From: Xi Ruoyao
To: binutils@sourceware.org
Cc: liuzhensong , Lulu Cheng , Wang Xuerui , Chenghua Xu , Xi Ruoyao
Subject: [PATCH 1/2] LoongArch: Avoid heap-buffer-overflow in loongarch_elf_relocate_section
Date: Tue, 13 Sep 2022 23:44:13 +0800
Message-Id: <20220913154414.554861-2-xry111@xry111.site>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20220913154414.554861-1-xry111@xry111.site>
References: <20220913154414.554861-1-xry111@xry111.site>

If a and b are different sections, we cannot access something in b with "a->contents + (offset from a)" because "a->contents" and "b->contents" are heap buffers allocated separately, not slices of a large buffer.

The issue was found during an attempt to add static-pie support to the toolchain with ASAN.
---
 bfd/elfnn-loongarch.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/bfd/elfnn-loongarch.c b/bfd/elfnn-loongarch.c
index ed42b8b6770..4b408b1db72 100644
--- a/bfd/elfnn-loongarch.c
+++ b/bfd/elfnn-loongarch.c
@@ -3128,6 +3128,7 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info, unresolved_reloc = false; BFD_ASSERT (rel->r_addend == 0); + asection *my_got = got; bfd_vma got_off = 0; if (h != NULL) { 
@@ -3145,17 +3146,14 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info, { idx = (h->plt.offset - PLT_HEADER_SIZE) / PLT_ENTRY_SIZE; - got_off = sec_addr (htab->elf.sgotplt) - + GOTPLT_HEADER_SIZE - + (idx * GOT_ENTRY_SIZE) - - sec_addr (htab->elf.sgot); + my_got = htab->elf.sgotplt; + got_off = GOTPLT_HEADER_SIZE + idx * GOT_ENTRY_SIZE; } else { idx = h->plt.offset / PLT_ENTRY_SIZE; - got_off = sec_addr (htab->elf.sgotplt) - + (idx * GOT_ENTRY_SIZE) - - sec_addr (htab->elf.sgot); + my_got = htab->elf.sgotplt; + got_off = idx * GOT_ENTRY_SIZE; } } @@ -3172,7 +3170,7 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info, && SYMBOL_REFERENCES_LOCAL (info, h)) { Elf_Internal_Rela rela; - rela.r_offset = sec_addr (got) + got_off; + rela.r_offset = sec_addr (my_got) + got_off; rela.r_info = ELFNN_R_INFO (0, R_LARCH_RELATIVE); rela.r_addend = relocation; loongarch_elf_append_rela (output_bfd, @@ -3202,9 +3200,9 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info, } } - bfd_put_NN (output_bfd, relocation, got->contents + got_off); + bfd_put_NN (output_bfd, relocation, my_got->contents + got_off); - relocation = got_off + sec_addr (got); + relocation = got_off + sec_addr (my_got); } if (r_type == R_LARCH_GOT_PC_HI20) -- 2.37.0
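Review bot: the new `asection *my_got = got;` in the first hunk (@@ -3128) carries no comment explaining why a second section pointer is needed, and the name `my_got` does not say what it is. A one-line comment such as "/* Section that actually holds the GOT entry: .got, or .got.plt for symbols with a PLT entry.  got_off is relative to this section.  */" and a name like `got_sec` would make the invariant (got_off is always relative to my_got, never to sgot) visible to the next person touching this function.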
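Review bot: in the second hunk (@@ -3145) both branches of the if/else assign `my_got = htab->elf.sgotplt;`, so the assignment can be hoisted above the `if` and each branch left with only its `got_off` computation. More importantly, the fix relies on every later use of `got_off` in this function being paired with `my_got` rather than `got`; the three uses visible in the following hunks are converted, but please confirm there is no remaining `got->contents + got_off` or `sec_addr (got) + got_off` further down in loongarch_elf_relocate_section, since any such use would be the same out-of-bounds access the commit message describes.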
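Review bot: the third hunk (@@ -3172) is value-neutral: `sec_addr (my_got) + got_off` with my_got = sgotplt equals the old `sec_addr (got) + got_off`, where the old got_off had `sec_addr (htab->elf.sgotplt) - sec_addr (htab->elf.sgot)` folded in, so the r_offset of the emitted R_LARCH_RELATIVE relocation does not change. Stating that in the commit message (the dynamic relocations and the final relocation value are identical before and after; only the buffer written through changes) would make the patch easy to verify with a before/after comparison of the output's dynamic relocation table.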
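Review bot: the fourth hunk (@@ -3202) is the actual fix, since `bfd_put_NN (output_bfd, relocation, got->contents + got_off)` was the write past the end of .got's separately allocated contents buffer. To catch a regression without an ASAN build, consider guarding the write with a `BFD_ASSERT (got_off + GOT_ENTRY_SIZE <= my_got->size);` just before the `bfd_put_NN` call; it is cheap, uses only names already present in this function, and would have flagged the original bug at link time rather than as silent heap corruption.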