Subject: Re: [PATCH 1/2] LoongArch: Avoid heap-buffer-overflow in loongarch_elf_relocate_section
From: liuzhensong
To: Xi Ruoyao, binutils@sourceware.org
Cc: Lulu Cheng, Wang Xuerui, Chenghua Xu, mengqinggang@loongson.cn
Date: Wed, 14 Sep 2022 16:57:33 +0800
In-Reply-To: <20220913154414.554861-2-xry111@xry111.site>
References: <20220913154414.554861-1-xry111@xry111.site> <20220913154414.554861-2-xry111@xry111.site>
On 2022/9/13 at 11:44 PM, Xi Ruoyao wrote:
> If a and b are different sections, we cannot access something in b with
> "a->contents + (offset from a)" because "a->contents" and "b->contents"
> are heap buffers allocated separately, not slices of a large buffer.
>
> The issue was found during an attempt to add static-pie support to the
> toolchain with ASAN.

Can you provide compile parameters?

> --- > bfd/elfnn-loongarch.c | 18 ++++++++---------- > 1 file changed, 8 insertions(+), 10 deletions(-) > > diff --git a/bfd/elfnn-loongarch.c b/bfd/elfnn-loongarch.c > index ed42b8b6770..4b408b1db72 100644 > --- a/bfd/elfnn-loongarch.c > +++ b/bfd/elfnn-loongarch.c > @@ -3128,6 +3128,7 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info, > unresolved_reloc = false; > BFD_ASSERT (rel->r_addend == 0); > > + asection *my_got = got; > bfd_vma got_off = 0; > if (h != NULL) > { > @@ -3145,17 +3146,14 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info, > { > idx = (h->plt.offset - PLT_HEADER_SIZE) > / PLT_ENTRY_SIZE; > - got_off = sec_addr (htab->elf.sgotplt) > - + GOTPLT_HEADER_SIZE > - + (idx * GOT_ENTRY_SIZE) > - - sec_addr (htab->elf.sgot); > + my_got = htab->elf.sgotplt; > + got_off = GOTPLT_HEADER_SIZE + idx * GOT_ENTRY_SIZE; > } > else > { > idx = h->plt.offset / PLT_ENTRY_SIZE; > - got_off = sec_addr (htab->elf.sgotplt) > - + (idx * GOT_ENTRY_SIZE) > - - sec_addr (htab->elf.sgot); > + my_got = htab->elf.sgotplt; > + got_off = idx * GOT_ENTRY_SIZE; > } > }
> > @@ -3172,7 +3170,7 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info, > && SYMBOL_REFERENCES_LOCAL (info, h)) > { > Elf_Internal_Rela rela; > - rela.r_offset = sec_addr (got) + got_off; > + rela.r_offset = sec_addr (my_got) + got_off; > rela.r_info = ELFNN_R_INFO (0, R_LARCH_RELATIVE); > rela.r_addend = relocation; > loongarch_elf_append_rela (output_bfd, > @@ -3202,9 +3200,9 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info, > } > } > > - bfd_put_NN (output_bfd, relocation, got->contents + got_off); > + bfd_put_NN (output_bfd, relocation, my_got->contents + got_off); > > - relocation = got_off + sec_addr (got); > + relocation = got_off + sec_addr (my_got); > } > > if (r_type == R_LARCH_GOT_PC_HI20)

This may be the reason for the overflow. We shouldn't write to the GOT table when using a hidden ifunc.

diff --git a/bfd/elfnn-loongarch.c b/bfd/elfnn-loongarch.c index ed42b8b6770..9278faa91aa 100644 --- a/bfd/elfnn-loongarch.c +++ b/bfd/elfnn-loongarch.c @@ -3179,6 +3179,7 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info, htab->elf.srelgot, &rela);                         }                       h->got.offset |= 1; +                     bfd_put_NN (output_bfd, relocation, got->contents + got_off);                     }                 }               else @@ -3200,10 +3201,9 @@ loongarch_elf_relocate_section (bfd *output_bfd, struct bfd_link_info *info,                         }                       local_got_offsets[r_symndx] |= 1;                     } +                 bfd_put_NN (output_bfd, relocation, got->contents + got_off);                 } -             bfd_put_NN (output_bfd, relocation, got->contents + got_off); -               relocation = got_off + sec_addr (got);             }
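Review bot: on the quoted patch, the hunk at -3145 redefines `got_off` as an offset into `my_got` (which is `.got.plt` on the `h->plt.offset` path) instead of an offset into `.got`, so every later use of `got_off` in this function has to be converted along with it; the hunks at -3172 and -3202 convert `rela.r_offset`, the `bfd_put_NN` store and the final `relocation = got_off + sec_addr (my_got);`, but any `got->contents + got_off` or `sec_addr (got) + got_off` remaining outside these hunks would still index `.got` with a `.got.plt` offset, which is exactly the out-of-bounds access the commit message describes. A one-line comment at `asection *my_got = got;` saying it may refer to either `.got` or `.got.plt` would also help, since the name alone does not say so, and the commit message should name the relocation and symbol combination that produced the ASAN report so the fix can be covered by a testcase.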
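Review bot: on the alternative diff in the reply, the two moved stores sit at different nesting levels: in the hunk at -3179, `bfd_put_NN (output_bfd, relocation, got->contents + got_off);` is placed inside the block that ends with `h->got.offset |= 1;`, so a global symbol's GOT entry is written only when it is first resolved, while in the hunk at -3200 the same store is placed after the closing brace of the block that ends with `local_got_offsets[r_symndx] |= 1;`, so a local symbol's entry is rewritten on every relocation against it. The two placements should match. The diff also carries no explanation: as far as the visible hunks show, it avoids the overflow by no longer reaching any store from the path where `got_off` is computed from `htab->elf.sgotplt`, rather than by fixing the `got->contents` arithmetic as the original patch does, and it keeps `relocation = got_off + sec_addr (got);` as context, which still depends on the old `sgotplt - sgot` offset arithmetic; a commit message should state why a hidden ifunc's `.got.plt` entry must not be written here and that the offset arithmetic is intentionally left as is.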