From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) by sourceware.org (Postfix) with ESMTPS id 143D6384F6DC for ; Wed, 23 Nov 2022 12:29:14 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 143D6384F6DC Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pl1-x635.google.com with SMTP id g10so16476441plo.11 for ; Wed, 23 Nov 2022 04:29:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-disposition:mime-version:message-id:subject:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=ZdpquaBss51PdwdSNJJ1lnBif9OrROE79PAm15mNjGI=; b=jtvG3+2HbPxaWHFAJEIEWcQN3zPJA2TAiFiLFnz4i6a0yDo2PUAKXggJLKbf1GViTS hQI/TcvFoPoG9qKDlHtYuYCD98LP+XR7l1bmqBfrOi8pjeHbT1MkzmpNMqp6qLM2VDAu MfgVURYzCFHmnLA7UVjocNL1fk5s4x7zCAa51jMJLUhQ1OoebTjsKpJkEpX2K3Gmi8+Z mrzUO+k5vVWU/OJmHazMcjMYH/Foz0U0B0DGNdhICTrEsjDn8lundPhmKhppbjDnLd/w eEps0z2dwbtk0i8uKuSpxpAjPYS3dX+4x4yQS/FpXFIFjE5gPgPaDPejYo196Ck+zGwz kJEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-disposition:mime-version:message-id:subject:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ZdpquaBss51PdwdSNJJ1lnBif9OrROE79PAm15mNjGI=; b=mtEI44sFo73Ta3/ZfeVNKJP7bDAiCUfgw73F+d+dMJ9U07r0jIEpbLmDnWXrnohFFi O2ap76dX1SEEubAT0ol5h17AKzcVT0VaES7GCpjccJKtVzkL5eCs595O5dgiVCr+DqmQ +vYyg2shGG9RY0vXH+J/fWnUgsOKB8T2X3aAlaaUut/svcAeEFPXrwYkT4gaKpf+IUGc MWiZNgSNX0sRL9Ye+99CR2XMeJ0rSSGKFD71PNZUpd3SH+uEaGjW/NI/ZctrsRvggv18 6j6s6o9PiMHMwc8sGE71LxyvuJdcXc7/0+0cQhoQtTo7UqRQWyUYk5LEUCzd4YzCcdVQ KONg== X-Gm-Message-State: ANoB5pkbh81vfa1oZooE/FuxvoS8374a8+YS2w77XYxQAvVp3gtlOjLM qXuRN/STKYUGXu2lNUgurtGRhZi7YdM= X-Google-Smtp-Source: AA0mqf7fnfLO9wDifLADznTPCuCnV64lx4e0dMhSOalC7GVjk+6d0+aXDiBLrxPn4zJnwQRQokIdsQ== X-Received: by 2002:a17:90a:a589:b0:217:b6d1:968 with SMTP id b9-20020a17090aa58900b00217b6d10968mr37352212pjq.52.1669206552460; Wed, 23 Nov 2022 04:29:12 -0800 (PST) Received: from squeak.grove.modra.org ([2406:3400:51d:8cc0:55f0:77c:a420:4ce5]) by smtp.gmail.com with ESMTPSA id l3-20020a622503000000b0056bf4f8d542sm12568660pfl.74.2022.11.23.04.29.11 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Nov 2022 04:29:11 -0800 (PST) Received: by squeak.grove.modra.org (Postfix, from userid 1000) id 8564F1142D3F; Wed, 23 Nov 2022 22:59:09 +1030 (ACDT) Date: Wed, 23 Nov 2022 22:59:09 +1030 From: Alan Modra To: binutils@sourceware.org Subject: PR22509 - Null pointer dereference on coff_slurp_reloc_table Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-3035.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,GIT_PATCH_0,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: This extends the commit 4581a1c7d304 fix to more targets, which hardens BFD a little. I think the real underlying problem was the bfd_canonicalize_reloc call in load_specific_debug_section which passed a NULL for "symbols". Fix that too. PR 22509 bfd/ * aoutx.h (swap_ext_reloc_out): Gracefully handle NULL symbols. * i386lynx.c (swap_ext_reloc_out): Likewise. * pdp11.c (pdp11_aout_swap_reloc_out): Likewise. * coff-tic30.c (reloc_processing): Likewise. * coff-tic4x.c (tic4x_reloc_processing): Likewise. * coff-tic54x.c (tic54x_reloc_processing): Likewise. * coff-z80.c (reloc_processing): Likewise. * coff-z8k.c (reloc_processing): Likewise. * ecoff.c (ecoff_slurp_reloc_table): Likewise. * som.c (som_set_reloc_info): Likewise. binutils/ * objdump.c (load_specific_debug_section): Pass syms to bfd_canonicalize_reloc. diff --git a/bfd/aoutx.h b/bfd/aoutx.h index 61ea9f7ce04..38e30431589 100644 --- a/bfd/aoutx.h +++ b/bfd/aoutx.h @@ -2122,8 +2122,10 @@ NAME (aout, swap_ext_reloc_out) (bfd *abfd, if (r_extern) \ { \ /* Undefined symbol. */ \ - if (r_index < bfd_get_symcount (abfd)) \ + if (symbols != NULL && r_index < bfd_get_symcount (abfd)) \ cache_ptr->sym_ptr_ptr = symbols + r_index; \ + else \ + cache_ptr->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; \ cache_ptr->addend = ad; \ } \ else \ diff --git a/bfd/coff-tic30.c b/bfd/coff-tic30.c index 874fd79f3fa..fcc85754068 100644 --- a/bfd/coff-tic30.c +++ b/bfd/coff-tic30.c @@ -161,7 +161,7 @@ reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; rtype2howto (relent, reloc); - if (reloc->r_symndx == -1) + if (reloc->r_symndx == -1 || symbols == NULL) relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd)) relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx]; diff --git a/bfd/coff-tic4x.c b/bfd/coff-tic4x.c index 02013e1655f..be295259915 100644 --- a/bfd/coff-tic4x.c +++ b/bfd/coff-tic4x.c @@ -219,7 +219,7 @@ tic4x_reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; - if (reloc->r_symndx != -1) + if (reloc->r_symndx != -1 && symbols != NULL) { if (reloc->r_symndx < 0 || reloc->r_symndx >= obj_conv_table_size (abfd)) { diff --git a/bfd/coff-tic54x.c b/bfd/coff-tic54x.c index 8b493584503..9ec4b2064c3 100644 --- a/bfd/coff-tic54x.c +++ b/bfd/coff-tic54x.c @@ -357,7 +357,7 @@ tic54x_reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; - if (reloc->r_symndx != -1) + if (reloc->r_symndx != -1 && symbols != NULL) { if (reloc->r_symndx < 0 || reloc->r_symndx >= obj_conv_table_size (abfd)) { diff --git a/bfd/coff-z80.c b/bfd/coff-z80.c index ba0f2609bf0..7fb2f137331 100644 --- a/bfd/coff-z80.c +++ b/bfd/coff-z80.c @@ -314,7 +314,7 @@ reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; rtype2howto (relent, reloc); - if (reloc->r_symndx == -1) + if (reloc->r_symndx == -1 || symbols == NULL) relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd)) relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx]; diff --git a/bfd/coff-z8k.c b/bfd/coff-z8k.c index b9f6f9773ad..974bffc9a6f 100644 --- a/bfd/coff-z8k.c +++ b/bfd/coff-z8k.c @@ -177,7 +177,7 @@ reloc_processing (arelent *relent, relent->address = reloc->r_vaddr; rtype2howto (relent, reloc); - if (reloc->r_symndx == -1) + if (reloc->r_symndx == -1 || symbols == NULL) relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd)) relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx]; diff --git a/bfd/ecoff.c b/bfd/ecoff.c index a4edf7a2e6c..2d26b855e4c 100644 --- a/bfd/ecoff.c +++ b/bfd/ecoff.c @@ -1612,7 +1612,8 @@ ecoff_slurp_reloc_table (bfd *abfd, if (intern.r_extern) { /* r_symndx is an index into the external symbols. */ - if (intern.r_symndx >= 0 + if (symbols != NULL + && intern.r_symndx >= 0 && (intern.r_symndx < (ecoff_data (abfd)->debug_info.symbolic_header.iextMax))) rptr->sym_ptr_ptr = symbols + intern.r_symndx; diff --git a/bfd/i386lynx.c b/bfd/i386lynx.c index 5df3d19ffe0..acc38d24438 100644 --- a/bfd/i386lynx.c +++ b/bfd/i386lynx.c @@ -283,8 +283,10 @@ NAME(lynx,swap_ext_reloc_out) (bfd *abfd, if (r_extern) \ { \ /* undefined symbol */ \ - if (r_index < bfd_get_symcount (abfd)) \ + if (symbols != NULL && r_index < bfd_get_symcount (abfd)) \ cache_ptr->sym_ptr_ptr = symbols + r_index; \ + else \ + cache_ptr->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; \ cache_ptr->addend = ad; \ } \ else \ diff --git a/bfd/pdp11.c b/bfd/pdp11.c index de9c8690e20..806e0e12a61 100644 --- a/bfd/pdp11.c +++ b/bfd/pdp11.c @@ -1861,8 +1861,10 @@ pdp11_aout_swap_reloc_out (bfd *abfd, arelent *g, bfd_byte *natptr) if (r_extern) \ { \ /* Undefined symbol. */ \ - if (r_index < bfd_get_symcount (abfd)) \ + if (symbols != NULL && r_index < bfd_get_symcount (abfd)) \ cache_ptr->sym_ptr_ptr = symbols + r_index; \ + else \ + cache_ptr->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; \ cache_ptr->addend = ad; \ } \ else \ diff --git a/bfd/som.c b/bfd/som.c index 7a5ee35f0e2..3e89c937b5e 100644 --- a/bfd/som.c +++ b/bfd/som.c @@ -5099,7 +5099,7 @@ som_set_reloc_info (unsigned char *fixup, /* A symbol to use in the relocation. Make a note of this if we are not just counting. */ case 'S': - if (! just_count && (unsigned int) c < symcount) + if (!just_count && symbols != NULL && (unsigned int) c < symcount) rptr->sym_ptr_ptr = &symbols[c]; break; /* Argument relocation bits for a function call. */ diff --git a/binutils/objdump.c b/binutils/objdump.c index 61a18746fde..9b27ce73a87 100644 --- a/binutils/objdump.c +++ b/binutils/objdump.c @@ -4238,7 +4238,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug, relocs = (arelent **) xmalloc (reloc_size); - reloc_count = bfd_canonicalize_reloc (abfd, sec, relocs, NULL); + reloc_count = bfd_canonicalize_reloc (abfd, sec, relocs, syms); if (reloc_count <= 0) free (relocs); else -- Alan Modra Australia Development Lab, IBM