[committed v2 2/6] PR binutils/22875: FRV/ELF: Prevent an out-of-bounds howto table access

Maciej W. Rozycki macro@mips.com
Wed Apr 4 01:06:00 GMT 2018


Prevent an out-of-bounds `elf32_frv_howto_table' table access in 
`frv_info_to_howto_rela' by using the size of the table rather than 
R_FRV_max to determine the number of entries in the contiguous regular 
FRV relocation range defined and described in the table.

	bfd/
	* elf32-frv.c (frv_info_to_howto_rela): Correct the range check 
	for `elf32_frv_howto_table' table access.
---
On Fri, 30 Mar 2018, Alan Modra wrote:

> I think it would be better to leave R_FRV_max unchanged and change the
> single use of R_FRV_max to "sizeof (elf32_frv_howto_table)
> / sizeof (elf32_frv_howto_table[0])".  Or include libiberty.h and use
> ARRAY_SIZE.

 Good point.  I find code using ARRAY_SIZE cleaner and easier to read, and 
the macro is already rather generously used across BFD, so I chose that 
variant.

> That way the next time I look at include/elf/frv.h I won't wonder why
> R_FRV_max is defined rather oddly, questioning why it isn't the
> highest defined reloc plus one, and when looking at elf32-frv.c I
> won't need to check that R_FRV_max is correct.

 Though I think that large holes in the numbers assigned to enumerations 
make the usefulness of R_*_max enumeration constants rather questionable.

> The same comment applies to the other R_*_max patches.

 This is the new version of the patch then.  Regression-tested and 
applied.  Thank you for your review.

  Maciej

Changes from v1:

- Use ARRAY_SIZE on `elf32_frv_howto_table' to prevent an out-of-bounds 
  table access in `frv_info_to_howto_rela'.

- Keep R_FRV_max unchanged.
---
 bfd/elf32-frv.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

binutils-frv-bfd-unsupp-reloc.diff
Index: binutils/bfd/elf32-frv.c
===================================================================
--- binutils.orig/bfd/elf32-frv.c	2018-03-28 17:13:31.000000000 +0100
+++ binutils/bfd/elf32-frv.c	2018-04-03 19:06:10.036046586 +0100
@@ -25,6 +25,7 @@
 #include "elf/frv.h"
 #include "dwarf2.h"
 #include "hashtab.h"
+#include "libiberty.h"
 
 /* Forward declarations.  */
 
@@ -2551,7 +2552,7 @@ frv_info_to_howto_rela (bfd *abfd ATTRIB
       break;
 
     default:
-      if (r_type >= (unsigned int) R_FRV_max)
+      if (r_type >= ARRAY_SIZE (elf32_frv_howto_table))
 	{
 	  /* xgettext:c-format */
 	  _bfd_error_handler (_("%pB: unsupported relocation type %#x"),
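
Review bot: In the default branch, the new bound "r_type >= ARRAY_SIZE (elf32_frv_howto_table)" has no comment saying why the table size is used instead of R_FRV_max, which stays defined. A one-line comment above the "if", stating that the table covers only the contiguous regular relocation range, would keep a later cleanup from restoring the enum bound and reopening the out-of-bounds access. Dropping the "(unsigned int)" cast is fine provided r_type is declared unsigned, since ARRAY_SIZE yields an unsigned size. The declaration is outside this hunk, so that is worth confirming.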


