From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <liuzhensong@loongson.cn>
Received: from loongson.cn (mail.loongson.cn [114.242.206.163])
	by sourceware.org (Postfix) with ESMTP id 7BEC53858036
	for <binutils@sourceware.org>; Thu, 15 Sep 2022 01:47:53 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 7BEC53858036
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=loongson.cn
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=loongson.cn
Received: from [10.20.4.152] (unknown [10.20.4.152])
	by localhost.localdomain (Coremail) with SMTP id AQAAf8CxbWtEhCJjhaMZAA--.52437S3;
	Thu, 15 Sep 2022 09:47:48 +0800 (CST)
Subject: Re: [PATCH 1/2] LoongArch: Avoid heap-buffer-overflow in
 loongarch_elf_relocate_section
To: Xi Ruoyao <xry111@xry111.site>, binutils@sourceware.org
Cc: Chenghua Xu <xuchenghua@loongson.cn>, Lulu Cheng <chenglulu@loongson.cn>,
 Wang Xuerui <i@xen0n.name>
References: <20220913154414.554861-1-xry111@xry111.site>
 <20220913154414.554861-2-xry111@xry111.site>
 <b4d228b5-2742-a75f-432b-431feb815c14@loongson.cn>
 <a07e9df509c6171f004741fd4f9c943079585557.camel@xry111.site>
 <7f2c274b80fa79296005edaf52036745510a83fd.camel@xry111.site>
From: liuzhensong <liuzhensong@loongson.cn>
Message-ID: <6f3d0d05-c7a2-b4cf-2a3c-abb1f343ff86@loongson.cn>
Date: Thu, 15 Sep 2022 09:47:48 +0800
User-Agent: Mozilla/5.0 (X11; Linux mips64; rv:68.0) Gecko/20100101
 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <7f2c274b80fa79296005edaf52036745510a83fd.camel@xry111.site>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-CM-TRANSID:AQAAf8CxbWtEhCJjhaMZAA--.52437S3
X-Coremail-Antispam: 1UD129KBjvJXoW7Ar45Cr4kKrykJw1xXFW8JFb_yoW8uw15pr
	93u345KF1fAF1fWr9rt345Za1agw18Wr9Fg34ftw1FvwnxAr97Wa1fXFsruF40ya1xZrZF
	qFW0qa4UW3Z7A37anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
	9KBjDU0xBIdaVrnRJUUUvq14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
	rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
	1l84ACjcxK6xIIjxv20xvE14v26ryj6F1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26F4j
	6r4UJwA2z4x0Y4vEx4A2jsIE14v26r4UJVWxJr1l84ACjcxK6I8E87Iv6xkF7I0E14v26r
	4UJVWxJr1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2Wl
	Yx0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbV
	WUJVW8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc7I2V7IY0VAS07Al
	zVAYIcxG8wCY02Avz4vE-syl42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr
	1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE
	14v26r126r1DMIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7
	IYx2IY6xkF7I0E14v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI42IY6I8E
	87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I0E14v26r1j6r4UYxBIdaVFxhVjvjDU0x
	ZFpf9x0JUywZ7UUUUU=
X-CM-SenderInfo: holx6xphqv003j6o00pqjv00gofq/
X-Spam-Status: No, score=-13.5 required=5.0 tests=BAYES_00,GIT_PATCH_0,KAM_DMARC_STATUS,NICE_REPLY_A,SPF_HELO_PASS,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <binutils.sourceware.org>


在 2022/9/14 下午7:15, Xi Ruoyao 写道:
> On Wed, 2022-09-14 at 18:15 +0800, Xi Ruoyao via Binutils wrote:
>
>>> Shouldn't write to got table when using hidden ifunc.
>> Perhaps it's true, using RELA to resolve a GOT entry should not depend
>> on any "initial" value of the entry...
>
> How about this?  We don't need to write into the GOT if R_LARCH_RELATIVE
> or R_LARCH_IRELATIVE will be used:
 > "We don't need to write into the GOT if R_LARCH_RELATIVE or 
R_LARCH_IRELATIVE will be used:"

Not only this, you can refer to the implementation of the function 
_bfd_elf_allocate_ifunc_dyn_relocs for details.

>
> diff --git a/bfd/elfnn-loongarch.c b/bfd/elfnn-loongarch.c
> index a9bb66a1e04..1e8ecb2b8e2 100644
> --- a/bfd/elfnn-loongarch.c
> +++ b/bfd/elfnn-loongarch.c
> @@ -3129,6 +3129,7 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info,
>   	      BFD_ASSERT (rel->r_addend == 0);
>   
>   	      bfd_vma got_off = 0;
> +	      bool fill_got_entry = true;
>   	      if (h != NULL)
>   		{
>   		  /* GOT ref or ifunc.  */
> @@ -3141,6 +3142,10 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info,
>   		  if (h->got.offset == MINUS_ONE && h->type == STT_GNU_IFUNC)
>   		    {
>   		      bfd_vma idx;
> +
> +		      /* An IFUNC is always resolved at runtime.  */
> +		      fill_got_entry = false;
> +
>   		      if (htab->elf.splt != NULL)
>   			{
>   			  idx = (h->plt.offset - PLT_HEADER_SIZE)
> @@ -3177,6 +3182,7 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info,
>   			  rela.r_addend = relocation;
>   			  loongarch_elf_append_rela (output_bfd,
>   						     htab->elf.srelgot, &rela);
> +			  fill_got_entry = false;
>   			}
>   		      h->got.offset |= 1;
>   		    }
> @@ -3197,12 +3203,14 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info,
>   			  rela.r_addend = relocation;
>   			  loongarch_elf_append_rela (output_bfd,
>   						     htab->elf.srelgot, &rela);
> +			  fill_got_entry = false;
>   			}
>   		      local_got_offsets[r_symndx] |= 1;
>   		    }
>   		}
>   
> -	      bfd_put_NN (output_bfd, relocation, got->contents + got_off);
> +	      if (fill_got_entry)
> +		bfd_put_NN (output_bfd, relocation, got->contents + got_off);
>   
>   	      relocation = got_off + sec_addr (got);
>   	    }
>