From c33ea119b1a5cca79f9efc0a6d5603667954358d Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 7 Feb 2024 12:29:12 +1030
Subject: [PATCH] asan: NULL dereference in _bfd_mips_final_write_processing

Fuzzed object files can easily have unexpected section names. We don't want to segfault on objcopy of any file accepted by the mips object_p functions. For objcopy, an assertion that "sec" is non-NULL followed by deferencing "sec" is wrong. So too is asserting that the section name string starts with a particular prefix, and then blithely accessing past the assumed prefix.
* elfxx-mips.c (_bfd_mips_final_write_processing): Replace assertions with conditionals. Don't bother testing for name non-NULL.
---
 bfd/elfxx-mips.c | 39 +++++++++++++++++++--------------------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/bfd/elfxx-mips.c b/bfd/elfxx-mips.c
index 69dd71419ff..b888e7622b7 100644
--- a/bfd/elfxx-mips.c
+++ b/bfd/elfxx-mips.c
@@ -12529,22 +12529,24 @@ _bfd_mips_final_write_processing (bfd *abfd)
 case SHT_MIPS_GPTAB:
 BFD_ASSERT ((*hdrpp)->bfd_section != NULL);
 name = bfd_section_name ((*hdrpp)->bfd_section);
- BFD_ASSERT (name != NULL
- && startswith (name, ".gptab."));
- sec = bfd_get_section_by_name (abfd, name + sizeof ".gptab" - 1);
- BFD_ASSERT (sec != NULL);
- (*hdrpp)->sh_info = elf_section_data (sec)->this_idx;
+ if (startswith (name, ".gptab."))
+ {
+ sec = bfd_get_section_by_name (abfd, name + sizeof ".gptab" - 1);
+ if (sec != NULL)
+ (*hdrpp)->sh_info = elf_section_data (sec)->this_idx;
+ }
 break;
 
 case SHT_MIPS_CONTENT:
 BFD_ASSERT ((*hdrpp)->bfd_section != NULL);
 name = bfd_section_name ((*hdrpp)->bfd_section);
- BFD_ASSERT (name != NULL
- && startswith (name, ".MIPS.content"));
- sec = bfd_get_section_by_name (abfd,
- name + sizeof ".MIPS.content" - 1);
- BFD_ASSERT (sec != NULL);
- (*hdrpp)->sh_link = elf_section_data (sec)->this_idx;
+ if (startswith (name, ".MIPS.content"))
+ {
+ sec = bfd_get_section_by_name (abfd,
+ name + sizeof ".MIPS.content" - 1);
+ if (sec != NULL)
+ (*hdrpp)->sh_link = elf_section_data (sec)->this_idx;
+ }
 break;
 
 case SHT_MIPS_SYMBOL_LIB:
@@ -12559,19 +12561,16 @@ _bfd_mips_final_write_processing (bfd *abfd)
 case SHT_MIPS_EVENTS:
 BFD_ASSERT ((*hdrpp)->bfd_section != NULL);
 name = bfd_section_name ((*hdrpp)->bfd_section);
- BFD_ASSERT (name != NULL);
 if (startswith (name, ".MIPS.events"))
 sec = bfd_get_section_by_name (abfd,
 name + sizeof ".MIPS.events" - 1);
+ else if (startswith (name, ".MIPS.post_rel"))
+ sec = bfd_get_section_by_name (abfd,
+ name + sizeof ".MIPS.post_rel" - 1);
 else
- {
- BFD_ASSERT (startswith (name, ".MIPS.post_rel"));
- sec = bfd_get_section_by_name (abfd,
- (name
- + sizeof ".MIPS.post_rel" - 1));
- }
- BFD_ASSERT (sec != NULL);
- (*hdrpp)->sh_link = elf_section_data (sec)->this_idx;
+ sec = NULL;
+ if (sec != NULL)
+ (*hdrpp)->sh_link = elf_section_data (sec)->this_idx;
 break;
 
 case SHT_MIPS_XHASH:
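Review bot: The new `if (startswith (name, ".gptab."))` and `if (sec != NULL)` guards in the SHT_MIPS_GPTAB stanza leave `(*hdrpp)->sh_info` untouched when the prefix or the partner section is missing, and nothing in the code records that this silent skip is deliberate rather than an oversight; the same applies to `sh_link` in the SHT_MIPS_CONTENT stanza and in the SHT_MIPS_EVENTS hunk below. A comment above the first guard would carry the commit's rationale into the source, e.g. `/* A malformed or fuzzed object may lack the expected name prefix or the partner section; skip rather than assert so objcopy does not crash on it.  */`. Presumably sh_info/sh_link then keep whatever value the section-header setup gave them (likely zero), which is worth confirming, since a stale non-zero index would be written out unchanged. _bfd_mips_final_write_processing starts and ends outside the hunk.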
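Review bot: The `else sec = NULL;` arm followed by a separate `if (sec != NULL)` in the SHT_MIPS_EVENTS stanza reads as two steps where one would do; placing `sec = NULL;` once before the `if (startswith (name, ".MIPS.events"))` / `else if` chain and dropping the trailing `else` keeps the same behaviour and makes the no-match path explicit at the top. It also makes it plain that `sec` cannot be inherited from an earlier case, should this switch sit inside a loop over `hdrpp` as the name suggests, which the old code relied on the removed assertion to rule out. The enclosing function starts and ends outside the hunk.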