd_byte *) contents + rel->address); (bfd_byte *) contents + rel->address);
val = ((val &~ rel->howto->dst_mask) val = ((val &~ rel->howto->dst_mask)
@ -1991,6 +2010,13 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
break; break;
case 2: case 2:
/* PR 17512: file: 0455a112. */
if (rel->address > contents_size - 4)
{
non_fatal (_("Out of range relocation: %lx"), rel->address);
break;
}
val = bfd_get_32 (outbfd, val = bfd_get_32 (outbfd,
(bfd_byte *) contents + rel->address); (bfd_byte *) contents + rel->address);
val = ((val &~ rel->howto->dst_mask) val = ((val &~ rel->howto->dst_mask)
@ -2002,7 +2028,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
break; break;
default: default:
abort (); fatal (_("Unsupported relocation size: %d"), rel->howto->size);
} }
if (! bfd_is_und_section (bfd_get_section (sym))) if (! bfd_is_und_section (bfd_get_section (sym)))
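Review bot: The new bounds checks of the form `if (rel->address > contents_size - 4)` (and the `- 2` variant in the 16-bit case) wrap around when contents_size is smaller than the subtrahend, assuming contents_size is an unsigned bfd_size_type as its use here suggests, so a section shorter than 4 (or 2) bytes still passes the check and the following bfd_get_32/bfd_get_16 reads past the buffer. Guard the size first: `if (contents_size < 4 || rel->address > contents_size - 4)` in the three 32-bit checks and `if (contents_size < 2 || rel->address > contents_size - 2)` in the 16-bit one. Inside the `switch (rel->howto->size)` cases the `break` after non_fatal only leaves the switch, so the rejected reloc still reaches the code that follows it, starting at `if (! bfd_is_und_section (bfd_get_section (sym)))`; a `continue`, as the `rel->howto == NULL` guard already uses, would drop it consistently. `%lx` with a bfd_vma argument is a format mismatch on hosts where bfd_vma is wider than unsigned long, so cast to `(unsigned long)` or use whatever bfd_vma printing convention the file already uses. powerpc_mangle_relocs and the loop containing these checks begin and end outside these hunks, so which construct the first `break` (before the assert) exits cannot be confirmed from here.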