https://sourceware.org/bugzilla/show_bug.cgi?id=32552
Bug ID: 32552
Summary: Potential access beyond size of generated .eh_frame sections for PLTs on x86
Product: binutils
Version: 2.44 (HEAD)
Status: UNCONFIRMED
Severity: minor
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: jremus at linux dot ibm.com
Target Milestone: ---

Created attachment 15880 --> https://sourceware.org/bugzilla/attachment.cgi?id=15880&action=edit
Patch that demonstrates the access beyond section size

The .eh_frame sections for the PLT sections are generated by the linker as follows:

1. _bfd_x86_elf_late_size_sections sets the sections' initial sizes, allocates their contents buffers, initializes their contents (CIE and FDE) from a template, and fills in their FDE length field (PC Range).
2. _bfd_x86_elf_finish_dynamic_sections later fills in their FDE start field (PC Start).

The size of the generated .eh_frame sections may change during linking:

- The linker may add padding to the last FDE of an .eh_frame section (e.g. in _bfd_elf_discard_section_eh_frame and bfd_elf_discard_info).
- The linker may discard the FDE and even "minimize" the CIE (i.e. discard the initial Call Frame Instructions from the CIE while updating the CIE length field).

The attached patch demonstrates that _bfd_x86_elf_finish_dynamic_sections sometimes accesses the generated .eh_frame section beyond its size when filling in the FDE start field. That is, the added assertion fails for a bunch of ld tests, because the linker has discarded the FDE (and optionally "minimized" the CIE).

How shall we deal with this?

A) Add an .eh_frame section size test to the if-condition, so that the FDE start field is not filled in when the FDE got discarded.

B) Test rawsize instead of size in the assertion (assuming rawsize corresponds to the contents buffer size). Note that rawsize sometimes is zero, although size is set and the contents buffer is initialized. Therefore rawsize would need to be initialized as well.
C) Ignore and do not add any assertion(s), as the subject .eh_frame sections are linker generated and thus the contents buffer should always have enough room (assuming the linker never reallocates the contents buffer when discarding the FDE).

I stumbled over this while porting the generation of .eh_frame for PLT from x86 to s390.

Regards,
Jens
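To illustrate option A, here is an added example (not binutils code, and not from the attached patch): a minimal .eh_frame walker that locates the FDE's PC Start field by following the entry length fields, and a late-fill routine that skips the write when the section has been shrunk so that the FDE no longer fits. The sample section bytes and the demo_fill helper are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed .eh_frame image shaped like a linker-generated PLT one: a CIE
   (length 20) then one FDE (length 16), 44 bytes; values are illustrative. */
static const uint8_t sample_eh_frame[44] = {
    20, 0, 0, 0,  0, 0, 0, 0,             /* CIE: length, CIE id 0 */
    1, 'z', 'R', 0,  1, 0x78, 16,         /* version 1, "zR", code align 1, data align -8, RA 16 */
    1, 0x1b,  0x0c, 7, 8,  0x90, 1, 0, 0, /* aug len 1, enc pcrel|sdata4, def_cfa, offset, nops */
    16, 0, 0, 0,  28, 0, 0, 0,            /* FDE: length, CIE pointer (28 bytes back) */
    0, 0, 0, 0,  0x40, 0, 0, 0,           /* PC Start (filled in late), PC Range */
    0, 0, 0, 0,                           /* aug data length 0, nops */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Offset of the first FDE's PC Start field, or -1 when no complete FDE lies
   within `size` bytes (FDE discarded, section truncated, or CIE only). */
long fde_pc_begin_offset(const uint8_t *buf, size_t size) {
    size_t off = 0;
    while (off + 8 <= size) {
        uint32_t len = rd32le(buf + off);
        if (len == 0 || len == 0xffffffffu) return -1;  /* terminator or 64-bit DWARF */
        size_t end = off + 4 + len;
        if (end > size) return -1;                      /* entry runs past the section */
        if (rd32le(buf + off + 4) != 0)                 /* nonzero id: this is an FDE */
            return (off + 12 <= end) ? (long)(off + 8) : -1;
        off = end;  /* a CIE; a "minimized" CIE still skips correctly via its updated length */
    }
    return -1;
}

/* Option A from the report: write PC Start only while the FDE is still inside the section. */
int fill_fde_pc_begin(uint8_t *buf, size_t size, int32_t pc_begin) {
    long off = fde_pc_begin_offset(buf, size);
    if (off < 0) return 0;
    uint32_t v = (uint32_t)pc_begin;
    for (int i = 0; i < 4; i++) buf[off + i] = (uint8_t)(v >> (8 * i));
    return 1;
}

/* Simulate the section having been shrunk to `size` bytes before the late fill. */
int demo_fill(size_t size) {
    uint8_t buf[sizeof sample_eh_frame];
    memcpy(buf, sample_eh_frame, sizeof buf);
    return fill_fde_pc_begin(buf, size, -0x1000);
}
```

With the full 44-byte section the write lands at offset 32; once the linker has dropped the FDE (size 24, CIE only) or padded the section short of the FDE's end, the fill is skipped instead of writing past `size`.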