PR28172, bfin_pcrel24_reloc heap-buffer-overflow

bfin pcrel24 relocs are weird, they apply to the reloc address minus
two.  That means reloc addresses of 0 and 1 are invalid.  Check that,
and fix other reloc range checking.

	PR 28172
	* elf32-bfin.c (bfin_pcrel24_reloc): Correct reloc range check.
	(bfin_imm16_reloc, bfin_byte4_reloc, bfin_bfd_reloc): Likewise.
	(bfin_final_link_relocate): Likewise.
Alan Modra 2021-08-06 17:26:14 +09:30
parent 8179e388b6
commit 352bd3aa1c


@ -59,8 +59,9 @@ bfin_pcrel24_reloc (bfd *abfd,
reloc_howto_type *howto = reloc_entry->howto;
asection *output_section;
bool relocatable = (output_bfd != NULL);
bfd_size_type limit = bfd_get_section_limit_octets (abfd, input_section);
if (reloc_entry->address > bfd_get_section_limit (abfd, input_section))
if (addr - 2 > limit || limit - (addr - 2) < 2)
return bfd_reloc_outofrange;
if (bfd_is_und_section (symbol->section)
@ -156,9 +157,10 @@ bfin_imm16_reloc (bfd *abfd,
reloc_howto_type *howto = reloc_entry->howto;
asection *output_section;
bool relocatable = (output_bfd != NULL);
bfd_size_type limit = bfd_get_section_limit_octets (abfd, input_section);
/* Is the address of the relocation really within the section? */
if (reloc_entry->address > bfd_get_section_limit (abfd, input_section))
if (reloc_addr > limit || limit - reloc_addr < 2)
return bfd_reloc_outofrange;
if (bfd_is_und_section (symbol->section)
@ -227,9 +229,10 @@ bfin_byte4_reloc (bfd *abfd,
bfd_vma output_base = 0;
asection *output_section;
bool relocatable = (output_bfd != NULL);
bfd_size_type limit = bfd_get_section_limit_octets (abfd, input_section);
/* Is the address of the relocation really within the section? */
if (reloc_entry->address > bfd_get_section_limit (abfd, input_section))
if (addr > limit || limit - addr < 4)
return bfd_reloc_outofrange;
if (bfd_is_und_section (symbol->section)
@ -294,9 +297,10 @@ bfin_bfd_reloc (bfd *abfd,
reloc_howto_type *howto = reloc_entry->howto;
asection *output_section;
bool relocatable = (output_bfd != NULL);
bfd_size_type limit = bfd_get_section_limit_octets (abfd, input_section);
/* Is the address of the relocation really within the section? */
if (reloc_entry->address > bfd_get_section_limit (abfd, input_section))
if (addr > limit || limit - addr < howto->size + 1u)
return bfd_reloc_outofrange;
if (bfd_is_und_section (symbol->section)
@ -1316,8 +1320,10 @@ bfin_final_link_relocate (Elf_Internal_Rela *rel, reloc_howto_type *howto,
{
bfd_reloc_status_type r = bfd_reloc_ok;
bfd_vma x;
bfd_size_type limit = bfd_get_section_limit_octets (input_bfd,
input_section);
if (address > bfd_get_section_limit (input_bfd, input_section))
if (address - 2 > limit || limit - (address - 2) < 4)
return bfd_reloc_outofrange;
value += addend;
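Review bot: In the bfin_pcrel24_reloc hunk the new test `limit - (addr - 2) < 2` guarantees only two octets starting at addr - 2, while the bfin_final_link_relocate hunk requires four (`limit - (address - 2) < 4`) for what looks like the same pcrel24 layout. The function body lies outside the hunk, so this is inferred, but if it also accesses the 16-bit word at addr, a reloc whose address equals the section limit would still touch two octets past the end of the section. Consider `if (addr - 2 > limit || limit - (addr - 2) < 4)` there. Both checks also depend on addr/address being unsigned so that values 0 and 1 wrap above limit; a short comment such as `/* addr - 2 wraps for addr < 2 and is rejected by the first test.  */` would make that explicit.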