_bfd_clear_contents bounds checking

This PR shows a fuzzed binary triggering a segfault via a bad
relocation in .debug_line.  It turns out that unlike normal
relocations applied to a section, the linker applies those with
symbols from discarded sections via _bfd_clear_contents without
checking that the relocation is within the section bounds.  The same
thing now happens when reading debug sections since commit
a4cd947aca23, the PR23425 fix.

	PR 23770
	PR 23425
	* reloc.c (_bfd_clear_contents): Replace "location" param with
	"buf" and "off".  Bounds check "off".  Return status.
	* cofflink.c (_bfd_coff_generic_relocate_section): Update
	_bfd_clear_contents call.
	* elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
	* elf32-arc.c (elf_arc_relocate_section): Likewise.
	* elf32-i386.c (elf_i386_relocate_section): Likewise.
	* elf32-metag.c (metag_final_link_relocate): Likewise.
	* elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
	* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
	* elf32-visium.c (visium_elf_relocate_section): Likewise.
	* elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
	* elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
	* libbfd-in.h (_bfd_clear_contents): Update prototype.
	* libbfd.h: Regenerate.

14 files changed, 50 insertions, 23 deletions

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 68c1ff6..e9696ee 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,23 @@
+2018-10-13  Alan Modra  <amodra@gmail.com>
+
+	PR 23770
+	PR 23425
+	* reloc.c (_bfd_clear_contents): Replace "location" param with
+	"buf" and "off".  Bounds check "off".  Return status.
+	* cofflink.c (_bfd_coff_generic_relocate_section): Update
+	_bfd_clear_contents call.
+	* elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise.
+	* elf32-arc.c (elf_arc_relocate_section): Likewise.
+	* elf32-i386.c (elf_i386_relocate_section): Likewise.
+	* elf32-metag.c (metag_final_link_relocate): Likewise.
+	* elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise.
+	* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
+	* elf32-visium.c (visium_elf_relocate_section): Likewise.
+	* elf64-ppc.c (ppc64_elf_relocate_section): Likewise.
+	* elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise.
+	* libbfd-in.h (_bfd_clear_contents): Update prototype.
+	* libbfd.h: Regenerate.
+
 2018-10-09  Egeyar Bagcioglu  <egeyar.bagcioglu@oracle.com>
 
 	* elflink.c (elf_link_output_extsym): Do not place symbols into a
diff --git a/bfd/cofflink.c b/bfd/cofflink.c
index 2f73f72..b7ea69b 100644
--- a/bfd/cofflink.c
+++ b/bfd/cofflink.c
@@ -3080,7 +3080,7 @@ _bfd_coff_generic_relocate_section (bfd *output_bfd,
       if (sec != NULL && discarded_section (sec))
 	{
 	  _bfd_clear_contents (howto, input_bfd, input_section,
-			       contents + (rel->r_vaddr - input_section->vma));
+			       contents, rel->r_vaddr - input_section->vma);
 	  continue;
 	}
 
diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
index cf256f7..3374f41 100644
--- a/bfd/elf-bfd.h
+++ b/bfd/elf-bfd.h
@@ -2847,7 +2847,7 @@ extern asection _bfd_elf_large_com_section;
   {									\
     int i_;								\
     _bfd_clear_contents (howto, input_bfd, input_section,		\
-			 contents + rel[index].r_offset);		\
+			 contents, rel[index].r_offset);		\
 									\
     if (bfd_link_relocatable (info)					\
 	&& (input_section->flags & SEC_DEBUGGING))			\
diff --git a/bfd/elf32-arc.c b/bfd/elf32-arc.c
index 7a1b304..30f47a5 100644
--- a/bfd/elf32-arc.c
+++ b/bfd/elf32-arc.c
@@ -1568,7 +1568,7 @@ elf_arc_relocate_section (bfd *			  output_bfd,
       if (sec != NULL && discarded_section (sec))
 	{
 	  _bfd_clear_contents (howto, input_bfd, input_section,
-			       contents + rel->r_offset);
+			       contents, rel->r_offset);
 	  rel->r_info = 0;
 	  rel->r_addend = 0;
 
diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
index 49797dc..1774717 100644
--- a/bfd/elf32-i386.c
+++ b/bfd/elf32-i386.c
@@ -2197,7 +2197,7 @@ elf_i386_relocate_section (bfd *output_bfd,
       if (sec != NULL && discarded_section (sec))
 	{
 	  _bfd_clear_contents (howto, input_bfd, input_section,
-			       contents + rel->r_offset);
+			       contents, rel->r_offset);
 	  wrel->r_offset = rel->r_offset;
 	  wrel->r_info = 0;
 	  wrel->r_addend = 0;
diff --git a/bfd/elf32-metag.c b/bfd/elf32-metag.c
index efe95bd..7f96246 100644
--- a/bfd/elf32-metag.c
+++ b/bfd/elf32-metag.c
@@ -1396,7 +1396,7 @@ metag_final_link_relocate (reloc_howto_type *howto,
 					      rel, relend, howto, contents) \
   {									\
     _bfd_clear_contents (howto, input_bfd, input_section,		\
-			 contents + rel->r_offset);			\
+			 contents, rel->r_offset);			\
 									\
     if (bfd_link_relocatable (info)					\
 	&& (input_section->flags & SEC_DEBUGGING))			\
diff --git a/bfd/elf32-nds32.c b/bfd/elf32-nds32.c
index 0d86e5b..184cf32 100644
--- a/bfd/elf32-nds32.c
+++ b/bfd/elf32-nds32.c
@@ -13217,14 +13217,14 @@ nds32_elf_get_relocated_section_contents (bfd *abfd,
 	  symbol = *(*parent)->sym_ptr_ptr;
 	  if (symbol->section && discarded_section (symbol->section))
 	    {
-	      bfd_byte *p;
+	      bfd_vma off;
 	      static reloc_howto_type none_howto
 		= HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
 			 "unused", FALSE, 0, 0, FALSE);
 
-	      p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
-	      _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
-				   p);
+	      off = (*parent)->address * bfd_octets_per_byte (input_bfd);
+	      _bfd_clear_contents ((*parent)->howto, input_bfd,
+				   input_section, data, off);
 	      (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
 	      (*parent)->addend = 0;
 	      (*parent)->howto = &none_howto;
diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c
index 61f70de..c31e26e 100644
--- a/bfd/elf32-ppc.c
+++ b/bfd/elf32-ppc.c
@@ -7090,7 +7090,7 @@ ppc_elf_relocate_section (bfd *output_bfd,
 	    howto = ppc_elf_howto_table[r_type];
 
 	  _bfd_clear_contents (howto, input_bfd, input_section,
-			       contents + rel->r_offset);
+			       contents, rel->r_offset);
 	  wrel->r_offset = rel->r_offset;
 	  wrel->r_info = 0;
 	  wrel->r_addend = 0;
diff --git a/bfd/elf32-visium.c b/bfd/elf32-visium.c
index e8f1c4c..961366c 100644
--- a/bfd/elf32-visium.c
+++ b/bfd/elf32-visium.c
@@ -621,7 +621,7 @@ visium_elf_relocate_section (bfd *output_bfd,
 	     or sections discarded by a linker script, we just want the
 	     section contents zeroed.  Avoid any special processing.  */
 	  _bfd_clear_contents (howto, input_bfd, input_section,
-			       contents + rel->r_offset);
+			       contents, rel->r_offset);
 
 	  rel->r_info = 0;
 	  rel->r_addend = 0;
diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c
index eadde17..7c3534a 100644
--- a/bfd/elf64-ppc.c
+++ b/bfd/elf64-ppc.c
@@ -13491,7 +13491,7 @@ ppc64_elf_relocate_section (bfd *output_bfd,
 	{
 	  _bfd_clear_contents (ppc64_elf_howto_table[r_type],
 			       input_bfd, input_section,
-			       contents + rel->r_offset);
+			       contents, rel->r_offset);
 	  wrel->r_offset = rel->r_offset;
 	  wrel->r_info = 0;
 	  wrel->r_addend = 0;
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index c3a6c31..4dcab43 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -2490,7 +2490,7 @@ elf_x86_64_relocate_section (bfd *output_bfd,
       if (sec != NULL && discarded_section (sec))
 	{
 	  _bfd_clear_contents (howto, input_bfd, input_section,
-			       contents + rel->r_offset);
+			       contents, rel->r_offset);
 	  wrel->r_offset = rel->r_offset;
 	  wrel->r_info = 0;
 	  wrel->r_addend = 0;
diff --git a/bfd/libbfd-in.h b/bfd/libbfd-in.h
index e53b255..f6d9565 100644
--- a/bfd/libbfd-in.h
+++ b/bfd/libbfd-in.h
@@ -697,8 +697,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
   (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
 
 /* Clear a given location using a given howto.  */
-extern void _bfd_clear_contents
-  (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
+extern bfd_reloc_status_type _bfd_clear_contents
+  (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
 
 /* Link stabs in sections in the first pass.  */
 
diff --git a/bfd/libbfd.h b/bfd/libbfd.h
index a8851c8..1189e63 100644
--- a/bfd/libbfd.h
+++ b/bfd/libbfd.h
@@ -702,8 +702,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents
   (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN;
 
 /* Clear a given location using a given howto.  */
-extern void _bfd_clear_contents
-  (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN;
+extern bfd_reloc_status_type _bfd_clear_contents
+  (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN;
 
 /* Link stabs in sections in the first pass.  */
 
diff --git a/bfd/reloc.c b/bfd/reloc.c
index 8dbb889..1686780 100644
--- a/bfd/reloc.c
+++ b/bfd/reloc.c
@@ -1504,15 +1504,21 @@ _bfd_relocate_contents (reloc_howto_type *howto,
    relocations against discarded symbols, to make ignorable debug or unwind
    information more obvious.  */
 
-void
+bfd_reloc_status_type
 _bfd_clear_contents (reloc_howto_type *howto,
 		     bfd *input_bfd,
 		     asection *input_section,
-		     bfd_byte *location)
+		     bfd_byte *buf,
+		     bfd_vma off)
 {
   bfd_vma x;
+  bfd_byte *location;
+
+  if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, off))
+    return bfd_reloc_outofrange;
 
   /* Get the value we are going to relocate.  */
+  location = buf + off;
   x = read_reloc (input_bfd, location, howto);
 
   /* Zero out the unwanted bits of X.  */
@@ -1527,6 +1533,7 @@ _bfd_clear_contents (reloc_howto_type *howto,
 
   /* Put the relocated value back in the object file.  */
   write_reloc (input_bfd, x, location, howto);
+  return bfd_reloc_ok;
 }
 
 /*
@@ -8336,14 +8343,14 @@ bfd_generic_get_relocated_section_contents (bfd *abfd,
 		  && (input_section->flags & SEC_DEBUGGING) != 0
 		  && link_info->input_bfds == link_info->output_bfd))
 	    {
-	      bfd_byte *p;
+	      bfd_vma off;
 	      static reloc_howto_type none_howto
 		= HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL,
 			 "unused", FALSE, 0, 0, FALSE);
 
-	      p = data + (*parent)->address * bfd_octets_per_byte (input_bfd);
-	      _bfd_clear_contents ((*parent)->howto, input_bfd, input_section,
-				   p);
+	      off = (*parent)->address * bfd_octets_per_byte (input_bfd);
+	      _bfd_clear_contents ((*parent)->howto, input_bfd,
+				   input_section, data, off);
 	      (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
 	      (*parent)->addend = 0;
 	      (*parent)->howto = &none_howto;