Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame] | 1 | From 102def4da826b3d9e169741421e5e67e8731909a Mon Sep 17 00:00:00 2001 |
| 2 | From: Alan Modra <amodra@gmail.com> |
| 3 | Date: Tue, 23 Oct 2018 18:30:22 +1030 |
| 4 | Subject: [PATCH] PR23805, NULL pointer dereference in elf_link_input_bfd |
| 5 | |
| 6 | PR 23805 |
| 7 | * elflink.c (elf_link_input_bfd): Don't segfault on finding |
| 8 | STT_TLS symbols without any TLS sections. Instead, change the |
| 9 | symbol type to STT_NOTYPE. |
| 10 | |
| 11 | Upstream-Status: Backport |
| 12 | CVE: CVE-2018-18606 |
| 13 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> |
| 14 | --- |
| 15 | bfd/ChangeLog | 7 +++++++ |
| 16 | bfd/elflink.c | 20 ++++++++++++++------ |
| 17 | 2 files changed, 21 insertions(+), 6 deletions(-) |
| 18 | |
Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame] | 19 | --- a/bfd/elflink.c |
| 20 | +++ b/bfd/elflink.c |
Brad Bishop | 977dc1a | 2019-02-06 16:01:43 -0500 | [diff] [blame] | 21 | @@ -10496,8 +10496,11 @@ elf_link_input_bfd (struct elf_final_lin |
Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame] | 22 | if (ELF_ST_TYPE (osym.st_info) == STT_TLS) |
| 23 | { |
| 24 | /* STT_TLS symbols are relative to PT_TLS segment base. */ |
| 25 | - BFD_ASSERT (elf_hash_table (flinfo->info)->tls_sec != NULL); |
| 26 | - osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma; |
| 27 | + if (elf_hash_table (flinfo->info)->tls_sec != NULL) |
| 28 | + osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma; |
| 29 | + else |
| 30 | + osym.st_info = ELF_ST_INFO (ELF_ST_BIND (osym.st_info), |
| 31 | + STT_NOTYPE); |
| 32 | } |
| 33 | } |
| 34 | |
Brad Bishop | 977dc1a | 2019-02-06 16:01:43 -0500 | [diff] [blame] | 35 | @@ -11053,12 +11056,17 @@ elf_link_input_bfd (struct elf_final_lin |
Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame] | 36 | sym.st_value += osec->vma; |
| 37 | if (ELF_ST_TYPE (sym.st_info) == STT_TLS) |
| 38 | { |
| 39 | + struct elf_link_hash_table *htab |
| 40 | + = elf_hash_table (flinfo->info); |
| 41 | + |
| 42 | /* STT_TLS symbols are relative to PT_TLS |
| 43 | segment base. */ |
| 44 | - BFD_ASSERT (elf_hash_table (flinfo->info) |
| 45 | - ->tls_sec != NULL); |
| 46 | - sym.st_value -= (elf_hash_table (flinfo->info) |
| 47 | - ->tls_sec->vma); |
| 48 | + if (htab->tls_sec != NULL) |
| 49 | + sym.st_value -= htab->tls_sec->vma; |
| 50 | + else |
| 51 | + sym.st_info |
| 52 | + = ELF_ST_INFO (ELF_ST_BIND (sym.st_info), |
| 53 | + STT_NOTYPE); |
| 54 | } |
| 55 | } |
| 56 | |