<html>

    <head>

      <base href="https://bugs.llvm.org/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Don't read past end of relocation section in scanRelocs"

   href="https://bugs.llvm.org/show_bug.cgi?id=48817">48817</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Don't read past end of relocation section in scanRelocs

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>lld

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Windows NT

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>ELF

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>unassignedbugs@nondot.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>jh7370.2008@my.bristol.ac.uk

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvm-bugs@lists.llvm.org, smithp352@googlemail.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Given an input object that doesn't have the right relocations for a GD TLS

access, it's possible to read past the end of the relocation section, leading

to invalid reads/spurious error messages etc. This may not be the only case

either within the scanReloc code.

Example input:

.weak gd

leaq gd@tlsgd+64(%rip), %rdi

Output when linked:

ld.lld: error: unknown relocation (31) against symbol

ld.lld: error:

C:\llvm\build\tools\lld\test\ELF\Output\tls-weak-undef.s.tmpexec.o: invalid

symbol index

The problem is that a GD TLS access assumes there are two relocations. If the

second is missing, the linker doesn't notice this and the iteration termination

check doesn't fire, since it currently only terminates if the iterator equals

`end()`. In this case however, it is `end() + 1`, so the loop continues and

reads data outside the section.

The fix is to check there are actually two relocations remaining before

attempting to read or skip them.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>