<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Crash when a symbol references external version definition"
   href="https://bugs.llvm.org/show_bug.cgi?id=34705">34705</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Crash when a symbol references external version definition
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>lld
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>ELF
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>arichardson.kde@gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=19187" name="attach_19187" title="libmp.so">attachment 19187</a> <a href="attachment.cgi?id=19187&action=edit" title="libmp.so">[details]</a></span>
libmp.so

template <class ELFT> void SharedFile<ELFT>::parseRest() accesses beyond the end
of the Verdefs array when loading a file that uses external version definitions. It
seems like those are not handled by parseVerdefs().


The full reproducer is 1.3MB so I can't upload it here. I have attached the
file that causes the out-of-bounds access here.

The crash happens here when accessing one past the end of the vector:
Parsing symbol __cxa_finalize in
home/alr48/cheri/build-postmerge/cheribsd-obj-256/mips.mips64/exports/users/alr48/sources/cheribsd-postmerge/tmp/usr/lib/libmp.so
versym idx=9

There are only 8 entries in the Verdefs vector, which seem to map to the local
definitions from objdump:

```
Version definitions:
1 0x01 0x0432cf87 libmp.so.7
2 0x00 0x077a28b0 FBSD_1.0
3 0x00 0x077a28b1 FBSD_1.1
4 0x00 0x077a28b2 FBSD_1.2
5 0x00 0x077a28b3 FBSD_1.3
6 0x00 0x077a28b4 FBSD_1.4
7 0x00 0x077a28b5 FBSD_1.5
8 0x00 0x0f1efaa0 FBSDprivate_1.0

Version References:
  required from libc.so.7:
    0x077a28b0 0x00 09 FBSD_1.0
    0x077a28b3 0x00 10 FBSD_1.3
private flags = 30000007: [abi=64] [mips4] [not 32bitmode] [noreorder] [PIC]
[CPIC]
```

I have pushed a workaround to our fork of lld here:
<a href="https://github.com/CTSRD-CHERI/lld/commit/deaa6ee818434e9f002702b04b719ad7e5cb4971">https://github.com/CTSRD-CHERI/lld/commit/deaa6ee818434e9f002702b04b719ad7e5cb4971</a>

If you think this is an appropriate fix/workaround for missing features, I'll
upload it to Phabricator.</pre>
        </div>
      </p>
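<p>The bounds problem described in the report, as an added example that is neither lld's code nor the reporter's workaround: it classifies a .gnu.version (versym) entry against the shared object's version definitions before indexing into them, so an index beyond the last verdef is recognised as a reference to an external version need rather than read out of bounds. The verdef list is constructed from the objdump listing above; the <code>maxVerneedIdx</code> parameter and all other names are assumptions.</p>

```cpp
// Added example (not lld code): classify an ELF .gnu.version entry against the
// shared object's version definitions before indexing into them.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Reserved version indices and the hidden bit, from the GNU symbol versioning ABI.
constexpr uint16_t VER_NDX_LOCAL = 0;
constexpr uint16_t VER_NDX_GLOBAL = 1;
constexpr uint16_t VERSYM_HIDDEN = 0x8000;

enum class VersionKind { Local, Global, Defined, External, Invalid };

struct VersionRef {
  VersionKind kind;
  std::string name;  // verdef name when kind == Defined, otherwise empty
  bool hidden;
};

// verdefs[N-1] is the name of version definition N (indices start at 1).
// maxVerneedIdx (assumed name) is the highest index handed out by the
// .gnu.version_r table, i.e. the "Version References" in the objdump listing.
VersionRef classifyVersym(uint16_t versym, const std::vector<std::string>& verdefs,
                          uint16_t maxVerneedIdx) {
  const bool hidden = (versym & VERSYM_HIDDEN) != 0;
  const uint16_t idx = versym & static_cast<uint16_t>(~VERSYM_HIDDEN);
  if (idx == VER_NDX_LOCAL) return {VersionKind::Local, "", hidden};
  if (idx == VER_NDX_GLOBAL) return {VersionKind::Global, "", hidden};
  // Bounds check: an index past the last verdef is not a definition in this
  // file but a version needed from another library (or, beyond that, garbage).
  const std::size_t pos = static_cast<std::size_t>(idx) - 1;
  if (pos < verdefs.size()) return {VersionKind::Defined, verdefs[pos], hidden};
  if (idx <= maxVerneedIdx) return {VersionKind::External, "", hidden};
  return {VersionKind::Invalid, "", hidden};
}

// Version definitions 1..8 of libmp.so as shown by objdump in the report.
std::vector<std::string> sampleVerdefs() {
  return {"libmp.so.7", "FBSD_1.0", "FBSD_1.1", "FBSD_1.2",
          "FBSD_1.3", "FBSD_1.4", "FBSD_1.5", "FBSDprivate_1.0"};
}

// __cxa_finalize carries versym idx=9: it is FBSD_1.0 required from libc.so.7,
// not a ninth local definition, so indexing verdefs[8] would read past the end.
VersionKind classifyCxaFinalize() {
  return classifyVersym(9, sampleVerdefs(), /*maxVerneedIdx=*/10).kind;  // External
}
```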


    </body>
</html>