public inbox for binutils@sourceware.org
* [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-06 16:50 Kai Tietz
From: Kai Tietz @ 2011-04-06 16:50 UTC (permalink / raw)
  To: Binutils; +Cc: Nick Clifton


Hello,

This issue was reported to me by H. Becker.  He found that the code in
peXXigen.c for pdata-section sorting might cause a buffer overrun
for large pdata data.  Working in a privately allocated buffer,
instead of using pfinfo->contents, avoids this.

ChangeLog

2011-04-06  Kai Tietz

        * peXXigen.c (_bfd_XXi_final_link_postscript): Sort pdata in temporary
        buffer.

Tested for x86_64-w64-mingw32. OK to apply?

Regards,
Kai

[-- Attachment #2: pdata_x64_sort.txt --]

Index: src/bfd/peXXigen.c
===================================================================
--- src.orig/bfd/peXXigen.c	2010-12-21 19:33:07.000000000 +0100
+++ src/bfd/peXXigen.c	2011-04-06 18:19:45.945394800 +0200
@@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab
     if (sec)
       {
 	bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size;
+	bfd_byte *tmp_data = NULL;
 
-	if (x && bfd_get_section_contents (abfd, sec, pfinfo->contents, 0, x))
+	if (x)
+	  tmp_data = bfd_malloc (x);
+
+	if (tmp_data != NULL)
 	  {
-	    qsort (pfinfo->contents,
-	    	   (size_t) ((sec->size <x ? sec->size : x) / 12),
-	    	   12, sort_x64_pdata);
-	    bfd_set_section_contents (pfinfo->output_bfd, sec,
-	    			      pfinfo->contents, 0, x);
+	    if (bfd_get_section_contents (abfd, sec, tmp_data, 0, x))
+	      {
+		qsort (tmp_data,
+		       (size_t) ((sec->size <x ? sec->size : x) / 12),
+		       12, sort_x64_pdata);
+		bfd_set_section_contents (pfinfo->output_bfd, sec,
+					  tmp_data, 0, x);
+	      }
+	    free (tmp_data);
 	  }
       }
   }
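Review bot: error handling on two paths in this hunk is silent. When `x` is non-zero but `bfd_malloc (x)` returns NULL the sort is skipped with no diagnostic, and the return value of `bfd_set_section_contents (pfinfo->output_bfd, sec, tmp_data, 0, x)` is still discarded, so an unsorted .pdata table can reach the output unnoticed; consider reporting both failures instead of falling through. The count expression `(size_t) ((sec->size <x ? sec->size : x) / 12)` was a guard against overrunning `pfinfo->contents`; now that the private buffer is exactly `x` bytes it can simply be `x / 12` (and the spacing in `sec->size <x` wants fixing either way).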


* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-06 21:55 ` h.becker
From: h.becker @ 2011-04-06 21:55 UTC (permalink / raw)
  To: Kai Tietz; +Cc: Binutils, Nick Clifton

The underlying problem is how the size of the buffer is calculated. Its
size is the maximum of the input sections. However, the sort is for the
pdata output section. Obviously there is no problem as long as there is
at least one input section big enough to hold the collected pdata.

I don't want to argue about the fix; what I have is similar to what is
suggested here. I just want to point out that another option is to fix the
calculation of the size for pfinfo->contents, or to save that size in
pinfo as well, so that the buffer can be made bigger whenever that is
necessary.

Hartmut

Kai Tietz wrote:
> Hello,
> 
> This issue was reported to me by H. Becker.  He found that the code in
> peXXigen.c for pdata-section sorting might cause a buffer overrun
> for large pdata data.  Working in a privately allocated buffer,
> instead of using pfinfo->contents, avoids this.
> 
> ChangeLog
> 
> 2011-04-06  Kai Tietz
> 
>         * peXXigen.c (_bfd_XXi_final_link_postscript): Sort pdata in temporary
>         buffer.
> 
> Tested for x86_64-w64-mingw32. OK to apply?
> 
> Regards,
> Kai
> 


* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-07  1:09 ` Alan Modra
From: Alan Modra @ 2011-04-07  1:09 UTC (permalink / raw)
  To: Kai Tietz; +Cc: Binutils, Nick Clifton

On Wed, Apr 06, 2011 at 06:50:15PM +0200, Kai Tietz wrote:
> Hello,
> 
> This issue was reported to me by H. Becker.  He found that the code in
> peXXigen.c for pdata-section sorting might cause a buffer overrun
> for large pdata data.  Working in a privately allocated buffer,
> instead of using pfinfo->contents, avoids this.
> 
> ChangeLog
> 
> 2011-04-06  Kai Tietz
> 
>         * peXXigen.c (_bfd_XXi_final_link_postscript): Sort pdata in temporary
>         buffer.
> 
> Tested for x86_64-w64-mingw32. OK to apply?
> 
> Regards,
> Kai

> Index: src/bfd/peXXigen.c
> ===================================================================
> --- src.orig/bfd/peXXigen.c	2010-12-21 19:33:07.000000000 +0100
> +++ src/bfd/peXXigen.c	2011-04-06 18:19:45.945394800 +0200
> @@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab
>      if (sec)
>        {
>  	bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size;

Since this is an output section, this should just be sec->size I
think.  See section.c rawsize comment.

> +	bfd_byte *tmp_data = NULL;
>  
> -	if (x && bfd_get_section_contents (abfd, sec, pfinfo->contents, 0, x))
> +	if (x)
> +	  tmp_data = bfd_malloc (x);
> +
> +	if (tmp_data != NULL)
>  	  {
> -	    qsort (pfinfo->contents,
> -	    	   (size_t) ((sec->size <x ? sec->size : x) / 12),
> -	    	   12, sort_x64_pdata);
> -	    bfd_set_section_contents (pfinfo->output_bfd, sec,
> -	    			      pfinfo->contents, 0, x);
> +	    if (bfd_get_section_contents (abfd, sec, tmp_data, 0, x))
> +	      {
> +		qsort (tmp_data,
> +		       (size_t) ((sec->size <x ? sec->size : x) / 12),

Likewise here.  OK with those changes.

> +		       12, sort_x64_pdata);
> +		bfd_set_section_contents (pfinfo->output_bfd, sec,
> +					  tmp_data, 0, x);
> +	      }
> +	    free (tmp_data);
>  	  }
>        }
>    }


-- 
Alan Modra
Australia Development Lab, IBM


* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-07  5:55   ` Kai Tietz
From: Kai Tietz @ 2011-04-07  5:55 UTC (permalink / raw)
  To: Kai Tietz, Binutils, Nick Clifton; +Cc: Alan Modra

2011/4/7 Alan Modra <amodra@gmail.com>:
> On Wed, Apr 06, 2011 at 06:50:15PM +0200, Kai Tietz wrote:
>> Hello,
>>
>> This issue was reported to me by H. Becker.  He found that the code in
>> peXXigen.c for pdata-section sorting might cause a buffer overrun
>> for large pdata data.  Working in a privately allocated buffer,
>> instead of using pfinfo->contents, avoids this.
>>
>> ChangeLog
>>
>> 2011-04-06  Kai Tietz
>>
>>         * peXXigen.c (_bfd_XXi_final_link_postscript): Sort pdata in temporary
>>         buffer.
>>
>> Tested for x86_64-w64-mingw32. OK to apply?
>>
>> Regards,
>> Kai
>
>> Index: src/bfd/peXXigen.c
>> ===================================================================
>> --- src.orig/bfd/peXXigen.c   2010-12-21 19:33:07.000000000 +0100
>> +++ src/bfd/peXXigen.c        2011-04-06 18:19:45.945394800 +0200
>> @@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab
>>      if (sec)
>>        {
>>       bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size;
>
> Since this is an output section, this should just be sec->size I
> think.  See section.c rawsize comment.

Well, the reason for using raw_size here (I will look into section.c to
read the comment there) was that we need to sort without alignment. As
it is an output section, its size might already be padded with
alignment fill, which shouldn't be sorted.  But you might be right
here that size is suitable.

Kai


* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-07  6:15     ` Kai Tietz
From: Kai Tietz @ 2011-04-07  6:15 UTC (permalink / raw)
  To: Kai Tietz, Binutils, Nick Clifton; +Cc: Alan Modra

2011/4/7 Kai Tietz <ktietz70@googlemail.com>:
> 2011/4/7 Alan Modra <amodra@gmail.com>:
>> On Wed, Apr 06, 2011 at 06:50:15PM +0200, Kai Tietz wrote:
>>> Hello,
>>>
>>> This issue was reported to me by H. Becker.  He found that the code in
>>> peXXigen.c for pdata-section sorting might cause a buffer overrun
>>> for large pdata data.  Working in a privately allocated buffer,
>>> instead of using pfinfo->contents, avoids this.
>>>
>>> ChangeLog
>>>
>>> 2011-04-06  Kai Tietz
>>>
>>>         * peXXigen.c (_bfd_XXi_final_link_postscript): Sort pdata in temporary
>>>         buffer.
>>>
>>> Tested for x86_64-w64-mingw32. OK to apply?
>>>
>>> Regards,
>>> Kai
>>
>>> Index: src/bfd/peXXigen.c
>>> ===================================================================
>>> --- src.orig/bfd/peXXigen.c   2010-12-21 19:33:07.000000000 +0100
>>> +++ src/bfd/peXXigen.c        2011-04-06 18:19:45.945394800 +0200
>>> @@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab
>>>      if (sec)
>>>        {
>>>       bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size;
>>
>> Since this is an output section, this should just be sec->size I
>> think.  See section.c rawsize comment.
>
> Well, the reason for using raw_size here (I will look into section.c to
> read the comment there) was that we need to sort without alignment. As
> it is an output section, its size might already be padded with
> alignment fill, which shouldn't be sorted.  But you might be right
> here that size is suitable.

Hmm, not sure. I think it makes sense to check for raw_size here. In
section.c the member size has the following documentation: "The size
of the section in octets, as it will be output. Contains a value even
if the section has no contents (e.g., the size of <<.bss>>)."
And the rawsize member has for output sections the following
definition: "For output sections, rawsize holds the section size
calculated on a previous linker relaxation pass.", which seems to be
the thing we need. It might be a way to allocate the section's size, but
then sort only in the range of rawsize; but I am not sure if this is necessary,
as on output the section alignment gets applied again, doesn't it?

Kai


* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-07  8:52       ` Alan Modra
From: Alan Modra @ 2011-04-07  8:52 UTC (permalink / raw)
  To: Kai Tietz; +Cc: Binutils, Nick Clifton

On Thu, Apr 07, 2011 at 08:15:42AM +0200, Kai Tietz wrote:
> Hmm, not sure.

Well, I'm 99% sure. :-)  rawsize on an output section, if non-zero, is
just a stale size at bfd_final_link.

Hmm.  Which means bfd_get_section_contents is wrong to look at rawsize
on output sections.  Seems I have some bugs to fix.

-- 
Alan Modra
Australia Development Lab, IBM


* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-07 14:31         ` Kai Tietz
From: Kai Tietz @ 2011-04-07 14:31 UTC (permalink / raw)
  To: Kai Tietz, Binutils, Nick Clifton; +Cc: Alan Modra

2011/4/7 Alan Modra <amodra@gmail.com>:
> On Thu, Apr 07, 2011 at 08:15:42AM +0200, Kai Tietz wrote:
>> Hmm, not sure.
>
> Well, I'm 99% sure. :-)  rawsize on an output section, if non-zero, is
> just a stale size at bfd_final_link.

So this 1% hits. I changed it locally to use just sec->size here and
found that the pdata section doesn't get sorted properly anymore (you can
verify this with objdump -x, which prints warnings about the data not
being in ascending order).

So I strictly want to stick to my posted patch here, as the other
introduces a regression.

Regards,
Kai


* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-09  4:40           ` Alan Modra
From: Alan Modra @ 2011-04-09  4:40 UTC (permalink / raw)
  To: Kai Tietz; +Cc: Binutils, Nick Clifton

On Thu, Apr 07, 2011 at 04:31:45PM +0200, Kai Tietz wrote:
> 2011/4/7 Alan Modra <amodra@gmail.com>:
> > On Thu, Apr 07, 2011 at 08:15:42AM +0200, Kai Tietz wrote:
> >> Hmm, not sure.
> >
> > Well, I'm 99% sure. :-)  rawsize on an output section, if non-zero, is
> > just a stale size at bfd_final_link.
> 
> So this 1% hits. I changed it locally to use just sec->size here and
> found that the pdata section doesn't get sorted properly anymore (you can
> verify this with objdump -x, which prints warnings about the data not
> being in ascending order).

Ah, what I missed seeing is that coff_compute_section_file_positions
is bumping the section size here:

#ifdef COFF_IMAGE_WITH_PE
      /* Set the padded size.  */
      current->size = (current->size + page_size -1) & -page_size;
#endif

Obviously, you do want the size of data before this padding is added,
but it's only a fluke that rawsize happens to be set correctly.  (You
get it from the lang_reset_memory_regions call during preliminary
section sizing in ldlang.c:strip_excluded_output_sections.)  That
seems a little unreliable to me.  I'd be happier if in
coff_compute_section_file_positions you always set rawsize in the loop
that is padding section size (do it before any block of code that
changes section size!).  Then just use sec->rawsize in your peXXigen.c
patch.  I'll preapprove those changes.

-- 
Alan Modra
Australia Development Lab, IBM
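The two sizing mistakes discussed in this thread (Hartmut's buffer sized from the largest input section, and the page-padded output size Alan describes here) in one stand-alone C model, added as an illustration and not code from this thread or from binutils; struct out_section, the 4096-byte page, the input sizes and the entry addresses are all constructed stand-ins.

```c
/* Stand-alone model of the two .pdata sizing mistakes discussed in this
   thread (illustration only, not binutils code).  struct out_section is a
   simplified stand-in for asection; all sizes and addresses are constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PDATA_ENTRY_SIZE 12   /* x64 .pdata entry: begin, end, unwind-info RVA */
#define FILE_PAGE_SIZE 4096   /* stand-in for coff_compute_section_file_positions' page_size */

struct out_section {
  size_t rawsize;            /* bytes of real .pdata before page padding */
  size_t size;               /* page-padded size, as written to the image */
  unsigned char *contents;
};

/* Problem 1 (Hartmut): a buffer sized for the largest *input* section is too
   small for the concatenated *output* section.  Returns how many bytes a sort
   of the output section writes past such a buffer (0 = safe).  */
size_t buffer_shortfall(const size_t *input_sizes, size_t n_inputs)
{
  size_t largest = 0, total = 0;
  for (size_t i = 0; i < n_inputs; i++) {
    total += input_sizes[i];
    if (input_sizes[i] > largest) largest = input_sizes[i];
  }
  return total - largest;
}

/* Constructed inputs of 1200, 3600 and 2400 bytes: output is 7200 bytes, so a
   3600-byte buffer overflows by 3600.  */
size_t demo_shortfall(void)
{
  const size_t inputs[] = { 1200, 3600, 2400 };
  return buffer_shortfall(inputs, 3);
}

/* qsort comparator on the first dword (BeginAddress), like sort_x64_pdata. */
static int cmp_begin(const void *a, const void *b)
{
  uint32_t x, y;
  memcpy(&x, a, 4); memcpy(&y, b, 4);
  return (x > y) - (x < y);
}

/* Build a page-padded output section; entry i is (begin[i], begin[i]+0x10,
   0x5000+8*i).  calloc's zero fill models the alignment padding.  */
static int build_section(struct out_section *sec, const uint32_t *begin, size_t n)
{
  sec->rawsize = n * PDATA_ENTRY_SIZE;
  sec->size = (sec->rawsize + FILE_PAGE_SIZE - 1) & ~(size_t)(FILE_PAGE_SIZE - 1);
  if ((sec->contents = calloc(sec->size, 1)) == NULL)
    return 0;
  for (size_t i = 0; i < n; i++) {
    uint32_t e[3] = { begin[i], begin[i] + 0x10, 0x5000 + 8 * (uint32_t)i };
    memcpy(sec->contents + i * PDATA_ENTRY_SIZE, e, PDATA_ENTRY_SIZE);
  }
  return 1;
}

/* Problem 2 (Alan): sort `nbytes` of the section in a private buffer, as the
   patch does, and return the BeginAddress of the first entry afterwards.
   Sorting the padded `size` drags all-zero padding entries in front of the
   real ones; sorting `rawsize` sorts only real entries.  Returns 0 on error. */
uint32_t first_begin_after_sort(const struct out_section *sec, size_t nbytes)
{
  uint32_t first = 0;
  unsigned char *tmp = malloc(nbytes);
  if (tmp == NULL || nbytes < PDATA_ENTRY_SIZE) { free(tmp); return 0; }
  memcpy(tmp, sec->contents, nbytes);
  qsort(tmp, nbytes / PDATA_ENTRY_SIZE, PDATA_ENTRY_SIZE, cmp_begin);
  memcpy(&first, tmp, 4);
  free(tmp);
  return first;
}

/* Constructed scenario: four unsorted entries (48 bytes raw, 4096 padded).
   Sorting the padded size yields 0 as first entry; sorting rawsize yields 0x1000. */
uint32_t demo_first_begin(int use_rawsize)
{
  const uint32_t begin[] = { 0x3000, 0x1000, 0x2000, 0x4000 };
  struct out_section sec;
  if (!build_section(&sec, begin, 4))
    return 0xffffffffu;
  uint32_t first = first_begin_after_sort(&sec, use_rawsize ? sec.rawsize : sec.size);
  free(sec.contents);
  return first;
}
```

Call demo_shortfall() and demo_first_begin(0) / demo_first_begin(1) from a main to see the overflow distance and the first table entry for each sort size.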


* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-09  9:50             ` Kai Tietz
From: Kai Tietz @ 2011-04-09  9:50 UTC (permalink / raw)
  To: Kai Tietz, Binutils, Nick Clifton; +Cc: Alan Modra


2011/4/9 Alan Modra <amodra@gmail.com>:
> On Thu, Apr 07, 2011 at 04:31:45PM +0200, Kai Tietz wrote:
>> 2011/4/7 Alan Modra <amodra@gmail.com>:
>> > On Thu, Apr 07, 2011 at 08:15:42AM +0200, Kai Tietz wrote:
>> >> Hmm, not sure.
>> >
>> > Well, I'm 99% sure. :-)  rawsize on an output section, if non-zero, is
>> > just a stale size at bfd_final_link.
>>
>> So this 1% hits. I changed it locally to use just sec->size here and
>> found that the pdata section doesn't get sorted properly anymore (you can
>> verify this with objdump -x, which prints warnings about the data not
>> being in ascending order).
>
> Ah, what I missed seeing is that coff_compute_section_file_positions
> is bumping the section size here:
>
> #ifdef COFF_IMAGE_WITH_PE
>      /* Set the padded size.  */
>      current->size = (current->size + page_size -1) & -page_size;
> #endif
>
> Obviously, you do want the size of data before this padding is added,
> but it's only a fluke that rawsize happens to be set correctly.  (You
> get it from the lang_reset_memory_regions call during preliminary
> section sizing in ldlang.c:strip_excluded_output_sections.)  That
> seems a little unreliable to me.  I'd be happier if in
> coff_compute_section_file_positions you always set rawsize in the loop
> that is padding section size (do it before any block of code that
> changes section size!).  Then just use sec->rawsize in your peXXigen.c
> patch.  I'll preapprove those changes.
>
> --
> Alan Modra
> Australia Development Lab, IBM
>

OK, AFAICS it is enough to set rawsize at one place here.  Just for
the bss section we don't want to set rawsize.

ChangeLog

2011-04-09  Kai Tietz

       * peXXigen.c (_bfd_XXi_final_link_postscript): Sort pdata in temporary
       buffer and use rawsize for sorting.
       * coffcode.h (coff_compute_section_file_positions): Set rawsize
       before doing alignment.

Tested for x86_64-w64-mingw32. OK to apply?

Regards,
Kai

[-- Attachment #2: pdata_x64_sort.txt --]

Index: src/bfd/peXXigen.c
===================================================================
--- src.orig/bfd/peXXigen.c	2011-04-08 21:08:20.230411500 +0200
+++ src/bfd/peXXigen.c	2011-04-09 11:46:00.611507900 +0200
@@ -2458,15 +2458,23 @@ _bfd_XXi_final_link_postscript (bfd * ab
 
     if (sec)
       {
-	bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size;
+	bfd_size_type x = sec->rawsize;
+	bfd_byte *tmp_data = NULL;
 
-	if (x && bfd_get_section_contents (abfd, sec, pfinfo->contents, 0, x))
+	if (x)
+	  tmp_data = bfd_malloc (x);
+
+	if (tmp_data != NULL)
 	  {
-	    qsort (pfinfo->contents,
-	    	   (size_t) ((sec->size <x ? sec->size : x) / 12),
-	    	   12, sort_x64_pdata);
-	    bfd_set_section_contents (pfinfo->output_bfd, sec,
-	    			      pfinfo->contents, 0, x);
+	    if (bfd_get_section_contents (abfd, sec, tmp_data, 0, x))
+	      {
+		qsort (tmp_data,
+		       (size_t) (x / 12),
+		       12, sort_x64_pdata);
+		bfd_set_section_contents (pfinfo->output_bfd, sec,
+					  tmp_data, 0, x);
+	      }
+	    free (tmp_data);
 	  }
       }
   }
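Review bot: `bfd_size_type x = sec->rawsize;` ties this sort to the coffcode.h change in the same patch: if `rawsize` is still 0 for a non-empty output .pdata (because `coff_compute_section_file_positions` did not reach it, or the section was skipped by the `SEC_HAS_CONTENTS` test there), the `if (x)` guard silently skips sorting and the table is written out unsorted. A comment here stating that `rawsize` is the pre-padding size set by `coff_compute_section_file_positions`, plus a diagnostic when `sec->rawsize == 0 && sec->size != 0`, would make that coupling visible. The unchecked `bfd_malloc` failure and the ignored `bfd_set_section_contents` return value from the first version of the patch remain.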
Index: src/bfd/coffcode.h
===================================================================
--- src.orig/bfd/coffcode.h	2011-04-09 10:29:19.000000000 +0200
+++ src/bfd/coffcode.h	2011-04-09 11:46:45.938100500 +0200
@@ -3297,6 +3297,11 @@ coff_compute_section_file_positions (bfd
       if (!(current->flags & SEC_HAS_CONTENTS))
 	continue;
 
+      /* Set rawsize for each section before we are doing alignment.  But
+         don't set rawsize for BSS section.  */
+      if (strcmp (current->name, _BSS) != 0)
+        current->rawsize = current->size;
+
 #ifdef COFF_IMAGE_WITH_PE
       /* Make sure we skip empty sections in a PE image.  */
       if (current->size == 0)
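Review bot: the `strcmp (current->name, _BSS) != 0` guard is redundant with the `if (!(current->flags & SEC_HAS_CONTENTS)) continue;` two lines above, which already skips .bss (and every other section without contents); its only effect is to leave `rawsize` stale on a section that is named .bss but does have contents. Set `current->rawsize = current->size;` unconditionally at this point, which is also what the rest of the thread settles on.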
@@ -3363,7 +3368,7 @@ coff_compute_section_file_positions (bfd
 
 #ifdef COFF_IMAGE_WITH_PE
       /* Set the padded size.  */
-      current->size = (current->size + page_size -1) & -page_size;
+      current->size = (current->size + page_size - 1) & -page_size;
 #endif
 
       sofar += current->size;
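Review bot: the ChangeLog entry does not mention this whitespace-only change (`page_size -1` to `page_size - 1`); either list it there or keep it out of the bug-fix patch.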


* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
@ 2011-04-09 16:07                     ` Kai Tietz
From: Kai Tietz @ 2011-04-09 16:07 UTC (permalink / raw)
  To: Alan Modra, Binutils

2011/4/9 Alan Modra <amodra@gmail.com>:
> On Sat, Apr 09, 2011 at 03:17:31PM +0200, Kai Tietz wrote:
>> 2011/4/9 Alan Modra <amodra@gmail.com>:
>> > On Sat, Apr 09, 2011 at 11:50:45AM +0200, Kai Tietz wrote:
>> >> OK, AFAICS it is enough to set rawsize at one place here.
>> >
>> > Yes.
>> >
>> >> Just for the bss section we don't want to set rawsize.
>> >
>> > Why is that?
>> >
>> >> --- src.orig/bfd/coffcode.h   2011-04-09 10:29:19.000000000 +0200
>> >> +++ src/bfd/coffcode.h        2011-04-09 11:46:45.938100500 +0200
>> >> @@ -3297,6 +3297,11 @@ coff_compute_section_file_positions (bfd
>> >>        if (!(current->flags & SEC_HAS_CONTENTS))
>> >>       continue;
>> >
>> > Won't the above test exclude .bss anyway?
>>
>> Hmm, this might be bogus. I've tested it without this check and it
>> seems to work still. So I can remove this check. OK then to apply?
>
> Yes, OK.
>
> --
> Alan Modra
> Australia Development Lab, IBM
>


OK, applied.

Thanks,
Kai


* rawsize and output sections
@ 2011-04-11  4:08         ` Alan Modra
From: Alan Modra @ 2011-04-11  4:08 UTC (permalink / raw)
  To: binutils

On Thu, Apr 07, 2011 at 06:22:38PM +0930, Alan Modra wrote:
> rawsize on an output section, if non-zero, is
> just a stale size at bfd_final_link.
> 
> Hmm.  Which means bfd_get_section_contents is wrong to look at rawsize
> on output sections.  Seems I have some bugs to fix.

Committed.

	* bfd-in.h (bfd_get_section_limit): Don't use rawsize with output
	sections.
	* libbfd.c (_bfd_generic_get_section_contents): Likewise.
	(_bfd_generic_get_section_contents_in_window): Likewise.
	* section.c (bfd_get_section_contents): Likewise.
	* compress.c (bfd_get_full_section_contents): Likewise.
	* elf32-rx.c (rx_final_link): Ignore rawsize.
	* elf32-microblaze.c (microblaze_elf_relocate_section): Use correct
	bfd with bfd_get_section_limit.
	* elfxx-ia64.c (elfNN_ia64_choose_gp): Add "final" parameter.  Use
	os->size during final link.  Update callers.
	* bfd-in2.h: Regenerate.

Index: bfd/bfd-in.h
===================================================================
RCS file: /cvs/src/src/bfd/bfd-in.h,v
retrieving revision 1.152
diff -u -p -r1.152 bfd-in.h
--- bfd/bfd-in.h	8 Nov 2010 02:48:54 -0000	1.152
+++ bfd/bfd-in.h	10 Apr 2011 07:00:24 -0000
@@ -291,8 +291,8 @@ typedef struct bfd_section *sec_ptr;
 #define bfd_set_section_userdata(bfd, ptr, val) (((ptr)->userdata = (val)),TRUE)
 /* Find the address one past the end of SEC.  */
 #define bfd_get_section_limit(bfd, sec) \
-  (((sec)->rawsize ? (sec)->rawsize : (sec)->size) \
-   / bfd_octets_per_byte (bfd))
+  (((bfd)->direction != write_direction && (sec)->rawsize != 0	\
+    ? (sec)->rawsize : (sec)->size) / bfd_octets_per_byte (bfd))
 
 /* Return TRUE if input section SEC has been discarded.  */
 #define elf_discarded_section(sec)				\
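Review bot: the selection `(bfd)->direction != write_direction && (sec)->rawsize != 0 ? (sec)->rawsize : (sec)->size` is repeated verbatim in compress.c, twice in libbfd.c and in section.c within this same patch; one small helper (a hypothetical `bfd_section_size_for_read (abfd, sec)`) used by this macro and all four functions would keep the rule in one place so the copies cannot drift. Note also that the macro now expands `bfd` twice (once in the new test, once in `bfd_octets_per_byte (bfd)`), so it must not be invoked with an argument that has side effects.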
Index: bfd/compress.c
===================================================================
RCS file: /cvs/src/src/bfd/compress.c,v
retrieving revision 1.8
diff -u -p -r1.8 compress.c
--- bfd/compress.c	6 Mar 2011 18:37:07 -0000	1.8
+++ bfd/compress.c	10 Apr 2011 07:00:29 -0000
@@ -158,7 +158,7 @@ DESCRIPTION
 bfd_boolean
 bfd_get_full_section_contents (bfd *abfd, sec_ptr sec, bfd_byte **ptr)
 {
-  bfd_size_type sz = sec->rawsize ? sec->rawsize : sec->size;
+  bfd_size_type sz;
   bfd_byte *p = *ptr;
 #ifdef HAVE_ZLIB_H
   bfd_boolean ret;
@@ -169,6 +169,10 @@ bfd_get_full_section_contents (bfd *abfd
   bfd_byte *uncompressed_buffer;
 #endif
 
+  if (abfd->direction != write_direction && sec->rawsize != 0)
+    sz = sec->rawsize;
+  else
+    sz = sec->size;
   if (sz == 0)
     return TRUE;
 
Index: bfd/elf32-rx.c
===================================================================
RCS file: /cvs/src/src/bfd/elf32-rx.c,v
retrieving revision 1.8
diff -u -p -r1.8 elf32-rx.c
--- bfd/elf32-rx.c	18 Jan 2011 14:13:43 -0000	1.8
+++ bfd/elf32-rx.c	10 Apr 2011 07:00:42 -0000
@@ -3305,13 +3305,12 @@ rx_final_link (bfd * abfd, struct bfd_li
 #endif
       if (o->flags & SEC_CODE
 	  && bfd_big_endian (abfd)
-	  && (o->size % 4 || o->rawsize % 4))
+	  && o->size % 4)
 	{
 #ifdef DJDEBUG
 	  fprintf (stderr, "adjusting...\n");
 #endif
 	  o->size += 4 - (o->size % 4);
-	  o->rawsize += 4 - (o->rawsize % 4);
 	}
     }
 
Index: bfd/elf32-microblaze.c
===================================================================
RCS file: /cvs/src/src/bfd/elf32-microblaze.c,v
retrieving revision 1.9
diff -u -p -r1.9 elf32-microblaze.c
--- bfd/elf32-microblaze.c	4 Oct 2010 14:13:09 -0000	1.9
+++ bfd/elf32-microblaze.c	11 Apr 2011 00:16:47 -0000
@@ -824,7 +824,7 @@ microblaze_elf_relocate_section (bfd *ou
 	    }
 
 	  /* Sanity check the address.  */
-	  if (offset > bfd_get_section_limit (output_bfd, input_section))
+	  if (offset > bfd_get_section_limit (input_bfd, input_section))
 	    {
 	      r = bfd_reloc_outofrange;
 	      goto check_reloc;
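Review bot: with the new `bfd_get_section_limit` definition the bfd argument decides whether `rawsize` is consulted at all, so the old call with `output_bfd` (a write-direction bfd) for `input_section` would now silently have taken `size` rather than `rawsize` as the limit and changed the result of this sanity check for relaxed input sections; worth stating in the ChangeLog that this is a required companion to the bfd-in.h change rather than a cosmetic correction.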
Index: bfd/elfxx-ia64.c
===================================================================
RCS file: /cvs/src/src/bfd/elfxx-ia64.c,v
retrieving revision 1.231
diff -u -p -r1.231 elfxx-ia64.c
--- bfd/elfxx-ia64.c	1 Apr 2011 08:38:55 -0000	1.231
+++ bfd/elfxx-ia64.c	11 Apr 2011 02:42:11 -0000
@@ -215,7 +215,7 @@ static bfd_boolean elfNN_ia64_dynamic_sy
 static bfd_reloc_status_type elfNN_ia64_install_value
   (bfd_byte *hit_addr, bfd_vma val, unsigned int r_type);
 static bfd_boolean elfNN_ia64_choose_gp
-  (bfd *abfd, struct bfd_link_info *info);
+  (bfd *abfd, struct bfd_link_info *info, bfd_boolean final);
 static void elfNN_ia64_relax_ldxmov
   (bfd_byte *contents, bfd_vma off);
 static void elfNN_ia64_dyn_sym_traverse
@@ -1221,7 +1221,7 @@ elfNN_ia64_relax_section (bfd *abfd, ase
 	      gp = _bfd_get_gp_value (obfd);
 	      if (gp == 0)
 		{
-		  if (!elfNN_ia64_choose_gp (obfd, link_info))
+		  if (!elfNN_ia64_choose_gp (obfd, link_info, FALSE))
 		    goto error_return;
 		  gp = _bfd_get_gp_value (obfd);
 		}
@@ -4298,7 +4298,7 @@ elfNN_ia64_unwind_entry_compare (const P
 
 /* Make sure we've got ourselves a nice fat __gp value.  */
 static bfd_boolean
-elfNN_ia64_choose_gp (bfd *abfd, struct bfd_link_info *info)
+elfNN_ia64_choose_gp (bfd *abfd, struct bfd_link_info *info, bfd_boolean final)
 {
   bfd_vma min_vma = (bfd_vma) -1, max_vma = 0;
   bfd_vma min_short_vma = min_vma, max_short_vma = 0;
@@ -4321,7 +4321,12 @@ elfNN_ia64_choose_gp (bfd *abfd, struct 
 	continue;
 
       lo = os->vma;
-      hi = os->vma + (os->rawsize ? os->rawsize : os->size);
+      /* When this function is called from elfNN_ia64_final_link
+	 the correct value to use is os->size.  When called from
+	 elfNN_ia64_relax_section we are in the middle of section
+	 sizing; some sections will already have os->size set, others
+	 will have os->size zero and os->rawsize the previous size.  */
+      hi = os->vma + (!final && os->rawsize ? os->rawsize : os->size);
       if (hi < lo)
 	hi = (bfd_vma) -1;
 
@@ -4462,7 +4467,7 @@ elfNN_ia64_final_link (bfd *abfd, struct
       /* We assume after gp is set, section size will only decrease. We
 	 need to adjust gp for it.  */
       _bfd_set_gp_value (abfd, 0);
-      if (! elfNN_ia64_choose_gp (abfd, info))
+      if (! elfNN_ia64_choose_gp (abfd, info, TRUE))
 	return FALSE;
       gp_val = _bfd_get_gp_value (abfd);
 
Index: bfd/libbfd.c
===================================================================
RCS file: /cvs/src/src/bfd/libbfd.c,v
retrieving revision 1.54
diff -u -p -r1.54 libbfd.c
--- bfd/libbfd.c	14 Jan 2011 12:35:55 -0000	1.54
+++ bfd/libbfd.c	10 Apr 2011 07:00:55 -0000
@@ -866,7 +866,15 @@ _bfd_generic_get_section_contents (bfd *
       return FALSE;
     }
 
-  sz = section->rawsize ? section->rawsize : section->size;
+  /* We do allow reading of a section after bfd_final_link has
+     written the contents out to disk.  In that situation, rawsize is
+     just a stale version of size, so ignore it.  Otherwise we must be
+     reading an input section, where rawsize, if different to size,
+     is the on-disk size.  */
+  if (abfd->direction != write_direction && section->rawsize != 0)
+    sz = section->rawsize;
+  else
+    sz = section->size;
   if (offset + count < count
       || offset + count > sz)
     {
@@ -919,7 +927,10 @@ _bfd_generic_get_section_contents_in_win
       w->data = w->i->data;
       return bfd_get_section_contents (abfd, section, w->data, offset, count);
     }
-  sz = section->rawsize ? section->rawsize : section->size;
+  if (abfd->direction != write_direction && section->rawsize != 0)
+    sz = section->rawsize;
+  else
+    sz = section->size;
   if (offset + count > sz
       || ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
 				TRUE))
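Review bot: `_bfd_generic_get_section_contents_in_window` gains the same direction/rawsize selection as `_bfd_generic_get_section_contents` in the previous hunk, but without that function's explanatory comment; reference it or share a helper so the two copies stay in step. Separately, the check that follows, `offset + count > sz`, lacks the `offset + count < count` overflow guard that the non-window variant has; since `sz` is now chosen by the same rule in both, the range check deserves the same wraparound protection.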
Index: bfd/section.c
===================================================================
RCS file: /cvs/src/src/bfd/section.c,v
retrieving revision 1.108
diff -u -p -r1.108 section.c
--- bfd/section.c	8 Nov 2010 02:48:54 -0000	1.108
+++ bfd/section.c	10 Apr 2011 07:00:56 -0000
@@ -1456,7 +1456,10 @@ bfd_get_section_contents (bfd *abfd,
       return TRUE;
     }
 
-  sz = section->rawsize ? section->rawsize : section->size;
+  if (abfd->direction != write_direction && section->rawsize != 0)
+    sz = section->rawsize;
+  else
+    sz = section->size;
   if ((bfd_size_type) offset > sz
       || count > sz
       || offset + count > sz

-- 
Alan Modra
Australia Development Lab, IBM

