| From 0930cb3021b8078b34cf216e79eb8608d017864f Mon Sep 17 00:00:00 2001 |
| From: Alan Modra <amodra@gmail.com> |
| Date: Sat, 13 Oct 2018 22:03:02 +1030 |
| Subject: [PATCH] _bfd_clear_contents bounds checking |
| |
| This PR shows a fuzzed binary triggering a segfault via a bad |
| relocation in .debug_line. It turns out that unlike normal |
| relocations applied to a section, the linker applies those with |
| symbols from discarded sections via _bfd_clear_contents without |
| checking that the relocation is within the section bounds. The same |
| thing now happens when reading debug sections since commit |
| a4cd947aca23, the PR23425 fix. |
| |
| PR 23770 |
| PR 23425 |
| * reloc.c (_bfd_clear_contents): Replace "location" param with |
| "buf" and "off". Bounds check "off". Return status. |
| * cofflink.c (_bfd_coff_generic_relocate_section): Update |
| _bfd_clear_contents call. |
| * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise. |
| * elf32-arc.c (elf_arc_relocate_section): Likewise. |
| * elf32-i386.c (elf_i386_relocate_section): Likewise. |
| * elf32-metag.c (metag_final_link_relocate): Likewise. |
| * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise. |
| * elf32-ppc.c (ppc_elf_relocate_section): Likewise. |
| * elf32-visium.c (visium_elf_relocate_section): Likewise. |
| * elf64-ppc.c (ppc64_elf_relocate_section): Likewise. |
| * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise. |
| * libbfd-in.h (_bfd_clear_contents): Update prototype. |
| * libbfd.h: Regenerate. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2018-18605 |
| Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> |
| --- |
| bfd/ChangeLog | 20 ++++++++++++++++++++ |
| bfd/cofflink.c | 2 +- |
| bfd/elf-bfd.h | 2 +- |
| bfd/elf32-arc.c | 2 +- |
| bfd/elf32-i386.c | 2 +- |
| bfd/elf32-metag.c | 2 +- |
| bfd/elf32-nds32.c | 8 ++++---- |
| bfd/elf32-ppc.c | 2 +- |
| bfd/elf32-visium.c | 2 +- |
| bfd/elf64-ppc.c | 2 +- |
| bfd/elf64-x86-64.c | 2 +- |
| bfd/libbfd-in.h | 4 ++-- |
| bfd/libbfd.h | 4 ++-- |
| bfd/reloc.c | 19 +++++++++++++------ |
| 14 files changed, 50 insertions(+), 23 deletions(-) |
| |
| diff --git a/bfd/ChangeLog b/bfd/ChangeLog |
| index 68c1ff665b..e9696ee314 100644 |
| --- a/bfd/ChangeLog |
| +++ b/bfd/ChangeLog |
| @@ -1,3 +1,23 @@ |
| +2018-10-13 Alan Modra <amodra@gmail.com> |
| + |
| + PR 23770 |
| + PR 23425 |
| + * reloc.c (_bfd_clear_contents): Replace "location" param with |
| + "buf" and "off". Bounds check "off". Return status. |
| + * cofflink.c (_bfd_coff_generic_relocate_section): Update |
| + _bfd_clear_contents call. |
| + * elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Likewise. |
| + * elf32-arc.c (elf_arc_relocate_section): Likewise. |
| + * elf32-i386.c (elf_i386_relocate_section): Likewise. |
| + * elf32-metag.c (metag_final_link_relocate): Likewise. |
| + * elf32-nds32.c (nds32_elf_get_relocated_section_contents): Likewise. |
| + * elf32-ppc.c (ppc_elf_relocate_section): Likewise. |
| + * elf32-visium.c (visium_elf_relocate_section): Likewise. |
| + * elf64-ppc.c (ppc64_elf_relocate_section): Likewise. |
| + * elf64-x86-64.c *(elf_x86_64_relocate_section): Likewise. |
| + * libbfd-in.h (_bfd_clear_contents): Update prototype. |
| + * libbfd.h: Regenerate. |
| + |
| 2018-09-20 Alan Modra <amodra@gmail.com> |
| |
| PR 23685 |
| diff --git a/bfd/cofflink.c b/bfd/cofflink.c |
| index 2f73f72e31..b7ea69b7f9 100644 |
| --- a/bfd/cofflink.c |
| +++ b/bfd/cofflink.c |
| @@ -3080,7 +3080,7 @@ _bfd_coff_generic_relocate_section (bfd *output_bfd, |
| if (sec != NULL && discarded_section (sec)) |
| { |
| _bfd_clear_contents (howto, input_bfd, input_section, |
| - contents + (rel->r_vaddr - input_section->vma)); |
| + contents, rel->r_vaddr - input_section->vma); |
| continue; |
| } |
| |
| diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h |
| index cf256f70e0..3374f411f9 100644 |
| --- a/bfd/elf-bfd.h |
| +++ b/bfd/elf-bfd.h |
| @@ -2811,7 +2811,7 @@ extern asection _bfd_elf_large_com_section; |
| { \ |
| int i_; \ |
| _bfd_clear_contents (howto, input_bfd, input_section, \ |
| - contents + rel[index].r_offset); \ |
| + contents, rel[index].r_offset); \ |
| \ |
| if (bfd_link_relocatable (info) \ |
| && (input_section->flags & SEC_DEBUGGING)) \ |
| diff --git a/bfd/elf32-arc.c b/bfd/elf32-arc.c |
| index 7a1b3042ae..30f47a5b22 100644 |
| --- a/bfd/elf32-arc.c |
| +++ b/bfd/elf32-arc.c |
| @@ -1549,7 +1549,7 @@ elf_arc_relocate_section (bfd * output_bfd, |
| if (sec != NULL && discarded_section (sec)) |
| { |
| _bfd_clear_contents (howto, input_bfd, input_section, |
| - contents + rel->r_offset); |
| + contents, rel->r_offset); |
| rel->r_info = 0; |
| rel->r_addend = 0; |
| |
| diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c |
| index 49797dcbfa..177471777d 100644 |
| --- a/bfd/elf32-i386.c |
| +++ b/bfd/elf32-i386.c |
| @@ -2197,7 +2197,7 @@ elf_i386_relocate_section (bfd *output_bfd, |
| if (sec != NULL && discarded_section (sec)) |
| { |
| _bfd_clear_contents (howto, input_bfd, input_section, |
| - contents + rel->r_offset); |
| + contents, rel->r_offset); |
| wrel->r_offset = rel->r_offset; |
| wrel->r_info = 0; |
| wrel->r_addend = 0; |
| diff --git a/bfd/elf32-metag.c b/bfd/elf32-metag.c |
| index efe95bddff..7f96246e5d 100644 |
| --- a/bfd/elf32-metag.c |
| +++ b/bfd/elf32-metag.c |
| @@ -1396,7 +1396,7 @@ metag_final_link_relocate (reloc_howto_type *howto, |
| rel, relend, howto, contents) \ |
| { \ |
| _bfd_clear_contents (howto, input_bfd, input_section, \ |
| - contents + rel->r_offset); \ |
| + contents, rel->r_offset); \ |
| \ |
| if (bfd_link_relocatable (info) \ |
| && (input_section->flags & SEC_DEBUGGING)) \ |
| diff --git a/bfd/elf32-nds32.c b/bfd/elf32-nds32.c |
| index 0d86e5b865..184cf320f7 100644 |
| --- a/bfd/elf32-nds32.c |
| +++ b/bfd/elf32-nds32.c |
| @@ -12582,14 +12582,14 @@ nds32_elf_get_relocated_section_contents (bfd *abfd, |
| symbol = *(*parent)->sym_ptr_ptr; |
| if (symbol->section && discarded_section (symbol->section)) |
| { |
| - bfd_byte *p; |
| + bfd_vma off; |
| static reloc_howto_type none_howto |
| = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL, |
| "unused", FALSE, 0, 0, FALSE); |
| |
| - p = data + (*parent)->address * bfd_octets_per_byte (input_bfd); |
| - _bfd_clear_contents ((*parent)->howto, input_bfd, input_section, |
| - p); |
| + off = (*parent)->address * bfd_octets_per_byte (input_bfd); |
| + _bfd_clear_contents ((*parent)->howto, input_bfd, |
| + input_section, data, off); |
| (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; |
| (*parent)->addend = 0; |
| (*parent)->howto = &none_howto; |
| diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c |
| index 61f70de12e..c31e26efd7 100644 |
| --- a/bfd/elf32-ppc.c |
| +++ b/bfd/elf32-ppc.c |
| @@ -8232,7 +8232,7 @@ ppc_elf_relocate_section (bfd *output_bfd, |
| howto = ppc_elf_howto_table[r_type]; |
| |
| _bfd_clear_contents (howto, input_bfd, input_section, |
| - contents + rel->r_offset); |
| + contents, rel->r_offset); |
| wrel->r_offset = rel->r_offset; |
| wrel->r_info = 0; |
| wrel->r_addend = 0; |
| diff --git a/bfd/elf32-visium.c b/bfd/elf32-visium.c |
| index e8f1c4c9e4..961366cd87 100644 |
| --- a/bfd/elf32-visium.c |
| +++ b/bfd/elf32-visium.c |
| @@ -621,7 +621,7 @@ visium_elf_relocate_section (bfd *output_bfd, |
| or sections discarded by a linker script, we just want the |
| section contents zeroed. Avoid any special processing. */ |
| _bfd_clear_contents (howto, input_bfd, input_section, |
| - contents + rel->r_offset); |
| + contents, rel->r_offset); |
| |
| rel->r_info = 0; |
| rel->r_addend = 0; |
| diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c |
| index eadde17615..7c3534ac65 100644 |
| --- a/bfd/elf64-ppc.c |
| +++ b/bfd/elf64-ppc.c |
| @@ -14073,7 +14073,7 @@ ppc64_elf_relocate_section (bfd *output_bfd, |
| { |
| _bfd_clear_contents (ppc64_elf_howto_table[r_type], |
| input_bfd, input_section, |
| - contents + rel->r_offset); |
| + contents, rel->r_offset); |
| wrel->r_offset = rel->r_offset; |
| wrel->r_info = 0; |
| wrel->r_addend = 0; |
| diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c |
| index c3a6c31ed2..4dcab43478 100644 |
| --- a/bfd/elf64-x86-64.c |
| +++ b/bfd/elf64-x86-64.c |
| @@ -2490,7 +2490,7 @@ elf_x86_64_relocate_section (bfd *output_bfd, |
| if (sec != NULL && discarded_section (sec)) |
| { |
| _bfd_clear_contents (howto, input_bfd, input_section, |
| - contents + rel->r_offset); |
| + contents, rel->r_offset); |
| wrel->r_offset = rel->r_offset; |
| wrel->r_info = 0; |
| wrel->r_addend = 0; |
| diff --git a/bfd/libbfd-in.h b/bfd/libbfd-in.h |
| index e53b255dad..f6d9565f03 100644 |
| --- a/bfd/libbfd-in.h |
| +++ b/bfd/libbfd-in.h |
| @@ -696,8 +696,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents |
| (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN; |
| |
| /* Clear a given location using a given howto. */ |
| -extern void _bfd_clear_contents |
| - (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN; |
| +extern bfd_reloc_status_type _bfd_clear_contents |
| + (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN; |
| |
| /* Link stabs in sections in the first pass. */ |
| |
| diff --git a/bfd/libbfd.h b/bfd/libbfd.h |
| index a8851c8026..1189e63358 100644 |
| --- a/bfd/libbfd.h |
| +++ b/bfd/libbfd.h |
| @@ -701,8 +701,8 @@ extern bfd_reloc_status_type _bfd_relocate_contents |
| (reloc_howto_type *, bfd *, bfd_vma, bfd_byte *) ATTRIBUTE_HIDDEN; |
| |
| /* Clear a given location using a given howto. */ |
| -extern void _bfd_clear_contents |
| - (reloc_howto_type *, bfd *, asection *, bfd_byte *) ATTRIBUTE_HIDDEN; |
| +extern bfd_reloc_status_type _bfd_clear_contents |
| + (reloc_howto_type *, bfd *, asection *, bfd_byte *, bfd_vma) ATTRIBUTE_HIDDEN; |
| |
| /* Link stabs in sections in the first pass. */ |
| |
| diff --git a/bfd/reloc.c b/bfd/reloc.c |
| index 8dbb8896d3..1686780669 100644 |
| --- a/bfd/reloc.c |
| +++ b/bfd/reloc.c |
| @@ -1613,16 +1613,22 @@ _bfd_relocate_contents (reloc_howto_type *howto, |
| relocations against discarded symbols, to make ignorable debug or unwind |
| information more obvious. */ |
| |
| -void |
| +bfd_reloc_status_type |
| _bfd_clear_contents (reloc_howto_type *howto, |
| bfd *input_bfd, |
| asection *input_section, |
| - bfd_byte *location) |
| + bfd_byte *buf, |
| + bfd_vma off) |
| { |
| int size; |
| bfd_vma x = 0; |
| + bfd_byte *location; |
| + |
| + if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, off)) |
| + return bfd_reloc_outofrange; |
| |
| /* Get the value we are going to relocate. */ |
| + location = buf + off; |
| size = bfd_get_reloc_size (howto); |
| switch (size) |
| { |
| @@ -1687,6 +1693,7 @@ _bfd_clear_contents (reloc_howto_type *howto, |
| #endif |
| break; |
| } |
| + return bfd_reloc_ok; |
| } |
| |
| /* |
| @@ -8275,14 +8282,14 @@ bfd_generic_get_relocated_section_contents (bfd *abfd, |
| |
| if (symbol->section && discarded_section (symbol->section)) |
| { |
| - bfd_byte *p; |
| + bfd_vma off; |
| static reloc_howto_type none_howto |
| = HOWTO (0, 0, 0, 0, FALSE, 0, complain_overflow_dont, NULL, |
| "unused", FALSE, 0, 0, FALSE); |
| |
| - p = data + (*parent)->address * bfd_octets_per_byte (input_bfd); |
| - _bfd_clear_contents ((*parent)->howto, input_bfd, input_section, |
| - p); |
| + off = (*parent)->address * bfd_octets_per_byte (input_bfd); |
| + _bfd_clear_contents ((*parent)->howto, input_bfd, |
| + input_section, data, off); |
| (*parent)->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr; |
| (*parent)->addend = 0; |
| (*parent)->howto = &none_howto; |
| -- |
| 2.13.3 |
| |