* [patch bfd]: Prevent possible buffer overflow on pdata-section sorting @ 2011-04-06 16:50 Kai Tietz 2011-04-06 21:55 ` h.becker 2011-04-07 1:09 ` Alan Modra 0 siblings, 2 replies; 11+ messages in thread From: Kai Tietz @ 2011-04-06 16:50 UTC (permalink / raw) To: Binutils; +Cc: Nick Clifton [-- Attachment #1: Type: text/plain, Size: 455 bytes --] Hello, this issue was reported by H. Becker to me. He found that the code in peXXigen.c about pdata-section sorting might cause a buffer-overrun for large pdata-data. By working in private allocated buffer - instead of using the pfinfo->contents - avoids this. ChangeLog 2011-04-06 Kai Tietz * peXXigen.c (_bfd_XXi_final_link_postscripte): Sort pdata in temporary buffer. Tested for x86_64-w64-mingw32. Ok for apply? Regards, Kai [-- Attachment #2: pdata_x64_sort.txt --] [-- Type: text/plain, Size: 1074 bytes --] Index: src/bfd/peXXigen.c =================================================================== --- src.orig/bfd/peXXigen.c 2010-12-21 19:33:07.000000000 +0100 +++ src/bfd/peXXigen.c 2011-04-06 18:19:45.945394800 +0200 @@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab if (sec) { bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size; + bfd_byte *tmp_data = NULL; - if (x && bfd_get_section_contents (abfd, sec, pfinfo->contents, 0, x)) + if (x) + tmp_data = bfd_malloc (x); + + if (tmp_data != NULL) { - qsort (pfinfo->contents, - (size_t) ((sec->size <x ? sec->size : x) / 12), - 12, sort_x64_pdata); - bfd_set_section_contents (pfinfo->output_bfd, sec, - pfinfo->contents, 0, x); + if (bfd_get_section_contents (abfd, sec, tmp_data, 0, x)) + { + qsort (tmp_data, + (size_t) ((sec->size <x ? sec->size : x) / 12), + 12, sort_x64_pdata); + bfd_set_section_contents (pfinfo->output_bfd, sec, + tmp_data, 0, x); + } + free (tmp_data); } } } ^ permalink raw reply [flat|nested] 11+ messages in thread
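Review bot: In the replacement block, an allocation failure and an empty section are indistinguishable: `tmp_data` stays NULL in both cases, the `if (tmp_data != NULL)` branch is skipped, and `_bfd_XXi_final_link_postscript` carries on as if the sort had happened, so a failed `bfd_malloc (x)` silently leaves .pdata unsorted. Consider reporting failure when `x` is non-zero but `tmp_data` is NULL (bfd_malloc already sets bfd_error_no_memory). Two smaller points in the same hunk: with the buffer now exactly `x` bytes, `(size_t) ((sec->size <x ? sec->size : x) / 12)` can simply be `x / 12`, and since that division truncates, any trailing partial entry is copied back unsorted; a one-line comment saying so would save the next reader a look.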
* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
  2011-04-06 16:50 [patch bfd]: Prevent possible buffer overflow on pdata-section sorting Kai Tietz
@ 2011-04-06 21:55 ` h.becker
  2011-04-07  1:09 ` Alan Modra
  1 sibling, 0 replies; 11+ messages in thread
From: h.becker @ 2011-04-06 21:55 UTC (permalink / raw)
  To: Kai Tietz; +Cc: Binutils, Nick Clifton

The underlying problem is how the size of the buffer is calculated. Its
size is the maximum of the input sections. However, the sort is for the
pdata output section. Obviously there is no problem as long as there is at
least one input section big enough to hold the collected pdata.

I don't want to argue about the fix; what I have is similar to what is
suggested here. I just want to point out that another option is to fix the
calculation of the size for pfinfo->contents. Or to save that size in
pinfo as well, so that the buffer can be made bigger whenever that is
necessary.

Hartmut

Kai Tietz wrote:
> Hello,
>
> this issue was reported by H. Becker to me. He found that the code in
> peXXigen.c about pdata-section sorting might cause a buffer-overrun
> for large pdata-data. By working in private allocated buffer -
> instead of using the pfinfo->contents - avoids this.
>
> ChangeLog
>
> 2011-04-06 Kai Tietz
>
> * peXXigen.c (_bfd_XXi_final_link_postscripte): Sort pdata in temporary
> buffer.
>
> Tested for x86_64-w64-mingw32. Ok for apply?
>
> Regards,
> Kai
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting 2011-04-06 16:50 [patch bfd]: Prevent possible buffer overflow on pdata-section sorting Kai Tietz 2011-04-06 21:55 ` h.becker @ 2011-04-07 1:09 ` Alan Modra 2011-04-07 5:55 ` Kai Tietz 1 sibling, 1 reply; 11+ messages in thread From: Alan Modra @ 2011-04-07 1:09 UTC (permalink / raw) To: Kai Tietz; +Cc: Binutils, Nick Clifton On Wed, Apr 06, 2011 at 06:50:15PM +0200, Kai Tietz wrote: > Hello, > > this issue was reported by H. Becker to me. He found that the code in > peXXigen.c about pdata-section sorting might cause a buffer-overrun > for large pdata-data. By working in private allocated buffer - > instead of using the pfinfo->contents - avoids this. > > ChangeLog > > 2011-04-06 Kai Tietz > > * peXXigen.c (_bfd_XXi_final_link_postscripte): Sort pdata in temporary > buffer. > > Tested for x86_64-w64-mingw32. Ok for apply? > > Regards, > Kai > Index: src/bfd/peXXigen.c > =================================================================== > --- src.orig/bfd/peXXigen.c 2010-12-21 19:33:07.000000000 +0100 > +++ src/bfd/peXXigen.c 2011-04-06 18:19:45.945394800 +0200 
> @@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab > if (sec) > { > bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size; Since this is an output section, this should just be sec->size I think. See section.c rawsize comment. > + bfd_byte *tmp_data = NULL; > > - if (x && bfd_get_section_contents (abfd, sec, pfinfo->contents, 0, x)) > + if (x) > + tmp_data = bfd_malloc (x); > + > + if (tmp_data != NULL) > { > - qsort (pfinfo->contents, > - (size_t) ((sec->size <x ? sec->size : x) / 12), > - 12, sort_x64_pdata); > - bfd_set_section_contents (pfinfo->output_bfd, sec, > - pfinfo->contents, 0, x); > + if (bfd_get_section_contents (abfd, sec, tmp_data, 0, x)) > + { > + qsort (tmp_data, > + (size_t) ((sec->size <x ? sec->size : x) / 12), Likewise here. OK with those changes. > + 12, sort_x64_pdata); > + bfd_set_section_contents (pfinfo->output_bfd, sec, > + tmp_data, 0, x); > + } > + free (tmp_data); > } > } > } -- Alan Modra Australia Development Lab, IBM ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
  2011-04-07  1:09 ` Alan Modra
@ 2011-04-07  5:55 ` Kai Tietz
  2011-04-07  6:15 ` Kai Tietz
  0 siblings, 1 reply; 11+ messages in thread
From: Kai Tietz @ 2011-04-07 5:55 UTC (permalink / raw)
  To: Kai Tietz, Binutils, Nick Clifton; +Cc: Alan Modra

2011/4/7 Alan Modra <amodra@gmail.com>:
> On Wed, Apr 06, 2011 at 06:50:15PM +0200, Kai Tietz wrote:
>> Hello,
>>
>> this issue was reported by H. Becker to me. He found that the code in
>> peXXigen.c about pdata-section sorting might cause a buffer-overrun
>> for large pdata-data. By working in private allocated buffer -
>> instead of using the pfinfo->contents - avoids this.
>>
>> ChangeLog
>>
>> 2011-04-06 Kai Tietz
>>
>> * peXXigen.c (_bfd_XXi_final_link_postscripte): Sort pdata in temporary
>> buffer.
>>
>> Tested for x86_64-w64-mingw32. Ok for apply?
>>
>> Regards,
>> Kai
>
>> Index: src/bfd/peXXigen.c
>> ===================================================================
>> --- src.orig/bfd/peXXigen.c 2010-12-21 19:33:07.000000000 +0100
>> +++ src/bfd/peXXigen.c 2011-04-06 18:19:45.945394800 +0200
>> @@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab
>> if (sec)
>> {
>> bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size;
>
> Since this is an output section, this should just be sec->size I
> think. See section.c rawsize comment.

Well, the cause for using raw_size here (I will look into section.c to
read the comment there) was that we need to sort without alignment. As
it is an output section, its size might be padded already with
alignment fill, which shouldn't be sorted. But you might be right here
that size is suitable.

Kai
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
  2011-04-07  5:55 ` Kai Tietz
@ 2011-04-07  6:15 ` Kai Tietz
  2011-04-07  8:52 ` Alan Modra
  0 siblings, 1 reply; 11+ messages in thread
From: Kai Tietz @ 2011-04-07 6:15 UTC (permalink / raw)
  To: Kai Tietz, Binutils, Nick Clifton; +Cc: Alan Modra

2011/4/7 Kai Tietz <ktietz70@googlemail.com>:
> 2011/4/7 Alan Modra <amodra@gmail.com>:
>> On Wed, Apr 06, 2011 at 06:50:15PM +0200, Kai Tietz wrote:
>>> Hello,
>>>
>>> this issue was reported by H. Becker to me. He found that the code in
>>> peXXigen.c about pdata-section sorting might cause a buffer-overrun
>>> for large pdata-data. By working in private allocated buffer -
>>> instead of using the pfinfo->contents - avoids this.
>>>
>>> ChangeLog
>>>
>>> 2011-04-06 Kai Tietz
>>>
>>> * peXXigen.c (_bfd_XXi_final_link_postscripte): Sort pdata in temporary
>>> buffer.
>>>
>>> Tested for x86_64-w64-mingw32. Ok for apply?
>>>
>>> Regards,
>>> Kai
>>
>>> Index: src/bfd/peXXigen.c
>>> ===================================================================
>>> --- src.orig/bfd/peXXigen.c 2010-12-21 19:33:07.000000000 +0100
>>> +++ src/bfd/peXXigen.c 2011-04-06 18:19:45.945394800 +0200
>>> @@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab
>>> if (sec)
>>> {
>>> bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size;
>>
>> Since this is an output section, this should just be sec->size I
>> think. See section.c rawsize comment.
>
> Well, the cause for using raw_size here (I will look into section.c to
> read the comment there) was that we need to sort without alignment. As
> it is an output section, its size might be padded already with
> alignment fill, which shouldn't be sorted. But you might be right
> here that size is suitable.

Hmm, not sure. I think it makes sense to check here for raw_size. In
section.c the member size has the following documentation: "The size of
the section in octets, as it will be output. Contains a value even if the
section has no contents (e.g., the size of <<.bss>>). )". And the rawsize
member has for output sections the following definition: "For output
sections, rawsize holds the section size calculated on a previous linker
relaxation pass.", which seems to be the thing we need. It might be a way
to allocate the section's size, but then sort only in the range of
rawsize; but I am not sure if this is necessary, as on output the section
alignment gets applied again, doesn't it?

Kai
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
  2011-04-07  6:15 ` Kai Tietz
@ 2011-04-07  8:52 ` Alan Modra
  2011-04-07 14:31 ` Kai Tietz
  2011-04-11  4:08 ` rawsize and output sections Alan Modra
  0 siblings, 2 replies; 11+ messages in thread
From: Alan Modra @ 2011-04-07 8:52 UTC (permalink / raw)
  To: Kai Tietz; +Cc: Binutils, Nick Clifton

On Thu, Apr 07, 2011 at 08:15:42AM +0200, Kai Tietz wrote:
> Hmm, not sure.

Well, I'm 99% sure. :-) rawsize on an output section, if non-zero, is
just a stale size at bfd_final_link.

Hmm. Which means bfd_get_section_contents is wrong to look at rawsize
on output sections. Seems I have some bugs to fix.

--
Alan Modra
Australia Development Lab, IBM
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
  2011-04-07  8:52 ` Alan Modra
@ 2011-04-07 14:31 ` Kai Tietz
  2011-04-09  4:40 ` Alan Modra
  2011-04-11  4:08 ` rawsize and output sections Alan Modra
  1 sibling, 1 reply; 11+ messages in thread
From: Kai Tietz @ 2011-04-07 14:31 UTC (permalink / raw)
  To: Kai Tietz, Binutils, Nick Clifton; +Cc: Alan Modra

2011/4/7 Alan Modra <amodra@gmail.com>:
> On Thu, Apr 07, 2011 at 08:15:42AM +0200, Kai Tietz wrote:
>> Hmm, not sure.
>
> Well, I'm 99% sure. :-) rawsize on an output section, if non-zero, is
> just a stale size at bfd_final_link.

So this 1% hits. I changed locally to use here just sec->size and I
found that the pdata section doesn't get sorted properly anymore. (You
can verify this by objdump -x: it prints warnings about not ascending
data.) So I strictly want to stick here to my posted patch, as the
other introduces a regression.

Regards,
Kai
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
  2011-04-07 14:31 ` Kai Tietz
@ 2011-04-09  4:40 ` Alan Modra
  2011-04-09  9:50 ` Kai Tietz
  0 siblings, 1 reply; 11+ messages in thread
From: Alan Modra @ 2011-04-09 4:40 UTC (permalink / raw)
  To: Kai Tietz; +Cc: Binutils, Nick Clifton

On Thu, Apr 07, 2011 at 04:31:45PM +0200, Kai Tietz wrote:
> 2011/4/7 Alan Modra <amodra@gmail.com>:
> > On Thu, Apr 07, 2011 at 08:15:42AM +0200, Kai Tietz wrote:
> >> Hmm, not sure.
> >
> > Well, I'm 99% sure. :-) rawsize on an output section, if non-zero, is
> > just a stale size at bfd_final_link.
>
> So this 1% hits. I changed locally to use here just sec->size and I
> found that pdata section doesn't get sorted proper anymore. (you can
> verify this by objdump -x and it prints warnings about not ascending
> data).

Ah, what I missed seeing is that coff_compute_section_file_positions
is bumping the section size here:

#ifdef COFF_IMAGE_WITH_PE
      /* Set the padded size.  */
      current->size = (current->size + page_size -1) & -page_size;
#endif

Obviously, you do want the size of data before this padding is added,
but it's only a fluke that rawsize happens to be set correctly. (You
get it from the lang_reset_memory_regions call during preliminary
section sizing in ldlang.c:strip_excluded_output_sections.) That
seems a little unreliable to me. I'd be happier if in
coff_compute_section_file_positions you always set rawsize in the loop
that is padding section size (do it before any block of code that
changes section size!). Then just use sec->rawsize in your peXXigen.c
patch. I'll preapprove those changes.

--
Alan Modra
Australia Development Lab, IBM
^ permalink raw reply [flat|nested] 11+ messages in thread
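The two points settled in this sub-thread, sorting through a private buffer sized to exactly what is sorted rather than the shared pfinfo->contents buffer sized for the largest input section, and sorting only the unpadded rawsize rather than the page-padded sec->size, as an added C example that is not binutils code. It models 12-byte x64 .pdata entries ordered by BeginAddress (the layout behind the `/ 12` in the patch); the entry layout, the comparator, the 512-byte file alignment and all function names are this example's own assumptions, and the sample table is constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not bfd code.  A RUNTIME_FUNCTION entry is 12 bytes: three
   little-endian 32-bit RVAs (BeginAddress, EndAddress, UnwindInfoAddress),
   and the table must be ordered by BeginAddress (assumed PE layout).  */
#define PDATA_ENTRY_SIZE 12

static uint32_t rd32 (const uint8_t *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

static void wr32 (uint8_t *p, uint32_t v)
{
  p[0] = (uint8_t) v;         p[1] = (uint8_t) (v >> 8);
  p[2] = (uint8_t) (v >> 16); p[3] = (uint8_t) (v >> 24);
}

/* Plays the role of sort_x64_pdata: order entries by BeginAddress.  */
static int cmp_pdata (const void *a, const void *b)
{
  uint32_t va = rd32 (a), vb = rd32 (b);
  return (va > vb) - (va < vb);
}

/* Sort NBYTES of pdata in CONTENTS through a private buffer of exactly
   NBYTES, as the accepted patch does, instead of a shared buffer sized for
   the largest *input* section.  Returns the number of whole entries sorted
   or -1 if nothing could be done; a trailing partial entry (NBYTES % 12)
   stays in place, matching the truncating x / 12 in the patch.  */
static long sort_pdata_copy (uint8_t *contents, size_t nbytes)
{
  size_t nent = nbytes / PDATA_ENTRY_SIZE;
  if (nent == 0)
    return -1;
  uint8_t *tmp = malloc (nbytes);
  if (tmp == NULL)
    return -1;                      /* report, do not pretend we sorted */
  memcpy (tmp, contents, nbytes);
  qsort (tmp, nent, PDATA_ENTRY_SIZE, cmp_pdata);
  memcpy (contents, tmp, nbytes);
  free (tmp);
  return (long) nent;
}

/* The property objdump -x warns about when violated: BeginAddress ascending
   across the whole table.  Returns 1 if so, 0 otherwise.  */
static int pdata_is_ascending (const uint8_t *contents, size_t nbytes)
{
  size_t nent = nbytes / PDATA_ENTRY_SIZE;
  for (size_t i = 1; i < nent; i++)
    if (rd32 (contents + (i - 1) * PDATA_ENTRY_SIZE)
        > rd32 (contents + i * PDATA_ENTRY_SIZE))
      return 0;
  return 1;
}

/* Constructed sample: three real entries out of order (rawsize = 36 bytes)
   followed by the zero fill a PE image gets when the section is rounded up
   to the file alignment (512 here, standing in for the padded sec->size).  */
#define SAMPLE_RAW_SIZE    (3 * PDATA_ENTRY_SIZE)
#define SAMPLE_PADDED_SIZE 512

static void build_sample (uint8_t buf[SAMPLE_PADDED_SIZE])
{
  static const uint32_t begin[3] = { 0x3000, 0x1000, 0x2000 };
  memset (buf, 0, SAMPLE_PADDED_SIZE);
  for (int i = 0; i < 3; i++)
    {
      uint8_t *e = buf + i * PDATA_ENTRY_SIZE;
      wr32 (e, begin[i]);                               /* BeginAddress */
      wr32 (e + 4, begin[i] + 0x80);                    /* EndAddress */
      wr32 (e + 8, 0x5000u + 0x10u * (uint32_t) i);     /* UnwindInfo */
    }
}

/* Sort only the unpadded rawsize: the real entries come out in order and the
   table starts at 0x1000.  Returns UINT32_MAX on failure or a bad order.  */
static uint32_t demo_sort_rawsize (void)
{
  uint8_t buf[SAMPLE_PADDED_SIZE];
  build_sample (buf);
  if (sort_pdata_copy (buf, SAMPLE_RAW_SIZE) != 3
      || !pdata_is_ascending (buf, SAMPLE_RAW_SIZE))
    return UINT32_MAX;
  return rd32 (buf);
}

/* Sort the padded size instead: 512 / 12 = 42 entries, 39 of them all-zero
   fill, which qsort moves ahead of the real ones, so the table now begins
   with a bogus zero entry (the breakage seen when sec->size was tried).  */
static uint32_t demo_sort_padded (void)
{
  uint8_t buf[SAMPLE_PADDED_SIZE];
  build_sample (buf);
  sort_pdata_copy (buf, SAMPLE_PADDED_SIZE);
  return rd32 (buf);
}

int main (void)
{
  printf ("rawsize sort: first BeginAddress 0x%x\n", demo_sort_rawsize ());
  printf ("padded sort:  first BeginAddress 0x%x\n", demo_sort_padded ());
  return 0;
}
```

The private buffer removes the overrun because its length is derived from the data actually sorted, not from an unrelated maximum; the second demo shows why the length must also be the unpadded one, since alignment fill sorts as valid zero entries.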
* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
  2011-04-09  4:40 ` Alan Modra
@ 2011-04-09  9:50 ` Kai Tietz
  [not found]     ` <20110409131155.GH19002@bubble.grove.modra.org>
  0 siblings, 1 reply; 11+ messages in thread
From: Kai Tietz @ 2011-04-09 9:50 UTC (permalink / raw)
  To: Kai Tietz, Binutils, Nick Clifton; +Cc: Alan Modra

[-- Attachment #1: Type: text/plain, Size: 1956 bytes --]

2011/4/9 Alan Modra <amodra@gmail.com>:
> On Thu, Apr 07, 2011 at 04:31:45PM +0200, Kai Tietz wrote:
>> 2011/4/7 Alan Modra <amodra@gmail.com>:
>> > On Thu, Apr 07, 2011 at 08:15:42AM +0200, Kai Tietz wrote:
>> >> Hmm, not sure.
>> >
>> > Well, I'm 99% sure. :-) rawsize on an output section, if non-zero, is
>> > just a stale size at bfd_final_link.
>>
>> So this 1% hits. I changed locally to use here just sec->size and I
>> found that pdata section doesn't get sorted proper anymore. (you can
>> verify this by objdump -x and it prints warnings about not ascending
>> data).
>
> Ah, what I missed seeing is that coff_compute_section_file_positions
> is bumping the section size here:
>
> #ifdef COFF_IMAGE_WITH_PE
>       /* Set the padded size.  */
>       current->size = (current->size + page_size -1) & -page_size;
> #endif
>
> Obviously, you do want the size of data before this padding is added,
> but it's only a fluke that rawsize happens to be set correctly. (You
> get it from the lang_reset_memory_regions call during preliminary
> section sizing in ldlang.c:strip_excluded_output_sections.) That
> seems a little unreliable to me. I'd be happier if in
> coff_compute_section_file_positions you always set rawsize in the loop
> that is padding section size (do it before any block of code that
> changes section size!). Then just use sec->rawsize in your peXXigen.c
> patch. I'll preapprove those changes.
>
> --
> Alan Modra
> Australia Development Lab, IBM
>

Ok, AFAICS it is enough here to set rawsize at one place. Just for the
bss section we don't want to set rawsize.

ChangeLog

2011-04-09 Kai Tietz

	* peXXigen.c (_bfd_XXi_final_link_postscripte): Sort pdata in temporary
	buffer and use rawsize for sorting.
	* coffcode.h (coff_compute_section_file_positions): Set rawsize
	before doing alignment.

Tested for x86_64-w64-mingw32.
Ok for apply? Regards, Kai [-- Attachment #2: pdata_x64_sort.txt --] [-- Type: text/plain, Size: 2065 bytes --] Index: src/bfd/peXXigen.c =================================================================== --- src.orig/bfd/peXXigen.c 2011-04-08 21:08:20.230411500 +0200 +++ src/bfd/peXXigen.c 2011-04-09 11:46:00.611507900 +0200 @@ -2458,15 +2458,23 @@ _bfd_XXi_final_link_postscript (bfd * ab if (sec) { - bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size; + bfd_size_type x = sec->rawsize; + bfd_byte *tmp_data = NULL; - if (x && bfd_get_section_contents (abfd, sec, pfinfo->contents, 0, x)) + if (x) + tmp_data = bfd_malloc (x); + + if (tmp_data != NULL) { - qsort (pfinfo->contents, - (size_t) ((sec->size <x ? sec->size : x) / 12), - 12, sort_x64_pdata); - bfd_set_section_contents (pfinfo->output_bfd, sec, - pfinfo->contents, 0, x); + if (bfd_get_section_contents (abfd, sec, tmp_data, 0, x)) + { + qsort (tmp_data, + (size_t) (x / 12), + 12, sort_x64_pdata); + bfd_set_section_contents (pfinfo->output_bfd, sec, + tmp_data, 0, x); + } + free (tmp_data); } } } Index: src/bfd/coffcode.h =================================================================== --- src.orig/bfd/coffcode.h 2011-04-09 10:29:19.000000000 +0200 +++ src/bfd/coffcode.h 2011-04-09 11:46:45.938100500 +0200 @@ -3297,6 +3297,11 @@ coff_compute_section_file_positions (bfd if (!(current->flags & SEC_HAS_CONTENTS)) continue; + /* Set rawsize for each section before we are doing alignment. But + don't set rawsize for BSS section. */ + if (strcmp (current->name, _BSS) != 0) + current->rawsize = current->size; + #ifdef COFF_IMAGE_WITH_PE /* Make sure we skip empty sections in a PE image. */ if (current->size == 0) 
@@ -3363,7 +3368,7 @@ coff_compute_section_file_positions (bfd #ifdef COFF_IMAGE_WITH_PE /* Set the padded size. */ - current->size = (current->size + page_size -1) & -page_size; + current->size = (current->size + page_size - 1) & -page_size; #endif sofar += current->size; ^ permalink raw reply [flat|nested] 11+ messages in thread
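Review bot: In the peXXigen.c hunk, `bfd_size_type x = sec->rawsize;` makes the sort depend on the new assignment in coff_compute_section_file_positions having run for this section; if rawsize is still 0 the sort is skipped silently rather than falling back to sec->size, and nothing at this site says where rawsize is now expected to come from. A one-line comment pointing at the coffcode.h change would make the coupling visible to the next person who touches either file.

Review bot: In the first coffcode.h hunk, the `strcmp (current->name, _BSS) != 0` guard is redundant: the `if (!(current->flags & SEC_HAS_CONTENTS)) continue;` two lines above already skips .bss, so `current->rawsize = current->size;` can be unconditional (which is what the follow-up in this thread settles on).

Review bot: The second coffcode.h hunk is a whitespace-only change (`page_size -1` to `page_size - 1`) that the ChangeLog entry does not mention; either drop it from this functional patch or list it as a formatting fix.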
* Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
  [not found]     ` <20110409140103.GI19002@bubble.grove.modra.org>
@ 2011-04-09 16:07 ` Kai Tietz
  0 siblings, 0 replies; 11+ messages in thread
From: Kai Tietz @ 2011-04-09 16:07 UTC (permalink / raw)
  To: Alan Modra, Binutils

2011/4/9 Alan Modra <amodra@gmail.com>:
> On Sat, Apr 09, 2011 at 03:17:31PM +0200, Kai Tietz wrote:
>> 2011/4/9 Alan Modra <amodra@gmail.com>:
>> > On Sat, Apr 09, 2011 at 11:50:45AM +0200, Kai Tietz wrote:
>> >> Ok, AFAICS it is enough here to set rawsize at one place.
>> >
>> > Yes.
>> >
>> >> Just for bss-section we don't want to set rawsize.
>> >
>> > Why is that?
>> >
>> >> --- src.orig/bfd/coffcode.h 2011-04-09 10:29:19.000000000 +0200
>> >> +++ src/bfd/coffcode.h 2011-04-09 11:46:45.938100500 +0200
>> >> @@ -3297,6 +3297,11 @@ coff_compute_section_file_positions (bfd
>> >> if (!(current->flags & SEC_HAS_CONTENTS))
>> >> continue;
>> >
>> > Won't the above test exclude .bss anyway?
>>
>> Hmm, this might be bogus. I've tested it without this check and it
>> seems to work still. So I can remove this check. Ok then for apply?
>
> Yes, OK.
>
> --
> Alan Modra
> Australia Development Lab, IBM
>

Ok, applied.

Thanks,
Kai
^ permalink raw reply [flat|nested] 11+ messages in thread
* rawsize and output sections
  2011-04-07  8:52 ` Alan Modra
  2011-04-07 14:31 ` Kai Tietz
@ 2011-04-11  4:08 ` Alan Modra
  1 sibling, 0 replies; 11+ messages in thread
From: Alan Modra @ 2011-04-11 4:08 UTC (permalink / raw)
  To: binutils

On Thu, Apr 07, 2011 at 06:22:38PM +0930, Alan Modra wrote:
> rawsize on an output section, if non-zero, is
> just a stale size at bfd_final_link.
>
> Hmm. Which means bfd_get_section_contents is wrong to look at rawsize
> on output sections. Seems I have some bugs to fix.

Committed.

	* bfd-in.h (bfd_get_section_limit): Don't use rawsize with output
	sections.
	* libbfd.c (_bfd_generic_get_section_contents): Likewise.
	(_bfd_generic_get_section_contents_in_window): Likewise.
	* section.c (bfd_get_section_contents): Likewise.
	* compress.c (bfd_get_full_section_contents): Likewise.
	* elf32-rx.c (rx_final_link): Ignore rawsize.
	* elf32-microblaze.c (microblaze_elf_relocate_section): Use correct
	bfd with bfd_get_section_limit.
	* elfxx-ia64.c (elfNN_ia64_choose_gp): Add "final" parameter.
	Use os->size during final link.  Update callers.
	* bfd-in2.h: Regenerate.

Index: bfd/bfd-in.h
===================================================================
RCS file: /cvs/src/src/bfd/bfd-in.h,v
retrieving revision 1.152
diff -u -p -r1.152 bfd-in.h
--- bfd/bfd-in.h	8 Nov 2010 02:48:54 -0000	1.152
+++ bfd/bfd-in.h	10 Apr 2011 07:00:24 -0000
@@ -291,8 +291,8 @@ typedef struct bfd_section *sec_ptr; #define bfd_set_section_userdata(bfd, ptr, val) (((ptr)->userdata = (val)),TRUE) /* Find the address one past the end of SEC. */ #define bfd_get_section_limit(bfd, sec) \ - (((sec)->rawsize ? (sec)->rawsize : (sec)->size) \ - / bfd_octets_per_byte (bfd)) + (((bfd)->direction != write_direction && (sec)->rawsize != 0 \ + ? (sec)->rawsize : (sec)->size) / bfd_octets_per_byte (bfd)) /* Return TRUE if input section SEC has been discarded. */ #define elf_discarded_section(sec) \ Index: bfd/compress.c =================================================================== RCS file: /cvs/src/src/bfd/compress.c,v retrieving revision 1.8 diff -u -p -r1.8 compress.c --- bfd/compress.c 6 Mar 2011 18:37:07 -0000 1.8 +++ bfd/compress.c 10 Apr 2011 07:00:29 -0000 @@ -158,7 +158,7 @@ DESCRIPTION bfd_boolean bfd_get_full_section_contents (bfd *abfd, sec_ptr sec, bfd_byte **ptr) { - bfd_size_type sz = sec->rawsize ? sec->rawsize : sec->size; + bfd_size_type sz; bfd_byte *p = *ptr; #ifdef HAVE_ZLIB_H bfd_boolean ret; @@ -169,6 +169,10 @@ bfd_get_full_section_contents (bfd *abfd bfd_byte *uncompressed_buffer; #endif + if (abfd->direction != write_direction && sec->rawsize != 0) + sz = sec->rawsize; + else + sz = sec->size; if (sz == 0) return TRUE; Index: bfd/elf32-rx.c =================================================================== RCS file: /cvs/src/src/bfd/elf32-rx.c,v retrieving revision 1.8 diff -u -p -r1.8 elf32-rx.c --- bfd/elf32-rx.c 18 Jan 2011 14:13:43 -0000 1.8 +++ bfd/elf32-rx.c 10 Apr 2011 07:00:42 -0000 
@@ -3305,13 +3305,12 @@ rx_final_link (bfd * abfd, struct bfd_li #endif if (o->flags & SEC_CODE && bfd_big_endian (abfd) - && (o->size % 4 || o->rawsize % 4)) + && o->size % 4) { #ifdef DJDEBUG fprintf (stderr, "adjusting...\n"); #endif o->size += 4 - (o->size % 4); - o->rawsize += 4 - (o->rawsize % 4); } } Index: bfd/elf32-microblaze.c =================================================================== RCS file: /cvs/src/src/bfd/elf32-microblaze.c,v retrieving revision 1.9 diff -u -p -r1.9 elf32-microblaze.c --- bfd/elf32-microblaze.c 4 Oct 2010 14:13:09 -0000 1.9 +++ bfd/elf32-microblaze.c 11 Apr 2011 00:16:47 -0000 @@ -824,7 +824,7 @@ microblaze_elf_relocate_section (bfd *ou } /* Sanity check the address. */ - if (offset > bfd_get_section_limit (output_bfd, input_section)) + if (offset > bfd_get_section_limit (input_bfd, input_section)) { r = bfd_reloc_outofrange; goto check_reloc; Index: bfd/elfxx-ia64.c =================================================================== RCS file: /cvs/src/src/bfd/elfxx-ia64.c,v retrieving revision 1.231 diff -u -p -r1.231 elfxx-ia64.c --- bfd/elfxx-ia64.c 1 Apr 2011 08:38:55 -0000 1.231 +++ bfd/elfxx-ia64.c 11 Apr 2011 02:42:11 -0000 @@ -215,7 +215,7 @@ static bfd_boolean elfNN_ia64_dynamic_sy static bfd_reloc_status_type elfNN_ia64_install_value (bfd_byte *hit_addr, bfd_vma val, unsigned int r_type); static bfd_boolean elfNN_ia64_choose_gp - (bfd *abfd, struct bfd_link_info *info); + (bfd *abfd, struct bfd_link_info *info, bfd_boolean final); static void elfNN_ia64_relax_ldxmov (bfd_byte *contents, bfd_vma off); static void elfNN_ia64_dyn_sym_traverse @@ -1221,7 +1221,7 @@ elfNN_ia64_relax_section (bfd *abfd, ase gp = _bfd_get_gp_value (obfd); if (gp == 0) { - if (!elfNN_ia64_choose_gp (obfd, link_info)) + if (!elfNN_ia64_choose_gp (obfd, link_info, FALSE)) goto error_return; gp = _bfd_get_gp_value (obfd); } 
@@ -4298,7 +4298,7 @@ elfNN_ia64_unwind_entry_compare (const P /* Make sure we've got ourselves a nice fat __gp value. */ static bfd_boolean -elfNN_ia64_choose_gp (bfd *abfd, struct bfd_link_info *info) +elfNN_ia64_choose_gp (bfd *abfd, struct bfd_link_info *info, bfd_boolean final) { bfd_vma min_vma = (bfd_vma) -1, max_vma = 0; bfd_vma min_short_vma = min_vma, max_short_vma = 0; @@ -4321,7 +4321,12 @@ elfNN_ia64_choose_gp (bfd *abfd, struct continue; lo = os->vma; - hi = os->vma + (os->rawsize ? os->rawsize : os->size); + /* When this function is called from elfNN_ia64_final_link + the correct value to use is os->size. When called from + elfNN_ia64_relax_section we are in the middle of section + sizing; some sections will already have os->size set, others + will have os->size zero and os->rawsize the previous size. */ + hi = os->vma + (!final && os->rawsize ? os->rawsize : os->size); if (hi < lo) hi = (bfd_vma) -1; @@ -4462,7 +4467,7 @@ elfNN_ia64_final_link (bfd *abfd, struct /* We assume after gp is set, section size will only decrease. We need to adjust gp for it. */ _bfd_set_gp_value (abfd, 0); - if (! elfNN_ia64_choose_gp (abfd, info)) + if (! elfNN_ia64_choose_gp (abfd, info, TRUE)) return FALSE; gp_val = _bfd_get_gp_value (abfd); Index: bfd/libbfd.c =================================================================== RCS file: /cvs/src/src/bfd/libbfd.c,v retrieving revision 1.54 diff -u -p -r1.54 libbfd.c --- bfd/libbfd.c 14 Jan 2011 12:35:55 -0000 1.54 +++ bfd/libbfd.c 10 Apr 2011 07:00:55 -0000 
@@ -866,7 +866,15 @@ _bfd_generic_get_section_contents (bfd * return FALSE; } - sz = section->rawsize ? section->rawsize : section->size; + /* We do allow reading of a section after bfd_final_link has + written the contents out to disk. In that situation, rawsize is + just a stale version of size, so ignore it. Otherwise we must be + reading an input section, where rawsize, if different to size, + is the on-disk size. */ + if (abfd->direction != write_direction && section->rawsize != 0) + sz = section->rawsize; + else + sz = section->size; if (offset + count < count || offset + count > sz) { @@ -919,7 +927,10 @@ _bfd_generic_get_section_contents_in_win w->data = w->i->data; return bfd_get_section_contents (abfd, section, w->data, offset, count); } - sz = section->rawsize ? section->rawsize : section->size; + if (abfd->direction != write_direction && section->rawsize != 0) + sz = section->rawsize; + else + sz = section->size; if (offset + count > sz || ! bfd_get_file_window (abfd, section->filepos + offset, count, w, TRUE)) Index: bfd/section.c =================================================================== RCS file: /cvs/src/src/bfd/section.c,v retrieving revision 1.108 diff -u -p -r1.108 section.c --- bfd/section.c 8 Nov 2010 02:48:54 -0000 1.108 +++ bfd/section.c 10 Apr 2011 07:00:56 -0000 @@ -1456,7 +1456,10 @@ bfd_get_section_contents (bfd *abfd, return TRUE; } - sz = section->rawsize ? section->rawsize : section->size; + if (abfd->direction != write_direction && section->rawsize != 0) + sz = section->rawsize; + else + sz = section->size; if ((bfd_size_type) offset > sz || count > sz || offset + count > sz -- Alan Modra Australia Development Lab, IBM ^ permalink raw reply [flat|nested] 11+ messages in thread
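Review bot: The selector `abfd->direction != write_direction && rawsize != 0 ? rawsize : size` is now spelled out in bfd-in.h (bfd_get_section_limit), compress.c, libbfd.c (twice) and section.c, and only the first libbfd.c copy carries the comment explaining that rawsize is a stale size once bfd_final_link has written the contents. Centralising it, for instance by having the four readers call a small inline helper or bfd_get_section_limit itself, would keep the copies from drifting and put the explanation in one place.

Review bot: In the second libbfd.c hunk (_bfd_generic_get_section_contents_in_window), the bounds test stays `offset + count > sz` without the `offset + count < count` wraparound check that the first hunk keeps for _bfd_generic_get_section_contents; a count near the type maximum can wrap past sz and pass. Mirroring the overflow check from the non-window variant would make the two paths consistent.

Review bot: In the elfxx-ia64.c hunks, the new `bfd_boolean final` parameter of elfNN_ia64_choose_gp is explained only by the comment inside the loop; a short note at the prototype or the "Make sure we've got ourselves a nice fat __gp value" header, saying that TRUE means os->size is authoritative and FALSE means relaxation may still be sizing sections, would spare callers from reading the body.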