Date: Fri, 10 Sep 2021 11:50:04 +0200 (CEST)
From: "Maciej W. Rozycki"
To: Alan Modra
cc: Chenghua Xu, binutils@sourceware.org
Subject: Re: PR28306, segfault in _bfd_mips_elf_reloc_unshuffle

On Fri, 10 Sep 2021, Alan Modra wrote:

> > I don't think there is any easy and safe way of doing that. Even
> > though there is a nice tidy array of NULL terminated arelent pointers,
> > the special_function doesn't see an arelent** but rather an arelent*.
> >
> > Hmm, how about replacing !relocatable above with
> > !(relocatable && !reloc_entry->howto->partial_inplace) ie. the
> > condition under which _bfd_mips_elf_generic_reloc writes section
> > contents?
>
> Testing revealed some fails
> mipsisa32r2el-elf +FAIL: MIPS reloc against local symbol overflow
> mipstx39-elf +FAIL: MIPS reloc against local symbol overflow
>
> The test in question puts a ".half" at the end of a section, with
> resultant R_MIPS_16, a 4 byte relocation, 2 bytes before the end of
> the section. I think the test should fail on these targets. With a
> very carefully crafted testcase it should be possible to cause a gas
> buffer overflow.

 Hmm, it looks to me like a bug in the implementation of the `.half'
pseudo-op (that it emits a 16-bit rather than a 32-bit data quantity
with R_MIPS_16 attached to the least significant halfword), but I'm not
sure if at this time of MIPS target's history it is safe to fix it.

 I'll have to chew it over a bit and I'll be travelling over the next
couple of days anyway, so I'll get back to this discussion after the
weekend (including the issue of `arelent*' vs `arelent**').

  Maciej
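The exchange above turns on a size mismatch: `.half` emits a 2-byte quantity, but the R_MIPS_16 howto attached to it reads and rewrites a 4-byte field, so a relocation placed 2 bytes before the end of a section reaches past the contents buffer. The following is an added example, not code from the binutils thread or from bfd/gas, modelling the bounds check a relocation applier needs before touching section contents. All names here (`reloc_fits`, `apply_reloc_checked`, `struct reloc`) are hypothetical; only the field sizes mirror the thread (R_MIPS_16 rewrites 4 bytes in place, `.half` emits 2). The 8-byte section and its relocations are constructed inline.

```c
/* Added illustration, not bfd's own code.  Models the range check an
   in-place relocation applier must do before reading or writing the
   field it covers, using the `.half' + R_MIPS_16 case from the thread. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes the howto reads and rewrites in place (mirrors the thread). */
enum { RELOC_SIZE_MIPS_16 = 4, RELOC_SIZE_MIPS_32 = 4 };

/* Hypothetical relocation record: octet offset into the section
   contents, size of the rewritten field, and the addend to apply. */
struct reloc {
    size_t offset;
    size_t size;
    int32_t addend;
};

/* Return 1 if [offset, offset + size) lies wholly inside a section of
   sec_size bytes.  Subtracting rather than adding avoids wrapping. */
int reloc_fits(size_t offset, size_t size, size_t sec_size)
{
    if (offset > sec_size)
        return 0;
    return size <= sec_size - offset;
}

/* Explicit little-endian accessors so the example is host-independent. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Apply a 4-byte in-place relocation only after the range check passes.
   Returns 1 on success, 0 if the relocation is refused.  Refusing is
   what keeps the read/write inside the contents buffer. */
int apply_reloc_checked(uint8_t *contents, size_t sec_size,
                        const struct reloc *r)
{
    if (!reloc_fits(r->offset, r->size, sec_size))
        return 0;
    if (r->size != 4)          /* only 4-byte fields are modelled here */
        return 0;
    uint32_t v = get_le32(contents + r->offset);
    v += (uint32_t)r->addend;
    put_le32(contents + r->offset, v);
    return 1;
}

/* The thread's case: a 2-byte `.half' at the very end of a constructed
   8-byte section with a 4-byte R_MIPS_16 attached at offset 6.
   Returns 1 if the relocation was (correctly) refused. */
int half_at_end_is_refused(void)
{
    uint8_t contents[8] = {0};
    struct reloc r = { 6, RELOC_SIZE_MIPS_16, 1 };
    return apply_reloc_checked(contents, sizeof contents, &r) == 0;
}

/* A properly sized 4-byte field 4 bytes before the end applies fine. */
uint32_t word_at_end_value(void)
{
    uint8_t contents[8] = {0};
    struct reloc r = { 4, RELOC_SIZE_MIPS_32, 0x1234 };
    apply_reloc_checked(contents, sizeof contents, &r);
    return get_le32(contents + 4);
}

int main(void)
{
    printf("half at end refused: %d\n", half_at_end_is_refused());
    printf("word at end value: 0x%x\n", word_at_end_value());
    return 0;
}
```

The check is deliberately written as `size <= sec_size - offset` after an `offset > sec_size` guard, so that a large offset cannot wrap the sum and slip past the comparison; that is the property an applier wants whether the relocation came from an assembler bug, as suspected in the thread, or from a crafted object file.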