


[binutils-gdb/users/hjl/linux/master] Fixes for memory access violations triggered by running nlmconv on fuzzed binaries.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3565cf8fedf2bae2b383fae66dde62c3bdae51c9

commit 3565cf8fedf2bae2b383fae66dde62c3bdae51c9
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 8 12:37:46 2015 +0000

    Fixes for memory access violations triggered by running nlmconv on
    fuzzed binaries.
    
    	PR binutils/17512
    	* nlmconv.c (i386_mangle_relocs): Skip relocs without an
    	associated symbol.
    	(powerpc_mangle_relocs): Skip unrecognised relocs.  Check address
    	range before applying a reloc.

Diff:
---
 binutils/ChangeLog |  8 ++++++++
 binutils/nlmconv.c | 30 ++++++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 17d2dd6..cfad0f7 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2015-01-08  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/17512
+	* nlmconv.c (i386_mangle_relocs): Skip relocs without an
+	associated symbol.
+	(powerpc_mangle_relocs): Skip unrecognised relocs.  Check address
+	range before applying a reloc.
+
 2015-01-07  Nick Clifton  <nickc@redhat.com>
 
 	PR binutils/17512
diff --git a/binutils/nlmconv.c b/binutils/nlmconv.c
index d0db1b3..8c4975d 100644
--- a/binutils/nlmconv.c
+++ b/binutils/nlmconv.c
@@ -1415,6 +1415,9 @@ i386_mangle_relocs (bfd *outbfd, asection *insec, arelent ***relocs_ptr,
       bfd_vma addend;
 
       rel = *relocs++;
+      /* PR 17512: file: 057f89c1.  */
+      if (rel->sym_ptr_ptr == NULL)
+	continue;
       sym = *rel->sym_ptr_ptr;
 
       /* We're moving the relocs from the input section to the output
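Review bot: The new `sym_ptr_ptr == NULL` guard drops the reloc without any diagnostic, so a corrupt input converts silently; the other guards this commit adds report through `non_fatal`, and this one should too, e.g. `non_fatal (_("Reloc without an associated symbol at %lx, ignored"), (unsigned long) rel->address);` before the `continue`. Because `continue` leaves the entry in the array that `relocs` walks, the skipped reloc presumably still reaches the output unmodified rather than being removed — worth confirming against the loop, which starts outside this hunk. The following `sym = *rel->sym_ptr_ptr;` would also benefit from rejecting a NULL `*rel->sym_ptr_ptr`, since `sym` is dereferenced later in the function.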
@@ -1871,7 +1874,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
 
   toc_howto = bfd_reloc_type_lookup (insec->owner, BFD_RELOC_PPC_TOC16);
   if (toc_howto == (reloc_howto_type *) NULL)
-    abort ();
+    fatal (_("Unable to locate PPC_TOC16 reloc information"));
 
   /* If this is the .got section, clear out all the contents beyond
      the initial size.  We must do this here because copy_sections is
@@ -1910,6 +1913,10 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
 	    }
 	}
 
+      /* PR 17512: file: 70cfde95.  */
+      if (rel->howto == NULL)
+	continue;
+
       /* We must be able to resolve all PC relative relocs at this
 	 point.  If we get a branch to an undefined symbol we build a
 	 stub, since NetWare will resolve undefined symbols into a
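Review bot: The `rel->howto == NULL` check skips the reloc silently, so a fuzzed or truncated input produces a quietly incomplete NLM; a warning such as `non_fatal (_("Reloc with no howto at %lx, ignored"), (unsigned long) rel->address);` ahead of the `continue` keeps the condition visible to the user, consistent with the range checks added further down. The block cut off at the top of this hunk has already run for the reloc by the time this guard fires, and `continue` leaves the entry in place, so it is presumably still emitted unchanged — confirm that the caller tolerates that. The enclosing loop begins outside this hunk.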
@@ -1927,6 +1934,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
 	    {
 	      bfd_vma val;
 
+	      if (rel->address > contents_size - 4)
+		{
+		  non_fatal (_("Out of range relocation: %lx"), rel->address);
+		  break;
+		}
+	      
 	      assert (rel->howto->size == 2 && rel->howto->pcrel_offset);
 	      val = bfd_get_32 (outbfd, (bfd_byte *) contents + rel->address);
 	      val = ((val &~ rel->howto->dst_mask)
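Review bot: `rel->address > contents_size - 4` does not cover `contents_size < 4`: the subtraction is unsigned, so it wraps to a huge bound, every address passes, and the `bfd_get_32` below still reads past the buffer; write it as `if (contents_size < 4 || rel->address > contents_size - 4)`. The `break` here leaves whatever loop encloses this block (its start is outside the hunk) rather than just this reloc, which silently abandons every remaining reloc after one bad one, whereas the earlier guards in this commit use `continue`. `%lx` is also the wrong conversion for a `bfd_vma` on hosts where it is wider than `unsigned long`; pass `(unsigned long) rel->address` or use the BFD-provided format.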
@@ -1976,6 +1989,12 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
 	  switch (rel->howto->size)
 	    {
 	    case 1:
+	      if (rel->address > contents_size - 2)
+		{
+		  non_fatal (_("Out of range relocation: %lx"), rel->address);
+		  break;
+		}
+		       
 	      val = bfd_get_16 (outbfd,
 				(bfd_byte *) contents + rel->address);
 	      val = ((val &~ rel->howto->dst_mask)
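Review bot: Same wrap-around as the 32-bit case: with `contents_size < 2` the unsigned `contents_size - 2` becomes a huge bound and the 16-bit reloc is applied out of bounds; use `if (contents_size < 2 || rel->address > contents_size - 2)`. This `break` exits only the `switch`, so the reloc continues to whatever follows the switch (outside this hunk) and is presumably still written out despite the warning; if the loop structure allows it, `continue` is the exit that actually discards the bad reloc. The blank line added after the guard carries trailing whitespace.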
@@ -1991,6 +2010,13 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
 	      break;
 
 	    case 2:
+	      /* PR 17512: file: 0455a112.  */
+	      if (rel->address > contents_size - 4)
+		{
+		  non_fatal (_("Out of range relocation: %lx"), rel->address);
+		  break;
+		}
+		       
 	      val = bfd_get_32 (outbfd,
 				(bfd_byte *) contents + rel->address);
 	      val = ((val &~ rel->howto->dst_mask)
@@ -2002,7 +2028,7 @@ powerpc_mangle_relocs (bfd *outbfd, asection *insec,
 	      break;
 
 	    default:
-	      abort ();
+	      fatal (_("Unsupported relocation size: %d"), rel->howto->size);
 	    }
 
 	  if (! bfd_is_und_section (bfd_get_section (sym)))
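Review bot: After the out-of-range warning, `break` leaves only the `switch`, so control falls straight into the `bfd_is_und_section` handling at the end of this hunk and the unapplied reloc is still processed and presumably emitted; the guard should `continue` (or otherwise skip the post-switch code) so a rejected reloc is dropped rather than half-handled. The bound itself needs the same `contents_size < 4 ||` prefix as the other checks, since `contents_size - 4` wraps when the section is shorter than four bytes. The `fatal` in `default:` is an improvement over `abort`, but `%d` should match the declared type of `rel->howto->size` — verify it is a plain `int` in this BFD version. The loop enclosing this switch starts outside the hunk.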

