PR21432, buffer overflow in perform_relocation
The existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. PR 21432 * reloc.c (reloc_offset_in_range): New function. (bfd_perform_relocation, bfd_install_relocation): Use it. (_bfd_final_link_relocate): Likewise.
This commit is contained in:
parent
45ce1b47e4
commit
a941291cab
@ -1,3 +1,10 @@
|
|||||||
|
2017-04-29 Alan Modra <amodra@gmail.com>
|
||||||
|
|
||||||
|
PR 21432
|
||||||
|
* reloc.c (reloc_offset_in_range): New function.
|
||||||
|
(bfd_perform_relocation, bfd_install_relocation): Use it.
|
||||||
|
(_bfd_final_link_relocate): Likewise.
|
||||||
|
|
||||||
2017-04-28 H.J. Lu <hongjiu.lu@intel.com>
|
2017-04-28 H.J. Lu <hongjiu.lu@intel.com>
|
||||||
|
|
||||||
* elf32-i386.c (elf_i386_allocate_dynrelocs): Check plt_got
|
* elf32-i386.c (elf_i386_allocate_dynrelocs): Check plt_got
|
||||||
|
32
bfd/reloc.c
32
bfd/reloc.c
@ -538,6 +538,22 @@ bfd_check_overflow (enum complain_overflow how,
|
|||||||
return flag;
|
return flag;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* HOWTO describes a relocation, at offset OCTET. Return whether the
|
||||||
|
relocation field is within SECTION of ABFD. */
|
||||||
|
|
||||||
|
static bfd_boolean
|
||||||
|
reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd,
|
||||||
|
asection *section, bfd_size_type octet)
|
||||||
|
{
|
||||||
|
bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section);
|
||||||
|
bfd_size_type reloc_size = bfd_get_reloc_size (howto);
|
||||||
|
|
||||||
|
/* The reloc field must be contained entirely within the section.
|
||||||
|
Allow zero length fields (marker relocs or NONE relocs where no
|
||||||
|
relocation will be performed) at the end of the section. */
|
||||||
|
return octet <= octet_end && octet + reloc_size <= octet_end;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
FUNCTION
|
FUNCTION
|
||||||
bfd_perform_relocation
|
bfd_perform_relocation
|
||||||
@ -619,15 +635,9 @@ bfd_perform_relocation (bfd *abfd,
|
|||||||
if (howto == NULL)
|
if (howto == NULL)
|
||||||
return bfd_reloc_undefined;
|
return bfd_reloc_undefined;
|
||||||
|
|
||||||
/* Is the address of the relocation really within the section?
|
/* Is the address of the relocation really within the section? */
|
||||||
Include the size of the reloc in the test for out of range addresses.
|
|
||||||
PR 17512: file: c146ab8b, 46dff27f, 38e53ebf. */
|
|
||||||
octets = reloc_entry->address * bfd_octets_per_byte (abfd);
|
octets = reloc_entry->address * bfd_octets_per_byte (abfd);
|
||||||
if (octets + bfd_get_reloc_size (howto)
|
if (!reloc_offset_in_range (howto, abfd, input_section, octets))
|
||||||
> bfd_get_section_limit_octets (abfd, input_section)
|
|
||||||
/* Check for an overly large offset which
|
|
||||||
masquerades as a negative value too. */
|
|
||||||
|| (octets + bfd_get_reloc_size (howto) < bfd_get_reloc_size (howto)))
|
|
||||||
return bfd_reloc_outofrange;
|
return bfd_reloc_outofrange;
|
||||||
|
|
||||||
/* Work out which section the relocation is targeted at and the
|
/* Work out which section the relocation is targeted at and the
|
||||||
@ -1015,8 +1025,7 @@ bfd_install_relocation (bfd *abfd,
|
|||||||
|
|
||||||
/* Is the address of the relocation really within the section? */
|
/* Is the address of the relocation really within the section? */
|
||||||
octets = reloc_entry->address * bfd_octets_per_byte (abfd);
|
octets = reloc_entry->address * bfd_octets_per_byte (abfd);
|
||||||
if (octets + bfd_get_reloc_size (howto)
|
if (!reloc_offset_in_range (howto, abfd, input_section, octets))
|
||||||
> bfd_get_section_limit_octets (abfd, input_section))
|
|
||||||
return bfd_reloc_outofrange;
|
return bfd_reloc_outofrange;
|
||||||
|
|
||||||
/* Work out which section the relocation is targeted at and the
|
/* Work out which section the relocation is targeted at and the
|
||||||
@ -1354,8 +1363,7 @@ _bfd_final_link_relocate (reloc_howto_type *howto,
|
|||||||
bfd_size_type octets = address * bfd_octets_per_byte (input_bfd);
|
bfd_size_type octets = address * bfd_octets_per_byte (input_bfd);
|
||||||
|
|
||||||
/* Sanity check the address. */
|
/* Sanity check the address. */
|
||||||
if (octets + bfd_get_reloc_size (howto)
|
if (!reloc_offset_in_range (howto, input_bfd, input_section, octets))
|
||||||
> bfd_get_section_limit_octets (input_bfd, input_section))
|
|
||||||
return bfd_reloc_outofrange;
|
return bfd_reloc_outofrange;
|
||||||
|
|
||||||
/* This function assumes that we are dealing with a basic relocation
|
/* This function assumes that we are dealing with a basic relocation
|
||||||
|
Loading…
Reference in New Issue
Block a user