From 102def4da826b3d9e169741421e5e67e8731909a Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 23 Oct 2018 18:30:22 +1030
Subject: [PATCH] PR23805, NULL pointer dereference in elf_link_input_bfd

	PR 23805
	* elflink.c (elf_link_input_bfd): Don't segfault on finding
	STT_TLS symbols without any TLS sections.  Instead, change the
	symbol type to STT_NOTYPE.

Upstream-Status: Backport
CVE: CVE-2018-18606
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 bfd/ChangeLog |  7 +++++++
 bfd/elflink.c | 20 ++++++++++++++------
 2 files changed, 21 insertions(+), 6 deletions(-)

--- a/bfd/elflink.c
+++ b/bfd/elflink.c
@@ -10496,8 +10496,11 @@ elf_link_input_bfd (struct elf_final_lin
 	  if (ELF_ST_TYPE (osym.st_info) == STT_TLS)
 	    {
 	      /* STT_TLS symbols are relative to PT_TLS segment base.  */
-	      BFD_ASSERT (elf_hash_table (flinfo->info)->tls_sec != NULL);
-	      osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma;
+	      if (elf_hash_table (flinfo->info)->tls_sec != NULL)
+		osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma;
+	      else
+		osym.st_info = ELF_ST_INFO (ELF_ST_BIND (osym.st_info),
+					    STT_NOTYPE);
 	    }
 	}
 
@@ -11053,12 +11056,17 @@ elf_link_input_bfd (struct elf_final_lin
 			      sym.st_value += osec->vma;
 			      if (ELF_ST_TYPE (sym.st_info) == STT_TLS)
 				{
+				  struct elf_link_hash_table *htab
+				    = elf_hash_table (flinfo->info);
+
 				  /* STT_TLS symbols are relative to PT_TLS
 				     segment base.  */
-				  BFD_ASSERT (elf_hash_table (flinfo->info)
-					      ->tls_sec != NULL);
-				  sym.st_value -= (elf_hash_table (flinfo->info)
-						   ->tls_sec->vma);
+				  if (htab->tls_sec != NULL)
+				    sym.st_value -= htab->tls_sec->vma;
+				  else
+				    sym.st_info
+				      = ELF_ST_INFO (ELF_ST_BIND (sym.st_info),
+						     STT_NOTYPE);
 				}
 			    }