diff options
| author | Alan Modra <amodra@gmail.com> | 2021-12-17 13:32:36 +1030 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2021-12-17 16:01:34 +1030 |
| commit | 9b54b561858b3fb265f57d2b4ddf35fba2603069 (patch) | |
| tree | 9ff7d9d54ad410b8599faeaa0547584121162d1c /bfd/elf64-bpf.c | |
| parent | b39de8897a9a3de9a1146c020be29e0742dad747 (diff) | |
| download | gdb-9b54b561858b3fb265f57d2b4ddf35fba2603069.zip gdb-9b54b561858b3fb265f57d2b4ddf35fba2603069.tar.gz gdb-9b54b561858b3fb265f57d2b4ddf35fba2603069.tar.bz2 | |
asan: heap-buffer-overflow in bpf_elf_generic_reloc
The bpf reloc howtos are a bit weird, using bitpos to specify an
offset from r_offset that is outside the size of the reloc as given by
howto.size. That means bfd_get_reloc_size gives the wrong answer for
range checking, and thus bfd_reloc_offset_in_range can't be used.
* elf64-bpf.c (bpf_elf_generic_reloc): Handle bitpos offset reloc
range checking.
Diffstat (limited to 'bfd/elf64-bpf.c')
| -rw-r--r-- | bfd/elf64-bpf.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/bfd/elf64-bpf.c b/bfd/elf64-bpf.c index beabad7..4e5f9d1 100644 --- a/bfd/elf64-bpf.c +++ b/bfd/elf64-bpf.c @@ -608,15 +608,16 @@ bpf_elf_generic_reloc (bfd *abfd, arelent *reloc_entry, asymbol *symbol, bfd_byte *where; /* Sanity check that the address is in range. */ + bfd_size_type end = bfd_get_section_limit_octets (abfd, input_section); + bfd_size_type reloc_size; if (reloc_entry->howto->type == R_BPF_INSN_64) - { - bfd_size_type end = bfd_get_section_limit_octets (abfd, input_section); - if (reloc_entry->address > end - || end - reloc_entry->address < 16) - return bfd_reloc_outofrange; - } - else if (!bfd_reloc_offset_in_range (reloc_entry->howto, abfd, input_section, - reloc_entry->address)) + reloc_size = 16; + else + reloc_size = (reloc_entry->howto->bitsize + + reloc_entry->howto->bitpos) / 8; + + if (reloc_entry->address > end + || end - reloc_entry->address < reloc_size) return bfd_reloc_outofrange; /* Get the symbol value. */ |