@mykouHW mykouHW commented Sep 1, 2025

fixes #156417

Solution:
Before processing the RelocationSection, ensure that the OutputSection for the RelocatedSection is created and registered. The creation and registration logic is protected by the add function, which prevents duplicate creation. However, it may result in duplicate establishment of the parent relationship, which does not affect correctness.

Fix the error generated during the linking process when the relocation section is placed before the relocated section and the relocated section is not defined in the linker script.

github-actions bot commented Sep 1, 2025

Thank you for submitting a Pull Request (PR) to the LLVM Project!

This PR will be automatically labeled and the relevant teams will be notified.

If you wish to, you can add reviewers by using the "Reviewers" section on this page.

If this is not working for you, it is probably because you do not have write permissions for the repository. In which case you can instead tag reviewers by name in a comment by using @ followed by their GitHub username.

If you have received no comments on your PR for a week, you can request a review by "ping"ing the PR by adding a comment “Ping”. The common courtesy "ping" rate is once a week. Please remember that you are asking for valuable time from other developers.

If you have further questions, they may be answered by the LLVM GitHub User Guide.

You can also ask questions in a comment on this PR, on the LLVM Discord or on the forums.


llvmbot commented Sep 1, 2025

@llvm/pr-subscribers-lld

Author: None (mykouHW)

Changes

Fix the error generated during the linking process when the relocation section is placed before the relocated section and the relocated section is not defined in the linker script.

Issue Cause:
In the judgment logic, addOrphanSections assumes that the RelocatedSection must be processed before the RelocationSection. Under this assumption, the OutputSection for the RelocatedSection has already been constructed, and the parent relationship associated with the InputSectionBase has been established.

If the RelocationSection is processed before the RelocatedSection, this assumption is violated. As a result, the condition rel->parent evaluates to null, causing add(relIS) to not execute. This skips the registration and construction process of the RelocatedSection, since its createOutputSection and recordSection methods have not yet been called at this point.

However, during the construction and registration of the RelocationSection in the addInputSec function, the RelocatedSection is accessed. Since the RelocatedSection has not been constructed yet, attempting to access it results in a null pointer error.

Solution:
Before processing the RelocationSection, ensure that the OutputSection for the RelocatedSection is created and registered. The creation and registration logic is protected by the add function, which prevents duplicate creation. However, it may result in duplicate establishment of the parent relationship, which does not affect correctness.


Full diff: https://github.com/llvm/llvm-project/pull/156354.diff

2 Files Affected:

  • (modified) lld/ELF/LinkerScript.cpp (+6-2)
  • (added) lld/test/ELF/linkerscript/orphan-sections-init.s (+30)
diff --git a/lld/ELF/LinkerScript.cpp b/lld/ELF/LinkerScript.cpp
index 921128dae2bdb..067abbc42a13d 100644
--- a/lld/ELF/LinkerScript.cpp
+++ b/lld/ELF/LinkerScript.cpp
@@ -1037,10 +1037,14 @@ void LinkerScript::addOrphanSections() {
     if (ctx.arg.relocatable && (isec->flags & SHF_LINK_ORDER))
       continue;
 
-    if (auto *sec = dyn_cast<InputSection>(isec))
-      if (InputSectionBase *rel = sec->getRelocatedSection())
+    if (auto *sec = dyn_cast<InputSection>(isec)){
+      if (InputSectionBase *rel = sec->getRelocatedSection()){
+        if (auto *relIS = dyn_cast_or_null<InputSectionBase>(rel))
+          add(relIS);
         if (auto *relIS = dyn_cast_or_null<InputSectionBase>(rel->parent))
           add(relIS);
+      }
+    }
     add(isec);
     if (ctx.arg.relocatable)
       for (InputSectionBase *depSec : isec->dependentSections)
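Review bot: the new `if (auto *relIS = dyn_cast_or_null<InputSectionBase>(rel))` is a no-op cast: `rel` is already declared as `InputSectionBase *` on the line above and is non-null inside that `if`, so the two added lines can simply be `add(rel);`. Reusing the name `relIS` for two different objects in adjacent statements also makes the block harder to read; once the first check is dropped, the existing `if (auto *relIS = dyn_cast_or_null<InputSectionBase>(rel->parent))` can keep its name. Please run clang-format as well: LLVM style writes `) {` rather than `){`, and the outer braces around the single nested `if` are not needed once the inner body is braced. Finally, nothing in the code explains the ordering requirement; a one-line comment saying that the relocated section must be registered before the relocation section because addInputSec dereferences it (the null-pointer case from the description) would spare the next reader a trip to the PR.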
diff --git a/lld/test/ELF/linkerscript/orphan-sections-init.s b/lld/test/ELF/linkerscript/orphan-sections-init.s
new file mode 100644
index 0000000000000..1701336f098e2
--- /dev/null
+++ b/lld/test/ELF/linkerscript/orphan-sections-init.s
@@ -0,0 +1,30 @@
+# REQUIRES: x86
+# RUN: rm -rf %t && mkdir -p %t
+# RUN: split-file %s %t && cd %t
+
+# RUN: llvm-mc -filetype=obj -triple=x86_64 foo.s -o foo.o
+
+# RUN: ld.lld -r  foo.o -T script.ld -o foo_mc.o
+
+# RUN: llvm-objcopy --rename-section .text=.com.text foo_mc.o foo_mc.o
+# RUN: llvm-objcopy --rename-section .rela.text=.rela.com.text foo_mc.o foo_mc.o
+
+# RUN: ld.lld -r foo_mc.o  -T script.ld -o foo_mc_after.o
+
+#--- foo.s
+  .text
+  .globl	foo
+  .p2align	4
+  .type	foo,@function
+foo:
+  mov $bar, %rax
+
+
+
+#--- script.ld
+SECTIONS
+{
+  .rela.text    0 : { *(.rela.text) }
+  .text         0 : { *(.text) }
+}
+
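Review bot: the test contains no FileCheck lines, so it only verifies that the second `ld.lld -r foo_mc.o -T script.ld` invocation does not crash; a regression that silently produced a wrong output file would still pass. Please add a check such as `# RUN: llvm-readelf -S foo_mc_after.o | FileCheck %s` with CHECK lines asserting that `.com.text` and `.rela.com.text` are both present in the output (these are the orphan sections, since script.ld only names `.text` and `.rela.text`) and that the relocation section is still associated with the renamed text section. Minor cleanups: the double spaces in `ld.lld -r  foo.o` and `foo_mc.o  -T`, the three trailing blank lines after `mov $bar, %rax`, and a short leading comment stating the scenario (relocation section listed before the relocated section in the script, relocated section renamed so that it becomes an orphan) would make the intent clear without reading the PR description.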

Successfully merging this pull request may close these issues.

[LLD] Vulnerability in Orphan Sections Initialization