Subject: Re: [PATCH 1/2] LoongArch: Avoid heap-buffer-overflow in loongarch_elf_relocate_section
From: Xi Ruoyao
To: liuzhensong, binutils@sourceware.org
Cc: Lulu Cheng, Wang Xuerui, Chenghua Xu, mengqinggang@loongson.cn
Date: Wed, 14 Sep 2022 18:15:57 +0800
References: <20220913154414.554861-1-xry111@xry111.site> <20220913154414.554861-2-xry111@xry111.site>

On Wed, 2022-09-14 at 16:57 +0800, liuzhensong wrote:
> On 2022/9/13 at 11:44 PM, Xi Ruoyao wrote:
> 
> > If a and b are different sections, we cannot access something in b
> > with "a->contents + (offset from a)" because "a->contents" and
> > "b->contents" are heap buffers allocated separately, not slices of
> > a large buffer.
> > 
> > The issue was found during an attempt to add static-pie support to
> > the toolchain with ASAN.
> Can you provide compile parameters?

To reproduce it easily, add a check to detect the heap buffer overflow:

diff --git a/bfd/elfnn-loongarch.c b/bfd/elfnn-loongarch.c
index a9bb66a1e04..716e3d5a246 100644
--- a/bfd/elfnn-loongarch.c
+++ b/bfd/elfnn-loongarch.c
@@ -3202,6 +3202,7 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info,
 	    }
 	}
 
+      BFD_ASSERT (got_off < got->size);
       bfd_put_NN (output_bfd, relocation, got->contents + got_off);
 
       relocation = got_off + sec_addr (got);

Then

$ cat test.S
	.text
	.align 2
	.local ifunc
	.type ifunc, @gnu_indirect_function
	.set ifunc, resolver
resolver:
	la.local $a0, impl
	jr $ra
impl:
	li.w $a0, 42
	jr $ra

	.global test
	.type test, @function
test:
	move $s0, $ra
	la.got $t0, ifunc
	jirl $ra, $t0, 0
	xori $a0, $a0, 42
	jr $s0

$ cc test.S -c
$ ld/ld-new test.o -shared
ld/ld-new: BFD (GNU Binutils) 2.39.50.20220914 assertion fail elfnn-loongarch.c:3205

And if GDB is used with a breakpoint at bfd_assert, we can see got_off is
"18446744073709551608" (-8).

> Shouldn't write to got table when using hidden ifunc.

Perhaps it's true, using RELA to resolve a GOT entry should not depend on
any "initial" value of the entry...

-- 
Xi Ruoyao
School of Aerospace Science and Technology, Xidian University
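Review bot: the added `BFD_ASSERT (got_off < got->size)` reports but does not stop. bfd_assert prints the "assertion fail elfnn-loongarch.c:3205" line seen in the ld output and returns, so the statement right after it, `bfd_put_NN (output_bfd, relocation, got->contents + got_off);`, still runs with got_off == 18446744073709551608 and the out-of-bounds write happens anyway. That is acceptable for a reproducer, where the breakpoint on bfd_assert stops before the write, but the hunk must not be mistaken for a guard: the real fix has to keep got_off from going negative for the hidden ifunc case (or skip the GOT write there) rather than detect it after the fact. Note also that the check only works because got_off is unsigned, so -8 wraps to a huge value and fails `< got->size`; a signed offset type would pass it.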
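The point quoted at the top of the thread (two sections' `contents` are separate heap allocations, so `a->contents + (offset from a)` can never legitimately reach into `b`) and the -8 offset seen under GDB, as an added stand-alone C example that is not binutils code: `section_t`, `put64_checked`, `store_via_section` and `store_at_addr` are hypothetical stand-ins for an output section, `bfd_put_NN`, the faulty addressing and the correct one, and the two-section layout is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an output section: a VMA plus a contents
   buffer that is malloc'd on its own, which is exactly the property the
   mail relies on.  Not bfd's asection.  */
typedef struct {
  const char *name;
  uint64_t vma;
  uint64_t size;
  uint8_t *contents;
} section_t;

static section_t *section_new(const char *name, uint64_t vma, uint64_t size) {
  section_t *s = calloc(1, sizeof *s);
  if (!s) abort();
  s->name = name;
  s->vma = vma;
  s->size = size;
  s->contents = calloc(size, 1);
  if (!s->contents) abort();
  return s;
}

static void section_free(section_t *s) {
  if (!s) return;
  free(s->contents);
  free(s);
}

/* Checked counterpart of bfd_put_NN (..., sec->contents + off): the write is
   allowed only if all 8 bytes lie inside the buffer.  Because off is
   unsigned, a "negative" offset such as (uint64_t)-8 fails the first test
   instead of addressing memory 8 bytes before the allocation.  */
static bool put64_checked(section_t *sec, uint64_t off, uint64_t value) {
  if (off > sec->size || sec->size - off < 8)
    return false;
  memcpy(sec->contents + off, &value, sizeof value); /* host byte order */
  return true;
}

static uint64_t get64(const section_t *sec, uint64_t off) {
  uint64_t v = 0;
  if (off <= sec->size && sec->size - off >= 8)
    memcpy(&v, sec->contents + off, sizeof v);
  return v;
}

/* The faulty pattern: reach an absolute VMA by offsetting from section a's
   buffer even though the VMA may belong to a different section.  */
static bool store_via_section(section_t *a, uint64_t addr, uint64_t value) {
  uint64_t off = addr - a->vma; /* wraps when addr < a->vma */
  return put64_checked(a, off, value);
}

/* The correct pattern: find the section whose range holds addr and offset
   from that section's own buffer.  */
static section_t *section_for_addr(section_t **secs, size_t n, uint64_t addr) {
  for (size_t i = 0; i < n; i++)
    if (addr >= secs[i]->vma && addr - secs[i]->vma < secs[i]->size)
      return secs[i];
  return NULL;
}

static bool store_at_addr(section_t **secs, size_t n, uint64_t addr,
                          uint64_t value) {
  section_t *s = section_for_addr(secs, n, addr);
  return s ? put64_checked(s, addr - s->vma, value) : false;
}

/* Constructed layout: two adjacent sections, "prev" immediately before
   "got".  Returns 0 when every expectation holds, otherwise a distinct code
   for the first expectation that failed.  */
static int scenario(void) {
  section_t *secs[2] = {
    section_new("prev", 0x1000, 0x20),
    section_new("got", 0x1020, 0x20),
  };
  section_t *prev = secs[0], *got = secs[1];
  uint64_t target = got->vma - 8; /* last 8-byte slot of prev */
  int rc = 0;

  /* Offsetting from got yields (uint64_t)-8, the value seen in GDB ... */
  if (target - got->vma != UINT64_C(0xFFFFFFFFFFFFFFF8)) rc = 1;
  /* ... and the checked put refuses it instead of writing before got->contents. */
  else if (store_via_section(got, target, 0x2a)) rc = 2;
  /* Resolving the address to its own section lands inside prev's buffer. */
  else if (!store_at_addr(secs, 2, target, 0x2a)) rc = 3;
  else if (get64(prev, 0x18) != 0x2a) rc = 4;
  /* In-range writes into got still work; a partially overlapping one does not. */
  else if (!put64_checked(got, 0x18, 1)) rc = 5;
  else if (put64_checked(got, 0x19, 1)) rc = 6;

  section_free(prev);
  section_free(got);
  return rc;
}

int main(void) {
  int rc = scenario();
  printf("%s (code %d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
  return rc;
}
```

Built with -fsanitize=address and with the bounds test in put64_checked removed, the store_via_section call is reported as a heap-buffer-overflow 8 bytes before the 32-byte region of got->contents, which is the same shape of report the original patch description refers to.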