[ELF][AArch64] Fix potentially corrupted section content for PAC

MaskRay · MaskRay · commit d7cbfcf36ace · 2022-08-05T18:24:54.000-07:00
D74537 introduced a bug: if `(config-&gt;andFeatures &amp; GNU_PROPERTY_AARCH64_FEATURE_1_PAC) != 0`
with -z pac-plt unspecified, we incorrectly use AArch64BtiPac, whose writePlt will make
out-of-bounds write after the .plt section. This is often benign because the
output section after .plt will usually overwrite the content.

This is very difficult to test without D131247 (Parallelize writes of different OutputSections).
diff --git a/lld/ELF/Arch/AArch64.cpp b/lld/ELF/Arch/AArch64.cpp
@@ -884,8 +884,8 @@ void AArch64BtiPac::writePlt(uint8_t *buf, const Symbol &sym,
 }
 
 static TargetInfo *getTargetInfo() {
-  if (config->andFeatures & (GNU_PROPERTY_AARCH64_FEATURE_1_BTI |
-                             GNU_PROPERTY_AARCH64_FEATURE_1_PAC)) {
+  if ((config->andFeatures & GNU_PROPERTY_AARCH64_FEATURE_1_BTI) ||
+      config->zPacPlt) {
     static AArch64BtiPac t;
     return &t;
   }

Original file line number	Diff line number	Diff line change
`@@ -884,8 +884,8 @@ void AArch64BtiPac::writePlt(uint8_t *buf, const Symbol &sym,`
`884`	`884`	`}`
`885`	`885`
`886`	`886`	`static TargetInfo *getTargetInfo() {`
`887`		`- if (config->andFeatures & (GNU_PROPERTY_AARCH64_FEATURE_1_BTI \|`
`888`		`- GNU_PROPERTY_AARCH64_FEATURE_1_PAC)) {`
	`887`	`+ if ((config->andFeatures & GNU_PROPERTY_AARCH64_FEATURE_1_BTI) \|\|`
	`888`	`+ config->zPacPlt) {`
`889`	`889`	`static AArch64BtiPac t;`
`890`	`890`	`return &t;`
`891`	`891`	`}`