


Re: [committed, PATCH] x86: Check for valid PLT section size


On Mon, Aug 28, 2017 at 11:29 AM, H.J. Lu <hongjiu.lu@intel.com> wrote:
> Update x86 get_synthetic_symtab to check for valid PLT section size
> before examining PLT section contents.
>
>         PR binutils/22018
>         * elf32-i386.c (elf_i386_get_synthetic_symtab): Check for valid
>         PLT section size.
>         * elf64-x86-64.c (elf_x86_64_get_synthetic_symtab): Likewise.
> ---
>  bfd/ChangeLog      |  7 +++++++
>  bfd/elf32-i386.c   | 19 +++++++++++++------
>  bfd/elf64-x86-64.c | 14 +++++++++++---
>  3 files changed, 31 insertions(+), 9 deletions(-)
>
> diff --git a/bfd/ChangeLog b/bfd/ChangeLog
> index 063253f4a5..419c311eea 100644
> --- a/bfd/ChangeLog
> +++ b/bfd/ChangeLog
> @@ -1,3 +1,10 @@
> +2017-08-28  H.J. Lu  <hongjiu.lu@intel.com>
> +
> +       PR binutils/22018
> +       * elf32-i386.c (elf_i386_get_synthetic_symtab): Check for valid
> +       PLT section size.
> +       * elf64-x86-64.c (elf_x86_64_get_synthetic_symtab): Likewise.
> +
>  2017-08-27  H.J. Lu  <hongjiu.lu@intel.com>
>
>         * elf32-i386.c (elf_i386_link_hash_newfunc): Initialize
> diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
> index 999cd48ee4..05ba2c3b15 100644
> --- a/bfd/elf32-i386.c
> +++ b/bfd/elf32-i386.c
> @@ -6362,7 +6362,7 @@ elf_i386_get_synthetic_symtab (bfd *abfd,
>    for (j = 0; plts[j].name != NULL; j++)
>      {
>        plt = bfd_get_section_by_name (abfd, plts[j].name);
> -      if (plt == NULL)
> +      if (plt == NULL || plt->size == 0)
>         continue;
>
>        /* Get the PLT section contents.  */
> @@ -6378,7 +6378,9 @@ elf_i386_get_synthetic_symtab (bfd *abfd,
>
>        /* Check what kind of PLT it is.  */
>        plt_type = plt_unknown;
> -      if (plts[j].type == plt_unknown)
> +      if (plts[j].type == plt_unknown
> +         && (plt->size >= (lazy_plt->plt0_entry_size
> +                           + lazy_plt->plt_entry_size)))
>         {
>           /* Match lazy PLT first.  */
>           if (memcmp (plt_contents, lazy_plt->plt0_entry,
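Review bot: The new bound `plt->size >= (lazy_plt->plt0_entry_size + lazy_plt->plt_entry_size)` is computed from lazy_plt, but the IBT comparisons it guards (the `plt_contents + lazy_ibt_plt->plt0_entry_size` reads in the two following hunks) index with lazy_ibt_plt's sizes. Those reads stay in bounds only while `lazy_ibt_plt->plt0_entry_size + lazy_ibt_plt->plt_got_offset` does not exceed the lazy_plt sum, which appears to hold for the current tables (the nearby comment says the first IBT entry matches the normal lazy PLT0) but is stated nowhere in the code. A comment on the condition would pin the assumption, e.g. `/* Also bounds the lazy IBT checks below: IBT PLT0 has the size of lazy PLT0 and plt_got_offset < plt_entry_size.  */`, or a BFD_ASSERT next to the memcmp. elf_i386_get_synthetic_symtab starts before this hunk.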
> @@ -6387,7 +6389,7 @@ elf_i386_get_synthetic_symtab (bfd *abfd,
>               /* The fist entry in the lazy IBT PLT is the same as the
>                  normal lazy PLT.  */
>               if (lazy_ibt_plt != NULL
> -                 && (memcmp (plt_contents + lazy_ibt_plt->plt_entry_size,
> +                 && (memcmp (plt_contents + lazy_ibt_plt->plt0_entry_size,
>                               lazy_ibt_plt->plt_entry,
>                               lazy_ibt_plt->plt_got_offset) == 0))
>                 plt_type = plt_lazy | plt_second;
> @@ -6400,7 +6402,7 @@ elf_i386_get_synthetic_symtab (bfd *abfd,
>               /* The fist entry in the PIC lazy IBT PLT is the same as
>                  the normal PIC lazy PLT.  */
>               if (lazy_ibt_plt != NULL
> -                 && (memcmp (plt_contents + lazy_ibt_plt->plt_entry_size,
> +                 && (memcmp (plt_contents + lazy_ibt_plt->plt0_entry_size,
>                               lazy_ibt_plt->pic_plt_entry,
>                               lazy_ibt_plt->plt_got_offset) == 0))
>                 plt_type = plt_lazy | plt_pic | plt_second;
> @@ -6410,7 +6412,8 @@ elf_i386_get_synthetic_symtab (bfd *abfd,
>         }
>
>        if (non_lazy_plt != NULL
> -         && (plt_type == plt_unknown || plt_type == plt_non_lazy))
> +         && (plt_type == plt_unknown || plt_type == plt_non_lazy)
> +         && plt->size >= non_lazy_plt->plt_entry_size)
>         {
>           /* Match non-lazy PLT.  */
>           if (memcmp (plt_contents, non_lazy_plt->plt_entry,
> @@ -6422,7 +6425,8 @@ elf_i386_get_synthetic_symtab (bfd *abfd,
>         }
>
>        if ((non_lazy_ibt_plt != NULL)
> -         && (plt_type == plt_unknown || plt_type == plt_second))
> +         && (plt_type == plt_unknown || plt_type == plt_second)
> +         && plt->size >= non_lazy_ibt_plt->plt_entry_size)
>         {
>           if (memcmp (plt_contents,
>                       non_lazy_ibt_plt->plt_entry,
> @@ -6480,6 +6484,9 @@ elf_i386_get_synthetic_symtab (bfd *abfd,
>         got_addr = (bfd_vma) -1;
>      }
>
> +  if (count == 0)
> +    return -1;
> +
>    size = count * sizeof (asymbol);
>
>    /* Allocate space for @plt suffixes.  */
> diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
> index c9c6dba8c5..25ce295c17 100644
> --- a/bfd/elf64-x86-64.c
> +++ b/bfd/elf64-x86-64.c
> @@ -6763,7 +6763,7 @@ elf_x86_64_get_synthetic_symtab (bfd *abfd,
>    for (j = 0; plts[j].name != NULL; j++)
>      {
>        plt = bfd_get_section_by_name (abfd, plts[j].name);
> -      if (plt == NULL)
> +      if (plt == NULL || plt->size == 0)
>         continue;
>
>        /* Get the PLT section contents.  */
> @@ -6779,7 +6779,9 @@ elf_x86_64_get_synthetic_symtab (bfd *abfd,
>
>        /* Check what kind of PLT it is.  */
>        plt_type = plt_unknown;
> -      if (plts[j].type == plt_unknown)
> +      if (plts[j].type == plt_unknown
> +         && (plt->size >= (lazy_plt->plt_entry_size
> +                           + lazy_plt->plt_entry_size)))
>         {
>           /* Match lazy PLT first.  Need to check the first two
>              instructions.   */
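Review bot: The size bound added here, `plt->size >= (lazy_plt->plt_entry_size + lazy_plt->plt_entry_size)`, adds plt_entry_size to itself, whereas the i386 counterpart in the same commit uses `lazy_plt->plt0_entry_size + lazy_plt->plt_entry_size`. The hunk's own comment says the first two instructions are checked, i.e. PLT0 followed by the first entry, so the intended expression is presumably `&& (plt->size >= (lazy_plt->plt0_entry_size + lazy_plt->plt_entry_size)))`. If plt0_entry_size and plt_entry_size are equal for every x86-64 lazy PLT layout the doubled term happens to be right today, but it reads as a typo and the two ports should agree. elf_x86_64_get_synthetic_symtab begins before this hunk.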
> @@ -6807,7 +6809,8 @@ elf_x86_64_get_synthetic_symtab (bfd *abfd,
>         }
>
>        if (non_lazy_plt != NULL
> -         && (plt_type == plt_unknown || plt_type == plt_non_lazy))
> +         && (plt_type == plt_unknown || plt_type == plt_non_lazy)
> +         && plt->size >= non_lazy_plt->plt_entry_size)
>         {
>           /* Match non-lazy PLT.  */
>           if (memcmp (plt_contents, non_lazy_plt->plt_entry,
> @@ -6818,6 +6821,7 @@ elf_x86_64_get_synthetic_symtab (bfd *abfd,
>        if (plt_type == plt_unknown || plt_type == plt_second)
>         {
>           if (non_lazy_bnd_plt != NULL
> +             && plt->size >= non_lazy_bnd_plt->plt_entry_size
>               && (memcmp (plt_contents, non_lazy_bnd_plt->plt_entry,
>                           non_lazy_bnd_plt->plt_got_offset) == 0))
>             {
> @@ -6826,6 +6830,7 @@ elf_x86_64_get_synthetic_symtab (bfd *abfd,
>               non_lazy_plt = non_lazy_bnd_plt;
>             }
>           else if (non_lazy_ibt_plt != NULL
> +                  && plt->size >= non_lazy_ibt_plt->plt_entry_size
>                    && (memcmp (plt_contents,
>                                non_lazy_ibt_plt->plt_entry,
>                                non_lazy_ibt_plt->plt_got_offset) == 0))
> @@ -6871,6 +6876,9 @@ elf_x86_64_get_synthetic_symtab (bfd *abfd,
>        plts[j].contents = plt_contents;
>      }
>
> +  if (count == 0)
> +    return -1;
> +
>    size = count * sizeof (asymbol);
>
>    /* Allocate space for @plt suffixes.  */
> --
> 2.13.5
>

I am backporting it to the 2.29 branch.

-- 
H.J.

