Commit graph

17274 commits

Author SHA1 Message Date
Alan Modra
c5967f38de PR28530, Hang in objdump on machine with 196GB RAM
Investigating the PR28530 testcase, which has a fuzzed compression
header with an enormous size, I noticed that decompress_contents is
broken when the size doesn't fit in strm.avail_out.  It wouldn't be
too hard to support larger sizes (patches welcome!) but for now just
stop decompress_contents from returning rubbish.

	PR 28530
	* compress.c (decompress_contents): Fail when uncompressed_size
	is too big.
	(bfd_init_section_decompress_status): Likewise.
2021-11-05 14:15:18 +10:30
Alan Modra
a3c0896d80 asan: alpha-vms: objdump buffer overflows
* vms-alpha.c (evax_bfd_print_desc): Sanity check buffer access.
	(evax_bfd_print_valspec, evax_bfd_print_typspec): Likewise.
	(evax_bfd_print_dst): Likewise.
2021-11-05 14:15:18 +10:30
GDB Administrator
831105b6d9 Automatic date update in version.in 2021-11-05 00:00:30 +00:00
H.J. Lu
33d3e18ed7 Revert "bfd: Always check sections with the corrupt size"
This reverts commit e0f7ea9143.
2021-11-04 08:07:09 -07:00
H.J. Lu
e0f7ea9143 bfd: Always check sections with the corrupt size
Always check sections with the corrupt size for non-MMO files.  Skip MMO
files for compress_status == COMPRESS_SECTION_NONE since MMO has special
handling for COMPRESS_SECTION_NONE.

	PR binutils/28530
	* compress.c (bfd_get_full_section_contents): Always check
	sections with the corrupt size.
2021-11-04 06:57:32 -07:00
Nelson Chu
edc77c591a RISC-V: Clarify the behavior of .option rvc or norvc.
Add/Remove the rvc extension to/from the riscv_subsets once the
.option rvc/norvc is set, so that we don't need to always check
riscv_opts.rvc in riscv_subset_supports; calling riscv_lookup_subset
to search the subset list is enough.

Besides, we will need to dump the instructions according to the
elf architecture attributes.  That means the dis-assembler needs
to parse the architecture string from the elf attribute before
dumping any instructions, and also needs to recognize the
INSN_CLASS* classes from riscv_opcodes.  Therefore, I suppose
some functions will need to be moved from gas/config/tc-riscv.c
to bfd/elfxx-riscv.c, including riscv_multi_subset_supports and
riscv_subset_supports.  This is one of the reasons why we need
this patch.

This patch passes the gcc/binutils regressions of rv32emc-elf,
rv32i-elf, rv64gc-elf and rv64gc-linux toolchains.

bfd/
	* elfxx-riscv.c (riscv_remove_subset): Remove the extension
	from the subset list.
	(riscv_update_subset): Add/Remove an extension to/from the
	subset list.  This is used for the .option rvc or norvc.
	* elfxx-riscv.h: Added the extern bool riscv_update_subset.
gas/
	* config/tc-riscv.c (riscv_set_options): Removed the unused
	rve flag.
	(riscv_opts): Likewise.
	(riscv_set_rve): Removed.
	(riscv_subset_supports): Removed the riscv_opts.rvc check.
	(riscv_set_arch): Don't need to call riscv_set_rve.
	(reg_lookup_internal): Call riscv_subset_supports to check
	whether the rve is supported.
	(s_riscv_option): Add/Remove the rvc extension to/from the
	subset list once the .option rvc/norvc is set.
2021-11-04 17:46:09 +08:00
GDB Administrator
8f01568908 Automatic date update in version.in 2021-11-04 00:00:14 +00:00
Alan Modra
a442059f66 PR28523, ld.bfd created undefined symbols on ppc64
This patch removes any fake (linker created) function descriptor
symbol if its code entry symbol isn't dynamic, to ensure bogus dynamic
symbols are not created.  The change to func_desc_adjust requires that
it be run only once, which means ppc64_elf_tls_setup can't call it for
just a few selected symbols.

	PR 28523
	* elf64-ppc.c (func_desc_adjust): If a function entry sym is
	not dynamic and has no plt entry, hide any associated fake
	function descriptor symbol.
	(ppc64_elf_edit): Move func_desc_adjust iteration over syms to..
	(ppc64_elf_tls_setup): ..here.
2021-11-03 10:46:29 +10:30
GDB Administrator
b480ee76e4 Automatic date update in version.in 2021-11-03 00:00:18 +00:00
GDB Administrator
317db249c7 Automatic date update in version.in 2021-11-02 00:00:17 +00:00
Alan Modra
c908dea26f mach-o archive sanity checks
Anti-fuzzing checks.

	* mach-o.c (bfd_mach_o_fat_archive_p): Sanity check entry offset
	and size against file size.
2021-11-01 22:30:33 +10:30
Przemyslaw Wirkus
3197e593d8 arm: add armv9-a architecture to -march
Updates also include:
	+ New value of Tag_CPU_arch EABI attribute (22) is added.
	+ Updated missing Tag_CPU_arch EABI attributes.
	+ Updated how we combine archs 'v4t_plus_v6_m' as this mechanism
	  has to handle new Armv9 as well.

Regression tested on `arm-none-eabi` cross Binutils and no issues.

bfd/

	* archures.c: Define bfd_mach_arm_9.
	* bfd-in2.h (bfd_mach_arm_9): Define bfd_mach_arm_9.
	* cpu-arm.c: Add 'armv9-a' option to -march.
	* elf32-arm.c (using_thumb2_bl): Update assert check.
	(arch_has_arm_nop): Add TAG_CPU_ARCH_V9.
	(bfd_arm_get_mach_from_attributes): Add case for TAG_CPU_ARCH_V9.
	Update assert.
	(tag_cpu_arch_combine): Updated table.
	(v9): New table.

binutils/

	* readelf.c (arm_attr_tag_CPU_arch): Update with

elfcpp/

	* arm.h: Update TAG_CPU_ARCH_ enums with correct values.

gas/

	* NEWS: Update docs.
	* config/tc-arm.c (get_aeabi_cpu_arch_from_fset): Return Armv9-a
	for -march=all.
	(aeabi_set_public_attributes): Update assert.
	* doc/c-arm.texi: Update docs.
	* testsuite/gas/arm/armv9-a_arch.d: New test.
	* testsuite/gas/arm/attr-march-all.d: Update test with v9.

include/

	* elf/arm.h Update TAG_CPU_ARCH_ defines with correct values.
	* opcode/arm.h (ARM_EXT3_V9A): New macro.
	(ARM_ARCH_NONE): Updated with arm_feature_set.core size.
	(FPU_NONE): Updated.
	(ARM_ANY): Updated.
	(ARM_ARCH_UNKNOWN): New macro.
	(ARM_FEATURE_LOW): Updated.
	(ARM_FEATURE_CORE): Updated.
	(ARM_FEATURE_CORE_LOW): Updated.
	(ARM_FEATURE_CORE_HIGH): Updated.
	(ARM_FEATURE_COPROC): Updated.
	(ARM_FEATURE): Updated.
	(ARM_FEATURE_ALL): New macro.

opcodes/

	* arm-dis.c (select_arm_features): Support bfd_mach_arm_9.
	Also Update bfd_mach_arm_unknown to use new macro ARM_ARCH_UNKNOWN.
2021-11-01 10:51:03 +00:00
GDB Administrator
e7360783ae Automatic date update in version.in 2021-11-01 00:00:19 +00:00
Alan Modra
590abc168f Don't include coff/pe.h in coff-x86_64.c
This (and other) code from coffcode.h is broken for x86_64_coff_vec,
and has been ever since support was added in 2006 commit 99ad839030.
Here, bfd_coff_aoutsz must match coff_swap_aouthdr_out, otherwise we
end up writing garbage.

      /* Note that peicode.h fills in a PEAOUTHDR, not an AOUTHDR.
	 include/coff/pe.h sets AOUTSZ == sizeof (PEAOUTHDR)).  */
      char * buff;
      bfd_size_type amount = bfd_coff_aoutsz (abfd);

      buff = (char *) bfd_malloc (amount);
      if (buff == NULL)
	return false;

      coff_swap_aouthdr_out (abfd, & internal_a, buff);
      amount = bfd_bwrite (buff, amount, abfd);

We have removed support for --target=x86_64-coff, likely because it
never worked properly, but still produce coff-x86_64.o with
--enable-targets=all.  This means objcopy can recognize x86_64 COFF
files but will write garbage to the output file, a fact found by
fuzzers.  I suspect x86_64 COFF is still broken after this fix, and
mention of coff-x86_64.* should be removed from bfd/Makefile.am.

	* coff-x86_64.c: Don't include coff/pe.h.
	(COFF_WITH_pex64): Don't define here.
	* pe-x86_64.c: Include coff/pe.h and other headers.
	(PEI_HEADERS): Define.
2021-10-31 11:42:52 +10:30
Alan Modra
1c5e9d8d8c Re: PR28420, ecoff fuzzing failures
sym_ptr_ptr NULL results in segfaults.

	PR 28420
	* ecoff.c (ecoff_slurp_reloc_table): Don't leave sym_ptr_ptr NULL.
2021-10-31 11:42:08 +10:30
Alan Modra
9216910ed8 ubsan: alpha-vms: undefined shift
* vms-alpha.c (evax_bfd_print_image): Shift left 1u.
2021-10-31 11:41:39 +10:30
Alan Modra
3c8ed65a5d PR28518: signed integer overflow & free on unmalloced address
PR 28518
	* vms-alpha.c (build_module_list): Don't lose malloc buffer address.
	Use unsigned variables.
2021-10-31 10:57:52 +10:30
GDB Administrator
fb9f44d410 Automatic date update in version.in 2021-10-31 00:00:09 +00:00
GDB Administrator
4a3a56c5f3 Automatic date update in version.in 2021-10-30 00:00:26 +00:00
Alan Modra
c45c3dba8c ELF core file size checks
Catch fuzzed segments where p_offset + p_filesz wraps, and limit error
output.

	* elfcore.h (elf_core_file_p): Rewrite segment checks using
	bfd_get_file_size.  Set read_only on file size errors.
	* elfcode.h (elf_swap_shdr_in): Don't repeat error message.
2021-10-29 17:22:32 +10:30
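Three of the commits above add the same kind of guard: decompress_contents now fails when uncompressed_size cannot fit zlib's strm.avail_out, bfd_mach_o_fat_archive_p checks each entry's offset and size against the file size, and elf_core_file_p catches segments where p_offset + p_filesz wraps. The program below is an added example, not binutils code, showing why the naive sum check is unsafe and the form that cannot wrap, applied to a constructed little-endian Elf64_Phdr. The helper names (range_within_file, checked_phdr, decompress_size_ok) and the sample sizes are this example's own; the only facts taken from real layouts are the Elf64_Phdr field offsets and that zlib's avail_out is a uInt.

```c
/* Added example, not binutils code: overflow-safe "does [off, off+len)
   lie inside the file?" checks of the kind the commits above add for
   fuzzed ELF core segments, Mach-O fat-archive entries and compressed
   section headers.  Helper names and sample bytes are constructed.  */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive form: off + len is computed first, so a fuzzed len near
   UINT64_MAX wraps to a small value and the bogus range is accepted.  */
static bool
naive_range_within_file (uint64_t off, uint64_t len, uint64_t file_size)
{
  return off + len <= file_size;
}

/* Safe form: never compute off + len; compare len with the bytes that
   remain after off, which cannot wrap.  */
static bool
range_within_file (uint64_t off, uint64_t len, uint64_t file_size)
{
  return off <= file_size && len <= file_size - off;
}

static uint64_t
rd_le (const unsigned char *p, int n)
{
  uint64_t v = 0;
  while (n-- > 0)
    v = (v << 8) | p[n];
  return v;
}

static void
wr_le (unsigned char *p, int n, uint64_t v)
{
  for (int i = 0; i < n; i++)
    p[i] = (unsigned char) (v >> (8 * i));
}

/* Build a 56-byte little-endian Elf64_Phdr (real layout: p_type at 0,
   p_offset at 8, p_filesz at 32; everything else zero).  */
static void
make_phdr64le (unsigned char buf[56], uint64_t off, uint64_t filesz)
{
  for (int i = 0; i < 56; i++)
    buf[i] = 0;
  wr_le (buf, 4, 1);		/* PT_LOAD */
  wr_le (buf + 8, 8, off);
  wr_le (buf + 32, 8, filesz);
}

/* Parse p_offset/p_filesz from an Elf64_Phdr; refuse a truncated
   header rather than read past the end of the buffer.  */
static bool
parse_phdr64le (const unsigned char *buf, size_t avail,
		uint64_t *off, uint64_t *filesz)
{
  if (avail < 56)
    return false;
  *off = rd_le (buf + 8, 8);
  *filesz = rd_le (buf + 32, 8);
  return true;
}

/* Build, parse and range-check a header in one step: -1 if the header
   is truncated, 1 if its file-backed bytes fit in the file, else 0.  */
static int
checked_phdr (uint64_t off, uint64_t filesz, uint64_t file_size, size_t avail)
{
  unsigned char buf[56];
  uint64_t o, n;
  make_phdr64le (buf, off, filesz);
  if (!parse_phdr64le (buf, avail < 56 ? avail : 56, &o, &n))
    return -1;
  return range_within_file (o, n, file_size) ? 1 : 0;
}

/* An uncompressed size that does not fit zlib's uInt avail_out cannot be
   inflated into one buffer; reject it instead of returning rubbish.  */
static bool
decompress_size_ok (uint64_t uncompressed_size)
{
  return uncompressed_size <= UINT_MAX;
}

int
main (void)
{
  const uint64_t file_size = 0xC0;		/* constructed 192-byte file */
  const uint64_t fuzzed = UINT64_MAX - 0x20;	/* fuzzed p_filesz */
  printf ("naive: %s  safe: %s\n",
	  naive_range_within_file (0x40, fuzzed, file_size) ? "accept" : "reject",
	  checked_phdr (0x40, fuzzed, file_size, 56) == 1 ? "accept" : "reject");
  return 0;
}
```

With p_offset 0x40 and a p_filesz of UINT64_MAX - 0x20, the sum wraps to 0x1F, so the naive check accepts a segment that extends past the end of a 192-byte file while the subtraction form rejects it. The same two-step comparison applies unchanged to a Mach-O fat entry's offset/size pair; the compressed-section case differs only in that the bound is the largest buffer the inflater can address rather than the file size.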
Alan Modra
c82ebeb7e6 objcopy vs. files with silly section alignment
We already ignore stupid segment alignment when rewriting headers,
ignore section alignment too.

	* elf.c (rewrite_elf_program_header): Ignore section alignment
	power greater than 62.
2021-10-29 15:48:22 +10:30
GDB Administrator
208eb58158 Automatic date update in version.in 2021-10-29 00:00:18 +00:00
Alan Modra
0a0ff9d931 asan: mmo: NULL dereference in mmo_xore_32
mmo_get_loc can return NULL.  It's commented even, and that the caller
then must handle a split field.  mmo_xore_* don't handle split fields,
instead just segfault.  Stop that happening, and refuse to recognise
fuzzed mmo files that trigger this problem.

	* mmo.c (mmo_get_loc): Don't declare inline.
	(mmo_xore_64, mmo_xore_32, mmo_xore_16): Remove forward decls.
	Return pointer, don't dereference NULL.
	(mmo_scan): Return error on mmo_get_loc returning NULL.
2021-10-28 13:25:57 +10:30
Alan Modra
42eec46f23 bfd: remove use of INLINE
No need to use anything fancy, plain inline works just as well.

	* bfd-in.h (INLINE): Don't define.
	* bfd-in2.h: Regenerate.
	* aoutx.h: Replace use of INLINE with inline.
	* elf-eh-frame.c: Likewise.
	* elf32-score7.c: Likewise.
	* elfxx-mips.c: Likewise.
	* ihex.c: Likewise.
	* mach-o.c: Likewise.
	* mmo.c: Likewise.
2021-10-28 13:24:37 +10:30
GDB Administrator
9fc9dbc28b Automatic date update in version.in 2021-10-28 00:00:16 +00:00
Alan Modra
94852430d6 asan: alpha-vms: buffer overflows
Yet more anti-fuzzer sanity checking

	* vms-alpha.c (evax_bfd_print_egsd): Sanity check record and
	name lengths before access.
	(evax_bfd_print_etir_stc_ir, evax_bfd_print_etir): Likewise.
2021-10-28 07:40:49 +10:30
GDB Administrator
28c26ce5fd Automatic date update in version.in 2021-10-27 00:00:18 +00:00
GDB Administrator
3976e96a02 Automatic date update in version.in 2021-10-26 00:00:12 +00:00
Alan Modra
1e5a28be0f ubsan: _bfd_xcoff64_swap_aux_in left shift of negative value
* coff64-rs6000.c (_bfd_xcoff64_swap_aux_in): Use bfd_vma for h.
2021-10-25 11:41:52 +10:30
Alan Modra
b920bc3722 asan: evax_bfd_print_image buffer overflow
* vms-alpha.c (evax_bfd_print_image): Sanity check printing of
	"image activator fixup" section.
	(evax_bfd_print_relocation_records): Sanity check buffer offsets.
	(evax_bfd_print_address_fixups): Likewise.
	(evax_bfd_print_reference_fixups): Likewise.
2021-10-25 10:33:26 +10:30
GDB Administrator
30459fe4ef Automatic date update in version.in 2021-10-25 00:00:17 +00:00
Alan Modra
1ed0032b40 asan: c4x, c54x coff_canonicalize_reloc buffer overflow
Sometimes the investigation of a fuzzing bug report leads into areas
you'd rather not go.  In this instance by the time I'd figured out the
real cause was a target variant that had never been properly supported
in binutils, the time needed to fix it was less than the time needed
to rip it out.

	* coffcode.h (coff_set_alignment_hook): Call bfd_coff_swap_reloc_in
	not coff_swap_reloc_in.
	(coff_slurp_reloc_table): Likewise.  Don't use RELOC type.
	(ticoff0_swap_table): Use coff_swap_reloc_v0_out and
	coff_swap_reloc_v0_in.
	* coffswap.h (coff_swap_reloc_v0_in, coff_swap_reloc_v0_out): New.
	* coff-tic54x.c (tic54x_lookup_howto): Don't abort.
	* coffgen.c (coff_get_normalized_symtab): Use PTR_ADD.
	* bfd-in.h (PTR_ADD, NPTR_ADD): Avoid warnings when passing an
	expression.
	* bfd-in2.h: Regenerate.
2021-10-24 22:05:51 +10:30
Alan Modra
e028124942 asan: arm-darwin: buffer overflow
PR 21813
	* mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Sanity
	check PAIR reloc in other branch of condition as was done for
	PR21813.  Formatting.  Delete debug printf.
2021-10-24 21:45:23 +10:30
Alan Modra
3f9661f12a asan: aout: heap buffer overflow
* aoutx.h (aout_get_external_symbols): Sanity check before writing
	zero index entry.  Remove outdated comment.
	* pdp11.c (aout_get_external_symbols): Likewise.
2021-10-24 21:36:32 +10:30
liuzhensong
e214f8db56 LoongArch bfd support
2021-10-22  Chenghua Xu  <xuchenghua@loongson.cn>
	    Zhensong Liu  <liuzhensong@loongson.cn>
	    Weinan Liu  <liuweinan@loongson.cn>
bfd/
	* Makefile.am: Add LoongArch.
	* archures.c: Likewise.
	* config.bfd: Likewise.
	* configure.ac: Likewise.
	* cpu-loongarch.c: New.
	* elf-bfd.h: Add LoongArch.
	* elf.c: Add LoongArch elfcore_grok_xxx.
	* elfnn-loongarch.c: New.
	* elfxx-loongarch.c: New.
	* elfxx-loongarch.h: New.
	* reloc.c: Add LoongArch BFD RELOC ENUM.
	* targets.c: Add LoongArch target.
	* Makefile.in: Regenerate.
	* bfd-in2.h: Regenerate.
	* configure: Regenerate.
	* libbfd.h: Regenerate.
	* po/BLD-POTFILES.in: Regenerate.
	* po/SRC-POTFILES.in: Regenerate.

include/
	* elf/common.h: Add NT_LARCH_{CPUCFG,CSR,LSX,LASX}.
	* elf/loongarch.h: New.
2021-10-24 21:36:31 +10:30
GDB Administrator
e515d93264 Automatic date update in version.in 2021-10-24 00:00:16 +00:00
GDB Administrator
eaf4a97352 Automatic date update in version.in 2021-10-23 00:00:18 +00:00
Lewis Revill
9abcdc10b2 RISC-V: Don't separate pcgp relaxation to another relax pass.
Commit abd20cb637 and ebdcad3fdd introduced additional
complexity into the paths run by the RISC-V relaxation pass in order to
resolve the issue of accurately keeping track of pcrel_hi and pcrel_lo
pairs. The first commit split up relaxation of these relocs into a pass
which occurred after other relaxations in order to prevent the situation
where bytes were deleted in between a pcrel_lo/pcrel_hi pair, inhibiting
our ability to find the corresponding pcrel_hi relocation from the
address attached to the pcrel_lo.

Since the relaxation was split into two passes the 'again' parameter
could not be used to perform the entire relaxation process again and so
the second commit added a way to restart ldelf_map_segments, thus
starting the whole process again.

Unfortunately this process could not account for the fact that we were
not finished with the relaxation process so in some cases - such as the
case where code would not fit in a memory region before the
R_RISCV_ALIGN relocation was relaxed - sanity checks in generic code
would fail.

This patch fixes all three of these concerns by reverting back to a
system of having only one target relax pass but updating entries in the
table of pcrel_hi/pcrel_lo relocs every time any bytes are deleted. Thus
we can keep track of the pairs accurately, and we can use the 'again'
parameter to restart the entire target relax pass, behaving in the way
that generic code expects. Unfortunately we must still have an
additional pass to delay deleting AUIPC bytes to avoid ambiguity between
pcrel_hi relocs stored in the table after deletion. This pass can only
be run once so we may potentially miss out on relaxation opportunities
but this is likely to be rare.

https://sourceware.org/bugzilla/show_bug.cgi?id=28410

bfd/
	* elfnn-riscv.c (riscv_elf_link_hash_table): Removed restart_relax.
	(riscv_elf_link_hash_table_create): Updated.
	(riscv_relax_delete_bytes): Moved after the riscv_update_pcgp_relocs.
	Update the pcgp_relocs table whenever bytes are deleted.
	(riscv_update_pcgp_relocs): Add function to update the section
	offset of pcrel_hi and pcrel_lo, and also update the symbol value
	of pcrel_hi.
	(_bfd_riscv_relax_call): Need to update the pcgp_relocs table
	when deleting codes.
	(_bfd_riscv_relax_lui): Likewise.
	(_bfd_riscv_relax_tls_le): Likewise.
	(_bfd_riscv_relax_align): Once we've handled an R_RISCV_ALIGN,
	we can't relax anything else, so set the sec->sec_flg0 to true.
	Besides, we don't need to update the pcgp_relocs table at this
	stage, so just pass NULL pointer as the pcgp_relocs table for
	riscv_relax_delete_bytes.
	(_bfd_riscv_relax_section): Use only one pass for all target
	relaxations.
	(_bfd_riscv_relax_delete): Likewise, we don't need to update
	the pcgp_relocs table at this stage, and don't need to set
	the `again' since restart_relax mechanism is abandoned.
	(bfd_elfNN_riscv_restart_relax_sections): Removed.
	(_bfd_riscv_relax_section): Updated.
	* elfxx-riscv.h (bfd_elf32_riscv_restart_relax_sections): Removed.
	(bfd_elf64_riscv_restart_relax_sections): Likewise.
ld/
	* emultempl/riscvelf.em: Revert restart_relax changes and set
	relax_pass to 3.
	* testsuite/ld-riscv-elf/align-small-region.d: New testcase.
	* testsuite/ld-riscv-elf/align-small-region.ld: Likewise.
	* testsuite/ld-riscv-elf/align-small-region.s: Likewise.
	* testsuite/ld-riscv-elf/restart-relax.d: Removed since the
	restart_relax mechanism is abandoned.
	* testsuite/ld-riscv-elf/restart-relax.s: Likewise.
	* testsuite/ld-riscv-elf/ld-riscv-elf.exp: Updated.
2021-10-22 16:44:37 +08:00
GDB Administrator
46276d3ca2 Automatic date update in version.in 2021-10-22 00:00:17 +00:00
GDB Administrator
f4efb229b7 Automatic date update in version.in 2021-10-21 00:00:22 +00:00
GDB Administrator
e43321cab2 Automatic date update in version.in 2021-10-20 00:00:09 +00:00
Nick Clifton
cf487499e0 Fix a potential illegal memory access when testing for a special LTO symbol name.
bfd/
	* linker.c (_bfd_generic_link_add_one_symbol): Test for a NULL
	name before checking to see if the symbol is __gnu_lto_slim.
	* archive.c (_bfd_compute_and_write_armap): Likewise.
binutils/
	* nm.c (filter_symbols): Test for a NULL name before checking to
	see if the symbol is __gnu_lto_slim.
	* objcopy.c (filter_symbols): Likewise.
2021-10-19 16:02:49 +01:00
GDB Administrator
d4ef5e75c7 Automatic date update in version.in 2021-10-19 00:00:14 +00:00
GDB Administrator
19b9612448 Automatic date update in version.in 2021-10-18 00:00:08 +00:00
GDB Administrator
31629daee5 Automatic date update in version.in 2021-10-17 00:00:19 +00:00
GDB Administrator
8457023a80 Automatic date update in version.in 2021-10-16 00:00:15 +00:00
GDB Administrator
f9ebf60b6f Automatic date update in version.in 2021-10-15 00:00:12 +00:00
GDB Administrator
cdb6026064 Automatic date update in version.in 2021-10-14 00:00:12 +00:00
GDB Administrator
777b054cf9 Automatic date update in version.in 2021-10-13 00:00:06 +00:00
GDB Administrator
255a531196 Automatic date update in version.in 2021-10-12 00:00:15 +00:00