git.ipfire.org Git - thirdparty/binutils-gdb.git/commit

author	Alan Modra <amodra@gmail.com>
	Wed, 14 Jan 2026 22:28:44 +0000 (22:28 +0000)
committer	Maciej W. Rozycki <macro@orcam.me.uk>
	Wed, 14 Jan 2026 22:28:44 +0000 (22:28 +0000)
commit	c2cb1bfb901e781e5c9dd42f32193c99da3d8d73
tree	cde3c1e27b2eb8ef931bce11b8cd1c201d17918e	tree \| snapshot
parent	42b413786de8e8e9ba2d8b1bf8319582efcfa613	commit \| diff

Move mips_hi16_list to mips_elf_section_data

This patch is in response to fuzzing testcases that manage to cause
segfaults due to stale references to freed memory via mips_hi16.data.

A number of the error/warning handlers in ldmain.c use %C.  This can
cause debug info to be parsed for the first time in order to print
file/function/line.  If one of those warnings is triggered after some
hi16 relocs have been processed but before the matching lo16 reloc is
handled, *and* the debug info is corrupted with a lo16 reloc, then the
mips_hi16_list will be flushed with the result that printing a warning
changes linker output.  It is also possible that corrupted debug info
adds to the hi16 list, with the result that when the linker handles a
later lo16 reloc in a text section, ld will segfault accessing
mips_hi16.data after the debug buffers have be freed.  Both of these
problems are fixed by keeping a per-section mips_hi16_list rather than
a per-file list.

* elfxx-mips.c (struct mips_hi16): Move earlier, deleting
input_section field.
(struct _mips_elf_section_data): Add mips_hi16_list.
(struct mips_elf_obj_tdata): Delete mips_hi16_list.
(_bfd_mips_elf_free_cached_info): Adjust to suit new location
of mips_hi16_list.
(_bfd_mips_elf_hi16_reloc, _bfd_mips_elf_lo16_reloc): Likewise.
(_bfd_mips_elf_orphan_shr16_reloc): Likewise.
(mips_elf_free_hi16_list): Likewise.
(_bfd_mips_elf_finalize_section_relocs): Likewise.
(_bfd_elf_mips_get_relocated_section_contents): Likewise.