The idea here is the stop tools from allocating up to 32G per section
for the arelent pointer array, only to find a little later that the
section reloc count was fuzzed. This usually doesn't hurt much (on
systems that allow malloc overcommit) except when compiled with asan.
We already do this for ELF targets, and while fixing the logic
recently I decided other targets ought to do the same.
* elf64-sparc.c (elf64_sparc_get_reloc_upper_bound): Sanity check
section reloc count against file size.
* mach-o.c (bfd_mach_o_get_reloc_upper_bound): Likewise.
* aoutx.h (get_reloc_upper_bound): Likewise, and don't duplicate
check done in bfd_get_reloc_upper_bound.
* pdp11.c (get_reloc_upper_bound): Likewise.
* coffgen.c (coff_get_reloc_upper_bound): Likewise.
bfd_malloc_and_get_section performs some sanity checks on the section
size before allocating memory. This patch avails the stab
nearest_line code of that sanity checking, and tidies up memory
afterward.
* coffgen.c (_bfd_coff_close_and_cleanup): Call _bfd_stab_cleanup.
* elf.c (_bfd_elf_close_and_cleanup): Likewise.
* syms.c (_bfd_stab_section_find_nearest_line): Set *pinfo earlier.
Use bfd_malloc_and_get_section. Free malloc'd buffers on failure.
Malloc indextable.
(_bfd_stab_cleanup): New function.
* libbfd-in.h (_bfd_stab_cleanup): Declare.
* libbfd.h: Regnerate.
It doesn't make sense to try to compress a section without contents
since those sections take no space on disk. Compression can only
increase the disk image size.
* coffgen.c (make_a_section_from_file): Exclude !SEC_HAS_CONTENTS
sections from compression and decompression.
* elf.c (_bfd_elf_make_section_from_shdr): Likewise.
On coff_slurp_symbol_table printing "unrecognized storage class"
for a symbol error. If the symbol name is the last string in its
section and not terminated, we run off the end of the buffer.
* coffgen.c (build_debug_section): Terminate the section with
an extra 0.
bfd_hostptr_t is defined as a type large enough to hold either a long
or a pointer. It mostly appears in the coff backend code in casts.
include/coff/internal.h struct internal_syment and union
internal_auxent have the only uses in data structures, where
comparison with include/coff/external.h and other code reveals that
the type only needs to be large enough for a 32-bit integer or a
pointer. That should mean replacing with uintptr_t is OK.
Otherwise the string table may grow and hence e.g. change a final binary
(observed with PE/COFF ones) even if really there's no change. Doing so
in fact reduces the overall amount of code, and in particular the number
of places which need to remain in sync.
Afaics there's no real equivalent to the "traditional_format" field used
when linking, so hashing is always enabled when copying / stripping.
XCOFF assembly defines the visibility using an additional argument
on several pseudo-ops: .globl, .weak, .extern and .comm.
This implies that .globl and .weak syntax is different than the
usual GNU syntax. But we want to provide compatibility with AIX
assembler, especially because GCC is generating the visibility
using this XCOFF syntax.
PR 22085
bfd/ChangeLog:
* coffcode.h (coff_write_object_contents): Change XCOFF header
vstamp field to 2.
* coffgen.c (coff_print_symbol): Increase the size for n_type.
gas/ChangeLog:
* config/tc-ppc.c (ppc_xcoff_get_visibility): New function.
(ppc_globl): New function.
(ppc_weak): New function.
(ppc_comm): Add visibility field support.
(ppc_extern): Likewise.
* testsuite/gas/all/cofftag.d: Adjust to new n_type size
providing by objdump.
* testsuite/gas/ppc/test1xcoff32.d: Likewise.
* testsuite/gas/ppc/aix.exp: Add new tests.
* testsuite/gas/ppc/xcoff-visibility-1-32.d: New test.
* testsuite/gas/ppc/xcoff-visibility-1-64.d: New test.
* testsuite/gas/ppc/xcoff-visibility-1.s: New test.
include/ChangeLog:
* coff/internal.h (SYM_V_INTERNAL, SYM_V_HIDDEN,
SYM_V_PROTECTED, SYM_V_EXPORTED, SYM_V_MASK): New defines.
* coff/xcoff.h (struct xcoff_link_hash_entry): Add visibility
field.
ld/ChangeLog:
* testsuite/ld-pe/pr19803.d: Adjust to new n_type size
providing by objdump.
The result of running etc/update-copyright.py --this-year, fixing all
the files whose mode is changed by the script, plus a build with
--enable-maintainer-mode --enable-cgen-maint=yes, then checking
out */po/*.pot which we don't update frequently.
The copy of cgen was with commit d1dd5fcc38ead reverted as that commit
breaks building of bfp opcodes files.
This test was failing here and on another similar symbol:
[ 4](sec 1)(fl 0x00)(ty 0)(scl 143) (nx 0) 0x05d1745d11745d21 .bs
where correct output is
[ 4](sec 1)(fl 0x00)(ty 0)(scl 143) (nx 0) 0x000000000000000a .bs
The problem is caused by a 32-bit host pointer being sign-extended
when stored into a 64-bit bfd_vma, and then that value not being
trimmed back to 32 bits when used. The following belt-and-braces
patch fixes both the store and subsequent reads.
* coffcode.h (coff_slurp_symbol_table): Do not sign extend
when storing a host pointer to syment.n_value.
* coffgen.c (coff_get_symbol_info): Cast syment.n_value to a
bfd_hostptr_t before using in arithmetic.
(coff_print_symbol): Likewise.
Commit e86fc4a5bc ("PR 28447: implement multiple parameters for .file
on XCOFF") introduces C_FILE entries which can store additional
information.
However, some modifications are needed by them but not by the original
C_FILE entries, usually representing the filename.
This patch ensures that filename entries are kept as is, in order to
protect targets not supporting the additional entries.
* coffgen.c (coff_write_symbol): Protect filename entries
(coff_write_symbols): Likewise.
(coff_print_symbol): Likewise.
Sometimes the investigation of a fuzzing bug report leads into areas
you'd rather not go. In this instance by the time I'd figured out the
real cause was a target variant that had never been properly supported
in binutils, the time needed to fix it was less than the time needed
to rip it out.
* coffcode.h (coff_set_alignment_hook): Call bfd_coff_swap_reloc_in
not coff_swap_reloc_in.
(coff_slurp_reloc_table): Likewise. Don't use RELOC type.
(ticoff0_swap_table): Use coff_swap_reloc_v0_out and
coff_swap_reloc_v0_in.
* coffswap.h (coff_swap_reloc_v0_in, coff_swap_reloc_v0_out): New.
* coff-tic54x.c (tic54x_lookup_howto): Don't abort.
* coffgen.c (coff_get_normalized_symtab): Use PTR_ADD.
* bfd-in.h (PTR_ADD, NPTR_ADD): Avoid warnings when passing an
expression.
* bfd-in2.h: Regenerate.
Section reloc_count is an unsigned int. Adding one for a NULL
terminator to an array of arelent pointers can wrap the count to
zero. Avoid that by doing the addition as longs.
* coffgen.c (coff_get_reloc_upper_bound): Don't overflow unsigned
int expression.
* elf.c (_bfd_elf_get_reloc_upper_bound): Likewise.
* elf64-sparc.c (elf64_sparc_get_reloc_upper_bound): Likewise.
* mach-o.c (bfd_mach_o_get_reloc_upper_bound): Likewise.
* vms-alpha.c (alpha_vms_get_reloc_upper_bound): Likewise.
A C_BSTAT debug symbol specifies the beginning of a static block.
Its n_value is the index of the csect containing static symbols.
A C_STSYM debug symbol represents the stabstring of a statically
allocated symbol. Its n_value is the offset in the csect pointed
by the containing C_BSTAT.
These two special n_value were not correctly handled both when
generating object files with gas or when reading them with objdump.
This patch tries to improve that and, above all, to allow gas-generated
object files with such symbols to be accepted by AIX ld.
bfd/
* coff-bfd.c (bfd_coff_get_syment): Adjust n_value of symbols
having fix_value = 1 in order to be an index and not a memory
offset.
* coffgen.c (coff_get_symbol_info): Likewize.
(coff_print_symbol): Likewize.
gas/
* config/tc-ppc.c (ppc_frob_label): Don't change within if
already set.
(ppc_stabx): Remove workaround changing exp.X_add_symbol's
within.
* config/tc-ppc.h (struct ppc_tc_sy): Update comments.
* symbols.c (resolve_symbol_value): Remove symbol update
when final_val is 0 and it's an AIX debug symbol.
* testsuite/gas/ppc/aix.exp: Add new tests.
* testsuite/gas/ppc/xcoff-stsym-32.d: New test.
* testsuite/gas/ppc/xcoff-stsym-64.d: New test.
* testsuite/gas/ppc/xcoff-stsym.s: New test.
PR 26198
* coffgen.c (_bfd_coff_section_already_linked): Allow for plugin
objects both before and after normal object files.
* elflink.c (_bfd_elf_section_already_linked): Likewise.
PR 25961
* coffgen.c (coff_get_normalized_symtab): Check that buffer
contains required number of auxents before processing any auxent.
* coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended
file name from auxents for PE.
The object_p (and archive_p, core_file_p) functions are not supposed
to have any target specific malloc'd memory attached to the bfd on
their return. This should be obvious on a failure return, but it's
also true for a successful return. The reason is that even though the
object_p recognises the file, that particular target may not be used
and thus the bfd won't be closed calling close_and_cleanup for the
target that allocated the memory.
It turns out that the object_p bfd_target* return value isn't needed.
In all cases except ld/plugin.c the target is abfd->xvec and with
ld/plugin.c the target isn't used. So this patch returns a cleanup
function from object_p instead, called in bfd_check_format_matches to
tidy the bfd before trying a different target match. The only cleanup
that does anything at this stage is the alpha-vms one.
bfd/
* targets.c (bfd_cleanup): New typedef.
(struct bfd <_bfd_check_format>): Return a bfd_cleanup.
* libbfd-in.h (_bfd_no_cleanup): Define.
* format.c (bfd_reinit): Add cleanup parameter, call it.
(bfd_check_format_matches): Set cleanup from _bfd_check_format
call and pass to bfd_reinit. Delete temp, use abfd->xvec instead.
* aout-target.h (callback, object_p): Return bfd_cleanup.
* aout-tic30.c (tic30_aout_callback, tic30_aout_object_p): Likewise.
* archive.c (bfd_generic_archive_p): Likewise.
* binary.c (binary_object_p): Likewise.
* coff-alpha.c (alpha_ecoff_object_p): Likewise.
* coff-ia64.c (ia64coff_object_p): Likewise.
* coff-rs6000.c (_bfd_xcoff_archive_p, rs6000coff_core_p): Likewise.
* coff-sh.c (coff_small_object_p): Likewise.
* coff-stgo32.c (go32_check_format): Likewise.
* coff64-rs6000.c (xcoff64_archive_p, rs6000coff_core_p),
(xcoff64_core_p): Likewise.
* coffgen.c (coff_real_object_p, coff_object_p): Likewise.
* elf-bfd.h (bfd_elf32_object_p, bfd_elf32_core_file_p),
(bfd_elf64_object_p, bfd_elf64_core_file_p): Likewise.
* elfcode.h (elf_object_p): Likewise.
* elfcore.h (elf_core_file_p): Likewise.
* i386msdos.c (msdos_object_p): Likewise.
* ihex.c (ihex_object_p): Likewise.
* libaout.h (some_aout_object_p): Likewise.
* libbfd-in.h (bfd_generic_archive_p, _bfd_dummy_target),
(_bfd_vms_lib_alpha_archive_p, _bfd_vms_lib_ia64_archive_p): Likewise.
* libbfd.c (_bfd_dummy_target): Likewise.
* libcoff-in.h (coff_object_p): Likewise.
* mach-o-aarch64.c (bfd_mach_o_arm64_object_p),
(bfd_mach_o_arm64_core_p): Likewise.
* mach-o-arm.c (bfd_mach_o_arm_object_p),
(bfd_mach_o_arm_core_p): Likewise.
* mach-o-i386.c (bfd_mach_o_i386_object_p),
(bfd_mach_o_i386_core_p): Likewise.
* mach-o-x86-64.c (bfd_mach_o_x86_64_object_p),
(bfd_mach_o_x86_64_core_p): Likewise.
* mach-o.c (bfd_mach_o_header_p, bfd_mach_o_gen_object_p),
(bfd_mach_o_gen_core_p, bfd_mach_o_fat_archive_p): Likewise.
* mach-o.h (bfd_mach_o_object_p, bfd_mach_o_core_p),
(bfd_mach_o_fat_archive_p, bfd_mach_o_header_p): Likewise.
* mmo.c (mmo_object_p): Likewise.
* pef.c (bfd_pef_object_p, bfd_pef_xlib_object_p): Likewise.
* peicode.h (coff_real_object_p, pe_ILF_object_p),
(pe_bfd_object_p): Likewise.
* plugin.c (ld_plugin_object_p, bfd_plugin_object_p): Likewise.
* ppcboot.c (ppcboot_object_p): Likewise.
* rs6000-core.c (rs6000coff_core_p): Likewise.
* som.c (som_object_setup, som_object_p): Likewise.
* srec.c (srec_object_p, symbolsrec_object_p): Likewise.
* tekhex.c (tekhex_object_p): Likewise.
* vms-alpha.c (alpha_vms_object_p): Likewise.
* vms-lib.c (_bfd_vms_lib_archive_p, _bfd_vms_lib_alpha_archive_p),
(_bfd_vms_lib_ia64_archive_p, _bfd_vms_lib_txt_archive_p): Likewise.
* wasm-module.c (wasm_object_p): Likewise.
* xsym.c (bfd_sym_object_p): Likewise.
* xsym.h (bfd_sym_object_p): Likewise.
* aoutx.h (some_aout_object_p): Likewise, and callback parameter
return type.
* pdp11.c (some_aout_object_p): Likewise.
* plugin.c (register_ld_plugin_object_p): Update object_p
parameter type.
* plugin.h (register_ld_plugin_object_p): Likewise.
* bfd-in2.h: Regenerate.
* libbfd.h: Regenerate.
* libcoff.h: Regenerate.
ld/
* plugin.c (plugin_object_p): Return a bfd_cleanup.
(plugin_cleanup): New function.
PR 25447
* coffgen.c (_bfd_coff_close_and_cleanup): Do not clear the keep
syms and keep strings flags as these may have been set in order to
prevent a bogus call to free.
object_p functions cannot allocate memory by malloc and not free it
before returning. Even a successful target match may not be the best
match. If a match isn't used then those malloc'd blocks won't be
freed.
* coffgen.c (coff_real_object_p): Free malloc'd memory on target
match too.
The testcase in this PR triggered "BFD_ASSERT (p2->is_sym)" by
sneakily generating a C_FILE sym whose value pointed into auxents.
The fix then is in the last changed line of this patch, to check
p->is_sym as well as p->u.syment.n_sclass. The other changes fix
various overflow checks that weren't as solid as they could be.
PR 25197
* coffgen.c (coff_find_nearest_line_with_names): Check that C_FILE
u.syment.n_value does point at another C_FILE sym and not into
some auxent that happens to look like a C_FILE. Properly check
for integer overflow and avoid possible pointer wrap-around.
Simplify pr17512 checks.
This parameter might appear to be used to set up offset_size, but
since git commit 024b2372f5 offset_size is either set from the
debug_info data or is set to 4.
* dwarf2.c (_bfd_dwarf2_find_nearest_line): Remove addr_size parameter.
* libbfd-in.h (_bfd_dwarf2_find_nearest_line): Update prototype.
* coffgen.c (coff_find_nearest_line_with_names): Adjust
_bfd_dwarf2_find_nearest_line calls.
* elf.c (_bfd_elf_find_nearest_line, _bfd_elf_find_line): Likewise.
* elf32-arm.c (elf32_arm_find_nearest_line): Likewise.
* elf64-alpha.c (elf64_alpha_find_nearest_line): Likewise.
* elfnn-aarch64.c (elfNN_aarch64_find_nearest_line): Likewise.
* elfxx-mips.c (_bfd_mips_elf_find_nearest_line): Likewise.
* mach-o.c (bfd_mach_o_find_nearest_line): Likewise.
* libbfd.h: Regenerate.
For LTO, a symbol may defined in discarded section. We should mark it
as undefined so that LTO plugin will make IR definition available.
PR ld/24267
* coffgen.c (_bfd_coff_section_already_linked): Skip discarded
section.
* cofflink.c (coff_link_add_symbols): Check for symbols defined
in discarded section.
Compressed debug sections can have uncompressed sizes that exceed the
original file size, so we can't use bfd_get_file_size. objdump also
used bfd_get_file_size to limit reloc section size, but I believe the
underlying bug causing the PR22508 out of bounds buffer access was
that we had an integer overflow when calculating the reloc buffer
size. I've fixed that instead in most of the backends, som and
vms-alpha being the exceptions. SOM and vmd-alpha have rather more
serious bugs in their slurp_relocs routines that would need fixing
first if we want to fuss about making them safe against fuzzed object
files.
The patch also fixes a number of other potential overflows by using
the bfd_alloc2/malloc2/zalloc2 memory allocation functions.
bfd/
* coffcode.h (buy_and_read): Delete unnecessary forward decl. Add
nmemb parameter. Use bfd_alloc2.
(coff_slurp_line_table): Use bfd_alloc2. Update buy_and_read calls.
Delete assertion.
(coff_slurp_symbol_table): Use bfd_alloc2 and bfd_zalloc2.
(coff_slurp_reloc_table): Use bfd_alloc2. Update buy_and_read calls.
* coffgen.c (coff_get_reloc_upper_bound): Ensure size calculation
doesn't overflow.
* elf.c (bfd_section_from_shdr): Use bfd_zalloc2. Style fix.
(assign_section_numbers): Style fix.
(swap_out_syms): Use bfd_malloc2.
(_bfd_elf_get_reloc_upper_bound): Ensure size calculation doesn't
overflow.
(_bfd_elf_make_empty_symbol): Style fix.
(elfobj_grok_stapsdt_note_1): Formatting.
* elfcode.h (elf_object_p): Use bfd_alloc2.
(elf_write_relocs, elf_write_shdrs_and_ehdr): Likewise.
(elf_slurp_symbol_table): Use bfd_zalloc2.
(elf_slurp_reloc_table): Use bfd_alloc2.
(_bfd_elf_bfd_from_remote_memory): Use bfd_malloc2.
* elf64-sparc (elf64_sparc_get_reloc_upper_bound): Ensure
size calculation doesn't overflow.
(elf64_sparc_get_dynamic_reloc_upper_bound): Likewise.
* mach-o.c (bfd_mach_o_get_reloc_upper_bound): Likewise.
* pdp11.c (get_reloc_upper_bound): Copy aoutx.h version.
binutils/
* objdump.c (load_specific_debug_section): Don't compare section
size against file size.
(dump_relocs_in_section): Don't compare reloc size against file size.
Print "failed to read relocs" on bfd_get_reloc_upper_bound error.
