<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Don't read past end of relocation section in scanRelocs"
   href="https://bugs.llvm.org/show_bug.cgi?id=48817">48817</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Don't read past end of relocation section in scanRelocs
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>lld
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Windows NT
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>ELF
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>jh7370.2008@my.bristol.ac.uk
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org, smithp352@googlemail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Given an input object that doesn't have the right relocations for a GD TLS
access, it's possible to read past the end of the relocation section, leading
to invalid reads/spurious error messages etc. This may not be the only case
either within the scanReloc code.

Example input:

.weak gd
leaq gd@tlsgd+64(%rip), %rdi

Output when linked:

ld.lld: error: unknown relocation (31) against symbol
ld.lld: error:
C:\llvm\build\tools\lld\test\ELF\Output\tls-weak-undef.s.tmpexec.o: invalid
symbol index

The problem is that a GD TLS access assumes there are two relocations. If the
second is missing, the linker doesn't notice this and the iteration termination
check doesn't fire, since it currently only terminates if the iterator equals
`end()`. In this case however, it is `end() + 1`, so the loop continues and
reads data outside the section.

The fix is to check there are actually two relocations remaining before
attempting to read or skip them.</pre>
        </div>
      </p>
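<p>The iteration bug described above, reduced to a small model as an added example (not lld's own code): a relocation scan that consumes two entries for a GD TLS access, with a flag selecting the reported behaviour (terminate only on <code>end</code>) or the proposed fix (check that two entries remain first). The relocation type constants are the x86-64 values named in comments; the structure, status codes and sample inputs are constructed for the example.</p>

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of an ELF relocation entry; only the type matters here.
struct Reloc {
  uint32_t type;
};

// x86-64 relocation type numbers (R_X86_64_TLSGD, R_X86_64_PLT32, R_X86_64_PC32).
// The scan logic below does not depend on the actual values.
constexpr uint32_t kTlsGd = 19;
constexpr uint32_t kPlt32 = 4;
constexpr uint32_t kPc32 = 2;

enum class ScanStatus { kOk, kMissingPairReloc, kOverran };

struct ScanResult {
  ScanStatus status;
  std::size_t gdAccesses;  // GD TLS accesses the scan believed it consumed
};

// Walks a relocation section by index (lld uses iterators; the arithmetic is
// the same). A GD TLS access consumes two entries: the TLSGD relocation and
// the following call relocation. checkRemaining == false reproduces the bug:
// the loop only stops when i == end, so a trailing TLSGD pushes i to end + 1
// and the termination test never fires. checkRemaining == true is the fix
// from the report: verify two entries remain before reading or skipping them.
ScanResult scanRelocs(const std::vector<Reloc> &rels, bool checkRemaining) {
  const std::size_t end = rels.size();
  std::size_t i = 0;
  std::size_t gdAccesses = 0;
  while (i != end) {
    // Stand-in for the out-of-bounds read: report it instead of performing it.
    if (i > end)
      return {ScanStatus::kOverran, gdAccesses};
    if (rels[i].type == kTlsGd) {
      if (checkRemaining && end - i < 2)
        return {ScanStatus::kMissingPairReloc, gdAccesses};
      i += 2;  // skip the companion relocation as well
      ++gdAccesses;
      continue;
    }
    ++i;
  }
  return {ScanStatus::kOk, gdAccesses};
}
```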


    </body>
</html>