aboutsummaryrefslogtreecommitdiff
path: root/bfd/elfn32-mips.c
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2022-12-09 17:58:58 +1030
committerAlan Modra <amodra@gmail.com>2022-12-09 21:38:46 +1030
commit73425813c1b6286fd589fcf0ef9335e8240137a9 (patch)
tree41b84b5b2ddeb40c9fddd0e528827114a757bdb9 /bfd/elfn32-mips.c
parent8b272d7671fb9af34fe14bd274e97f05bb299635 (diff)
downloadgdb-73425813c1b6286fd589fcf0ef9335e8240137a9.zip
gdb-73425813c1b6286fd589fcf0ef9335e8240137a9.tar.gz
gdb-73425813c1b6286fd589fcf0ef9335e8240137a9.tar.bz2
PR28306, segfault in _bfd_mips_elf_reloc_unshuffle
Access to section data during relocation processing should be bounds checked, as it is in bfd_perform_relocation. bfd_perform_relocation does these checks after any special_function is called. So a reloc special_function needs to do its own bounds checking before accessing section data. This patch adds many such checks to the mips backend. Checking mips relocs is not without some difficulty. See the comment in _bfd_mips_reloc_offset_in_range. In a multitple reloc sequence applied to the same location, relocs that may appear somewhere other than the last one of the sequence need to be treated specially since they apply to the addend for the next relocation rather than the section contents. If the addend is in the section then it needs to be checked but not when the addend is in the reloc. check_inplace handles this situation. _bfd_mips_reloc_offset_in_range with check_shuffle handles the case where contents are shuffled before applying the relocation. PR 28306 * elf32-mips.c (_bfd_mips_elf32_gprel16_reloc): Check reloc address using _bfd_mips_reloc_offset_in_range. (gprel32_with_gp, mips16_gprel_reloc): Likewise. * elf64-mips.c (mips_elf64_gprel32_reloc): Likewise. (mips16_gprel_reloc): Likewise. * elfn32-mips.c (mips16_gprel_reloc): Likewise. (gprel32_with_gp): Check reloc address using bfd_reloc_offset_in_range. * elfxx-mips.h (enum reloc_check): Define. (_bfd_mips_reloc_offset_in_range): Declare. * elfxx-mips.c (needs_shuffle): New function. (_bfd_mips_elf_reloc_unshuffle, _bfd_mips_elf_reloc_shuffle): Use it. (_bfd_mips_reloc_offset_in_range): New function. (_bfd_mips_elf_gprel16_with_gp): Move reloc address checks to partial_inplace handling. Use bfd_reloc_offset_in_range. (_bfd_mips_elf_lo16_reloc): Check reloc address using bfd_reloc_offset_in_range. (_bfd_mips_elf_generic_reloc): Check reloc address using _bfd_mips_reloc_offset_in_range. (mips_elf_calculate_relocation): Check reloc address before calling mips_elf_nullify_got_load. (_bfd_mips_elf_check_relocs): Likewise. (mips_elf_read_rel_addend): Add sec param, check reloc address before reading. Adjust callers. (mips_elf_add_lo16_rel_addend): Add sec param, adjust callers.
Diffstat (limited to 'bfd/elfn32-mips.c')
-rw-r--r--bfd/elfn32-mips.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/bfd/elfn32-mips.c b/bfd/elfn32-mips.c
index ac604ed..d222d1a 100644
--- a/bfd/elfn32-mips.c
+++ b/bfd/elfn32-mips.c
@@ -3411,7 +3411,8 @@ gprel32_with_gp (bfd *abfd, asymbol *symbol, arelent *reloc_entry,
relocation += symbol->section->output_section->vma;
relocation += symbol->section->output_offset;
- if (reloc_entry->address > bfd_get_section_limit (abfd, input_section))
+ if (!bfd_reloc_offset_in_range (reloc_entry->howto, abfd, input_section,
+ reloc_entry->address))
return bfd_reloc_outofrange;
if (reloc_entry->howto->src_mask == 0)
@@ -3491,6 +3492,10 @@ mips16_gprel_reloc (bfd *abfd, arelent *reloc_entry, asymbol *symbol,
if (ret != bfd_reloc_ok)
return ret;
+ if (!_bfd_mips_reloc_offset_in_range (abfd, input_section, reloc_entry,
+ check_shuffle))
+ return bfd_reloc_outofrange;
+
location = (bfd_byte *) data + reloc_entry->address;
_bfd_mips_elf_reloc_unshuffle (abfd, reloc_entry->howto->type, false,
location);