authorNick Clifton <nickc@redhat.com>2015-01-08 12:37:46 +0000
committerNick Clifton <nickc@redhat.com>2015-01-08 12:37:46 +0000
commit3565cf8fedf2bae2b383fae66dde62c3bdae51c9 (patch)
tree21c3b99a8b0addfa8bed0af8c376321c667c67f5 /binutils
parent025ac41482555f6273dee37988734a9f88633dbc (diff)
Fixes for memory access violations triggered by running nlmconv on
fuzzed binaries. PR binutils/17512 * nlmconv.c (i386_mangle_relocs): Skip relocs without an associated symbol. (powerpc_mangle_relocs): Skip unrecognised relocs. Check address range before applying a reloc.
Diffstat (limited to 'binutils')
-rw-r--r--binutils/ChangeLog8
-rw-r--r--binutils/nlmconv.c30
2 files changed, 36 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 17d2dd6..cfad0f7 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2015-01-08 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17512
+ * nlmconv.c (i386_mangle_relocs): Skip relocs without an
+ associated symbol.
+ (powerpc_mangle_relocs): Skip unrecognised relocs. Check address
+ range before applying a reloc.
+
2015-01-07 Nick Clifton <nickc@redhat.com>
PR binutils/17512
diff --git a/binutils/nlmconv.c b/binutils/nlmconv.c
index d0db1b3..8c4975d 100644
--- a/binutils/nlmconv.c
+++ b/binutils/nlmconv.c
@@ -1415,6 +1415,9 @@ i386_mangle_relocs (bfd *outbfd, asection *insec, arelent ***relocs_ptr,
bfd_vma addend;
rel = *relocs++;
+ /* PR 17512: file: 057f89c1. */
+ if (rel->sym_ptr_ptr == NULL)
+ continue;
sym = *rel->sym_ptr_ptr;
/* We're moving the relocs from the input section to the output
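Review bot: The new guard `if (rel->sym_ptr_ptr == NULL) continue;` drops the reloc silently, whereas the range checks this same commit adds to powerpc_mangle_relocs report through non_fatal before skipping, so a damaged input is converted with relocs missing and no indication to the user. Consider `non_fatal (_("Skipping reloc with no associated symbol"));` ahead of the `continue`, and the same for the `rel->howto == NULL` skip added in the @@ -1910,6 +1913,10 @@ hunk of powerpc_mangle_relocs. The check only covers a NULL sym_ptr_ptr; whether `*rel->sym_ptr_ptr` itself can be NULL for a fuzzed input is not visible here. i386_mangle_relocs begins and ends outside this hunk.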
@@ -1871,7 +1874,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
toc_howto = bfd_reloc_type_lookup (insec->owner, BFD_RELOC_PPC_TOC16);
if (toc_howto == (reloc_howto_type *) NULL)
- abort ();
+ fatal (_("Unable to locate PPC_TOC16 reloc information"));
/* If this is the .got section, clear out all the contents beyond
the initial size. We must do this here because copy_sections is
@@ -1910,6 +1913,10 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
}
}
+ /* PR 17512: file: 70cfde95. */
+ if (rel->howto == NULL)
+ continue;
+
/* We must be able to resolve all PC relative relocs at this
point. If we get a branch to an undefined symbol we build a
stub, since NetWare will resolve undefined symbols into a
@@ -1927,6 +1934,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
{
bfd_vma val;
+ if (rel->address > contents_size - 4)
+ {
+ non_fatal (_("Out of range relocation: %lx"), rel->address);
+ break;
+ }
+
assert (rel->howto->size == 2 && rel->howto->pcrel_offset);
val = bfd_get_32 (outbfd, (bfd_byte *) contents + rel->address);
val = ((val &~ rel->howto->dst_mask)
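Review bot: The bound `rel->address > contents_size - 4` is computed in unsigned arithmetic if contents_size is a bfd_size_type as the rest of nlmconv.c suggests, so when contents_size is smaller than 4 the subtraction wraps and every address passes, leaving the `bfd_get_32` on the next line free to read past contents — the very input class this commit targets. Writing it as `if (contents_size < 4 || rel->address > contents_size - 4)` removes the wrap without risking overflow on the addition side. The same pattern appears in the two later hunks (@@ -1976 `case 1:` with `- 2`, @@ -1991 `case 2:` with `- 4`). Separately, `%lx` with a bfd_vma argument is only well-defined where bfd_vma is unsigned long; `(unsigned long) rel->address` or BFD's vma format macro keeps the message portable. The enclosing loop and the target of the `break` lie outside this hunk.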
@@ -1976,6 +1989,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
switch (rel->howto->size)
{
case 1:
+ if (rel->address > contents_size - 2)
+ {
+ non_fatal (_("Out of range relocation: %lx"), rel->address);
+ break;
+ }
+
val = bfd_get_16 (outbfd,
(bfd_byte *) contents + rel->address);
val = ((val &~ rel->howto->dst_mask)
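Review bot: The `break` after the non_fatal in `case 1:` only leaves the switch, not the reloc loop, so an out-of-range reloc still flows into the code following the switch (the `if (! bfd_is_und_section ...)` path visible in the final hunk) with its bogus address in rel; in the PC-relative hunk above the equivalent `break` presumably leaves the enclosing loop, so the two checks behave differently for the same condition. If stopping as in the earlier hunk is intended, a `goto` past the post-switch code or a flag is needed; if only this reloc should be skipped, `continue` is the right statement. The same applies to the `case 2:` check in the following hunk (@@ -1991). What runs after the switch is mostly outside this hunk, so the exact consequence is inferred.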
@@ -1991,6 +2010,13 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
break;
case 2:
+ /* PR 17512: file: 0455a112. */
+ if (rel->address > contents_size - 4)
+ {
+ non_fatal (_("Out of range relocation: %lx"), rel->address);
+ break;
+ }
+
val = bfd_get_32 (outbfd,
(bfd_byte *) contents + rel->address);
val = ((val &~ rel->howto->dst_mask)
@@ -2002,7 +2028,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
break;
default:
- abort ();
+ fatal (_("Unsupported relocation size: %d"), rel->howto->size);
}
if (! bfd_is_und_section (bfd_get_section (sym)))