It didn't take long for oss-fuzz to find double frees due to a bug in
the cleanup logic. It's seen when reading in any alpha-vms object
file except when alpha_vms_vec is the default. But alpha_vms_vec is
of course the default when building for --target=alpha-dec-vms (and
naturally what I used to test the cleanup support since that is the
only target with a cleanup that does anything currently).
Anyway, the bug is that if bfd_check_format_matches is to preserve a
match the cleanup for that match can't be run. Quite obviously that
would destroy part of the match state.
* format.c (struct bfd_preserve): Add cleanup field.
(bfd_preserve_save): Add cleanup param and save.
(bfd_preserve_restore): Return cleanup.
(bfd_preserve_finish): Call the cleanup for the discarded match.
(bfd_check_format_matches): Pass cleanup to bfd_preserve_save,
and clear when preserving a match. Restore cleanup too when
restoring that match.
The object_p (and archive_p, core_file_p) functions are not supposed
to have any target specific malloc'd memory attached to the bfd on
their return. This should be obvious on a failure return, but it's
also true for a successful return. The reason is that even though the
object_p recognises the file, that particular target may not be used
and thus the bfd won't be closed calling close_and_cleanup for the
target that allocated the memory.
It turns out that the object_p bfd_target* return value isn't needed.
In all cases except ld/plugin.c the target is abfd->xvec and with
ld/plugin.c the target isn't used. So this patch returns a cleanup
function from object_p instead, called in bfd_check_format_matches to
tidy the bfd before trying a different target match. The only cleanup
that does anything at this stage is the alpha-vms one.
bfd/
* targets.c (bfd_cleanup): New typedef.
(struct bfd <_bfd_check_format>): Return a bfd_cleanup.
* libbfd-in.h (_bfd_no_cleanup): Define.
* format.c (bfd_reinit): Add cleanup parameter, call it.
(bfd_check_format_matches): Set cleanup from _bfd_check_format
call and pass to bfd_reinit. Delete temp, use abfd->xvec instead.
* aout-target.h (callback, object_p): Return bfd_cleanup.
* aout-tic30.c (tic30_aout_callback, tic30_aout_object_p): Likewise.
* archive.c (bfd_generic_archive_p): Likewise.
* binary.c (binary_object_p): Likewise.
* coff-alpha.c (alpha_ecoff_object_p): Likewise.
* coff-ia64.c (ia64coff_object_p): Likewise.
* coff-rs6000.c (_bfd_xcoff_archive_p, rs6000coff_core_p): Likewise.
* coff-sh.c (coff_small_object_p): Likewise.
* coff-stgo32.c (go32_check_format): Likewise.
* coff64-rs6000.c (xcoff64_archive_p, rs6000coff_core_p),
(xcoff64_core_p): Likewise.
* coffgen.c (coff_real_object_p, coff_object_p): Likewise.
* elf-bfd.h (bfd_elf32_object_p, bfd_elf32_core_file_p),
(bfd_elf64_object_p, bfd_elf64_core_file_p): Likewise.
* elfcode.h (elf_object_p): Likewise.
* elfcore.h (elf_core_file_p): Likewise.
* i386msdos.c (msdos_object_p): Likewise.
* ihex.c (ihex_object_p): Likewise.
* libaout.h (some_aout_object_p): Likewise.
* libbfd-in.h (bfd_generic_archive_p, _bfd_dummy_target),
(_bfd_vms_lib_alpha_archive_p, _bfd_vms_lib_ia64_archive_p): Likewise.
* libbfd.c (_bfd_dummy_target): Likewise.
* libcoff-in.h (coff_object_p): Likewise.
* mach-o-aarch64.c (bfd_mach_o_arm64_object_p),
(bfd_mach_o_arm64_core_p): Likewise.
* mach-o-arm.c (bfd_mach_o_arm_object_p),
(bfd_mach_o_arm_core_p): Likewise.
* mach-o-i386.c (bfd_mach_o_i386_object_p),
(bfd_mach_o_i386_core_p): Likewise.
* mach-o-x86-64.c (bfd_mach_o_x86_64_object_p),
(bfd_mach_o_x86_64_core_p): Likewise.
* mach-o.c (bfd_mach_o_header_p, bfd_mach_o_gen_object_p),
(bfd_mach_o_gen_core_p, bfd_mach_o_fat_archive_p): Likewise.
* mach-o.h (bfd_mach_o_object_p, bfd_mach_o_core_p),
(bfd_mach_o_fat_archive_p, bfd_mach_o_header_p): Likewise.
* mmo.c (mmo_object_p): Likewise.
* pef.c (bfd_pef_object_p, bfd_pef_xlib_object_p): Likewise.
* peicode.h (coff_real_object_p, pe_ILF_object_p),
(pe_bfd_object_p): Likewise.
* plugin.c (ld_plugin_object_p, bfd_plugin_object_p): Likewise.
* ppcboot.c (ppcboot_object_p): Likewise.
* rs6000-core.c (rs6000coff_core_p): Likewise.
* som.c (som_object_setup, som_object_p): Likewise.
* srec.c (srec_object_p, symbolsrec_object_p): Likewise.
* tekhex.c (tekhex_object_p): Likewise.
* vms-alpha.c (alpha_vms_object_p): Likewise.
* vms-lib.c (_bfd_vms_lib_archive_p, _bfd_vms_lib_alpha_archive_p),
(_bfd_vms_lib_ia64_archive_p, _bfd_vms_lib_txt_archive_p): Likewise.
* wasm-module.c (wasm_object_p): Likewise.
* xsym.c (bfd_sym_object_p): Likewise.
* xsym.h (bfd_sym_object_p): Likewise.
* aoutx.h (some_aout_object_p): Likewise, and callback parameter
return type.
* pdp11.c (some_aout_object_p): Likewise.
* plugin.c (register_ld_plugin_object_p): Update object_p
parameter type.
* plugin.h (register_ld_plugin_object_p): Likewise.
* bfd-in2.h: Regenerate.
* libbfd.h: Regenerate.
* libcoff.h: Regenerate.
ld/
* plugin.c (plugin_object_p): Return a bfd_cleanup.
(plugin_cleanup): New function.
This patch arranges for symbols defined in .sdata and .sbss to be
reported by nm with 'g' and 's' flags, for coff targets that support
.sdata and .sbss.
The assembler changes regarding SEC_SMALL_DATA are really just
documentation. As far as I'm aware, this won't change any assembler
output.
bfd/
* coff-alpha.c (alpha_ecoff_le_vec): Add SEC_SMALL_DATA to
applicable section flags.
* coff-mips.c (mips_ecoff_le_vec, mips_ecoff_be_vec): Likewise.
(mips_ecoff_bele_vec): Likewise.
* coffcode.h (sec_to_styp_flags): Set SEC_SMALL_DATA for .sdata
and .sbss sections.
* ecoff.c (_bfd_ecoff_new_section_hook): Likewise.
(_bfd_ecoff_styp_to_sec_flags): Likewise.
gas/
* config/tc-m32r.c (md_begin): Set SEC_SMALL_DATA on .scommon section.
* config/tc-mips.c (s_change_sec): Set SEC_SMALL_DATA for .sdata
and .sbss sections.
* config/tc-score.c: Delete !BFD_ASSEMBLER code throughout.
(s3_s_change_sec): Set SEC_SMALL_DATA for .sbss section.
(s3_s_score_lcomm): Likewise.
* config/tc-score7.c: Similarly.
* read.c (bss_alloc): Set SEC_SMALL_DATA for .sbss section.
For those ELF targets that have .sdata or .sbss sections, or similar
sections, arrange to mark the sections with the SEC_SMALL_DATA flag.
This fixes regressions in nm symbol type caused by removing .sdata
and .sbss from coff_section_type with commit 49d9fd42ac.
* elf32-m32r.c (m32r_elf_section_flags): New function.
(elf_backend_section_flags): Define.
* elf32-nds32.c (nds32_elf_section_flags): New function.
(elf_backend_section_flags): Define.
* elf32-ppc.c (ppc_elf_section_from_shdr): Set SEC_SMALL_DATA for
.sbss and .sdata sections.
* elf32-v850.c (v850_elf_section_from_shdr): Set SEC_SMALL_DATA
for SHF_V850_GPREL sections.
* elf64-alpha.c (elf64_alpha_section_from_shdr): Delete outdated
FIXME.
* elf64-hppa.c (elf64_hppa_section_from_shdr): Set SEC_SMALL_DATA
for SHF_PARISC_SHORT sections.
* elf64-ppc.c (ppc64_elf_section_flags): New function.
(elf_backend_section_flags): Define.
* elfxx-mips.c (_bfd_mips_elf_section_from_shdr): Set SEC_SMALL_DATA
for SHF_MIPS_GPREL sections. Delete FIXME.
I was looking at elf_backend_section_flags as a means of setting
SEC_SMALL_DATA for .sdata, .sbss and the like, and condidered adding
an asection* parameter to access the section name easily before
realising that hdr->bfd_section of course makes the section
available. So no new parameter needed. In fact the flagword*
parameter isn't needed either, so out it goes.
The patch also tidies some horrible code in _bfd_elf_new_section_hook
that can change whether known ABI sections have sh_type and sh_flags
set up depending on which of the bfd_make_section functions is used.
(Some of those set section flags before _bfd_elf_new_section_hook is
called, others leave the flags zero.) The function also had some
hacks for .init_array and .fini_array to affect how
_bfd_elf_init_private_section_data behaved for those sections. It's
cleaner to do that in _bfd_elf_init_private_section_data. So that all
goes and we now init sh_type and sh_flags for all known ABI sections
in _bfd_elf_new_section_hook. _bfd_elf_init_private_section_data is
changed to suit, and now doesn't just single out SHT_INIT_ARRAY and
SHT_FINI_ARRAY but rather any of the special section types.
The _bfd_elf_new_section_hook change resulting in
+FAIL: ld-aarch64/erratum835769-843419
exposing some errors in the aarch64 backend. elfNN_aarch64_size_stubs
should not be looking at linker created sections in the stub bfd. Nor
should code like "symtab_hdr = &elf_tdata (input_bfd)->symtab_hdr" be
run without first checking that input_bfd is ELF.
* elf-bfd.h (elf_backend_section_flags): Remove flagword* param.
* elf.c (_bfd_elf_make_section_from_shdr): Set section flags before
calling elf_backend_section_flags with adjusted params. Use
newsect->flags past that point.
(_bfd_elf_new_section_hook): Always set sh_type and sh_flags for
special sections.
(_bfd_elf_init_private_section_data): Allow normal sh_type sections
to have their type overridden, and all sh_flags but processor and
os specific.
* elf32-arm.c (elf32_arm_section_flags): Adjust for changed params.
* elf32-mep.c (mep_elf_section_flags): Likewise.
* elf32-nios2.c (nios2_elf32_section_flags): Likewise.
* elf64-alpha.c (elf64_alpha_section_flags): Likewise.
* elf64-ia64-vms.c (elf64_ia64_section_flags): Likewise.
* elfnn-ia64.c (elfNN_ia64_section_flags): Likewise.
* elfnn-aarch64.c (elfNN_aarch64_size_stubs): Exclude the linker
stub BFD and non-aarch64 input files when scanning for stubs.
When realloc fails it doesn't free the old memory. In BFD we usually
will exit with an error on a realloc fail, so want to tidy up memory
on error paths. That's done by bfd_realloc_or_free.
* vms-alpha.c (vms_get_remaining_object_record): Use
bfd_realloc_or_free rather than bfd_realloc.
(add_symbol_entry, vector_grow1, alpha_vms_slurp_relocs): Likewise.
(dst_define_location, parse_module): Likewise, and check realloc
return status before using memory. Return status from function
adjusting all callers.
This patch simplifies reading of image headers. It's really not worth
trying to avoid re-reading a 12 byte buffer and then read in
VMS_BLOCK_SIZE chunks, better just to throw the buffer away and use
_bfd_malloc_and_read which does checks against file size.
* vms-alpha.c (alpha_vms_object_p): Use _bfd_malloc_and_read.
Remove duplicate undersize check.
PR 24511
* syms.c (stt): Trim off all but 'e', 'i' and 'p' entries.
(coff_section_type): Adjust comment.
(decode_section_type): Likewise. Call coff_section_type before
decode_section_type.
(bfd_decode_symclass): Use 'c' for common sections other than
the standard one.
If you manage to put an xcoff object file into a non-xcoff archive
(created by first putting a non-xcoff object file into it), and have
xcoff support compiled into libbfd, then objdump -x on the archive
can segfault. The problem is that _bfd_xcoff_stat_arch_elt expects
abfd->arelt_data->arch_header to be one of the xcoff variants, but
arelt_data is generated depending on the archive format, *not* the
element format.
* bfd.c (bfd_stat_arch_elt): Use vector of containing archive,
if file is an archive element.
* bfd-in2.h: Regenerate.
Adds some sanity checking to size values read from file.
* archive.c (do_slurp_bsd_armap): Increase minimum parsed_size, and
bfd_set_error on failing test. Don't bother changing bfd_error on
file read error. Check symdef_count is multiple of BSD_SYMDEF_SIZE.
Check sym name is within string buffer. Use size_t for some vars.
(do_slurp_coff_armap): Use size_t for some variables, fix size of
int_buf. Don't change bfd_error on file read error. Use
_bfd_mul_overflow when calculating carsym buffer size. Reorder
calculations to catch overflows before they occur. malloc and
free raw armap rather than using bfd_alloc. Read raw armap before
allocating carsym+strings buffer.
(_bfd_slurp_extended_name_table): Localize variables. Check
name size against file size.
git commit c893ce360a changed buffer management, in the process
introducing a bug on an error return path.
* vms-lib.c (vms_lib_read_index): Release correct buffer.
* elf32-rx.c (rx_elf_relocate_section): Use bfd_malloc rather than
malloc. Check for NULL return from bfd_malloc.
(rx_table_find, rx_table_map): Likewise.
(rx_set_section_contents): Check bfd_alloc return.
(rx_dump_symtab): Don't alloc internal_syms or external_syms.
This patch delays setting up DT_NEEDED dynamic tags until all object
files and libraries have been opened and their symbols processed,
rather than adding the tags while processing symbols. Tags are
ordered according to the position of the associated library on the
command line and linker scripts. It is still possible with
--as-needed libs that are mentioned more than once for tags to be
ordered according to which mention was needed. For example with
"--as-needed a.so b.so c.so b.so" when b.so is not needed by a.so or
any other prior object file but is needed by c.so, the order of tags
will be "A C B".
bfd/
PR 25593
* elf-bfd.h (struct elf_link_hash_table): Rename "loaded" to
"dyn_loaded".
(bfd_elf_add_dt_needed_tag): Declare.
* elf-strtab.c (_bfd_elf_strtab_restore): Handle NULL buf.
* elflink.c (bfd_elf_add_dt_needed_tag): Make global and rename
from elf_add_dt_needed_tag. Remove soname and doit param.
(elf_link_add_object_symbols): Don't use elf_add_dt_needed_tag
to see whether as-needed lib is already loaded, use dyn_loaded
list instead. When saving and restoring around as-needed lib
handle possibility that dynstr has not been initialised. Don't
add DT_NEEDED tags here. Limit dyn_loaded list to dynamic libs.
Mark libs loaded via DT_NEEDED entries of other libs with
DYN_NO_NEEDED if they should not be mentioned in DT_NEEDED of
the output.
(elf_link_check_versioned_symbol): Remove now unneccesary
DYNAMIC check when traversing dyn_loaded list.
ld/
PR 25593
* ldelf.c (ldelf_try_needed): Add DT_NEEDED lib to input_bfds.
(ldelf_after_open): Save state of input_bfds list before loading
DT_NEEDED libs. Traverse input_bfds list adding DT_NEEDED tags.
Restore input_bfds list.
* testsuite/ld-cris/gotplt1.d: Adjust for changed .dynstr order.
Archive element size is given by data in the archive, and thus is
subject to attack by fuzzers. The only harm this allows is allocation
of huge amounts of memory, but some systems don't handle that well.
So limit archive element size to archive file size.
* bfdio.c (bfd_get_file_size): Ignore bogus archive element sizes.
Since ar and ranlib don't need to know symbol types to work properly,
we should avoid calling lto-wrapper for them to speed them up.
bfd/
PR binutils/25584
* plugin.c (need_lto_wrapper_p): New.
(bfd_plugin_set_program_name): Add an int argument to set
need_lto_wrapper_p.
(get_lto_wrapper): Return FALSE if need_lto_wrapper_p isn't
set.
* plugin.h (bfd_plugin_set_program_name): Add an int argument.
binutils/
PR binutils/25584
* ar.c (main): Pass 0 to bfd_plugin_set_program_name.
* nm.c (main): Pass 1 to bfd_plugin_set_program_name.
I closed this bug as invalid, but I think it is worth mentioning in NEWS
that older linkers didn't check PT_PHDR very well. The patch also allows
people to force an output file with --noinhibit-exec after the error.
bfd/
PR 25585
* elf.c (assign_file_positions_for_load_sections): Continue linking
on "PHDR segment not covered by LOAD segment" errors.
ld/
PR 25585
* NEWS: Mention better "PHDR segment not covered by LOAD segment"
checking.
It's very easy to make bfd/mach-o.c allocate huge amounts of memory
with fuzzed binaries. This make it a little harder.
The patch also fixes a number of places where an attempt to detect
overflow of multiplication was done with code like
if (x * 4 < x)
/* overflow case */
That of course doesn't work. There are plenty of values of x that
overflow x * 4 but (x * 4) mod 2^n is greater than x. For example
with 16-bit types, 0x6000 * 4 = 0x18000 mod 2^16 = 0x8000.
* mach-o.c (bfd_mach_o_canonicalize_relocs): Fix ineffective
overflow check.
(bfd_mach_o_canonicalize_reloc): Likewise.
(bfd_mach_o_canonicalize_dynamic_reloc): Likewise. Sanity check
counts and offsets against file size.
(bfd_mach_o_build_dysymtab): Fix ineffective overflow check.
(bfd_mach_o_mangle_sections): Remove unnecessary overflow check.
(bfd_mach_o_read_symtab_symbols): Sanity check count and offset
against file size. Delete symbol table error message.
(bfd_mach_o_read_dysymtab): Sanity check counts and offsets
against file size.
(bfd_mach_o_read_symtab): Likewise.
(bfd_mach_o_read_command): Pass file size.
(bfd_mach_o_scan): Sanity check command count against file size.
This patch fixes an ancient wart in aout support, in that text and
data section sizes are rounded up for alignment rather that just the
corresponding header sizes. Changing section sizes could conceivably
result in buffer overflows if section contents were held in memory.
Also, keeping the original section sizes allows this PR to be fixed
nicely.
bfd/
PR 25569
* aoutx.h (adjust_o_magic, adjust_z_magic, adjust_n_magic): Use
"text", "data" and "bss" section pointer vars. Don't update
section size, just exec header sizes.
(adjust_sizes_and_vmas): Don't update text section size. Set
initial exec header a_text. Print exec headers sizes.
* pdp11.c (adjust_o_magic, adjust_z_magic, adjust_n_magic),
(adjust_sizes_and_vmas): Similarly. Formatting.
(final_link): Correct final file extension.
gas/
PR 25569
* config/obj-aout.c (obj_aout_frob_file_before_fix): Don't loop
on section size adjustment, instead perform another write if
exec header size is larger than section size.
* elf-bfd.h (struct elf_backend_data): Add symbol_section_index
callback.
* elfxx-target.h (elf_backend_symbol_section_index): Provide
default definition.
(elfNN_bed): Initialise the symbol_section_index field.
* elf.c (swap_out_syms): Call symbol_section_index, if defined, on
OS and PROC specific section indicies. Warn if converting other
reserved incidies to SHN_ABS.
Since plugin can be used only once in try_load_plugin, call dlclose
before return.
PR binutils/25355
* plugin.c (plugin_list_entry): Remove handle.
(try_load_plugin): Call dlclose before return.
Some minor tidies. Allocating memory for internal relocs and symbols
after reading external relocs is slightly better with fuzzed files.
You can at least do something about silly sizes that way.
* aoutx.h (slurp_reloc_table): Allocate reloc_cache after
reading external relocs.
* ecoff.c (ecoff_slurp_reloc_table): Likewise.
* archive.c (_bfd_write_archive_contents): Don't twiddle bfd_error
after bfd_bread.
* archive64.c (_bfd_archive_64_bit_slurp_armap): Remove unnecessary
bfd_release.
* elf32-m32c.c (m32c_offset_for_reloc): Make shndx_buf a bfd_byte*.
(m32c_elf_relax_section): Likewise.
* elf32-rl78.c (rl78_offset_for_reloc): Likewise.
(rl78_elf_relax_section): Likewise.
* elf32-rx.c (rx_offset_for_reloc): Likewise.
(elf32_rx_relax_section): Likewise.
* mach-o.c (bfd_mach_o_alloc_and_read): Move earlier with better
parameter types and use..
(bfd_mach_o_read_dylinker, bfd_mach_o_read_dylib),
(bfd_mach_o_read_fvmlib, bfd_mach_o_read_str): ..in these functions.
* peicode.h (pe_bfd_object_p): Don't zero the part of opthdr
being read from file, just the extra.
* som.c (som_slurp_symbol_table): Allocate internal symbol buffer
after reading external syms. Free on failure.
The bfd_alloc2 series of functions were invented to handle cases where
nmemb * size can overflow. This patch changes some places where the
calculation can't overflow.
* elf.c (bfd_section_from_shdr): Use bfd_zalloc rather than
bfd_zalloc2.
(assign_section_numbers): Likewise.
(elf_map_symbols): Likewise, and bfd_alloc rather than bfd_alloc2.
(_bfd_elf_map_sections_to_segments): Use bfd_malloc rather than
bfd_malloc2, size_t amt, and unsigned tls_count.
(rewrite_elf_program_header): Use bfd_malloc and size_t amt.
* elflink.c (elf_create_symbuf): Use bfd_malloc.
(elf_output_implib): Use bfd_alloc.
Alan Modra
GDB Administrator
H.J. Lu
Nick Clifton
Sergey Belyashov