[ARM] Avoid dereferencing null pointers

Alan Modra amodra@gmail.com
Wed Nov 20 21:49:00 GMT 2019 

On Wed, Nov 20, 2019 at 04:11:51PM +0100, Christophe Lyon wrote:
> Despite your fix below, I am again facing the same crash, in a case
> which might be similar to the one you fixed.
> My link command has:
> -lgcc_s -lgcc -lc -lgcc_s
> and cmse_scan crashes again because sym_hashes is null when scanning
> the second occurrence of -lgcc_s.
> If I remove -lgcc_s, the link succeeds, which suggests that even
> though I'm not uses --as-needed in this case, the behaviour is
> similar: the second -lgcc_s is useless (does not help resolve any
> reference), so its sym_hashes is null.
> 
> Does that sound right? What's the proper way of skipping it, since
> DYN_AS_NEEDED is not set?

I guess you're hitting this code in elf_link_add_object_symbols:

      ret = elf_add_dt_needed_tag (abfd, info, soname, add_needed);
      if (ret < 0)
	goto error_return;

      /* If we have already included this dynamic object in the
	 link, just ignore it.  There is no reason to include a
	 particular dynamic object more than once.  */
      if (ret > 0)
	return TRUE;

and returning because the lib has indeed already been loaded.  That's
before sym_hashes are allocated, so sym_hashes will be NULL.  It's a
wonder I didn't think of this case last year, even though you were
reporting sym_hashes[i] being NULL rather than sym_hashes NULL.

Using this should work:

	  if (!is_arm_elf (input_bfd)
	      || elf_sym_hashes (input_bfd) == 0
	      || (elf_dyn_lib_class (input_bfd) & DYN_AS_NEEDED) != 0)
	    continue;

You may also want to cover the case of sym_hashes[i] being zero in
cmse_scan, which is possible when badly formed shared libraries hit
the following elf_link_add_object_symbols code

	  /* If we aren't prepared to handle locals within the globals
	     then we'll likely segfault on a NULL symbol hash if the
	     symbol is ever referenced in relocations.  */
	  shindex = elf_elfheader (abfd)->e_shstrndx;
	  name = bfd_elf_string_from_elf_section (abfd, shindex, hdr->sh_name);
	  _bfd_error_handler (_("%pB: %s local symbol at index %lu"
				" (>= sh_info of %lu)"),
			      abfd, name, (long) (isym - isymbuf + extsymoff),
			      (long) extsymoff);

	  /* Dynamic object relocations are not processed by ld, so
	     ld won't run into the problem mentioned above.  */
	  if (dynamic)
	    continue;


-- 
Alan Modra
Australia Development Lab, IBM

More information about the Binutils mailing list