From d4d66eb19fd5ace50e1d40f53f14e76fe8b8963d Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Sun, 9 Feb 2025 15:13:38 +0800
Subject: [PATCH] x86: Return error for invalid relocation offset

Return error if relocation offset + relocation size > section size.

bfd/

	PR ld/32665
	* elf32-i386.c (elf_i386_scan_relocs): Return error for invalid
	relocation offset.
	* elf64-x86-64.c (elf_x86_64_scan_relocs): Likewise.

ld/

	PR ld/32665
	* testsuite/ld-x86-64/pr32665.err: New file.
	* testsuite/ld-x86-64/pr32665.o.bz2: Likewise.
	* testsuite/ld-x86-64/x86-64.exp: Run PR ld/32665 test.

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
---
 bfd/elf32-i386.c                     |  12 ++++++++++++
 bfd/elf64-x86-64.c                   |  12 ++++++++++++
 ld/testsuite/ld-x86-64/pr32665.err   |   3 +++
 ld/testsuite/ld-x86-64/pr32665.o.bz2 | Bin 0 -> 2827 bytes
 ld/testsuite/ld-x86-64/x86-64.exp    |   5 +++++
 5 files changed, 32 insertions(+)
 create mode 100644 ld/testsuite/ld-x86-64/pr32665.err
 create mode 100644 ld/testsuite/ld-x86-64/pr32665.o.bz2

diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
index 81301bf3a57..701cb6d5473 100644
--- a/bfd/elf32-i386.c
+++ b/bfd/elf32-i386.c
@@ -1531,6 +1531,7 @@ elf_i386_scan_relocs (bfd *abfd,
       const char *name;
       bool size_reloc;
       bool no_dynreloc;
+      reloc_howto_type *howto;
 
       r_symndx = ELF32_R_SYM (rel->r_info);
       r_type = ELF32_R_TYPE (rel->r_info);
@@ -1547,6 +1548,17 @@ elf_i386_scan_relocs (bfd *abfd,
 	  goto error_return;
 	}
 
+      howto = elf_i386_rtype_to_howto (r_type);
+      if (rel->r_offset + bfd_get_reloc_size (howto) > sec->size)
+	{
+	  /* xgettext:c-format */
+	  _bfd_error_handler
+	    (_("%pB: bad reloc offset (%#" PRIx32 " > %#" PRIx32 ") for"
+	       " section `%pA'"), abfd, (uint32_t) rel->r_offset,
+	     (uint32_t) sec->size, sec);
+	  goto error_return;
+	}
+
       if (r_symndx < symtab_hdr->sh_info)
 	{
 	  /* A local symbol.  */
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index bb42ed5bd63..feb8827b3c1 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -2441,6 +2441,7 @@ elf_x86_64_scan_relocs (bfd *abfd, struct bfd_link_info *info,
       bool size_reloc;
       bool converted_reloc;
       bool no_dynreloc;
+      reloc_howto_type *howto;
 
       r_symndx = htab->r_sym (rel->r_info);
       r_type = ELF32_R_TYPE (rel->r_info);
@@ -2457,6 +2458,17 @@ elf_x86_64_scan_relocs (bfd *abfd, struct bfd_link_info *info,
 	  goto error_return;
 	}
 
+      howto = elf_x86_64_rtype_to_howto (abfd, r_type);
+      if (rel->r_offset + bfd_get_reloc_size (howto) > sec->size)
+	{
+	  /* xgettext:c-format */
+	  _bfd_error_handler
+	    (_("%pB: bad reloc offset (%#" PRIx64 " > %#" PRIx64 ") for"
+	       " section `%pA'"), abfd, (uint64_t) rel->r_offset,
+	     (uint64_t) sec->size, sec);
+	  goto error_return;
+	}
+
       if (r_symndx < symtab_hdr->sh_info)
 	{
 	  /* A local symbol.  */
diff --git a/ld/testsuite/ld-x86-64/pr32665.err b/ld/testsuite/ld-x86-64/pr32665.err
new file mode 100644
index 00000000000..f539eb07433
--- /dev/null
+++ b/ld/testsuite/ld-x86-64/pr32665.err
@@ -0,0 +1,3 @@
+#...
+.*tmpdir/pr32665.o: bad reloc offset \(0xf2ffffff01bc > 0x574\) for section `.text'
+#...
diff --git a/ld/testsuite/ld-x86-64/pr32665.o.bz2 b/ld/testsuite/ld-x86-64/pr32665.o.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..42695cb85778379d0b9d468361666d63e3aa9e2c
GIT binary patch
literal 2827
zc-jFA3-t6tT4*^jL0KkKSueJL82}2wfB*mg|Ly<(|NsC0|26;r|M%X%|Ml$T{#O03
zbMtg;`TyVvm&|JxzzkF<8*QX)kw6<_pwm$SG{lqApQ)OfW}{QeFl|j9r2P{~pk(zA
z(M>#&v;s8pjj7}#)byGI$r~sErkV$-`ldr_0s4TSsUD_iLFqQ286Js-NJdQ)6F|`n
zqa#f<Jxw;6Y8qggX_G;aXa<3ykZ5QC8W|b@0001F00w{tKxhp#AkmO%pfqS`GBgba
zfB+h3(V)=NKn(x}O*8`t(9i$?&=`ONKmZK@8351_Xvj3s8Z<N+8U}+v01Y%~&}eC(
z27m)5ngN7pXaE3c3_t;(00w{zfM^IbWEyA<8X63Z13{nw2AVWzG&IlyKmn6Y0Kzmh
z001-wAOO$+13(5qGyx()B5A3Hrc*skr>c3hjTH4WL>MO2+MZL>De5+vN2Wm2CQ#a%
zJcK<X0X(BJLjnyRr-`PgsP!}kjEoZ+6VwLO)6*g~v#2U17=j|v(C(()6KKPe?Xhbr
zNEW_nG-%v)K7YHs%I@`FlWFK_ybdpikIw6G1LopkicB$;ZAEO8CP6SKF-?sy$fYTx
zDRgv|SElo@LrBSMCnhU(<;B)<`R^*vBi-0n%{gX*q+r4f6oZM4`RYBn*j{}%k6G7P
zT;t(ve9flzkHKZ1;O{OfBoM<@Au<@vuElh#t5s^|HpQiNo3#g+#CHme>~&!B=F5UK
zyF)C+h*V)}#nBLEURbgJ)e*>mSr80Xbir3vv}*b8>GrvWzac@gf%!<x3`kiDPwZFK
z){*LaSPKv$6p;%OyA-<e*tsT74MB17&Ni`;5jdE2``is4HP)v0Lqco!cs)*L`H&Kc
zPavXc>A<WYWH5jP?-&A=>)GjoK{kYCD*&`UM&pI((O9sA%+`iRiKJs&tDmJ#<zy~g
z7FtTVzyX4y9NG~Gt%l8lC=8=Qf^eCp`B{Qnz1?a|O{+wI7bIDULI6k>SQFOJ45*Yw
zfd)&;#o^KJx!<Nw`EiQ#&yXO2OCdiFEFuL7#Nu%{oK7bbin}a*ZMAk-FyHlXY~asq
z_KsD8K^fL0gLK4!YT5vkLR||Msim@WaL|gFp`hy;K@A{U#vmvOrqDKo+Drd5lr!b9
zP&78$7{RnA&@?g`l;qMIA%?FfLEU%tl?WO`LLsfQU0VZfnNWc5dk7B&p!`flOaWiC
zm8OIeVP%LG^5h{3lYm46NQQ>ci>)YVY+Klbh1TW>5>jY1jR=M|E?WVy6}2WL*<fia
z>A<xy04sbw&q*zhZI3PQA9b(XD3wuuj2-z1EH%Dq8)gBZln9emB+fS%^xAI&F4UdQ
z9f{XENV$D8762Q+BwDU;*z3c$bAwJcV#V_&s*G2Eb(9;qqmd@i*nm!BRzfHM63<4>
zERUS1+<o^r_uUFLv>d4<o)@8}*X5(K-p{q6L#&W|m=a#X3Usx=YiZm~N~ux!(=RuA
z{f^rvEa(b?iC2F30r)^uN(x;nld&mzI)1z4wA9#f;pF<<tGjziJUid(Lp_1nWybRV
z3%8-i(gwp}va+)u&#4cd>@u}tl^BSGh;(X6o1YFTtU6r1pQllTKxmzUxF0HRiU*hx
zn}v>pIa~iy_V@e9fy5mWAbkJ|PfVg}Ub`*?f{n2(+etU@->T%&Tvja$H6Cn#F4xl2
zYjSRF_q!h}UH-q#e4PdgJ`67MkSLfbF>V-ZSR~1sNgyYhgyI`O*`{cQFk)@CHpbZW
z`j3%)G~Wx^ge<Gc5RE`EAYB|P<p(wQBhY@+qU$DFu@O+_kav5QkMhPgp_Hc~@zH*f
zgc?!;p<uRQXA}2jcZ6(;5);?Ap1b#HonqEtsIMr3Qo^@5M)Eg^PZw9l_jhzHFvwvI
zfL{$Uq5{(e{kC}$GCjOG3w~+fRBLpK5E2>#4Xj3xt(sU~r<so=QJcf`b1d2M>lJv7
za+n(+#}gRFF^ppv$mVCSa3^5b!t-Avt&M9A__mvEw%c&9IvcV_M$odfOZ-ZjDWPM}
zxxR+UUdEGRHXm97M^6W}BJ{IyIhJBKH5f(sLDHi65H%8$Gpg~l*S<IU8km~rg@gkm
zZn3appl0O|ay@X#uH>@eoMQmd2aap;Z#0%2%>PG9zJ4Yi<YLz2<k`TUxDOImpbTWC
zBf?C&`A8F7w%sBa(e5iM7b#S=>twuDzemPRA8B6}Q$>Y<t)-A7FD*Z@-I_A>lv5La
zS)}%vh2FNKiKtew>I?6cvFRd=9Wc%drH%z+R`6hl%5@_C$|;_VJ;TC6lhA`7eQdx2
z*_BsUhUPX2C=#X%1g%Tgg9cFTMP%SYSOJEeT%ALjG#(}pvr-_5iSl6us$%lw{mAy3
ze_HSQr!fZY!vdg$Vw)waNsmugPDP4POQs$6+s%triA=b$1xki}YCu=<M@-pCowZd#
zI;=Ocho!ClI$bQ~-qqaft<}t*18@KnKow{%f)SN4H!GJXi*2jfM_h>jdr=v5%9x>i
za-`qi>Zt^qw<`!u*+-lxH}jBa0yw6mm(I)<5Jgu^g<32Op(K4qZ9c3jk;%lciJV5T
zSgx8}=fvyiV`YmhltGDzGIu$wJTNl*jXw{(ngIZSKs5tK@gD!g4Be~85L&wV(0Lk+
zrZuQS?MNMeeiqssAv?iJ!oucm+WHY3Vldt-3+I=O5_vqk_jPC9T*Mois{oC<f^#Gt
zRdG`OyF*>sQ|LXZ5Gv^s)L>`PpR<~+76~jNkpLQ=0olzhp>b8`Gir$XP$`6lD!EqT
zWHwo^=G8BDbu)v|YnKuPFUXx_;8oAii6~1_nB}IRZEjy8hJ)4^qO4R6Hra11$&zMP
z7Nd33+nWn)Pq`Dp3<ekhRIDQj(8_JCd1$1nCu`9_DxwBBL$cdQvN1C-1#s?wMY+u#
zF&pfPNSOl7i#zuvOA{TDR%a<Uux3MMBvNJw*3XCqHU-<_;9#{GRUNJwD;MJrVCsp5
z8OYLCg%I3NSW~2yq=-qjMP*o3+ZY1diKT($p}S6rK}&UFD@_YCP_jH4lHw{0Ij6B{
z#E1<*BA^wn0%L+#93_JbP?ZM-1>ahxb7X^hI`$qH00Mc2l}d1oi_Z;?Eqqp}!#TW+
ze5^2=_Z-dI66+L*!6khAMfKGL4#PCAxd_QrA|j!@M55kirgh|8jze;HN<>Ej`Q{MH
z=~;9|F>Z3G5DFzy0ETke>sNp{F9Io&hetjtmVzWAzE=NIAsRgxiZ?(nNGhO$$d-A;
zM=aK*B?_n!xEx_|fixFQz+z=fm2pZ!AOWe2UNN$gtt{VJj5*haI>U^VgG9GveibIG
zF5L~!STvRQ+Shju0037d-uFP1?J%w^A;D@ZiY2|cbrE1Pr6zVEBTmHAI&F+1M&7!v
zeTtA34JIZQtrbZinwY37l7WgHH^Qe2iBh0M7h^4GkPT8Pz(VH)K=_}o*JyM)#jSM=
zh=MrA!~&%SMrcMbA_=9h1VuGZogN<Wh#a;f(F2;sv?2vJ)p@M_h81M_r_Jpa5dfP@
zd0<w+wRrQTi^;6&F>TUd^T`k<D<un#j@}}bRa`L+(+L2r9x9@cS&*@HBsFGm2!K$U
z_Bmv4P=$>2W^RXj4=BY?l>zV>ur>y$kcFH5+05298Y;}_`xzt{6CnL~eB(kmJV*dI
dd`K5HwuF4)Tk>)*R3P`o+>uTcBn$1J20#q+1t<Uj

literal 0
Hc-jL100001

diff --git a/ld/testsuite/ld-x86-64/x86-64.exp b/ld/testsuite/ld-x86-64/x86-64.exp
index bcec5c1926a..e4b9ebb033c 100644
--- a/ld/testsuite/ld-x86-64/x86-64.exp
+++ b/ld/testsuite/ld-x86-64/x86-64.exp
@@ -216,6 +216,11 @@ set x86_64tests {
     {"Build textrel-1" "-no-pie -melf_x86_64 -z nocopyreloc --warn-textrel"
      "tmpdir/textrel-1.so"
      "--64" { textrel-1b.s } {{ld "textrel-1.err"}} "textrel-1"}
+    {"Build pr32665"
+     "-melf_x86_64"
+     "" ""
+     { pr32665.o.bz2 }
+     {{ld "pr32665.err"}} "pr32665"}
 }
 
 run_ld_link_tests $x86_64tests
-- 
2.39.5