From: Alan Modra
Date: Sun, 23 Feb 2025 10:35:00 +0000 (+1030)
Subject: gas: avoid dangling pointers into freed memory
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=70b4fd3dc795f90014b7cb2f0c82c4f81edb889e;p=thirdparty%2Fbinutils-gdb.git

gas: avoid dangling pointers into freed memory

The oss-fuzz gas fuzzer is quite broken in that it doesn't reinitialise all gas and bfd static variables between runs. Since gas naughtily modifies bfd_und_section and bfd_abs_section those bfd statics can hold pointers into freed memory between runs. This patch fixes oss-fuzz issue 398060144.
---
diff --git a/gas/subsegs.c b/gas/subsegs.c
index e098ec4302a..bc80c850b76 100644
--- a/gas/subsegs.c
+++ b/gas/subsegs.c
@@ -50,8 +50,21 @@ subsegs_end (struct obstack **obs)
 for (; *obs; obs++)
 _obstack_free (*obs, NULL);
 _obstack_free (&frchains, NULL);
- bfd_set_section_userdata (bfd_abs_section_ptr, NULL);
+ bfd_set_section_userdata (bfd_com_section_ptr, NULL);
 bfd_set_section_userdata (bfd_und_section_ptr, NULL);
+ bfd_set_section_userdata (bfd_abs_section_ptr, NULL);
+ bfd_set_section_userdata (bfd_ind_section_ptr, NULL);
+ /* Reverse bfd_std_section_init, so the sections look as they did initially. This, and clearing out userdata above, is so we don't leave dangling pointers into freed memory for oss-fuzz to mess with. */
+ asymbol *global_syms = bfd_com_section_ptr->symbol;
+ bfd_und_section_ptr->used_by_bfd = NULL;
+ bfd_und_section_ptr->symbol = global_syms + (bfd_und_section_ptr - bfd_com_section_ptr);
+ bfd_abs_section_ptr->used_by_bfd = NULL;
+ bfd_abs_section_ptr->symbol = global_syms + (bfd_abs_section_ptr - bfd_com_section_ptr);
 }
 static void
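Review bot: The two new `->symbol` restores recover the pristine asymbol by taking `bfd_com_section_ptr->symbol` as an anchor and adding the pointer difference `bfd_und_section_ptr - bfd_com_section_ptr` (likewise for abs), which is only well-defined, and only lands on the right asymbol, if bfd keeps its standard sections in one contiguous array with com first and each `->symbol` drawn from a parallel asymbol array at the same index, and if gas never touches com's own `symbol`; the added comment says it reverses `bfd_std_section_init` but does not spell out either dependency, so a later change to bfd's section layout would silently break this repair. I would add beside the `asymbol *global_syms` line: `/* Assumes the bfd standard sections form one array starting at com, each ->symbol being the same-index entry of one asymbol array, and that com's symbol is never modified by gas.  */`. Only und and abs get `used_by_bfd` and `symbol` reset while com and ind merely have userdata cleared; the commit message suggests gas modifies only those two, but a short remark to that effect would mark the asymmetry as deliberate rather than an omission. subsegs_end begins before the hunk.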