From 0930cb3021b8078b34cf216e79eb8608d017864f Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Sat, 13 Oct 2018 22:03:02 +1030 Subject: [PATCH] _bfd_clear_contents bounds checking This PR shows a fuzzed binary triggering a segfault via a bad relocation in .debug_line. It turns out that unlike normal relocations applied to a section, the linker applies those with symbols from discarded sections via _bfd_clear_contents without checking that the relocation is within the section bounds. The same thing now happens when reading debug sections since commit a4cd947aca23, the PR23425 fix. PR 23770 PR 23425 * reloc.c (_bfd_clear_contents): Replace "location" param with "buf" and "off". Bounds check "off". Return status. * cofflink.c (_bfd_coff_generic_relocate_section): Update _bfd_clear_contents call. * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise. * elf32-arc.c (elf_arc_relocate_section): Likewise. * elf32-i386.c (elf_i386_relocate_section): Likewise. * elf32-metag.c (metag_final_link_relocate): Likewise. * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise. * elf32-ppc.c (ppc_elf_relocate_section): Likewise. * elf32-visium.c (visium_elf_relocate_section): Likewise. * elf64-ppc.c (ppc64_elf_relocate_section): Likewise. * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise. * libbfd-in.h (_bfd_clear_contents): Update prototype. * libbfd.h: Regenerate. --- bfd/ChangeLog | 20 ++++++++++++++++++++ bfd/cofflink.c | 2 +- bfd/elf-bfd.h | 2 +- bfd/elf32-arc.c | 2 +- bfd/elf32-i386.c | 2 +- bfd/elf32-metag.c | 2 +- bfd/elf32-nds32.c | 8 ++++---- bfd/elf32-ppc.c | 2 +- bfd/elf32-visium.c | 2 +- bfd/elf64-ppc.c | 2 +- bfd/elf64-x86-64.c | 2 +- bfd/libbfd-in.h | 4 ++-- bfd/libbfd.h | 4 ++-- bfd/reloc.c | 19 +++++++++++++------ 14 files changed, 50 insertions(+), 23 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 68c1ff6..e9696ee 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,23 @@ +2018-10-13 Alan Modra + + PR 23770 + PR 23425 + * reloc.c (_bfd_clear_contents): Replace "location" param with + "buf" and "off". Bounds check "off". Return status. + * cofflink.c (_bfd_coff_generic_relocate_section): Update + _bfd_clear_contents call. + * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise. + * elf32-arc.c (elf_arc_relocate_section): Likewise. + * elf32-i386.c (elf_i386_relocate_section): Likewise. + * elf32-metag.c (metag_final_link_relocate): Likewise. + * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise. + * elf32-ppc.c (ppc_elf_relocate_section): Likewise. + * elf32-visium.c (visium_elf_relocate_section): Likewise. + * elf64-ppc.c (ppc64_elf_relocate_section): Likewise. + * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise. + * libbfd-in.h (_bfd_clear_contents): Update prototype. + * libbfd.h: Regenerate. + 2018-10-09 Egeyar Bagcioglu * elflink.c (elf_link_output_extsym): Do not place symbols into a diff --git a/bfd/cofflink.c b/bfd/cofflink.c index 2f73f72..b7ea69b 100644 --- a/bfd/cofflink.c +++ b/bfd/cofflink.c @@ -3080,7 +3080,7 @@ _bfd_coff_generic_relocate_section (bfd *output_bfd, if (sec != NULL && discarded_section (sec)) { _bfd_clear_contents (howto, input_bfd, input_section, - contents + (rel->r_vaddr - input_section->vma)); + contents, rel->r_vaddr - input_section->vma); continue; } diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h index cf256f7..3374f41 100644 --- a/bfd/elf-bfd.h +++ b/bfd/elf-bfd.h @@ -2847,7 +2847,7 @@ extern asection _bfd_elf_large_com_section; { \ int i_; \ _bfd_clear_contents (howto, input_bfd, input_section, \ - contents + rel[index].r_offset); \ + contents, rel[index].r_offset); \ \ if (bfd_link_relocatable (info) \ && (input_section->flags & SEC_DEBUGGING)) \ diff --git a/bfd/elf32-arc.c b/bfd/elf32-arc.c index 7a1b304..30f47a5 100644 --- a/bfd/elf32-arc.c +++ b/bfd/elf32-arc.c @@ -1568,7 +1568,7 @@ elf_arc_relocate_section (bfd * output_bfd, if (sec != NULL && discarded_section (sec)) { _bfd_clear_contents (howto, input_bfd, input_section, - contents + rel->r_offset); + contents, rel->r_offset); rel->r_info = 0; rel->r_addend = 0; diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c index 49797dc..1774717 100644 --- a/bfd/elf32-i386.c +++ b/bfd/elf32-i386.c @@ -2197,7 +2197,7 @@ elf_i386_relocate_section (bfd *output_bfd, if (sec != NULL && discarded_section (sec)) { _bfd_clear_contents (howto, input_bfd, input_section, - contents + rel->r_offset); + contents, rel->r_offset); wrel->r_offset = rel->r_offset; wrel->r_info = 0; wrel->r_addend = 0; diff --git a/bfd/elf32-metag.c b/bfd/elf32-metag.c index efe95bd..7f96246 100644 --- a/bfd/elf32-metag.c +++ b/bfd/elf32-metag.c @@ -1396,7 +1396,7 @@ metag_final_link_relocate (reloc_howto_type *howto, rel, relend, howto, contents) \ { \ _bfd_clear_contents (howto, input_bfd, input_section, \ - contents + rel->r_offset); \ + contents, rel->r_offset); \ \ if (bfd_link_relocatable (info) \ && (input_section->flags & SEC_DEBUGGING)) \ diff --git a/bfd/elf32-nds32.c b/bfd/elf32-nds32.c index 0d86e5b..184cf32 100644 --- a/bfd/elf32-nds32.c +++ b/bfd/elf32-nds32.c @@ -13217,14 +13217,14 @@ nds32_elf_get_relocated_section_contents (bfd *abfd, symbol = *(*parent)->sym_ptr_ptr; if (symbol->section && discarded_section (symbol->section)) { - bfd_byte *p; + bfd_vma off; static reloc_howto_type none_howto = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL, "unused", FALSE, 0, 0, FALSE); - p = data + (*parent)->address * bfd_octets_per_byte (input_bfd); - _bfd_clear_contents ((*parent)->howto, input_bfd, input_section, - p); + off = (*parent)->address * bfd_octets_per_byte (input_bfd); + _bfd_clear_contents ((*parent)->howto, input_bfd, + input_section, data, off); (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; (*parent)->addend = 0; (*parent)->howto = &none_howto; diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c index 61f70de..c31e26e 100644 --- a/bfd/elf32-ppc.c +++ b/bfd/elf32-ppc.c @@ -7090,7 +7090,7 @@ ppc_elf_relocate_section (bfd *output_bfd, howto = ppc_elf_howto_table[r_type]; _bfd_clear_contents (howto, input_bfd, input_section, - contents + rel->r_offset); + contents, rel->r_offset); wrel->r_offset = rel->r_offset; wrel->r_info = 0; wrel->r_addend = 0; diff --git a/bfd/elf32-visium.c b/bfd/elf32-visium.c index e8f1c4c..961366c 100644 --- a/bfd/elf32-visium.c +++ b/bfd/elf32-visium.c @@ -621,7 +621,7 @@ visium_elf_relocate_section (bfd *output_bfd, or sections discarded by a linker script, we just want the section contents zeroed. Avoid any special processing. */ _bfd_clear_contents (howto, input_bfd, input_section, - contents + rel->r_offset); + contents, rel->r_offset); rel->r_info = 0; rel->r_addend = 0; diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c index eadde17..7c3534a 100644 --- a/bfd/elf64-ppc.c +++ b/bfd/elf64-ppc.c @@ -13491,7 +13491,7 @@ ppc64_elf_relocate_section (bfd *output_bfd, { _bfd_clear_contents (ppc64_elf_howto_table[r_type], input_bfd, input_section, - contents + rel->r_offset); + contents, rel->r_offset); wrel->r_offset = rel->r_offset; wrel->r_info = 0; wrel->r_addend = 0; diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c index c3a6c31..4dcab43 100644 --- a/bfd/elf64-x86-64.c +++ b/bfd/elf64-x86-64.c @@ -2490,7 +2490,7 @@ elf_x86_64_relocate_section (bfd *output_bfd, if (sec != NULL && discarded_section (sec)) { _bfd_clear_contents (howto, input_bfd, input_section, - contents + rel->r_offset); + contents, rel->r_offset); wrel->r_offset = rel->r_offset; wrel->r_info = 0; wrel->r_addend = 0; diff --git a/bfd/libbfd-in.h b/bfd/libbfd-in.h index e53b255..f6d9565 100644 --- a/bfd/libbfd-in.h +++ b/bfd/libbfd-in.h @@ -697,8 +697,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN; /* Clear a given location using a given howto. */ -extern void _bfd_clear_contents - (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN; +extern bfd_reloc_status_type _bfd_clear_contents + (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN; /* Link stabs in sections in the first pass. */ diff --git a/bfd/libbfd.h b/bfd/libbfd.h index a8851c8..1189e63 100644 --- a/bfd/libbfd.h +++ b/bfd/libbfd.h @@ -702,8 +702,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN; /* Clear a given location using a given howto. */ -extern void _bfd_clear_contents - (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN; +extern bfd_reloc_status_type _bfd_clear_contents + (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN; /* Link stabs in sections in the first pass. */ diff --git a/bfd/reloc.c b/bfd/reloc.c index 8dbb889..1686780 100644 --- a/bfd/reloc.c +++ b/bfd/reloc.c @@ -1504,15 +1504,21 @@ _bfd_relocate_contents (reloc_howto_type *howto, relocations against discarded symbols, to make ignorable debug or unwind information more obvious. */ -void +bfd_reloc_status_type _bfd_clear_contents (reloc_howto_type *howto, bfd *input_bfd, asection *input_section, - bfd_byte *location) + bfd_byte *buf, + bfd_vma off) { bfd_vma x; + bfd_byte *location; + + if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, off)) + return bfd_reloc_outofrange; /* Get the value we are going to relocate. */ + location = buf + off; x = read_reloc (input_bfd, location, howto); /* Zero out the unwanted bits of X. */ @@ -1527,6 +1533,7 @@ _bfd_clear_contents (reloc_howto_type *howto, /* Put the relocated value back in the object file. */ write_reloc (input_bfd, x, location, howto); + return bfd_reloc_ok; } /* @@ -8336,14 +8343,14 @@ bfd_generic_get_relocated_section_contents (bfd *abfd, && (input_section->flags & SEC_DEBUGGING) != 0 && link_info->input_bfds == link_info->output_bfd)) { - bfd_byte *p; + bfd_vma off; static reloc_howto_type none_howto = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL, "unused", FALSE, 0, 0, FALSE); - p = data + (*parent)->address * bfd_octets_per_byte (input_bfd); - _bfd_clear_contents ((*parent)->howto, input_bfd, input_section, - p); + off = (*parent)->address * bfd_octets_per_byte (input_bfd); + _bfd_clear_contents ((*parent)->howto, input_bfd, + input_section, data, off); (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; (*parent)->addend = 0; (*parent)->howto = &none_howto; -- 2.7.4