_bfd_clear_contents bounds checking
authorAlan Modra <amodra@gmail.com>
Sat, 13 Oct 2018 11:33:02 +0000 (22:03 +1030)
committerAlan Modra <amodra@gmail.com>
Sat, 13 Oct 2018 13:24:33 +0000 (23:54 +1030)
This PR shows a fuzzed binary triggering a segfault via a bad
relocation in .debug_line.  It turns out that unlike normal
relocations applied to a section, the linker applies those with
symbols from discarded sections via _bfd_clear_contents without
checking that the relocation is within the section bounds.  The same
thing now happens when reading debug sections since commit
a4cd947aca23, the PR23425 fix.

PR 23770
PR 23425
* reloc.c (_bfd_clear_contents): Replace "location" param with
"buf" and "off".  Bounds check "off".  Return status.
* cofflink.c (_bfd_coff_generic_relocate_section): Update
_bfd_clear_contents call.
* elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
* elf32-arc.c (elf_arc_relocate_section): Likewise.
* elf32-i386.c (elf_i386_relocate_section): Likewise.
* elf32-metag.c (metag_final_link_relocate): Likewise.
* elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
* elf32-visium.c (visium_elf_relocate_section): Likewise.
* elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
* elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
* libbfd-in.h (_bfd_clear_contents): Update prototype.
* libbfd.h: Regenerate.

14 files changed:
bfd/ChangeLog
bfd/cofflink.c
bfd/elf-bfd.h
bfd/elf32-arc.c
bfd/elf32-i386.c
bfd/elf32-metag.c
bfd/elf32-nds32.c
bfd/elf32-ppc.c
bfd/elf32-visium.c
bfd/elf64-ppc.c
bfd/elf64-x86-64.c
bfd/libbfd-in.h
bfd/libbfd.h
bfd/reloc.c

index 68c1ff665be5e08f4a28545d13c8e2e0656d27b0..e9696ee314307d63fa11b525a9270cf8b8005758 100644 (file)
@@ -1,3 +1,23 @@
+2018-10-13  Alan Modra  <amodra@gmail.com>
+
+       PR 23770
+       PR 23425
+       * reloc.c (_bfd_clear_contents): Replace "location" param with
+       "buf" and "off".  Bounds check "off".  Return status.
+       * cofflink.c (_bfd_coff_generic_relocate_section): Update
+       _bfd_clear_contents call.
+       * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
+       * elf32-arc.c (elf_arc_relocate_section): Likewise.
+       * elf32-i386.c (elf_i386_relocate_section): Likewise.
+       * elf32-metag.c (metag_final_link_relocate): Likewise.
+       * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
+       * elf32-ppc.c (ppc_elf_relocate_section): Likewise.
+       * elf32-visium.c (visium_elf_relocate_section): Likewise.
+       * elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
+       * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
+       * libbfd-in.h (_bfd_clear_contents): Update prototype.
+       * libbfd.h: Regenerate.
+
 2018-10-09  Egeyar Bagcioglu  <egeyar.bagcioglu@oracle.com>
 
        * elflink.c (elf_link_output_extsym): Do not place symbols into a
index 2f73f72e318d743c8ea403e751ab26c13e180835..b7ea69b7f94885961c38e40886125b8a0da86f0d 100644 (file)
@@ -3080,7 +3080,7 @@ _bfd_coff_generic_relocate_section (bfd *output_bfd,
       if (sec != NULL && discarded_section (sec))
        {
          _bfd_clear_contents (howto, input_bfd, input_section,
-                              contents + (rel->r_vaddr - input_section->vma));
+                              contents, rel->r_vaddr - input_section->vma);
          continue;
        }
 
index cf256f70e07da20231353b0cb3902972e4bf2827..3374f411f98d0dfb4264d3fc87dc2ea831716b05 100644 (file)
@@ -2847,7 +2847,7 @@ extern asection _bfd_elf_large_com_section;
   {                                                                    \
     int i_;                                                            \
     _bfd_clear_contents (howto, input_bfd, input_section,              \
-                        contents + rel[index].r_offset);               \
+                        contents, rel[index].r_offset);                \
                                                                        \
     if (bfd_link_relocatable (info)                                    \
        && (input_section->flags & SEC_DEBUGGING))                      \
index 7a1b3042aec45c6bb842a295d82d5cfeb7058e55..30f47a5b220fbae2174cad8a3e3b50749d0613c3 100644 (file)
@@ -1568,7 +1568,7 @@ elf_arc_relocate_section (bfd *                     output_bfd,
       if (sec != NULL && discarded_section (sec))
        {
          _bfd_clear_contents (howto, input_bfd, input_section,
-                              contents + rel->r_offset);
+                              contents, rel->r_offset);
          rel->r_info = 0;
          rel->r_addend = 0;
 
index 49797dcbfaffd335a326e50a068dd456b74ad78d..177471777df4a679139ef4ba2e23af7e299846a7 100644 (file)
@@ -2197,7 +2197,7 @@ elf_i386_relocate_section (bfd *output_bfd,
       if (sec != NULL && discarded_section (sec))
        {
          _bfd_clear_contents (howto, input_bfd, input_section,
-                              contents + rel->r_offset);
+                              contents, rel->r_offset);
          wrel->r_offset = rel->r_offset;
          wrel->r_info = 0;
          wrel->r_addend = 0;
index efe95bddff574395427df046b1b61d2c0662f538..7f96246e5dd08ddef2c1d1da3c56522c317fc310 100644 (file)
@@ -1396,7 +1396,7 @@ metag_final_link_relocate (reloc_howto_type *howto,
                                              rel, relend, howto, contents) \
   {                                                                    \
     _bfd_clear_contents (howto, input_bfd, input_section,              \
-                        contents + rel->r_offset);                     \
+                        contents, rel->r_offset);                      \
                                                                        \
     if (bfd_link_relocatable (info)                                    \
        && (input_section->flags & SEC_DEBUGGING))                      \
index 0d86e5b865043501f56cadb937d62aee64a829ce..184cf320f7c1a5af746e2a30bfc87a9235140d6e 100644 (file)
@@ -13217,14 +13217,14 @@ nds32_elf_get_relocated_section_contents (bfd *abfd,
          symbol = *(*parent)->sym_ptr_ptr;
          if (symbol->section && discarded_section (symbol->section))
            {
-             bfd_byte *p;
+             bfd_vma off;
              static reloc_howto_type none_howto
                = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
                         "unused", FALSE, 0, 0, FALSE);
 
-             p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
-             _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
-                                  p);
+             off = (*parent)->address * bfd_octets_per_byte (input_bfd);
+             _bfd_clear_contents ((*parent)->howto, input_bfd,
+                                  input_section, data, off);
              (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
              (*parent)->addend = 0;
              (*parent)->howto = &none_howto;
index 61f70de12e983121dfa779f128455f31275b4e79..c31e26efd79dd5b06d29b35579892da15267d2a1 100644 (file)
@@ -7090,7 +7090,7 @@ ppc_elf_relocate_section (bfd *output_bfd,
            howto = ppc_elf_howto_table[r_type];
 
          _bfd_clear_contents (howto, input_bfd, input_section,
-                              contents + rel->r_offset);
+                              contents, rel->r_offset);
          wrel->r_offset = rel->r_offset;
          wrel->r_info = 0;
          wrel->r_addend = 0;
index e8f1c4c9e4c27641a019e5fac83815cd91c4224d..961366cd871aa38299c8608b9000a11cf5cf6d04 100644 (file)
@@ -621,7 +621,7 @@ visium_elf_relocate_section (bfd *output_bfd,
             or sections discarded by a linker script, we just want the
             section contents zeroed.  Avoid any special processing.  */
          _bfd_clear_contents (howto, input_bfd, input_section,
-                              contents + rel->r_offset);
+                              contents, rel->r_offset);
 
          rel->r_info = 0;
          rel->r_addend = 0;
index eadde17615154606d87ab0ec814fa4b64fe10c6b..7c3534ac654c67404c7ba9a2669da89cb27df461 100644 (file)
@@ -13491,7 +13491,7 @@ ppc64_elf_relocate_section (bfd *output_bfd,
        {
          _bfd_clear_contents (ppc64_elf_howto_table[r_type],
                               input_bfd, input_section,
-                              contents + rel->r_offset);
+                              contents, rel->r_offset);
          wrel->r_offset = rel->r_offset;
          wrel->r_info = 0;
          wrel->r_addend = 0;
index c3a6c31ed2247514bb86f873eeed3570f1d82a30..4dcab4347882d97b12c046528896ec572839256c 100644 (file)
@@ -2490,7 +2490,7 @@ elf_x86_64_relocate_section (bfd *output_bfd,
       if (sec != NULL && discarded_section (sec))
        {
          _bfd_clear_contents (howto, input_bfd, input_section,
-                              contents + rel->r_offset);
+                              contents, rel->r_offset);
          wrel->r_offset = rel->r_offset;
          wrel->r_info = 0;
          wrel->r_addend = 0;
index e53b255dad1dac0097ff9f2a03a64d01fef40184..f6d9565f0345375b1d510cc0f7bcb1139d152afe 100644 (file)
@@ -697,8 +697,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
   (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
 
 /* Clear a given location using a given howto.  */
-extern void _bfd_clear_contents
-  (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
+extern bfd_reloc_status_type _bfd_clear_contents
+  (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
 
 /* Link stabs in sections in the first pass.  */
 
index a8851c802636daf69f1342d748f4c78693384794..1189e633584a3bc8fc8c1bf3de5b303d39b3040a 100644 (file)
@@ -702,8 +702,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
   (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
 
 /* Clear a given location using a given howto.  */
-extern void _bfd_clear_contents
-  (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
+extern bfd_reloc_status_type _bfd_clear_contents
+  (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
 
 /* Link stabs in sections in the first pass.  */
 
index 8dbb8896d397efa269a9082e6a66a1af0397baaa..1686780669924c75797812c6c5154883aee857a5 100644 (file)
@@ -1504,15 +1504,21 @@ _bfd_relocate_contents (reloc_howto_type *howto,
    relocations against discarded symbols, to make ignorable debug or unwind
    information more obvious.  */
 
-void
+bfd_reloc_status_type
 _bfd_clear_contents (reloc_howto_type *howto,
                     bfd *input_bfd,
                     asection *input_section,
-                    bfd_byte *location)
+                    bfd_byte *buf,
+                    bfd_vma off)
 {
   bfd_vma x;
+  bfd_byte *location;
+
+  if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, off))
+    return bfd_reloc_outofrange;
 
   /* Get the value we are going to relocate.  */
+  location = buf + off;
   x = read_reloc (input_bfd, location, howto);
 
   /* Zero out the unwanted bits of X.  */
@@ -1527,6 +1533,7 @@ _bfd_clear_contents (reloc_howto_type *howto,
 
   /* Put the relocated value back in the object file.  */
   write_reloc (input_bfd, x, location, howto);
+  return bfd_reloc_ok;
 }
 
 /*
@@ -8336,14 +8343,14 @@ bfd_generic_get_relocated_section_contents (bfd *abfd,
                  && (input_section->flags & SEC_DEBUGGING) != 0
                  && link_info->input_bfds == link_info->output_bfd))
            {
-             bfd_byte *p;
+             bfd_vma off;
              static reloc_howto_type none_howto
                = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
                         "unused", FALSE, 0, 0, FALSE);
 
-             p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
-             _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
-                                  p);
+             off = (*parent)->address * bfd_octets_per_byte (input_bfd);
+             _bfd_clear_contents ((*parent)->howto, input_bfd,
+                                  input_section, data, off);
              (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
              (*parent)->addend = 0;
              (*parent)->howto = &none_howto;