Commit Graph

17161 Commits

Alan Modra
590abc168f Don't include coff/pe.h in coff-x86_64.c
This (and other) code from coffcode.h is broken for x86_64_coff_vec,
and has been ever since support was added in 2006 commit 99ad839030.
Here, bfd_coff_aoutsz must match coff_swap_aouthdr_out otherwise we
end up writing garbage.

      /* Note that peicode.h fills in a PEAOUTHDR, not an AOUTHDR.
	 include/coff/pe.h sets AOUTSZ == sizeof (PEAOUTHDR)).  */
      char * buff;
      bfd_size_type amount = bfd_coff_aoutsz (abfd);

      buff = (char *) bfd_malloc (amount);
      if (buff == NULL)
	return false;

      coff_swap_aouthdr_out (abfd, & internal_a, buff);
      amount = bfd_bwrite (buff, amount, abfd);

We have removed support for --target=x86_64-coff, likely because it
never worked properly, but still produce coff-x86_64.o with
--enable-targets=all.  This means objcopy can recognize x86_64 COFF
files but will write garbage to the output file, a fact found by
fuzzers.  I suspect x86_64 COFF is still broken after this fix, and
mention of coff-x86_64.* should be removed from bfd/Makefile.am.

	* coff-x86_64.c: Don't include coff/pe.h.
	(COFF_WITH_pex64): Don't define here.
	* pe-x86_64.c: Include coff/pe.h and other headers.
	(PEI_HEADERS): Define.
2021-10-31 11:42:52 +10:30
Alan Modra
1c5e9d8d8c Re: PR28420, ecoff fuzzing failures
sym_ptr_ptr NULL results in segfaults.

	PR 28420
	* ecoff.c (ecoff_slurp_reloc_table): Don't leave sym_ptr_ptr NULL.
2021-10-31 11:42:08 +10:30
Alan Modra
9216910ed8 ubsan: alpha-vms: undefined shift
	* vms-alpha.c (evax_bfd_print_image): Shift left 1u.
2021-10-31 11:41:39 +10:30
Alan Modra
3c8ed65a5d PR28518: signed integer overflow & free on unmalloced address
	PR 28518
	* vms-alpha.c (build_module_list): Don't lose malloc buffer address.
	Use unsigned variables.
2021-10-31 10:57:52 +10:30
GDB Administrator
fb9f44d410 Automatic date update in version.in 2021-10-31 00:00:09 +00:00
GDB Administrator
4a3a56c5f3 Automatic date update in version.in 2021-10-30 00:00:26 +00:00
Alan Modra
c45c3dba8c ELF core file size checks
Catch fuzzed segments where p_offset + p_filesz wraps, and limit error
output.

	* elfcore.h (elf_core_file_p): Rewrite segment checks using
	bfd_get_file_size.  Set read_only on file size errors.
	* elfcode.h (elf_swap_shdr_in): Don't repeat error message.
2021-10-29 17:22:32 +10:30
Alan Modra
c82ebeb7e6 objcopy vs. files with silly section alignment
We already ignore stupid segment alignment when rewriting headers,
ignore section alignment too.

	* elf.c (rewrite_elf_program_header): Ignore section alignment
	power greater than 62.
2021-10-29 15:48:22 +10:30
GDB Administrator
208eb58158 Automatic date update in version.in 2021-10-29 00:00:18 +00:00
Alan Modra
0a0ff9d931 asan: mmo: NULL dereference in mmo_xore_32
mmo_get_loc can return NULL.  It's commented even, and that the caller
then must handle a split field.  mmo_xore_* don't handle split fields,
instead just segfault.  Stop that happening, and refuse to recognise
fuzzed mmo files that trigger this problem.

	* mmo.c (mmo_get_loc): Don't declare inline.
	(mmo_xore_64, mmo_xore_32, mmo_xore_16): Remove forward decls.
	Return pointer, don't dereference NULL.
	(mmo_scan): Return error on mmo_get_loc returning NULL.
2021-10-28 13:25:57 +10:30
Alan Modra
42eec46f23 bfd: remove use of INLINE
No need to use anything fancy, plain inline works just as well.

	* bfd-in.h (INLINE): Don't define.
	* bfd-in2.h: Regenerate.
	* aoutx.h: Replace use of INLINE with inline.
	* elf-eh-frame.c: Likewise.
	* elf32-score7.c: Likewise.
	* elfxx-mips.c: Likewise.
	* ihex.c: Likewise.
	* mach-o.c: Likewise.
	* mmo.c: Likewise.
2021-10-28 13:24:37 +10:30
GDB Administrator
9fc9dbc28b Automatic date update in version.in 2021-10-28 00:00:16 +00:00
Alan Modra
94852430d6 asan: alpha-vms: buffer overflows
Yet more anti-fuzzer sanity checking.

	* vms-alpha.c (evax_bfd_print_egsd): Sanity check record and
	name lengths before access.
	(evax_bfd_print_etir_stc_ir, evax_bfd_print_etir): Likewise.
2021-10-28 07:40:49 +10:30
GDB Administrator
28c26ce5fd Automatic date update in version.in 2021-10-27 00:00:18 +00:00
GDB Administrator
3976e96a02 Automatic date update in version.in 2021-10-26 00:00:12 +00:00
Alan Modra
1e5a28be0f ubsan: _bfd_xcoff64_swap_aux_in left shift of negative value
	* coff64-rs6000.c (_bfd_xcoff64_swap_aux_in): Use bfd_vma for h.
2021-10-25 11:41:52 +10:30
Alan Modra
b920bc3722 asan: evax_bfd_print_image buffer overflow
	* vms-alpha.c (evax_bfd_print_image): Sanity check printing of
	"image activator fixup" section.
	(evax_bfd_print_relocation_records): Sanity check buffer offsets.
	(evax_bfd_print_address_fixups): Likewise.
	(evax_bfd_print_reference_fixups): Likewise.
2021-10-25 10:33:26 +10:30
GDB Administrator
30459fe4ef Automatic date update in version.in 2021-10-25 00:00:17 +00:00
Alan Modra
1ed0032b40 asan: c4x, c54x coff_canonicalize_reloc buffer overflow
Sometimes the investigation of a fuzzing bug report leads into areas
you'd rather not go.  In this instance by the time I'd figured out the
real cause was a target variant that had never been properly supported
in binutils, the time needed to fix it was less than the time needed
to rip it out.

	* coffcode.h (coff_set_alignment_hook): Call bfd_coff_swap_reloc_in
	not coff_swap_reloc_in.
	(coff_slurp_reloc_table): Likewise.  Don't use RELOC type.
	(ticoff0_swap_table): Use coff_swap_reloc_v0_out and
	coff_swap_reloc_v0_in.
	* coffswap.h (coff_swap_reloc_v0_in, coff_swap_reloc_v0_out): New.
	* coff-tic54x.c (tic54x_lookup_howto): Don't abort.
	* coffgen.c (coff_get_normalized_symtab): Use PTR_ADD.
	* bfd-in.h (PTR_ADD, NPTR_ADD): Avoid warnings when passing an
	expression.
	* bfd-in2.h: Regenerate.
2021-10-24 22:05:51 +10:30
Alan Modra
e028124942 asan: arm-darwin: buffer overflow
	PR 21813
	* mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Sanity
	check PAIR reloc in other branch of condition as was done for
	PR21813.  Formatting.  Delete debug printf.
2021-10-24 21:45:23 +10:30
Alan Modra
3f9661f12a asan: aout: heap buffer overflow
	* aoutx.h (aout_get_external_symbols): Sanity check before writing
	zero index entry.  Remove outdated comment.
	* pdp11.c (aout_get_external_symbols): Likewise.
2021-10-24 21:36:32 +10:30
liuzhensong
e214f8db56 LoongArch bfd support
2021-10-22  Chenghua Xu  <xuchenghua@loongson.cn>
	    Zhensong Liu  <liuzhensong@loongson.cn>
	    Weinan Liu  <liuweinan@loongson.cn>
bfd/
	* Makefile.am: Add LoongArch.
	* archures.c: Likewise.
	* config.bfd: Likewise.
	* configure.ac: Likewise.
	* cpu-loongarch.c: New.
	* elf-bfd.h: Add LoongArch.
	* elf.c: Add LoongArch elfcore_grok_xxx.
	* elfnn-loongarch.c: New.
	* elfxx-loongarch.c: New.
	* elfxx-loongarch.h: New.
	* reloc.c: Add LoongArch BFD RELOC ENUM.
	* targets.c: Add LoongArch target.
	* Makefile.in: Regenerate.
	* bfd-in2.h: Regenerate.
	* configure: Regenerate.
	* libbfd.h: Regenerate.
	* po/BLD-POTFILES.in: Regenerate.
	* po/SRC-POTFILES.in: Regenerate.

include/
	* elf/common.h: Add NT_LARCH_{CPUCFG,CSR,LSX,LASX}.
	* elf/loongarch.h: New.
2021-10-24 21:36:31 +10:30
GDB Administrator
e515d93264 Automatic date update in version.in 2021-10-24 00:00:16 +00:00
GDB Administrator
eaf4a97352 Automatic date update in version.in 2021-10-23 00:00:18 +00:00
Lewis Revill
9abcdc10b2 RISC-V: Don't separate pcgp relaxation to another relax pass.
Commit abd20cb637 and ebdcad3fdd introduced additional
complexity into the paths run by the RISC-V relaxation pass in order to
resolve the issue of accurately keeping track of pcrel_hi and pcrel_lo
pairs. The first commit split up relaxation of these relocs into a pass
which occurred after other relaxations in order to prevent the situation
where bytes were deleted in between a pcrel_lo/pcrel_hi pair, inhibiting
our ability to find the corresponding pcrel_hi relocation from the
address attached to the pcrel_lo.

Since the relaxation was split into two passes the 'again' parameter
could not be used to perform the entire relaxation process again and so
the second commit added a way to restart ldelf_map_segments, thus
starting the whole process again.

Unfortunately this process could not account for the fact that we were
not finished with the relaxation process so in some cases - such as the
case where code would not fit in a memory region before the
R_RISCV_ALIGN relocation was relaxed - sanity checks in generic code
would fail.

This patch fixes all three of these concerns by reverting back to a
system of having only one target relax pass but updating entries in the
table of pcrel_hi/pcrel_lo relocs every time any bytes are deleted. Thus
we can keep track of the pairs accurately, and we can use the 'again'
parameter to restart the entire target relax pass, behaving in the way
that generic code expects. Unfortunately we must still have an
additional pass to delay deleting AUIPC bytes to avoid ambiguity between
pcrel_hi relocs stored in the table after deletion. This pass can only
be run once so we may potentially miss out on relaxation opportunities
but this is likely to be rare.

https://sourceware.org/bugzilla/show_bug.cgi?id=28410

bfd/
	* elfnn-riscv.c (riscv_elf_link_hash_table): Removed restart_relax.
	(riscv_elf_link_hash_table_create): Updated.
	(riscv_relax_delete_bytes): Moved after the riscv_update_pcgp_relocs.
	Update the pcgp_relocs table whenever bytes are deleted.
	(riscv_update_pcgp_relocs): Add function to update the section
	offset of pcrel_hi and pcrel_lo, and also update the symbol value
	of pcrel_hi.
	(_bfd_riscv_relax_call): Need to update the pcgp_relocs table
	when deleting codes.
	(_bfd_riscv_relax_lui): Likewise.
	(_bfd_riscv_relax_tls_le): Likewise.
	(_bfd_riscv_relax_align): Once we've handled an R_RISCV_ALIGN,
	we can't relax anything else, so set the sec->sec_flg0 to true.
	Besides, we don't need to update the pcgp_relocs table at this
	stage, so just pass NULL pointer as the pcgp_relocs table for
	riscv_relax_delete_bytes.
	(_bfd_riscv_relax_section): Use only one pass for all target
	relaxations.
	(_bfd_riscv_relax_delete): Likewise, we don't need to update
	the pcgp_relocs table at this stage, and don't need to set
	the `again' since restart_relax mechanism is abandoned.
	(bfd_elfNN_riscv_restart_relax_sections): Removed.
	(_bfd_riscv_relax_section): Updated.
	* elfxx-riscv.h (bfd_elf32_riscv_restart_relax_sections): Removed.
	(bfd_elf64_riscv_restart_relax_sections): Likewise.
ld/
	* emultempl/riscvelf.em: Revert restart_relax changes and set
	relax_pass to 3.
	* testsuite/ld-riscv-elf/align-small-region.d: New testcase.
	* testsuite/ld-riscv-elf/align-small-region.ld: Likewise.
	* testsuite/ld-riscv-elf/align-small-region.s: Likewise.
	* testsuite/ld-riscv-elf/restart-relax.d: Removed since the
	restart_relax mechanism is abandoned.
	* testsuite/ld-riscv-elf/restart-relax.s: Likewise.
	* testsuite/ld-riscv-elf/ld-riscv-elf.exp: Updated.
2021-10-22 16:44:37 +08:00
GDB Administrator
46276d3ca2 Automatic date update in version.in 2021-10-22 00:00:17 +00:00
GDB Administrator
f4efb229b7 Automatic date update in version.in 2021-10-21 00:00:22 +00:00
GDB Administrator
e43321cab2 Automatic date update in version.in 2021-10-20 00:00:09 +00:00
Nick Clifton
cf487499e0 Fix a potential illegal memory access when testing for a special LTO symbol name.
bfd
	* linker.c (_bfd_generic_link_add_one_symbol): Test for a NULL
	name before checking to see if the symbol is __gnu_lto_slim.
	* archive.c (_bfd_compute_and_write_armap): Likewise.
binutils
	* nm.c (filter_symbols): Test for a NULL name before checking to
	see if the symbol is __gnu_lto_slim.
	* objcopy.c (filter_symbols): Likewise.
2021-10-19 16:02:49 +01:00
GDB Administrator
d4ef5e75c7 Automatic date update in version.in 2021-10-19 00:00:14 +00:00
GDB Administrator
19b9612448 Automatic date update in version.in 2021-10-18 00:00:08 +00:00
GDB Administrator
31629daee5 Automatic date update in version.in 2021-10-17 00:00:19 +00:00
GDB Administrator
8457023a80 Automatic date update in version.in 2021-10-16 00:00:15 +00:00
GDB Administrator
f9ebf60b6f Automatic date update in version.in 2021-10-15 00:00:12 +00:00
GDB Administrator
cdb6026064 Automatic date update in version.in 2021-10-14 00:00:12 +00:00
GDB Administrator
777b054cf9 Automatic date update in version.in 2021-10-13 00:00:06 +00:00
GDB Administrator
255a531196 Automatic date update in version.in 2021-10-12 00:00:15 +00:00
Michael Forney
b6fca8a3d5 bfd: Remove use of void pointer arithmetic
This is not valid in ISO C. Instead, use a pointer to bfd_byte.

	* peicode.h (pe_bfd_object_p): Remove use of void pointer
	arithmetic.
2021-10-11 19:13:41 +10:30
GDB Administrator
88b3223704 Automatic date update in version.in 2021-10-11 00:00:13 +00:00
GDB Administrator
902ad3d703 Automatic date update in version.in 2021-10-10 00:00:09 +00:00
Guillermo E. Martinez
0161bdd47c PR28415, invalid read in xtensa_read_table_entries
	PR 28415
	PR 28416
	* elf32-xtensa.c (xtensa_read_table_entries): Handle error
	return from retrieve_contents.
2021-10-09 14:02:07 +10:30
GDB Administrator
851a4f24d7 Automatic date update in version.in 2021-10-09 00:00:08 +00:00
GDB Administrator
fc6e66cd18 Automatic date update in version.in 2021-10-08 00:00:11 +00:00
Philipp Tomsich
9455c91957 RISC-V: Add support for Zbs instructions
This change adds the Zbs instructions from the Zbs 1.0.0 specification.
See
  https://github.com/riscv/riscv-bitmanip/releases/tag/1.0.0
for the frozen specification.

2021-01-09  Philipp Tomsich  <philipp.tomsich@vrull.eu>

    bfd/
	* elfxx-riscv.c (riscv_supported_std_z_ext): Added zbs.
    gas/
	* config/tc-riscv.c (riscv_multi_subset_supports): Handle INSN_CLASS_ZBS.
	* testsuite/gas/riscv/b-ext.d: Test Zbs instructions.
	* testsuite/gas/riscv/b-ext.s: Likewise.
	* testsuite/gas/riscv/b-ext-64.d: Likewise.
	* testsuite/gas/riscv/b-ext-64.s: Likewise.
    include/
	* opcode/riscv-opc.h: Added MASK/MATCH/DECLARE_INSN for Zbs.
	* opcode/riscv.h (riscv_insn_class): Added INSN_CLASS_ZBS.
    opcodes/
	* riscv-opc.c (riscv_supported_std_z_ext): Add zbs.

Signed-off-by: Philipp Tomsich <philipp.tomsich@vrull.eu>
2021-10-07 17:09:25 +08:00
Philipp Tomsich
586dcfc81e RISC-V: Update extension version for Zb[abc] to 1.0.0
2021-10-06  Philipp Tomsich  <philipp.tomsich@vrull.eu>

    bfd/
	* elfxx-riscv.c (riscv_supported_std_z_ext): Update the version
	number for zba, zbb and zbc to 1.0.0

Signed-off-by: Philipp Tomsich <philipp.tomsich@vrull.eu>

Version-changes: 3
- Updated version numbers for zba, zbb and zbc to 1.0.0
2021-10-07 17:09:21 +08:00
Alan Modra
6646834337 PR28423, use-after-free in objdump
XCOFF archives use a bi-directional linked list for file members.  So
one member points to both the previous member and the next member.
Members may not be sequentially ordered in the file.  This of course
is over-engineered nonsense and an attractive target for fuzzers.
(There is even a free list of members!)  The testcase in PR28423 is an
XCOFF archive with one member pointing to itself, which results in
lots of bad behaviour.  For example, "ar t" never terminates.

The use-after-free with "objdump -r" happens like this:  The first
archive element is opened, its symbols are read and "canonicalized"
for objdump, then relocations are read and printed.  Those relocations
use the canonicalized symbols, and also happen to be cached by the
coff bfd backend support.  objdump frees the symbols.  The next
archive element is then opened.  This must be done before the first
element is closed, because finding the next element uses data held in
the current element.  Unfortunately the next element happens to be the
original, so we aren't opening, we're reopening a bfd which has cached
data.  When the relocations are printed they use the cached copy
containing references to the freed canonical symbols.

This patch adds a little sanity checking to the XCOFF "open next
archive file" support, so that it rejects archive members pointing at
themselves.  That is sufficient to cure this problem.  Anything more
is overkill.  If someone deliberately fuzzes an XCOFF archive with an
element loop then reports an "ar" bug when it runs forever, they will
find their bug report closed WONTFIX.

	PR 28423
	* coff-rs6000.c (_bfd_xcoff_read_ar_hdr): Save size occupied
	by member name in areltdata.extra_size.
	(_bfd_xcoff_openr_next_archived_file): Sanity check nextoff.
	* coff64-rs6000.c (xcoff64_openr_next_archived_file): Call
	_bfd_xcoff_openr_next_archived_file.
2021-10-07 14:23:14 +10:30
Alan Modra
6d661cdc5b PR28422, build_id use-after-free
This fixes a bug in commit 5d9bbb73c1.  All fields preserved from a
bfd in struct bfd_preserve need to be cleared in bfd_reinit.

	PR 28422
	* format.c (bfd_reinit): Clear build_id.
2021-10-07 14:23:14 +10:30
Alan Modra
89e62f7454 Change ridiculous section size error
Rather than reporting "memory exhausted", report "file truncated".
You can hit this error on small fuzzed object files, or on files that
are actually truncated.  In either case sizes can be such that an out
of memory error is a little confusing.

	* compress.c (bfd_get_full_section_contents): Set
	bfd_error_file_truncated rather than bfd_error_no_memory when
	section size exceeds file size.
2021-10-07 14:23:14 +10:30
GDB Administrator
82f2f39d81 Automatic date update in version.in 2021-10-07 00:00:09 +00:00
Alan Modra
1992e26ec4 PR28420, ecoff fuzzing failures
	PR 28420
	* coff-mips.c (mips_adjust_reloc_in): Replace abort with error
	message and return.
	* ecoff.c (ecoff_slurp_reloc_table): Remove assertion and aborts,
	instead handle errors gracefully.
2021-10-06 18:00:00 +10:30