This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
x86 synthetic plt symbols
- From: Alan Modra <amodra at gmail dot com>
- To: Adarsh Dinesh <adarsh dot dinesh at gmail dot com>
- Cc: binutils at sourceware dot org
- Date: Mon, 1 Feb 2016 21:33:00 +1030
- Subject: x86 synthetic plt symbols
- Authentication-results: sourceware.org; auth=none
- References: <CAGk-QrK9Z28ZSDKpLbez+eKLEVB02MNUGTMcLzo1gOkf-tT8ew at mail dot gmail dot com>
On Sat, Jan 23, 2016 at 03:32:05PM +0530, Adarsh Dinesh wrote:
http://lists.gnu.org/archive/html/bug-binutils/2016-01/msg00130.html
> BFD failed to load ELF files with manipulated instructions in
> __stack_chk_fail@plt, which can be made for anti-debugging purposes.
Changing "pushq $1" in the following to "pushq $too_big" results in an
abort. BFD shouldn't abort on (deliberately) bad user input.
400480: ff 25 9a 0b 20 00 jmpq *0x200b9a(%rip)
400486: 68 01 00 00 00 pushq $0x1
40048b: e9 d0 ff ff ff jmpq 400460 <_init+0x20>
* elf64-x86-64.c (elf_x86_64_get_plt_sym_val): Don't abort on
an out of range reloc_index.
* elf32-i386.c (elf_i386_get_plt_sym_val): Likewise.
diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
index 81a95e0..ccd0135 100644
--- a/bfd/elf32-i386.c
+++ b/bfd/elf32-i386.c
@@ -5684,9 +5684,9 @@ bad_return:
reloc_index = H_GET_32 (abfd, (plt_contents + plt_offset
+ bed->plt->plt_reloc_offset));
reloc_index /= sizeof (Elf32_External_Rel);
- if (reloc_index >= count)
- abort ();
- plt_sym_val[reloc_index] = plt->vma + plt_offset;
+ if (reloc_index < count)
+ plt_sym_val[reloc_index] = plt->vma + plt_offset;
+
plt_offset += bed->plt->plt_entry_size;
/* PR binutils/18437: Skip extra relocations in the .rel.plt
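Review bot: the out-of-range case at `if (reloc_index < count)` is now dropped silently, so a PLT entry that pushes a bogus index (the deliberately manipulated entry the report describes) simply gets no synthetic symbol and nothing in the code says why; a one-line comment on the new condition, e.g. "/* Skip entries with an out-of-range index; the PLT may be deliberately malformed.  */", would stop the next reader from turning it back into an assertion. The stray `+` line after the assignment also introduces an empty line the surrounding code does not need.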
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index 37528be..88ed00e 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -6066,19 +6066,20 @@ bad_return:
reloc_index = H_GET_32 (abfd, (plt_contents + plt_offset
+ bed->plt_reloc_offset));
- if (reloc_index >= count)
- abort ();
- if (plt_bnd)
+ if (reloc_index < count)
{
- /* This is the index in .plt section. */
- long plt_index = plt_offset / bed->plt_entry_size;
- /* Store VMA + the offset in .plt.bnd section. */
- plt_sym_val[reloc_index] =
- (plt_bnd->vma
- + (plt_index - 1) * sizeof (elf_x86_64_legacy_plt2_entry));
+ if (plt_bnd)
+ {
+ /* This is the index in .plt section. */
+ long plt_index = plt_offset / bed->plt_entry_size;
+ /* Store VMA + the offset in .plt.bnd section. */
+ plt_sym_val[reloc_index] =
+ (plt_bnd->vma
+ + (plt_index - 1) * sizeof (elf_x86_64_legacy_plt2_entry));
+ }
+ else
+ plt_sym_val[reloc_index] = plt->vma + plt_offset;
}
- else
- plt_sym_val[reloc_index] = plt->vma + plt_offset;
plt_offset += bed->plt_entry_size;
/* PR binutils/18437: Skip extra relocations in the .rela.plt
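Review bot: nesting the whole plt_bnd/non-plt_bnd branch under `if (reloc_index < count)` re-indents the .plt.bnd block only to share one range check; computing the value into a local first (the `plt_bnd->vma + (plt_index - 1) * sizeof (...)` expression or `plt->vma + plt_offset`) and then doing a single `plt_sym_val[reloc_index] = val;` under the check would keep the change to a couple of lines and make the diff easier to read. As in the elf32-i386.c hunk, a short comment that an out-of-range index is intentionally ignored rather than aborted on would help, since the silent skip is the whole point of the fix.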
--
Alan Modra
Australia Development Lab, IBM
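Added example, not code from bfd or from this patch: a minimal decoder for x86-64 lazy-binding PLT entries of the shape shown in the listing (jmpq *disp32(%rip); pushq $imm32; jmpq rel32). It reads the .rela.plt index out of the pushq immediate the way H_GET_32 does for the real thing and, like the patched elf_x86_64_get_plt_sym_val, skips an entry whose index is out of range instead of aborting. The .plt byte fixture, PLT_VMA (chosen so the second entry lands at 0x400480 as in the listing), the relocation count and every function name here are constructed for the example.

```c
/* Added example, not bfd code.  Decode x86-64 lazy PLT entries and recover
   the .rela.plt index each one pushes, tolerating deliberately bad entries. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PLT_ENTRY_SIZE 16      /* one x86-64 lazy PLT entry */
#define PLT_RELOC_OFFSET 7     /* pushq imm32 occupies bytes 7..10 of an entry */
#define PLT_VMA 0x400460ULL    /* assumed start of .plt for the fixture */

/* Little-endian 32-bit read, the job H_GET_32 does for an x86 bfd. */
static uint32_t get_le32(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
       | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Match ff 25 xx xx xx xx 68 xx xx xx xx e9 xx xx xx xx; the displacement
   and both immediates are wildcards. */
static int plt_entry_matches(const uint8_t *e)
{
  return e[0] == 0xff && e[1] == 0x25 && e[6] == 0x68 && e[11] == 0xe9;
}

/* Set plt_sym_val[reloc_index] to the VMA of the PLT entry that pushes
   reloc_index.  Entries that do not match the template, or whose index is
   >= count, are skipped and tallied in *skipped.  Returns the number of
   entries assigned.  PLT0 (the resolver trampoline) is never decoded. */
size_t plt_sym_vals(const uint8_t *plt, size_t plt_size, uint64_t plt_vma,
                    size_t count, uint64_t *plt_sym_val, size_t *skipped)
{
  size_t assigned = 0, off;
  for (size_t i = 0; i < count; i++)
    plt_sym_val[i] = (uint64_t)-1;            /* "no entry found" marker */
  *skipped = 0;
  for (off = PLT_ENTRY_SIZE; off + PLT_ENTRY_SIZE <= plt_size;
       off += PLT_ENTRY_SIZE)
    {
      const uint8_t *e = plt + off;
      if (!plt_entry_matches(e))
        { (*skipped)++; continue; }
      uint32_t reloc_index = get_le32(e + PLT_RELOC_OFFSET);
      if (reloc_index < count)                /* the check the patch adds */
        { plt_sym_val[reloc_index] = plt_vma + off; assigned++; }
      else
        (*skipped)++;                         /* bogus index: ignore, don't abort */
    }
  return assigned;
}

/* Write one PLT entry pushing IMM; disp32/rel32 are zero placeholders
   because the decoder never looks at them. */
static void put_entry(uint8_t *e, uint32_t imm)
{
  static const uint8_t tmpl[PLT_ENTRY_SIZE] =
    { 0xff, 0x25, 0, 0, 0, 0,  0x68, 0, 0, 0, 0,  0xe9, 0, 0, 0, 0 };
  memcpy(e, tmpl, PLT_ENTRY_SIZE);
  e[7] = imm & 0xff;          e[8] = (imm >> 8) & 0xff;
  e[9] = (imm >> 16) & 0xff;  e[10] = (imm >> 24) & 0xff;
}

/* Constructed .plt: PLT0 then three entries pushing 0, 1 and a too-big
   index, against a .rela.plt of only 3 entries.  Returns the number of
   entries assigned; out[] and *skipped carry the rest of the result. */
size_t run_example(uint64_t out[3], size_t *skipped)
{
  uint8_t plt[4 * PLT_ENTRY_SIZE];
  /* PLT0: pushq GOT+8(%rip); jmpq *GOT+16(%rip); nopl 0(%rax) */
  static const uint8_t plt0[PLT_ENTRY_SIZE] =
    { 0xff, 0x35, 0, 0, 0, 0, 0xff, 0x25, 0, 0, 0, 0, 0x0f, 0x1f, 0x40, 0x00 };
  memcpy(plt, plt0, PLT_ENTRY_SIZE);
  put_entry(plt + 16, 0);
  put_entry(plt + 32, 1);              /* the "pushq $0x1" entry at 0x400480 */
  put_entry(plt + 48, 0x7fffffff);     /* "pushq $too_big": index out of range */
  return plt_sym_vals(plt, sizeof plt, PLT_VMA, 3, out, skipped);
}

/* Accessors that re-run the fixture; handy for a self-test. */
size_t example_assigned(void) { uint64_t v[3]; size_t s; return run_example(v, &s); }
size_t example_skipped(void)  { uint64_t v[3]; size_t s; run_example(v, &s); return s; }
uint64_t example_val(int i)   { uint64_t v[3]; size_t s; run_example(v, &s); return v[i]; }

int main(void)
{
  uint64_t vals[3]; size_t skipped;
  size_t n = run_example(vals, &skipped);
  printf("%zu entries resolved, %zu skipped\n", n, skipped);
  for (int i = 0; i < 3; i++)
    {
      if (vals[i] == (uint64_t)-1)
        printf("reloc %d: no PLT entry\n", i);
      else
        printf("reloc %d: PLT entry at 0x%llx\n", i, (unsigned long long)vals[i]);
    }
  return 0;
}
```

The fixture resolves relocations 0 and 1 to 0x400470 and 0x400480 and leaves relocation 2 unassigned, since the only entry that could have claimed it pushes an index far beyond the table. On i386 the same idea applies with one twist visible in the first hunk: the pushq immediate there is a byte offset into .rel.plt, which is why elf_i386_get_plt_sym_val divides by sizeof (Elf32_External_Rel) before the range check, whereas the x86-64 entry pushes the index directly.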