From e6b6fad2fe4d180bcd65a1e0aabc6ba763901346 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Wed, 23 Nov 2022 22:12:30 +1030 Subject: [PATCH] PR22509 - Null pointer dereference on coff_slurp_reloc_table This extends the commit 4581a1c7d304 fix to more targets, which hardens BFD a little. I think the real underlying problem was the bfd_canonicalize_reloc call in load_specific_debug_section which passed a NULL for "symbols". Fix that too. PR 22509 bfd/ * aoutx.h (swap_ext_reloc_out): Gracefully handle NULL symbols. * i386lynx.c (swap_ext_reloc_out): Likewise. * pdp11.c (pdp11_aout_swap_reloc_out): Likewise. * coff-tic30.c (reloc_processing): Likewise. * coff-tic4x.c (tic4x_reloc_processing): Likewise. * coff-tic54x.c (tic54x_reloc_processing): Likewise. * coff-z80.c (reloc_processing): Likewise. * coff-z8k.c (reloc_processing): Likewise. * ecoff.c (ecoff_slurp_reloc_table): Likewise. * som.c (som_set_reloc_info): Likewise. binutils/ * objdump.c (load_specific_debug_section): Pass syms to bfd_canonicalize_reloc. --- bfd/aoutx.h | 4 +++- bfd/coff-tic30.c | 2 +- bfd/coff-tic4x.c | 2 +- bfd/coff-tic54x.c | 2 +- bfd/coff-z80.c | 2 +- bfd/coff-z8k.c | 2 +- bfd/ecoff.c | 3 ++- bfd/i386lynx.c | 4 +++- bfd/pdp11.c | 4 +++- bfd/som.c | 2 +- binutils/objdump.c | 2 +- 11 files changed, 18 insertions(+), 11 deletions(-) diff --git a/bfd/aoutx.h b/bfd/aoutx.h index 61ea9f7ce04..38e30431589 100644 --- a/bfd/aoutx.h +++ b/bfd/aoutx.h @@ -2122,8 +2122,10 @@ NAME (aout, swap_ext_reloc_out) (bfd *abfd, if (r_extern) \ { \ /* Undefined symbol. */ \ - if (r_index < bfd_get_symcount (abfd)) \ + if (symbols != NULL && r_index < bfd_get_symcount (abfd)) \ cache_ptr->sym_ptr_ptr = symbols + r_index; \ + else \ + cache_ptr->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; \ cache_ptr->addend = ad; \ } \ else \ diff --git a/bfd/coff-tic30.c b/bfd/coff-tic30.c index 874fd79f3fa..fcc85754068 100644 --- a/bfd/coff-tic30.c +++ b/bfd/coff-tic30.c @@ -161,7 +161,7 @@ reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; rtype2howto (relent, reloc); - if (reloc->r_symndx == -1) + if (reloc->r_symndx == -1 || symbols == NULL) relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd)) relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx]; diff --git a/bfd/coff-tic4x.c b/bfd/coff-tic4x.c index 02013e1655f..be295259915 100644 --- a/bfd/coff-tic4x.c +++ b/bfd/coff-tic4x.c @@ -219,7 +219,7 @@ tic4x_reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; - if (reloc->r_symndx != -1) + if (reloc->r_symndx != -1 && symbols != NULL) { if (reloc->r_symndx < 0 || reloc->r_symndx >= obj_conv_table_size (abfd)) { diff --git a/bfd/coff-tic54x.c b/bfd/coff-tic54x.c index 8b493584503..9ec4b2064c3 100644 --- a/bfd/coff-tic54x.c +++ b/bfd/coff-tic54x.c @@ -357,7 +357,7 @@ tic54x_reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; - if (reloc->r_symndx != -1) + if (reloc->r_symndx != -1 && symbols != NULL) { if (reloc->r_symndx < 0 || reloc->r_symndx >= obj_conv_table_size (abfd)) { diff --git a/bfd/coff-z80.c b/bfd/coff-z80.c index ba0f2609bf0..7fb2f137331 100644 --- a/bfd/coff-z80.c +++ b/bfd/coff-z80.c @@ -314,7 +314,7 @@ reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; rtype2howto (relent, reloc); - if (reloc->r_symndx == -1) + if (reloc->r_symndx == -1 || symbols == NULL) relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd)) relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx]; diff --git a/bfd/coff-z8k.c b/bfd/coff-z8k.c index b9f6f9773ad..974bffc9a6f 100644 --- a/bfd/coff-z8k.c +++ b/bfd/coff-z8k.c @@ -177,7 +177,7 @@ reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; rtype2howto (relent, reloc); - if (reloc->r_symndx == -1) + if (reloc->r_symndx == -1 || symbols == NULL) relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd)) relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx]; diff --git a/bfd/ecoff.c b/bfd/ecoff.c index a4edf7a2e6c..2d26b855e4c 100644 --- a/bfd/ecoff.c +++ b/bfd/ecoff.c @@ -1612,7 +1612,8 @@ ecoff_slurp_reloc_table (bfd *abfd, if (intern.r_extern) { /* r_symndx is an index into the external symbols. */ - if (intern.r_symndx >= 0 + if (symbols != NULL + && intern.r_symndx >= 0 && (intern.r_symndx < (ecoff_data (abfd)->debug_info.symbolic_header.iextMax))) rptr->sym_ptr_ptr = symbols + intern.r_symndx; diff --git a/bfd/i386lynx.c b/bfd/i386lynx.c index 5df3d19ffe0..acc38d24438 100644 --- a/bfd/i386lynx.c +++ b/bfd/i386lynx.c @@ -283,8 +283,10 @@ NAME(lynx,swap_ext_reloc_out) (bfd *abfd, if (r_extern) \ { \ /* undefined symbol */ \ - if (r_index < bfd_get_symcount (abfd)) \ + if (symbols != NULL && r_index < bfd_get_symcount (abfd)) \ cache_ptr->sym_ptr_ptr = symbols + r_index; \ + else \ + cache_ptr->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; \ cache_ptr->addend = ad; \ } \ else \ diff --git a/bfd/pdp11.c b/bfd/pdp11.c index de9c8690e20..806e0e12a61 100644 --- a/bfd/pdp11.c +++ b/bfd/pdp11.c @@ -1861,8 +1861,10 @@ pdp11_aout_swap_reloc_out (bfd *abfd, arelent *g, bfd_byte *natptr) if (r_extern) \ { \ /* Undefined symbol. */ \ - if (r_index < bfd_get_symcount (abfd)) \ + if (symbols != NULL && r_index < bfd_get_symcount (abfd)) \ cache_ptr->sym_ptr_ptr = symbols + r_index; \ + else \ + cache_ptr->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; \ cache_ptr->addend = ad; \ } \ else \ diff --git a/bfd/som.c b/bfd/som.c index 7a5ee35f0e2..3e89c937b5e 100644 --- a/bfd/som.c +++ b/bfd/som.c @@ -5099,7 +5099,7 @@ som_set_reloc_info (unsigned char *fixup, /* A symbol to use in the relocation. Make a note of this if we are not just counting. */ case 'S': - if (! just_count && (unsigned int) c < symcount) + if (!just_count && symbols != NULL && (unsigned int) c < symcount) rptr->sym_ptr_ptr = &symbols[c]; break; /* Argument relocation bits for a function call. */ diff --git a/binutils/objdump.c b/binutils/objdump.c index 61a18746fde..9b27ce73a87 100644 --- a/binutils/objdump.c +++ b/binutils/objdump.c @@ -4238,7 +4238,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug, relocs = (arelent **) xmalloc (reloc_size); - reloc_count = bfd_canonicalize_reloc (abfd, sec, relocs, NULL); + reloc_count = bfd_canonicalize_reloc (abfd, sec, relocs, syms); if (reloc_count <= 0) free (relocs); else -- 2.30.2