In MIPS the relocation calculation only ignores the overflow checks for undefined
weak symbols on relocations associated with j/jal. This patch extends this to
the relocations used by the: b* instructions; pc/gp relative symbol offsets; and the
lwpc/ldpc MIPS r6 instructions.
bfd/
* elfxx-mips.c (mips_elf_calculate_relocation): Only check for overflow
on non-weak undefined symbols.
ld/testsuite/
* ld-mips-elf/mips-elf.exp: Add in undefined weak overflow tests for
o32, n32 and n64.
* ld-mips-elf/undefweak-overflow.s: New test.
* ld-mips-elf/undefweak-overflow.d: New test.
* ld-mips-elf/undefweak-overflow-n32.d: New test.
* ld-mips-elf/undefweak-overflow-n64.d: New test.
This patch sorts .opd relocs (see pr17666) and allows .opd sections
with a mix of 16 and 24 byte entries to be edited.
* elf64-ppc.c (OPD_NDX): Define. Use throughout for sizing/indexing
_opd_sec_data array, halving required memory.
(sort_r_offset): New function.
(ppc64_elf_edit_opd): Sort incoming relocs. Accept .opd
sections with a mix of 16 and 24 byte OPD entries. Don't
attempt to honour --non-overlapping-opd for .opd sections with
unexpected relocs. Simplify opd entry size calculations by
first finding the reloc for the next entry. Make edit loop
handle one opd entry per iteration, with an inner loop
handling relocs per entry.
PR binutils/17512
* dwarf.h (struct dwarf_section): Add user_data field.
* dwarf.c (frame_need_space): Check for an over large register
number.
(display_debug_frames): Check the return value from
frame_need_space. Check for a CFA expression that is so long the
start address wraps around.
(debug_displays): Initialise the user_data field.
* objdump.c (load_specific_debug_section): Save the BFD section
pointer in the user_data field of the dwarf_section structure.
(free_debug_section): Update BFD section data when freeing section
contents.
* readelf.c (load_specific_debug_section): Initialise the
user_data field.
* archive.c (do_slurp_coff_armap): Add range checks to prevent
running off the end of the string table.
* compress.c (bfd_get_full_section_contents): Return a NULL
pointer for zero sized sections. Do not attempt to copy a buffer
onto itself.
* elf-attrs.c (_bfd_elf_parse_attributes): Check for an empty
header. Add range checks to avoid running off the end of the
section.
* elf.c (bfd_elf_get_str_section): Seek before allocating so that
if the seek fails, no memory is allocated.
(bfd_elf_string_from_elf_section): Do not allocate a string from a
non string section. It only leads to trouble later on.
(_bfd_elf_print_private_bfd_data): Check for there being too
little external dynamic data.
(bfd_section_from_shdr): Replace assertion with a failure mode.
(bfd_section_from_shdr): When walking a loaded group section use
the internal structure size, not the external size. Check for the
group section being empty.
* elf32-i386.c (elf_i386_rtype_to_howto): Replace assertion with a
failure mode.
* elfcode.h (elf_slurp_reloc_table): Likewise.
* reloc.c (bfd_perform_relocation): Avoid seg-fault if the howto
parameter is NULL.
PR 16452, 16457
* elflink.c (_bfd_elf_link_find_version_dependencies): Exclude
symbols from libraries that won't be listed in DT_NEEDED.
(elf_link_output_extsym): Don't output verdefs for such symbols.
PR binutils/17512
* ecoff.c (_bfd_ecoff_slurp_symbol_table): Warn about and correct
a discrepancy between the isymMax and ifdMax values in the
symbolic header.
* elf.c (_bfd_elf_print_private_bfd_data): Fix the range check
scanning the external dynamic entries.
PR binutils/17512
* dwarf.c (display_block): Do nothing if the block starts after
the end of the buffer.
(read_and_display_attr_value): Add range checks.
(struct Frame_Chunk): Make the ncols and ra fields unsigned.
(frame_need_space): Test for an ncols of zero.
(read_cie): Fail if the augmentation data extends off the end of
the buffer.
(display_debug_frames): Add checks for read_cie failing. Add
range checks.
* coff-h8300.c (rtype2howto): Replace abort with returning a NULL
value.
* coff-h8500.c (rtype2howto): Likewise.
* coff-tic30.c (rtype2howto): Likewise.
* coff-z80.c (rtype2howto): Likewise.
* coff-z8k.c (rtype2howto): Likewise.
* coff-ia64.c (RTYPE2HOWTO): Always return a valid howto.
* coff-m68k.c (m68k_rtype2howto): Return a NULL howto if none
could be found.
* coff-mcore.c (RTYPE2HOWTO): Add range checking.
* coff-w65.c (rtype2howto): Likewise.
* coff-we32k.c (RTYPE2HOWTO): Likewise.
* pe-mips.c (RTYPE2HOWTO): Likewise.
* coff-x86_64.c (coff_amd64_reloc): Likewise. Replace abort with
an error return.
* coffcode.h (coff_slurp_reloc_table): Allow the rel parameter to
be unused.
* coffgen.c (make_a_section_from_file): Check the length of a
section name before testing to see if it is a debug section name.
(coff_object_p): Zero out any uninitialised bytes in the opt
header.
* ecoff.c (_bfd_ecoff_slurp_symbolic_info): Test for the raw
source being empty when there are values to be processed.
(_bfd_ecoff_slurp_symbol_table): Add range check.
* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Likewise.
(bfd_mach_o_mangle_sections): Move test for too many sections to
before the allocation of the section table.
(bfd_mach_o_read_symtab_strtab): If the read fails, free the
memory and nullify the symbol pointer.
* reloc.c (bfd_generic_get_relocated_section_contents): Add
handling of a bfd_reloc_notsupported return value.
* versados.c (EDATA): Add range checking.
(get_record): Likewise.
(process_otr): Check for contents being available before updating
them.
(versados_canonicalize_reloc): Add range check.
The internal verref buffer is allocated with bfd_zalloc, based on a
count given in headers. If the headers are broken/fuzzed and contain
an enormous count the alloc can result in OOM. If we first read the
external verrefs (into a buffer that isn't zeroed on allocation) then
the read provides a sanity check on the headers.
Also prints an error for version info that fails other sanity checks.
* elf.c (_bfd_elf_slurp_version_tables): Delay allocation of
internal verref buffer. Error for zero sh_info. Print errors.
Check for zero vd_ndx. Use bfd_zalloc for vd_auxptr buffer.
Both readelf/objdump know how to get symbol version string for dynamic
symbols. This patch extracts this functionality into a separate
function and uses it to add symbol version string to versioned symbol
names when dumping dynamic relocations.
bfd/
PR binutils/16496
* elf-bfd.h (bfd_elf_get_symbol_version_string): New.
* elf.c (bfd_elf_get_symbol_version_string): New. Extracted
from bfd_elf_print_symbol.
(bfd_elf_print_symbol): Use it.
binutils/
PR binutils/16496
* objdump.c (objdump_print_symname): Call
bfd_elf_get_symbol_version_string to get ELF symbol version
string. Append version string if needed.
* readelf.c (versioned_symbol_info): New enum.
(get_symbol_version_string): New. Extracted from
process_symbol_table.
(dump_relocations): Add a new argument to indicate if dynamic
symbol table is used. Use get_symbol_version_string to get
symbol version string for dynamic symbol. Append version string
if needed.
(process_relocs): Updated dump_relocations call.
(process_symbol_table): Use get_symbol_version_string.
ld/testsuite/
PR binutils/16496
* ld-cris/weakref3.d: Add symbol version string to versioned
symbol names in dynamic relocation.
* ld-cris/weakref4.d: Likewise.
* ld-elfvers/vers24.rd: Likewise.
* ld-elf/pr16496a.c: New file.
* ld-elf/pr16496a.map: Likewise.
* ld-elf/pr16496b.c: Likewise.
* ld-elf/pr16496b.od: Likewise.
* ld-elf/shared.exp (build_tests): Add libpr16496a.so and
libpr16496b.so tests.
When there are both PLT and GOT references to the same function symbol,
linker will create a GOTPLT slot for PLT entry and a GOT slot for GOT
reference. A run-time JUMP_SLOT relocation is created to update the
GOTPLT slot and a run-time GLOB_DAT relocation is created to update the
GOT slot. Both JUMP_SLOT and GLOB_DAT relocations will apply the same
symbol value to GOTPLT and GOT slots, respectively, at run-time.
This optimization combines GOTPLT and GOT slots into a single GOT slot
and removes the run-time JUMP_SLOT relocation. It replaces the regular
PLT entry:
indirect jump [GOTPLT slot]
push relocation index
jump PLT0
with an GOT PLT entry with an indirect jump via the GOT slot:
indirect jump [GOT slot]
nop
and resolves PLT reference to the GOT PLT entry.
We must avoid this optimization if pointer equality is needed since
we don't clear symbol value in this case and the dynamic linker won't
update the GOT slot. Otherwise, the resulting binary will get into an
infinite loop at run-time.
bfd/
* elf32-i386.c (elf_i386_got_plt_entry): New.
(elf_i386_pic_got_plt_entry): Likewise.
(elf_i386_link_hash_entry): Add plt_got.
(elf_i386_link_hash_table): Likewise.
(elf_i386_link_hash_newfunc): Initialize plt_got.offset to -1.
(elf_i386_get_local_sym_hash): Likewise.
(elf_i386_check_relocs): Create the GOT PLT if there are both
PLT and GOT references when the regular PLT is used.
(elf_i386_allocate_dynrelocs): Use the GOT PLT if there are
both PLT and GOT references unless pointer equality is needed.
(elf_i386_relocate_section): Also check the GOT PLT when
resolving R_386_PLT32.
(elf_i386_finish_dynamic_symbol): Use the GOT PLT if it is
available.
* elf64-x86-64.c (elf_x86_64_link_hash_entry): Add plt_got.
(elf_x86_64_link_hash_table): Likewise.
(elf_x86_64_link_hash_newfunc): Initialize plt_got.offset to -1.
(elf_x86_64_get_local_sym_hash): Likewise.
(elf_x86_64_check_relocs): Create the GOT PLT if there are both
PLT and GOT references when the regular PLT is used.
(elf_x86_64_allocate_dynrelocs): Use the GOT PLT if there are
both PLT and GOT references unless pointer equality is needed.
(elf_x86_64_relocate_section): Also check the GOT PLT when
resolving R_X86_64_PLT32.
(elf_x86_64_finish_dynamic_symbol): Use the GOT PLT if it is
available.
ld/
* emulparams/elf_i386.sh (TINY_READONLY_SECTION): New.
* emulparams/elf_x86_64.sh (TINY_READONLY_SECTION): Add .plt.got.
ld/testsuite/
* ld-i386/i386.exp: Add run-time relocation tests for plt-main.
* ld-i386/plt-main.rd: New file.
* ld-x86-64/plt-main-bnd.dd: Likewise.
* ld-x86-64/plt-main.rd: Likewise.
* ld-x86-64/x86-64.exp: Add run-time relocation tests for
plt-main.
Alignment of plt stubs was broken, firstly because the option was
being dropped due to the alignment value not being set in the "params"
struct used in elf64-ppc.c, and secondly due to not calculating the
number of alignment boundary crossings correctly.
bfd/
* elf64-ppc.c (plt_stub_pad): Correct.
ld/
* ld.texinfo: Correct --plt-align documentation.
* emultempl/ppc64elf.em (plt_stub_align): Delete. Use and set
params.plt_stub_align instead.
Assert size of elf_x86_64_bnd_plt2_entry and elf_x86_64_legacy_plt2_entry
only in elf_x86_64_check_relocs.
* elf64-x86-64.c (elf_x86_64_check_relocs): Assert size of
elf_x86_64_bnd_plt2_entry and elf_x86_64_legacy_plt2_entry.
(elf_x86_64_allocate_dynrelocs): Don't assert size of
elf_x86_64_bnd_plt2_entry and elf_x86_64_legacy_plt2_entry.
Displacement of branch to PLT0 in x86-64 PLT entry is signed 32-bit.
This patch adds a sanity check. We will only see the failure when PLT
size is > 2GB.
* elf64-x86-64.c (elf_x86_64_finish_dynamic_symbol): Check
branch displacement overflow in PLT entry.
PR binutils/17512
* dwarf.c (get_encoded_value): Check for an encoded size of 0.
(display_debug_lines_raw): Check for an invalid line range value.
(display_debug_frames): Check for corrupt augmentation data.
* coffgen.c (coff_get_normalized_symtab): Check for an excessive
number of auxillary entries.
* ieee.c (next_byte): Convert to a function. Return FALSE if the
next byte is beyond the end of the buffer.
(parse_int): Test the return value of next_byte.
(parse_expression): Convert to boolean. Return FALSE if the
parsing failed. Test the return value of next_byte.
(ieee_seek): Convert to a function. Return FALSE if the seek goes
beyond the end of the buffer.
(ieee_slurp_external_symbols): Test the return value of ieee_seek
and next_byte.
(ieee_slurp_sections): Convert to boolean. Return FALSE if the
operation failed. Test the return value of ieee_seek and
next_byte.
(ieee_archive_p): Test the return value of ieee_seek and
next_byte.
(do_one): Likewise.
(ieee_slurp_section_data): Likewise.
(ieee_object_p): Likewise. Store the size of the buffer in the
total_amt field in the header.
* libieee.h (common_header_type): Add amt field.
* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the
reloc's value is within range.
(bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the
operation fails.
* pei-x86_64.c (pex64_xdata_print_uwd_codes): Replace abort with
an error message.
(pex64_dump_xdata): Check for buffer overflows.
* versados.c (process_otr): Check that the section exists before
taking its size.
(versados_object_p): Make sure that enough data was read for the
header to be checked.
* vms-alpha.c (vms_get_remaining_object_record): Change
read_so_far parameter to an unsigned int. Check that the amount
read is in range.
Corrects overflow test for rel14, addr14, rel24, addr24 branch relocs,
and prints an information message to give a hint as to how a branch
that can't reach a stub might be cured.
bfd/
* elf64-ppc.c (group_sections): Init stub14_group_size from
--stub-group-size parameter divided by 1024.
gold/
* powerpc.cc (Stub_control::Stub_control): Init stub14_group_size_
from --stub-group-size parameter divided by 1024.
(Powerpc_relocate_functions::rela, rela_ua): Add fieldsize
template parameter. Update all uses.
(Target_powerpc::Relocate::relocate): Rename has_plt_value to
has_stub_value. Set for long branches. Don't report overflow for
branch to undefined weak symbols. Print info message on
overflowing branch to stub.
Go is multi-threaded, so use thread-safe plt stubs. __go_go doesn't
actually start threads, but is a convenient libgo function with a
reasonably unique name that is called by all Go executables. (Threads
are started by a static function of libgo, runtime_newosproc, called
by a whole lot of global functions, including runtime_starttheworld
and runtime_main.)
bfd/
* elf64-ppc.c (ppc64_elf_size_stubs): Add __go_go to thread_starters.
gold/
* powerpc.cc (Target_powerpc::do_relax): Add __go_go to thread_starters.
PR binutils/17512
* peXXIgen.c (pe_print_pdata): Fail if the section's virtual size
is larger than its real size.
(rsrc_print_section): Fix off-by-one error checking for overflow.
* pei-x86_64.c (pex64_bfd_print_pdata): Handle empty unwind
sections.
* dwarf.c (get_encoded_value): Warn and return if the encoded
value is more than 64-bits long.
(SAFE_BYTE_GET): Do not attempt to read more than 64-bits.
(process_extended_line_op): Add more range checks.
(decode_location_expression): Use the return value from
display_block. Add more range checks.
(read_debug_line_header): Add range check.
(display_debug_lines_raw): Add range checks.
(display_debug_frames): Silently skip multiple zero terminators.
Add range checks.
(process_cu_tu_index): Check for non-existant or empty sections.
Use SAFE_BYTE_GET instead of byte_get.
PR binutils/17512
* dwarf.c (get_encoded_value): Add an 'end' parameter. Change the
'data' parameter to a double pointer and return the updated value.
(decode_location_expression): Update call to get_encoded_value.
(frame_need_space): Handle the case where one or both of the
mallocs fails.
(read_cie): Initialise the cie pointer, even if the read fails.
(display_debug_frames): Warn if the calculated block_end is before
the start of the block. Break the loop if the CIE could not be
read. Update call to get_encoded_value. Warn if the read CFA
expressions are too big.
* ieee.c (ieee_archive_p) Skip processing if no bytes are read at
all.
(ieee_object_p): Likewise.
PR binutils/17512
* dwarf.c (read_and_display_attr_value): Check that we do not read
past end.
(display_debug_pubnames_worker): Add range checks.
(process_debug_info): Check for invalid pointer sizes.
(display_loc_list): Likewise.
(display_loc_list_dwo): Likewise.
(display_debug_ranges): Likewise.
(display_debug_aranges): Check for invalid address size.
(read_cie): Add range checks. Replace call strchr with while loop.
* objdump.c (dump_dwarf): Replace abort with a warning message.
(print_section_stabs): Improve range checks.
* rdcoff.c (coff_get_slot): Use long for indx parameter type.
Add check for an excesively large index.
* rddbg.c (read_section_stabs_debugging_info): Zero terminate the
string table. Avoid walking off the end of the stabs data.
* stabs.c (parse_stab_string): Add check for a NULL name.
PR binutils/17512
* coffcode.h (coff_slurp_line_table): Set the line number of
corrupt entries to -1.
(coff_slurp_symbol_table): Alway initialise the value of the
symbol.
* coffgen.c (coff_print_symbol): Check that the combined pointer
is valid.
(coff_print_symbol): Do not print negative line numbers.
* peXXigen.c (pe_print_idata): Add range checking displaying
member names.
PR binutils/17512
* coffcode.h (coff_slurp_line_table): Initialise the parts of the
line number cache that would not be initialised by the copy from
the new line number table.
(coff_classify_symbol): Allow for _bfd_coff_internal_syment_name
returning NULL.
* coffgen.c (coff_get_normalized_symbols): Get the external
symbols before allocating space for the internal symbols, in case
the get fails.
* elf.c (_bfd_elf_slurp_version_tables): Only allocate a verref
array if one is needed. Likewise with the verdef array.
* peXXigen.c (_bfd_XXi_swap_sym_in): Replace abort()'s with error
messages.
(_bfd_XXi_swap_aux_in): Make sure that all fields of the aux
structure are initialised.
(pe_print_edata): Avoid reading off the end of the data buffer.
I missed this use of the loop induction variable outside the loop.
PR binutils/17512
* coffcode.h (coff_slurp_line_table): Use updated lineno_count
when building func_table.
bfd_zalloc/bfd_zmalloc to fix uninitialized memory reads is too big a
hammer, when the size allocated depends on user input. A typical
bfd_alloc, bfd_seek, bfd_bread sequence will give an error or warning
at the point the file read fails when some enormous item as described
by headers is not actually present in the file. Nice operating system
allow memory overcommit. But not if you write to the memory. So
bfd_zalloc can cause an OOM, thrashing, or system hangs.
The patch also fixes a recently introduced endless loop on bad input.
PR binutils/17512
* coffcode.h (coff_slurp_line_table): Don't bfd_zalloc, just
memset the particular bits we need. Update src after hitting loop
"continue". Don't count lineno omitted due to invalid symbols in
nbr_func, and update lineno_count. Init entire terminating
lineno. Don't both allocating terminator in n_lineno_cache.
Redirect sym->lineno pointer to where n_lineno_cache will be
copied, and free n_lineno_cache.
* pe-mips.c (NUM_HOWTOS): Typo fix.
Turning on .eh_frame processing for ld -r resulted in systemtap
tickling a ld bug. Triggered by the zero terminator not being added
to .eh_frame in a separate file as it usually is (crtend.o), but
instead being present in the last .eh_frame section along with CIEs
and FDEs. The 4-byte terminator makes the section size check fail
on 64-bit targets.
* elf-eh-frame (_bfd_elf_write_section_eh_frame): Adjust section
size check to account for possible zero terminator.
when displaying the contents of corrupt files.
PR binutils/17521
* coff-i386.c (NUM_HOWTOS): New define.
(RTYPE2HOWTO): Use it.
(coff_i386_rtype_to_howto): Likewise.
(coff_i386_reloc_name_lookup): Likewise.
(CALC_ADDEND): Check that reloc r_type field is valid.
* coff-x86_64.c (NUM_HOWTOS): New define.
(RTYPE2HOWTO): Use it.
(coff_amd64_rtype_to_howto): Likewise.
(coff_amd64_reloc_name_lookup): Likewise.
(CALC_ADDEND): Check that reloc r_type field is valid.
* coffcode.h (coff_slurp_line_table): Check for symbol table
indexing underflow.
(coff_slurp_symbol_table): Use zalloc to ensure that all table
entries are initialised.
* coffgen.c (_bfd_coff_read_string_table): Initialise unused bits
in the string table. Also ensure that the table is 0 terminated.
(coff_get_normalized_symtab): Check for symbol table indexing
underflow.
* opncls.c (bfd_alloc): Catch the case where a small negative size
can result in only 1 byte being allocated.
(bfd_alloc2): Use bfd_alloc.
* pe-mips.c (NUM_HOWTOS): New define.
(coff_mips_reloc_name_lookup): Use it.
(CALC_ADDEND): Check that reloc r_type field is valid.
* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Initialise unused entries
in the DataDirectory.
(pe_print_idata): Avoid reading beyond the end of the data block
wen printing strings.
(pe_print_edata): Likewise.
Check for table indexing underflow.
* peicode.h (pe_mkobject): Initialise the pe_opthdr field.
(pe_bfd_object_p): Allocate and initialize enough space to hold a
PEAOUTHDR, even if the opt_hdr field specified less.
Structions with R_X86_64_GOTTPOFF relocation must be encoded with REX
prefix even if it isn't required by destination register. Otherwise
linker can't safely perform IE -> LE optimization.
bfd/
PR ld/17482
* elf64-x86-64.c (elf_x86_64_relocate_section): Update comments
for IE->LE transition.
gas/
PR ld/17482
* config/tc-i386.c (output_insn): Add a dummy REX_OPCODE prefix
for structions with R_X86_64_GOTTPOFF relocation for x32 if needed.
gas/testsuite/
PR ld/17482
* gas/i386/ilp32/x32-tls.d: New file.
* gas/i386/ilp32/x32-tls.s: Likewise.
ld/testsuite/
PR ld/17482
* ld-x86-64/tlsie4.dd: Updated.
Dramatically reduces memory consumption and processing time for large
all-zero data segments. Allows multiple symbol types attached to a
given segment to survive objcopy.
* tekhex.c (CHUNK_SPAN): Define.
(struct data_struct <chunk_init>): Use one byte per span, update
all code accessing this field.
(find_chunk): Add create param, don't create new entry unless set.
(insert_byte): Don't save zeros.
(first_phase): Set section SEC_CODE or SEC_DATA flag depending
on symbol type. Create an alternate section if both types of
symbol are given. Attach type '2' and '6' symbols to absolute
section.
(move_section_contents): Fix caching of chunk. Don't create chunk
when reading, or for writing zeros.
(tekhex_set_section_contents): Don't create initial chunks.
(tekhex_write_object_contents): Use CHUNK_SPAN.
Save a multiplication, and any concern that the buffer allocation
might be smaller than the amount read (as it could be if the header
size isn't a multiple of EXTERNAL_NLIST_SIZE).
* aoutx.h (aout_get_external_symbols): Tidy allocation of symbol buffer.
Handle the case of a zero length section or sub-section in
_bfd_elf_parse_attributes and in doing so prevent an infinite loop
in the parser.
bfd/ChangeLog:
2014-11-06 Will Newton <will.newton@linaro.org>
* elf-attrs.c (_bfd_elf_parse_attributes): Handle zero
length sections and sub-sections.