bug-binutils

[Bug ld/32552] New: Potential access beyond size of generated .eh_frame


From: jremus at linux dot ibm.com
Subject: [Bug ld/32552] New: Potential access beyond size of generated .eh_frame sections for PLTs on x86
Date: Mon, 13 Jan 2025 10:13:22 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=32552

            Bug ID: 32552
           Summary: Potential access beyond size of generated .eh_frame
                    sections for PLTs on x86
           Product: binutils
           Version: 2.44 (HEAD)
            Status: UNCONFIRMED
          Severity: minor
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: jremus at linux dot ibm.com
  Target Milestone: ---

Created attachment 15880
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15880&action=edit
Patch that demonstrates the access beyond section size

The .eh_frame sections for the PLT sections are generated by the linker
as follows:
1. _bfd_x86_elf_late_size_sections sets the sections' initial sizes,
   allocates their contents buffers, initializes their contents (CIE and
   FDE) from a template, and fills in their FDE length field (PC Range).
2. _bfd_x86_elf_finish_dynamic_sections later fills in their FDE start
   field (PC Start).

The size of the generated .eh_frame sections may change during linking:
- The linker may add padding to the last FDE of an .eh_frame section
  (e.g. in _bfd_elf_discard_section_eh_frame and bfd_elf_discard_info).
- The linker may discard the FDE and even "minimize" the CIE (i.e.
  discard the initial Call Frame Instructions from the CIE while
  updating the CIE length field).

The attached patch demonstrates that _bfd_x86_elf_finish_dynamic_sections
sometimes accesses the generated .eh_frame section beyond its size when
filling in the FDE start field. That is, the added assertion fails for a
bunch of ld tests, because the linker has discarded the FDE (and optionally
"minimized" the CIE).

How shall we deal with this?

A) Add an .eh_frame section size test to the if-condition, so that the
   FDE start field is not filled in when the FDE got discarded.
B) Test rawsize instead of size in the assertion (assuming rawsize
   corresponds to the contents buffer size).  Note that rawsize
   sometimes is zero, although size is set and the contents buffer is
   initialized.  Therefore rawsize would need to be initialized as well.
C) Ignore and do not add any assertion(s), as the subject .eh_frame
   sections are linker generated and thus the contents buffer should
   always have enough room (assuming the linker never reallocates the
   contents buffer when discarding the FDE).

I stumbled over this while porting the generation of .eh_frame for PLT
from x86 to s390.

Regards,
Jens
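As an added illustration of option A (not code from the report or from binutils), a minimal walker over a generated .eh_frame section that locates the FDE's PC Start field by following the entry length fields rather than a fixed offset, and refuses to write when no complete FDE lies within the section's current size. The byte layout, entry sizes and function names are constructed assumptions for the sample, not the linker's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* x86 .eh_frame fields are 4-byte little-endian words. */
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Walk the section's entries: 4-byte length (excluding itself), then a
   4-byte CIE id (0 = CIE) or CIE pointer (non-zero = FDE).  Return the
   offset of the first FDE's PC Start field, or -1 when no complete FDE
   lies within `size` (FDE discarded, CIE minimized, section truncated). */
static long fde_pc_start_offset(const uint8_t *sec, size_t size)
{
  size_t off = 0;
  while (off + 8 <= size) {
    uint32_t len = get32(sec + off);
    if (len == 0 || (size_t)len > size - off - 4)   /* terminator or truncated */
      break;
    if (get32(sec + off + 4) != 0 && len >= 12)      /* FDE with pc_begin + pc_range */
      return (long)(off + 8);
    off += 4 + len;
  }
  return -1;
}

/* Fill in PC Start only if the FDE is still inside the section; never
   write beyond `size`.  Returns whether the field was written. */
bool fill_fde_pc_start(uint8_t *sec, size_t size, uint32_t pc_start)
{
  long at = fde_pc_start_offset(sec, size);
  if (at < 0)
    return false;
  put32(sec + at, pc_start);
  return true;
}

/* Constructed sample (assumed sizes): a 24-byte CIE followed by a 40-byte
   FDE whose PC Start field at offset 32 is not yet filled in. */
size_t build_sample_plt_eh_frame(uint8_t *sec)
{
  memset(sec, 0, 64);
  put32(sec + 0, 20);   /* CIE length */     put32(sec + 4, 0);   /* CIE id */
  put32(sec + 24, 36);  /* FDE length */     put32(sec + 28, 28); /* CIE pointer (back to CIE) */
  put32(sec + 36, 16);  /* PC Range placeholder */
  return 64;
}
```

Shrinking `size` to the CIE alone (24 bytes), or to a minimized 16-byte CIE, makes the walker return false where a fixed-offset write at byte 32 would land past the section.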
