6535688 elfdump could be more robust in the face of Purify

10 files changed, 226 insertions, 80 deletions

diff --git a/usr/src/cmd/sgs/elfdump/common/_elfdump.h b/usr/src/cmd/sgs/elfdump/common/_elfdump.h
index 4b47f4e5f0..1d80ec1c51 100644
--- a/usr/src/cmd/sgs/elfdump/common/_elfdump.h
+++ b/usr/src/cmd/sgs/elfdump/common/_elfdump.h
@@ -64,6 +64,7 @@ extern "C" {
 #define	MAXNDXSIZE	10
 
 typedef struct cache {
+	Elf_Scn		*c_scn;
 	Shdr		*c_shdr;
 	Elf_Data	*c_data;
 	char		*c_name;
diff --git a/usr/src/cmd/sgs/elfdump/common/elfdump.c b/usr/src/cmd/sgs/elfdump/common/elfdump.c
index d5b024acf4..8c232a315e 100644
--- a/usr/src/cmd/sgs/elfdump/common/elfdump.c
+++ b/usr/src/cmd/sgs/elfdump/common/elfdump.c
@@ -271,27 +271,17 @@ sections(const char *file, Cache *cache, Word shnum, Ehdr *ehdr,
 		Shdr		*shdr = _cache->c_shdr;
 		const char	*secname = _cache->c_name;
 
-		if (name && strcmp(name, secname))
-			continue;
-
 		/*
 		 * Although numerous section header entries can be zero, it's
-		 * usually a sign of trouble if the name or type are zero.
+		 * usually a sign of trouble if the type is zero.
 		 */
 		if (shdr->sh_type == 0) {
 			(void) fprintf(stderr, MSG_INTL(MSG_ERR_BADSHTYPE),
 			    file, secname, EC_WORD(shdr->sh_type));
 		}
-		if (shdr->sh_name == 0) {
-			(void) fprintf(stderr, MSG_INTL(MSG_ERR_BADSHNAME),
-			    file, secname, EC_XWORD(shdr->sh_name));
 
-			/*
-			 * Use the empty string, rather than the fabricated
-			 * name for the section output.
-			 */
-			secname = MSG_ORIG(MSG_STR_EMPTY);
-		}
+		if (name && strcmp(name, secname))
+			continue;
 
 		/*
 		 * Identify any sections that are suspicious.  A .got section
@@ -2564,6 +2554,19 @@ checksum(Elf *elf)
 void
 regular(const char *file, Elf *elf, uint_t flags, char *Nname, int wfd)
 {
+	/*
+	 * Program header names that we can test for.
+	 */
+	static const char *pnames[PT_NUM] = {
+		MSG_ORIG(MSG_PT_NULL),		MSG_ORIG(MSG_PT_LOAD),
+		MSG_ORIG(MSG_PT_DYNAMIC),	MSG_ORIG(MSG_PT_INTERP),
+		MSG_ORIG(MSG_PT_NOTE),		MSG_ORIG(MSG_PT_SHLIB),
+		MSG_ORIG(MSG_PT_PHDR),		MSG_ORIG(MSG_PT_TLS)
+	};
+#if PT_NUM != (PT_TLS + 1)
+#error "P_NUM has grown. Update addr_symtype[]"
+#endif
+
 	Elf_Scn		*scn;
 	Ehdr		*ehdr;
 	Elf_Data	*data;
@@ -2620,13 +2623,17 @@ regular(const char *file, Elf *elf, uint_t flags, char *Nname, int wfd)
 		}
 
 		for (cnt = 0; cnt < phnum; phdr++, cnt++) {
+
+			if (Nname && ((phdr->p_type >= PT_NUM) ||
+			    (strcmp(Nname, pnames[phdr->p_type]) != 0)))
+				continue;
+
 			dbg_print(0, MSG_ORIG(MSG_STR_EMPTY));
 			dbg_print(0, MSG_INTL(MSG_ELF_PHDR), EC_WORD(cnt));
 			Elf_phdr(0, ehdr->e_machine, phdr);
 		}
 	}
 
-
 	/*
 	 * Return now if there are no section, if there's just one section to
 	 * act as an extension of the ELF header, or if on section information
@@ -2638,7 +2645,6 @@ regular(const char *file, Elf *elf, uint_t flags, char *Nname, int wfd)
 		return;
 	}
 
-
 	/*
 	 * Obtain the .shstrtab data buffer to provide the required section
 	 * name strings.
@@ -2656,14 +2662,13 @@ regular(const char *file, Elf *elf, uint_t flags, char *Nname, int wfd)
 	} else if ((nameshdr = elf_getshdr(scn)) == NULL) {
 		failure(file, MSG_ORIG(MSG_ELF_GETSHDR));
 		(void) fprintf(stderr, MSG_INTL(MSG_ELF_ERR_SCN),
-		    /* LINTED */
-		    (int)elf_ndxscn(scn));
+		    EC_WORD(elf_ndxscn(scn)));
 
 	} else if ((names = data->d_buf) == 0)
 		(void) fprintf(stderr, MSG_INTL(MSG_ERR_SHSTRNULL), file);
 
 	/*
-	 * Fill in the cache descriptor with information for each section.
+	 * Allocate a cache to maintain a descriptor for each section.
 	 */
 	if ((cache = malloc(shnum * sizeof (Cache))) == 0) {
 		int err = errno;
@@ -2676,59 +2681,155 @@ regular(const char *file, Elf *elf, uint_t flags, char *Nname, int wfd)
 	_cache = cache;
 	_cache++;
 
+	/*
+	 * Traverse the sections of the file.  This gathering of data is
+	 * carried out in two passes.  First, the section headers are captured
+	 * and the section header names are evaluated.  A verification pass is
+	 * then carried out over the section information.  Files have been
+	 * known to exhibit overlapping (and hence erroneous) section header
+	 * information.
+	 *
+	 * Finally, the data for each section is obtained.  This processing is
+	 * carried out after section verification because should any section
+	 * header overlap occur, and a file needs translating (ie. xlate'ing
+	 * information from a non-native architecture file), then the process
+	 * of translation can corrupt the section header information.  Of
+	 * course, if there is any section overlap, the data related to the
+	 * sections is going to be compromised.  However, it is the translation
+	 * of this data that has caused problems with elfdump()'s ability to
+	 * extract the data.
+	 */
 	for (cnt = 1, scn = NULL; scn = elf_nextscn(elf, scn);
 	    cnt++, _cache++) {
+		char	scnndxnm[100];
+
+		_cache->c_scn = scn;
+
 		if ((_cache->c_shdr = elf_getshdr(scn)) == NULL) {
 			failure(file, MSG_ORIG(MSG_ELF_GETSHDR));
 			(void) fprintf(stderr, MSG_INTL(MSG_ELF_ERR_SCN),
-			    /* LINTED */
-			    (int)elf_ndxscn(scn));
+			    EC_WORD(elf_ndxscn(scn)));
 		}
 
-		if (names && _cache->c_shdr->sh_name &&
-		    /* LINTED */
-		    (nameshdr->sh_size > _cache->c_shdr->sh_name))
-			_cache->c_name = names + _cache->c_shdr->sh_name;
-		else {
-			/*
-			 * If there exists no shstrtab data, or a section header
-			 * has no name (an invalid index of 0), then compose a
-			 * name for each section.
-			 */
-			char	scnndxnm[100];
-
-			(void) snprintf(scnndxnm, 100, MSG_INTL(MSG_FMT_SCNNDX),
-			    cnt);
+		/*
+		 * If a shstrtab exists, assign the section name.
+		 */
+		if (names && _cache->c_shdr) {
+			if (_cache->c_shdr->sh_name &&
+			    /* LINTED */
+			    (nameshdr->sh_size > _cache->c_shdr->sh_name)) {
+				_cache->c_name =
+				    names + _cache->c_shdr->sh_name;
+				continue;
+			}
 
 			/*
-			 * Although we have a valid shstrtab section inform the
-			 * user if this section name index exceeds the shstrtab
-			 * data.
+			 * Generate an error if the section name index is zero
+			 * or exceeds the shstrtab data.  Fall through to
+			 * fabricate a section name.
 			 */
-			if (names &&
+			if ((_cache->c_shdr->sh_name == 0) ||
 			    /* LINTED */
 			    (nameshdr->sh_size <= _cache->c_shdr->sh_name)) {
 				(void) fprintf(stderr,
 				    MSG_INTL(MSG_ERR_BADSHNAME), file,
-				    _cache->c_name,
+				    EC_WORD(cnt),
 				    EC_XWORD(_cache->c_shdr->sh_name));
 			}
+		}
 
-			if ((_cache->c_name =
-			    malloc(strlen(scnndxnm) + 1)) == 0) {
-				int err = errno;
-				(void) fprintf(stderr, MSG_INTL(MSG_ERR_MALLOC),
-				    file, strerror(err));
-				return;
+		/*
+		 * If there exists no shstrtab data, or a section header has no
+		 * name (an invalid index of 0), then compose a name for the
+		 * section.
+		 */
+		(void) snprintf(scnndxnm, sizeof (scnndxnm),
+		    MSG_INTL(MSG_FMT_SCNNDX), cnt);
+
+		if ((_cache->c_name = malloc(strlen(scnndxnm) + 1)) == 0) {
+			int err = errno;
+			(void) fprintf(stderr, MSG_INTL(MSG_ERR_MALLOC),
+			    file, strerror(err));
+			return;
+		}
+		(void) strcpy(_cache->c_name, scnndxnm);
+	}
+
+	/*
+	 * Having collected all the sections, validate their address range.
+	 * Cases have existed where the section information has been invalid.
+	 * This can lead to all sorts of other, hard to diagnose errors, as
+	 * each section is processed individually (ie. with elf_getdata()).
+	 * Here, we carry out some address comparisons to catch a family of
+	 * overlapping memory issues we have observed (likely, there are others
+	 * that we have yet to discover).
+	 *
+	 * Note, should any memory overlap occur, obtaining any additional
+	 * data from the file is questionable.  However, it might still be
+	 * possible to inspect the ELF header, Programs headers, or individual
+	 * sections, so rather than bailing on an error condition, continue
+	 * processing to see if any data can be salvaged.
+	 */
+	for (cnt = 1; cnt < shnum; cnt++) {
+		Cache	*_cache = &cache[cnt];
+		Shdr	*shdr = _cache->c_shdr;
+		Off	bgn1, bgn = shdr->sh_offset;
+		Off	end1, end = shdr->sh_offset + shdr->sh_size;
+		int	cnt1;
+
+		if ((shdr->sh_size == 0) || (shdr->sh_type == SHT_NOBITS))
+			continue;
+
+		for (cnt1 = 1; cnt1 < shnum; cnt1++) {
+			Cache	*_cache1 = &cache[cnt1];
+			Shdr	*shdr1 = _cache1->c_shdr;
+
+			bgn1 = shdr1->sh_offset;
+			end1 = shdr1->sh_offset + shdr1->sh_size;
+
+			if ((cnt1 == cnt) || (shdr->sh_size == 0) ||
+			    (shdr1->sh_type == SHT_NOBITS))
+				continue;
+
+			if (((bgn1 <= bgn) && (end1 > bgn)) ||
+			    ((bgn1 < end) && (end1 >= end))) {
+				(void) fprintf(stderr,
+				    MSG_INTL(MSG_ERR_SECMEMOVER), file,
+				    EC_WORD(elf_ndxscn(_cache1->c_scn)),
+				    _cache1->c_name, EC_OFF(bgn1), EC_OFF(end1),
+				    EC_WORD(elf_ndxscn(_cache->c_scn)),
+				    _cache->c_name, EC_OFF(bgn), EC_OFF(end));
 			}
-			(void) strcpy(_cache->c_name, scnndxnm);
 		}
 
+		/*
+		 * And finally, make sure this section doesn't overlap the
+		 * section header itself.
+		 */
+		bgn1 = ehdr->e_shoff;
+		end1 = ehdr->e_shoff + (ehdr->e_shentsize * ehdr->e_shnum);
+
+		if (((bgn1 <= bgn) && (end1 > bgn)) ||
+		    ((bgn1 < end) && (end1 >= end))) {
+			(void) fprintf(stderr,
+			    MSG_INTL(MSG_ERR_SHDRMEMOVER), file, EC_OFF(bgn1),
+			    EC_OFF(end1),
+			    EC_WORD(elf_ndxscn(_cache->c_scn)),
+			    _cache->c_name, EC_OFF(bgn), EC_OFF(end));
+		}
+	}
+
+	/*
+	 * Finally, obtain the data for each section.
+	 */
+	for (cnt = 1; cnt < shnum; cnt++) {
+		Cache	*_cache = &cache[cnt];
+		Elf_Scn	*scn = _cache->c_scn;
+
 		if ((_cache->c_data = elf_getdata(scn, NULL)) == NULL) {
 			failure(file, MSG_ORIG(MSG_ELF_GETDATA));
 			(void) fprintf(stderr, MSG_INTL(MSG_ELF_ERR_SCNDATA),
-			    /* LINTED */
-			    (int)elf_ndxscn(scn));
+			    EC_WORD(elf_ndxscn(scn)));
 		}
 
 		/*
diff --git a/usr/src/cmd/sgs/elfdump/common/elfdump.msg b/usr/src/cmd/sgs/elfdump/common/elfdump.msg
index ba9a449547..e931bc4032 100644
--- a/usr/src/cmd/sgs/elfdump/common/elfdump.msg
+++ b/usr/src/cmd/sgs/elfdump/common/elfdump.msg
@@ -73,7 +73,7 @@
 @ MSG_ERR_BADREL1       "%s: bad relocation entry: %s: relocation requires symbol\n"
 @ MSG_ERR_SHSTRNULL	"%s: zero size section header string table (shstrtab)\n"
 @ MSG_ERR_FAILURE	"%s: %s failed: %s\n"
-@ MSG_ERR_BADSHNAME	"%s: %s: invalid sh_name: %lld\n"
+@ MSG_ERR_BADSHNAME	"%s: section[%d]: invalid sh_name: %lld\n"
 @ MSG_ERR_BADSHLINK	"%s: %s: invalid sh_link: %d\n"
 @ MSG_ERR_BADSHINFO	"%s: %s: invalid sh_info: %d\n"
 @ MSG_ERR_BADSHTYPE	"%s: %s: invalid sh_type: %d\n"
@@ -107,9 +107,14 @@
 			 %d, should be bucket %ld\n"
 @ MSG_ERR_NODYNSYM	"%s: %s: associated SHT_DYNSYM section not found\n"
 @ MSG_ERR_BADNDXSEC	"%s: %s: unexpected section type associated with index section: %s\n"
+@ MSG_ERR_BADSORTNDX	"%s: %s: sort section has bad symbol index: %d\n"
+
 @ MSG_ERR_LDYNNOTADJ	"%s: bad dynamic symbol table layout: %s and %s \
 			 sections are not adjacent\n"
-@ MSG_ERR_BADSORTNDX	"%s: %s: sort section has bad symbol index: %d\n"
+@ MSG_ERR_SECMEMOVER	"%s: memory overlap between section[%d]: %s: %llx:%llx \
+			 and section[%d]: %s: %llx:%llx\n"
+@ MSG_ERR_SHDRMEMOVER	"%s: memory overlap between section header table: \
+			 %llx:%llx and section[%d]: %s: %llx:%llx\n"
 
 @ MSG_WARN_INVINTERP1	"%s: PT_INTERP header has no associated section\n"
 @ MSG_WARN_INVINTERP2	"%s: interp section: %s: and PT_INTERP program \
@@ -228,6 +233,15 @@
 
 @ MSG_GOT_SYM		"_GLOBAL_OFFSET_TABLE_"
 
+@ MSG_PT_NULL		"PT_NULL"
+@ MSG_PT_LOAD		"PT_LOAD"
+@ MSG_PT_DYNAMIC	"PT_DYNAMIC"
+@ MSG_PT_INTERP		"PT_INTERP"
+@ MSG_PT_NOTE		"PT_NOTE"
+@ MSG_PT_SHLIB		"PT_SHLIB"
+@ MSG_PT_PHDR		"PT_PHDR"
+@ MSG_PT_TLS		"PT_TLS"
+
 @ MSG_STR_OPTIONS	"CcdeGgHhiklmN:nprSsuvw:y"
 
 @ MSG_STR_EMPTY		""
diff --git a/usr/src/cmd/sgs/libld/common/_libld.h b/usr/src/cmd/sgs/libld/common/_libld.h
index 1c6db677ab..fedceb9bc0 100644
--- a/usr/src/cmd/sgs/libld/common/_libld.h
+++ b/usr/src/cmd/sgs/libld/common/_libld.h
@@ -617,7 +617,7 @@ extern void		ld_sup_section(Ofl_desc *, const char *, Shdr *, Word,
 extern uintptr_t	ld_sup_input_section(Ofl_desc*, Ifl_desc *,
 			    const char *, Shdr **, Word, Elf_Scn *, Elf *);
 extern void		ld_sup_start(Ofl_desc *, const Half, const char *);
-extern Sym_desc		*ld_sym_add_u(const char *, Ofl_desc *);
+extern Sym_desc		*ld_sym_add_u(const char *, Ofl_desc *, Msg);
 extern void		ld_sym_adjust_vis(Sym_desc *, Ofl_desc *);
 extern int		ld_sym_avl_comp(const void *, const void *);
 extern uintptr_t	ld_sym_copy(Sym_desc *);
diff --git a/usr/src/cmd/sgs/libld/common/args.c b/usr/src/cmd/sgs/libld/common/args.c
index 333d089085..66b74779e6 100644
--- a/usr/src/cmd/sgs/libld/common/args.c
+++ b/usr/src/cmd/sgs/libld/common/args.c
@@ -1339,8 +1339,8 @@ parseopt_pass2(Ofl_desc *ofl, int argc, char **argv)
 				    &ofl->ofl_name, 2);
 				break;
 			case 'u':
-				if (ld_sym_add_u(optarg, ofl) ==
-				    (Sym_desc *)S_ERROR)
+				if (ld_sym_add_u(optarg, ofl,
+				    MSG_STR_COMMAND) == (Sym_desc *)S_ERROR)
 					return (S_ERROR);
 				break;
 			case 'z':
@@ -1391,7 +1391,8 @@ parseopt_pass2(Ofl_desc *ofl, int argc, char **argv)
 				    MSG_ORIG(MSG_ARG_INITARRAY),
 				    MSG_ARG_INITARRAY_SIZE) == 0) {
 					if (((sdp = ld_sym_add_u(optarg +
-					    MSG_ARG_INITARRAY_SIZE, ofl)) ==
+					    MSG_ARG_INITARRAY_SIZE, ofl,
+					    MSG_STR_COMMAND)) ==
 					    (Sym_desc *)S_ERROR) ||
 					    (list_appendc(&ofl->ofl_initarray,
 					    sdp) == 0))
@@ -1400,7 +1401,8 @@ parseopt_pass2(Ofl_desc *ofl, int argc, char **argv)
 				    MSG_ORIG(MSG_ARG_FINIARRAY),
 				    MSG_ARG_FINIARRAY_SIZE) == 0) {
 					if (((sdp = ld_sym_add_u(optarg +
-					    MSG_ARG_FINIARRAY_SIZE, ofl)) ==
+					    MSG_ARG_FINIARRAY_SIZE, ofl,
+					    MSG_STR_COMMAND)) ==
 					    (Sym_desc *)S_ERROR) ||
 					    (list_appendc(&ofl->ofl_finiarray,
 					    sdp) == 0))
@@ -1409,7 +1411,8 @@ parseopt_pass2(Ofl_desc *ofl, int argc, char **argv)
 				    MSG_ORIG(MSG_ARG_PREINITARRAY),
 				    MSG_ARG_PREINITARRAY_SIZE) == 0) {
 					if (((sdp = ld_sym_add_u(optarg +
-					    MSG_ARG_PREINITARRAY_SIZE, ofl)) ==
+					    MSG_ARG_PREINITARRAY_SIZE, ofl,
+					    MSG_STR_COMMAND)) ==
 					    (Sym_desc *)S_ERROR) ||
 					    (list_appendc(&ofl->ofl_preiarray,
 					    sdp) == 0))
@@ -1418,7 +1421,8 @@ parseopt_pass2(Ofl_desc *ofl, int argc, char **argv)
 				    MSG_ORIG(MSG_ARG_RTLDINFO),
 				    MSG_ARG_RTLDINFO_SIZE) == 0) {
 					if (((sdp = ld_sym_add_u(optarg +
-					    MSG_ARG_RTLDINFO_SIZE, ofl)) ==
+					    MSG_ARG_RTLDINFO_SIZE, ofl,
+					    MSG_STR_COMMAND)) ==
 					    (Sym_desc *)S_ERROR) ||
 					    (list_appendc(&ofl->ofl_rtldinfo,
 					    sdp) == 0))
@@ -1427,7 +1431,8 @@ parseopt_pass2(Ofl_desc *ofl, int argc, char **argv)
 				    MSG_ORIG(MSG_ARG_DTRACE),
 				    MSG_ARG_DTRACE_SIZE) == 0) {
 					if ((sdp = ld_sym_add_u(optarg +
-					    MSG_ARG_DTRACE_SIZE, ofl)) ==
+					    MSG_ARG_DTRACE_SIZE, ofl,
+					    MSG_STR_COMMAND)) ==
 					    (Sym_desc *)S_ERROR)
 						return (S_ERROR);
 					ofl->ofl_dtracesym = sdp;
diff --git a/usr/src/cmd/sgs/libld/common/libld.msg b/usr/src/cmd/sgs/libld/common/libld.msg
index c6658cf4f5..2b51f4fe86 100644
--- a/usr/src/cmd/sgs/libld/common/libld.msg
+++ b/usr/src/cmd/sgs/libld/common/libld.msg
@@ -546,6 +546,7 @@
 
 @ MSG_STR_ALIGNMENTS	"alignments"
 @ MSG_STR_COMMAND	"(command line)"
+@ MSG_STR_TLSREL	"(internal TLS relocation requirement)"
 @ MSG_STR_SIZES		"sizes"
 @ MSG_STR_UNKNOWN       "<unknown>"
 
diff --git a/usr/src/cmd/sgs/libld/common/machrel.intel.c b/usr/src/cmd/sgs/libld/common/machrel.intel.c
index a7dd355081..508d6d3b9a 100644
--- a/usr/src/cmd/sgs/libld/common/machrel.intel.c
+++ b/usr/src/cmd/sgs/libld/common/machrel.intel.c
@@ -24,7 +24,7 @@
  *	Copyright (c) 1988 AT&T
  *	  All Rights Reserved
  *
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -1315,10 +1315,10 @@ ld_reloc_TLS(Boolean local, Rel_desc * rsp, Ofl_desc * ofl)
 	 * symbol now, and prepare for the PLT magic.
 	 */
 	if ((rtype == R_386_TLS_GD_PLT) || (rtype == R_386_TLS_LDM_PLT)) {
-		Sym_desc *	tlsgetsym;
+		Sym_desc	*tlsgetsym;
 
 		if ((tlsgetsym = ld_sym_add_u(MSG_ORIG(MSG_SYM_TLSGETADDR_UU),
-		    ofl)) == (Sym_desc *)S_ERROR)
+		    ofl, MSG_STR_TLSREL)) == (Sym_desc *)S_ERROR)
 			return (S_ERROR);
 
 		rsp->rel_sym = tlsgetsym;
diff --git a/usr/src/cmd/sgs/libld/common/machrel.sparc.c b/usr/src/cmd/sgs/libld/common/machrel.sparc.c
index e6d1dafdcc..122516e2f4 100644
--- a/usr/src/cmd/sgs/libld/common/machrel.sparc.c
+++ b/usr/src/cmd/sgs/libld/common/machrel.sparc.c
@@ -23,7 +23,7 @@
  *	Copyright (c) 1988 AT&T
  *	  All Rights Reserved
  *
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -1744,10 +1744,10 @@ ld_reloc_TLS(Boolean local, Rel_desc *rsp, Ofl_desc *ofl)
 	 * symbol now, and prepare for the PLT magic.
 	 */
 	if ((rtype == R_SPARC_TLS_GD_CALL) || (rtype == R_SPARC_TLS_LDM_CALL)) {
-		Sym_desc *	tlsgetsym;
+		Sym_desc	*tlsgetsym;
 
 		if ((tlsgetsym = ld_sym_add_u(MSG_ORIG(MSG_SYM_TLSGETADDR_U),
-		    ofl)) == (Sym_desc *)S_ERROR)
+		    ofl, MSG_STR_TLSREL)) == (Sym_desc *)S_ERROR)
 			return (S_ERROR);
 
 		rsp->rel_sym = tlsgetsym;
diff --git a/usr/src/cmd/sgs/libld/common/syms.c b/usr/src/cmd/sgs/libld/common/syms.c
index 9f14f6a94b..d89f2246ab 100644
--- a/usr/src/cmd/sgs/libld/common/syms.c
+++ b/usr/src/cmd/sgs/libld/common/syms.c
@@ -2289,10 +2289,14 @@ ld_sym_process(Is_desc *isc, Ifl_desc *ifl, Ofl_desc *ofl)
 }
 
 /*
- * Add an undefined symbol to the symbol table (ie. from -u name option)
+ * Add an undefined symbol to the symbol table.  The reference originates from
+ * the location identifed by the message id (mid).  These references can
+ * originate from command line options such as -e, -u, -initarray, etc.
+ * (identified with MSG_INTL(MSG_STR_COMMAND)), or from internally generated
+ * TLS relocation references (identified with MSG_INTL(MSG_STR_TLSREL)).
  */
 Sym_desc *
-ld_sym_add_u(const char *name, Ofl_desc *ofl)
+ld_sym_add_u(const char *name, Ofl_desc *ofl, Msg mid)
 {
 	Sym		*sym;
 	Ifl_desc	*ifl = 0, *_ifl;
@@ -2300,7 +2304,7 @@ ld_sym_add_u(const char *name, Ofl_desc *ofl)
 	Word		hash;
 	Listnode	*lnp;
 	avl_index_t	where;
-	const char	*cmdline = MSG_INTL(MSG_STR_COMMAND);
+	const char	*reference = MSG_INTL(mid);
 
 	/*
 	 * If the symbol reference already exists indicate that a reference
@@ -2321,7 +2325,7 @@ ld_sym_add_u(const char *name, Ofl_desc *ofl)
 	 * similar method for adding symbols from mapfiles).
 	 */
 	for (LIST_TRAVERSE(&ofl->ofl_objs, lnp, _ifl))
-		if (strcmp(_ifl->ifl_name, cmdline) == 0) {
+		if (strcmp(_ifl->ifl_name, reference) == 0) {
 			ifl = _ifl;
 			break;
 		}
@@ -2333,7 +2337,7 @@ ld_sym_add_u(const char *name, Ofl_desc *ofl)
 		if ((ifl = libld_calloc(sizeof (Ifl_desc), 1)) ==
 		    (Ifl_desc *)0)
 			return ((Sym_desc *)S_ERROR);
-		ifl->ifl_name = cmdline;
+		ifl->ifl_name = reference;
 		ifl->ifl_flags = FLG_IF_NEEDED | FLG_IF_FILEREF;
 		if ((ifl->ifl_ehdr = libld_calloc(sizeof (Ehdr),
 		    1)) == 0)
diff --git a/usr/src/cmd/sgs/packages/common/SUNWonld-README b/usr/src/cmd/sgs/packages/common/SUNWonld-README
index 4102e93902..0e579e69e6 100644
--- a/usr/src/cmd/sgs/packages/common/SUNWonld-README
+++ b/usr/src/cmd/sgs/packages/common/SUNWonld-README
@@ -1029,6 +1029,8 @@ All the above changes are incorporated in the following patches:
 6301218 Matlab dumps core on startup when running on 112963-22  (D)
 --------------------------------------------------------------------------------
 All the above changes are incorporated in the following patches:
+    Solaris/SunOS 5.10_sparc	patch T117461-06
+    Solaris/SunOS 5.10_x86	patch T118345-08
     Solaris/SunOS 5.9_sparc	patch T112963-23
     Solaris/SunOS 5.9_x86	patch T113986-19
     Solaris/SunOS 5.8_sparc	patch T109147-38
@@ -1054,7 +1056,7 @@ PSARC 2005/514 - AMD64 - large section support
 --------------------------------------------------------------------------------
 All the above changes are incorporated in the following patches:
     Solaris/SunOS 5.10_sparc	patch T117461-07
-    Solaris/SunOS 5.10_x86	patch T118345-11
+    Solaris/SunOS 5.10_x86	patch T118345-12
 --------------------------------------------------------------------------------
 6309061 link_audit should use __asm__ with gcc
 6310736 gcc and sgs/libld don't get along on SPARC
@@ -1070,6 +1072,13 @@ All the above changes are incorporated in the following patches:
     Solaris/SunOS 5.8_sparc	patch T109147-40
     Solaris/SunOS 5.8_x86	patch T109148-40
 --------------------------------------------------------------------------------
+6445311 The sparc S8/S9/S10 linker patches which include the fix for the
+	CR6222525 are hit by the CR6439613.
+--------------------------------------------------------------------------------
+All the above changes are incorporated in the following patches:
+    Solaris/SunOS 5.9_sparc	patch T112963-26
+    Solaris/SunOS 5.8_sparc	patch T109147-41
+--------------------------------------------------------------------------------
 
 -------------------------------------
 Solaris 10 607 (4th Q-update - s10u4)
@@ -1080,7 +1089,7 @@ Bugid   Risk Synopsis
 	from locale environment vars
 6487284 ld.so.1: buffer overflow in doprf() function
 --------------------------------------------------------------------------------
-All the above change is incorporated in the following patches:
+All the above changes are incorporated in the following patches:
     Solaris/SunOS 5.10_sparc	patch T124922-01
     Solaris/SunOS 5.10_x86	patch T124923-01
     Solaris/SunOS 5.9_sparc	patch T112963-27
@@ -1090,18 +1099,12 @@ All the above change is incorporated in the following patches:
 --------------------------------------------------------------------------------
 6477132 ld.so.1: memory leak when running set*id application
 --------------------------------------------------------------------------------
-All the above change is incorporated in the following patches:
+All the above changes are incorporated in the following patches:
     Solaris/SunOS 5.10_sparc	patch T124922-02
     Solaris/SunOS 5.10_x86	patch T124923-02
     Solaris/SunOS 5.9_sparc	patch T112963-30
     Solaris/SunOS 5.9_x86	patch T113986-24
 --------------------------------------------------------------------------------
-
---------------
-Solaris Nevada
---------------
-Bugid   Risk Synopsis
-================================================================================
 6340814 ld.so.1 core dump with HWCAP relocatable object + updated statistics
 6307274 crle bug with LD_LIBRARY_PATH
 6317969 elfheader limited to 65535 segments (link-editor components only)
@@ -1130,13 +1133,11 @@ Bugid   Risk Synopsis
 6382945 AMD64-GCC: dbx: internal error: dwarf reference attribute out of bounds
 6262333 init section of .so dlopened from audit interface not being called
 6409613 elf_outsync() should fsync()
-6174390 crle configuration files are inconsistent across platforms (D, P)
 6426048 C++ exceptions broken in Nevada for amd64
 6429418 ld.so.1: need work-around for Nvidia drivers use of static TLS
 6429504 crle(1) shows wrong defaults for non-existent 64-bit config file
 6431835 data corruption on x64 in 64-bit mode while LD_PROFILE is in effect
 6423051 static TLS support within the link-editors needs a major face lift (D)
-6432984 ld(1) output file removal - change default behavior (PSARC 2006/353) (D)
 6388946 attempting to dlopen a .o file mislabeled as .so fails
 6446740 allow mapfile symbol definitions to create backing storage (D)
 4986360 linker crash on exec of .so (as opposed to a.out) -- error preferred
@@ -1151,6 +1152,24 @@ Bugid   Risk Synopsis
 6465623 need a way of building unix without an interpreter
 6467925 ld: section deletion (-z ignore) requires improvement
 6357230 specfiles should be nuked (link-editor components only)
+--------------------------------------------------------------------------------
+All the above changes are incorporated in the following patches:
+    Solaris/SunOS 5.10_sparc	patch T124922-03
+    Solaris/SunOS 5.10_x86	patch T124923-03
+
+These patches also include the framework changes for the following bug fixes.
+However, the associated feature has not been enabled in Solaris 10 or earlier
+releases:
+
+6174390 crle configuration files are inconsistent across platforms (D, P)
+6432984 ld(1) output file removal - change default behavior (PSARC 2006/353) (D)
+--------------------------------------------------------------------------------
+
+--------------
+Solaris Nevada
+--------------
+Bugid   Risk Synopsis
+================================================================================
 6409350 BrandZ project integration into Solaris (link-editor components only)
 6459189 UNIX03: *VSC* c99 compiler overwrites non-writable file
 6423746 add an option to relax the resolution of COMDAT relocs (D)
@@ -1203,3 +1222,4 @@ Bugid   Risk Synopsis
 	expectations
 6516118 Reserved space needed in ELF dynamic section and string table (D)
 	PSARC/2007/127 Reserved space for editing ELF dynamic sections
+6535688 elfdump could be more robust in the face of Purify (D)