diff options
| author | Nick Clifton <nickc@redhat.com> | 2015-01-08 12:37:46 +0000 |
|---|---|---|
| committer | Nick Clifton <nickc@redhat.com> | 2015-01-08 12:37:46 +0000 |
| commit | 3565cf8fedf2bae2b383fae66dde62c3bdae51c9 (patch) | |
| tree | 21c3b99a8b0addfa8bed0af8c376321c667c67f5 /binutils | |
| parent | 025ac41482555f6273dee37988734a9f88633dbc (diff) | |
| download | gdb-3565cf8fedf2bae2b383fae66dde62c3bdae51c9.zip gdb-3565cf8fedf2bae2b383fae66dde62c3bdae51c9.tar.gz gdb-3565cf8fedf2bae2b383fae66dde62c3bdae51c9.tar.bz2 | |
Fixes for memory access violations triggered by running nlmconv on
fuzzed binaries.
PR binutils/17512
* nlmconv.c (i386_mangle_relocs): Skip relocs without an
associated symbol.
(powerpc_mangle_relocs): Skip unrecognised relocs. Check address
range before applying a reloc.
Diffstat (limited to 'binutils')
| -rw-r--r-- | binutils/ChangeLog | 8 | ||||
| -rw-r--r-- | binutils/nlmconv.c | 30 |
2 files changed, 36 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 17d2dd6..cfad0f7 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,11 @@ +2015-01-08 Nick Clifton <nickc@redhat.com> + + PR binutils/17512 + * nlmconv.c (i386_mangle_relocs): Skip relocs without an + associated symbol. + (powerpc_mangle_relocs): Skip unrecognised relocs. Check address + range before applying a reloc. + 2015-01-07 Nick Clifton <nickc@redhat.com> PR binutils/17512 diff --git a/binutils/nlmconv.c b/binutils/nlmconv.c index d0db1b3..8c4975d 100644 --- a/binutils/nlmconv.c +++ b/binutils/nlmconv.c @@ -1415,6 +1415,9 @@ i386_mangle_relocs (bfd *outbfd, asection *insec, arelent ***relocs_ptr, bfd_vma addend; rel = *relocs++; + /* PR 17512: file: 057f89c1. */ + if (rel->sym_ptr_ptr == NULL) + continue; sym = *rel->sym_ptr_ptr; /* We're moving the relocs from the input section to the output @@ -1871,7 +1874,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec, toc_howto = bfd_reloc_type_lookup (insec->owner, BFD_RELOC_PPC_TOC16); if (toc_howto == (reloc_howto_type *) NULL) - abort (); + fatal (_("Unable to locate PPC_TOC16 reloc information")); /* If this is the .got section, clear out all the contents beyond the initial size. We must do this here because copy_sections is @@ -1910,6 +1913,10 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec, } } + /* PR 17512: file: 70cfde95. */ + if (rel->howto == NULL) + continue; + /* We must be able to resolve all PC relative relocs at this point. If we get a branch to an undefined symbol we build a stub, since NetWare will resolve undefined symbols into a @@ -1927,6 +1934,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec, { bfd_vma val; + if (rel->address > contents_size - 4) + { + non_fatal (_("Out of range relocation: %lx"), rel->address); + break; + } + assert (rel->howto->size == 2 && rel->howto->pcrel_offset); val = bfd_get_32 (outbfd, (bfd_byte *) contents + rel->address); val = ((val &~ rel->howto->dst_mask) @@ -1976,6 +1989,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec, switch (rel->howto->size) { case 1: + if (rel->address > contents_size - 2) + { + non_fatal (_("Out of range relocation: %lx"), rel->address); + break; + } + val = bfd_get_16 (outbfd, (bfd_byte *) contents + rel->address); val = ((val &~ rel->howto->dst_mask) @@ -1991,6 +2010,13 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec, break; case 2: + /* PR 17512: file: 0455a112. */ + if (rel->address > contents_size - 4) + { + non_fatal (_("Out of range relocation: %lx"), rel->address); + break; + } + val = bfd_get_32 (outbfd, (bfd_byte *) contents + rel->address); val = ((val &~ rel->howto->dst_mask) @@ -2002,7 +2028,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec, break; default: - abort (); + fatal (_("Unsupported relocation size: %d"), rel->howto->size); } if (! bfd_is_und_section (bfd_get_section (sym))) |