This is an archive of the discontinued LLVM Phabricator instance.

[lld-macho] Properly handle & validate relocation r_length
ClosedPublic

Authored by int3 on May 29 2020, 9:16 PM.

Download Raw Diff

Details

Reviewers

ruiu
pcc
MaskRay
christylee
smeenai
alexander-shaposhnikov
Ktwu
gkm

Commits

rG53c796b948f0: [lld-macho] Properly handle & validate relocation r_length

Summary

We should be reading / writing our addends / relocated addresses based on
r_length, and not just based on the type of the relocation. But since only
some r_length values are valid for a given reloc type, I've also added some
validation.

ld64 has code to allow for r_length = 0 in X86_64_RELOC_BRANCH relocs, but I'm
not sure how to create such a relocation...

Depends on D80414.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

int3 created this revision.May 29 2020, 9:16 PM

Herald added a project: Restricted Project. · View Herald TranscriptMay 29 2020, 9:16 PM

Herald added a subscriber: llvm-commits. · View Herald Transcript

int3 added a child revision: D80855: [lld-macho] Support non-pcrel section relocs.May 29 2020, 9:17 PM

int3 added reviewers: ruiu, pcc, MaskRay, christylee, smeenai, alexander-shaposhnikov, Ktwu, gkm.May 29 2020, 9:18 PM

Harbormaster failed remote builds in B58524: Diff 267429!May 29 2020, 10:18 PM

update

Harbormaster failed remote builds in B58532: Diff 267440!May 29 2020, 11:58 PM

This is great!

lld/MachO/Arch/X86_64.cpp
58	It's an error path so efficiency doesn't matter, but in general, Twine is a better choice for concatenations like this.
76	It might be better to disallow the 0 case for now, and comment that we're diverging from ld64's behavior there. That way we'll get a loud error if we do end up seeing that case in the wild, and we can figure out what's going on with it then :) Short jumps are a thing (where the offset is a single byte), but I can't imagine when we'd emit a relocation for one :/
124–126	In particular, this is incorrect if we're allowing the r_length for an X86_64_RELOC_BRANCH to be 0.

This revision is now accepted and ready to land.Jun 9 2020, 6:27 PM

int3 removed a parent revision: D80414: [lld-macho] Ensure reads from nlist_64 structs are aligned when necessary.Jun 13 2020, 7:48 PM

int3 marked 4 inline comments as done.Jun 13 2020, 10:31 PM

int3 added inline comments.

lld/MachO/Arch/X86_64.cpp
58	hm I spent some time trying to use Twine but ended up with all sorts of corrupted strings. I even put all the intermediate temp values into local variables, but still no dice...
124–126	Good catch! Added to the comment.

address comments

Harbormaster failed remote builds in B60226: Diff 270602!Jun 13 2020, 10:58 PM

Closed by commit rG53c796b948f0: [lld-macho] Properly handle & validate relocation r_length (authored by int3). · Explain WhyJun 14 2020, 6:39 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lld/

MachO/

Arch/

71 lines

1 line

1 line

2 lines

2 lines

test/

MachO/

invalid/

	invalid-relocation-length.yaml
	invalid-relocation.yaml

8 lines

	invalid-relocation-pcrel.yaml
	invalid-relocation.yaml

invalid-relocation.yaml

x86-64-reloc-unsigned.s

11 lines

Diff 270647

lld/MachO/Arch/X86_64.cpp

	Show All 21 Lines

	namespace {			namespace {

	struct X86_64 : TargetInfo {			struct X86_64 : TargetInfo {
	X86_64();			X86_64();

	uint64_t getImplicitAddend(MemoryBufferRef, const section_64 &,			uint64_t getImplicitAddend(MemoryBufferRef, const section_64 &,
	const relocation_info &) const override;			const relocation_info &) const override;
	void relocateOne(uint8_t *loc, uint8_t type, uint64_t val) const override;			void relocateOne(uint8_t *loc, const Reloc &, uint64_t val) const override;

	void writeStub(uint8_t *buf, const DylibSymbol &) const override;			void writeStub(uint8_t *buf, const DylibSymbol &) const override;
	void writeStubHelperHeader(uint8_t *buf) const override;			void writeStubHelperHeader(uint8_t *buf) const override;
	void writeStubHelperEntry(uint8_t *buf, const DylibSymbol &,			void writeStubHelperEntry(uint8_t *buf, const DylibSymbol &,
	uint64_t entryAddr) const override;			uint64_t entryAddr) const override;

	void prepareDylibSymbolRelocation(DylibSymbol &, uint8_t type) override;			void prepareDylibSymbolRelocation(DylibSymbol &, uint8_t type) override;
	uint64_t getDylibSymbolVA(const DylibSymbol &, uint8_t type) const override;			uint64_t getDylibSymbolVA(const DylibSymbol &, uint8_t type) const override;
	};			};

	} // namespace			} // namespace

	static std::string getErrorLocation(MemoryBufferRef mb, const section_64 &sec,			static std::string getErrorLocation(MemoryBufferRef mb, const section_64 &sec,
	const relocation_info &rel) {			const relocation_info &rel) {
	return ("invalid relocation at offset " + std::to_string(rel.r_address) +			return ("invalid relocation at offset " + std::to_string(rel.r_address) +
	" of " + sec.segname + "," + sec.sectname + " in " +			" of " + sec.segname + "," + sec.sectname + " in " +
	mb.getBufferIdentifier())			mb.getBufferIdentifier())
	.str();			.str();
	}			}

				static void validateLength(MemoryBufferRef mb, const section_64 &sec,
				const relocation_info &rel,
				const std::vector<uint8_t> &validLengths) {
				if (std::find(validLengths.begin(), validLengths.end(), rel.r_length) !=
				validLengths.end())
				return;

				std::string msg = getErrorLocation(mb, sec, rel) + ": relocations of type " +
				smeenaiUnsubmitted Not Done Reply Inline Actions It's an error path so efficiency doesn't matter, but in general, Twine is a better choice for concatenations like this. smeenai: It's an error path so efficiency doesn't matter, but in general, Twine is a better choice for…
				int3AuthorUnsubmitted Done Reply Inline Actions hm I spent some time trying to use Twine but ended up with all sorts of corrupted strings. I even put all the intermediate temp values into local variables, but still no dice... int3: hm I spent some time trying to use Twine but ended up with all sorts of corrupted strings. I…
				std::to_string(rel.r_type) + " must have r_length of ";
				bool first = true;
				for (uint8_t length : validLengths) {
				if (!first)
				msg += " or ";
				first = false;
				msg += std::to_string(length);
				}
				fatal(msg);
				}

	uint64_t X86_64::getImplicitAddend(MemoryBufferRef mb, const section_64 &sec,			uint64_t X86_64::getImplicitAddend(MemoryBufferRef mb, const section_64 &sec,
	const relocation_info &rel) const {			const relocation_info &rel) const {
	auto buf = reinterpret_cast<const uint8_t >(mb.getBufferStart());			auto buf = reinterpret_cast<const uint8_t >(mb.getBufferStart());
	const uint8_t *loc = buf + sec.offset + rel.r_address;			const uint8_t *loc = buf + sec.offset + rel.r_address;
	switch (rel.r_type) {			switch (rel.r_type) {
	case X86_64_RELOC_BRANCH:			case X86_64_RELOC_BRANCH:
				// XXX: ld64 also supports r_length = 0 here but I'm not sure when such a
				smeenaiUnsubmitted Done Reply Inline Actions It might be better to disallow the 0 case for now, and comment that we're diverging from ld64's behavior there. That way we'll get a loud error if we do end up seeing that case in the wild, and we can figure out what's going on with it then :) Short jumps are a thing (where the offset is a single byte), but I can't imagine when we'd emit a relocation for one :/ smeenai: It might be better to disallow the 0 case for now, and comment that we're diverging from ld64's…
				// relocation will actually be generated.
				validateLength(mb, sec, rel, {2});
				break;
	case X86_64_RELOC_SIGNED:			case X86_64_RELOC_SIGNED:
	case X86_64_RELOC_SIGNED_1:			case X86_64_RELOC_SIGNED_1:
	case X86_64_RELOC_SIGNED_2:			case X86_64_RELOC_SIGNED_2:
	case X86_64_RELOC_SIGNED_4:			case X86_64_RELOC_SIGNED_4:
	case X86_64_RELOC_GOT_LOAD:			case X86_64_RELOC_GOT_LOAD:
	if (!rel.r_pcrel)			if (!rel.r_pcrel)
	fatal(getErrorLocation(mb, sec, rel) + ": relocations of type " +			fatal(getErrorLocation(mb, sec, rel) + ": relocations of type " +
	std::to_string(rel.r_type) + " must be pcrel");			std::to_string(rel.r_type) + " must be pcrel");
	return read32le(loc);			validateLength(mb, sec, rel, {2});
				break;
	case X86_64_RELOC_UNSIGNED:			case X86_64_RELOC_UNSIGNED:
	if (rel.r_pcrel)			if (rel.r_pcrel)
	fatal(getErrorLocation(mb, sec, rel) + ": relocations of type " +			fatal(getErrorLocation(mb, sec, rel) + ": relocations of type " +
	std::to_string(rel.r_type) + " must not be pcrel");			std::to_string(rel.r_type) + " must not be pcrel");
	return read64le(loc);			validateLength(mb, sec, rel, {2, 3});
				break;
	default:			default:
	error("TODO: Unhandled relocation type " + std::to_string(rel.r_type));			error("TODO: Unhandled relocation type " + std::to_string(rel.r_type));
	return 0;			return 0;
	}			}

				switch (rel.r_length) {
				case 0:
				return *loc;
				case 1:
				return read16le(loc);
				case 2:
				return read32le(loc);
				case 3:
				return read64le(loc);
				default:
				llvm_unreachable("invalid r_length");
				}
	}			}

	void X86_64::relocateOne(uint8_t *loc, uint8_t type, uint64_t val) const {			void X86_64::relocateOne(uint8_t *loc, const Reloc &r, uint64_t val) const {
	switch (type) {			switch (r.type) {
	case X86_64_RELOC_BRANCH:			case X86_64_RELOC_BRANCH:
	case X86_64_RELOC_SIGNED:			case X86_64_RELOC_SIGNED:
	case X86_64_RELOC_SIGNED_1:			case X86_64_RELOC_SIGNED_1:
	case X86_64_RELOC_SIGNED_2:			case X86_64_RELOC_SIGNED_2:
	case X86_64_RELOC_SIGNED_4:			case X86_64_RELOC_SIGNED_4:
	case X86_64_RELOC_GOT_LOAD:			case X86_64_RELOC_GOT_LOAD:
	// These types are only used for pc-relative relocations, so offset by 4			// These types are only used for pc-relative relocations, so offset by 4
	// since the RIP has advanced by 4 at this point.			// since the RIP has advanced by 4 at this point. This is only valid when
	write32le(loc, val - 4);			// r_length = 0, which is enforced by validateLength().
				val -= 4;
				smeenaiUnsubmitted Done Reply Inline Actions In particular, this is incorrect if we're allowing the r_length for an X86_64_RELOC_BRANCH to be 0. smeenai: In particular, this is incorrect if we're allowing the r_length for an X86_64_RELOC_BRANCH to…
				int3AuthorUnsubmitted Done Reply Inline Actions Good catch! Added to the comment. int3: Good catch! Added to the comment.
	break;			break;
	case X86_64_RELOC_UNSIGNED:			case X86_64_RELOC_UNSIGNED:
	write64le(loc, val);
	break;			break;
	default:			default:
	llvm_unreachable(			llvm_unreachable(
	"getImplicitAddend should have flagged all unhandled relocation types");			"getImplicitAddend should have flagged all unhandled relocation types");
	}			}

				switch (r.length) {
				case 0:
				*loc = val;
				break;
				case 1:
				write16le(loc, val);
				break;
				case 2:
				write32le(loc, val);
				break;
				case 3:
				write64le(loc, val);
				break;
				default:
				llvm_unreachable("invalid r_length");
				}
	}			}

	// The following methods emit a number of assembly sequences with RIP-relative			// The following methods emit a number of assembly sequences with RIP-relative
	// addressing. Note that RIP-relative addressing on X86-64 has the RIP pointing			// addressing. Note that RIP-relative addressing on X86-64 has the RIP pointing
	// to the next instruction, not the current instruction, so we always have to			// to the next instruction, not the current instruction, so we always have to
	// account for the current instruction's size when calculating offsets.			// account for the current instruction's size when calculating offsets.
	// writeRipRelative helps with that.			// writeRipRelative helps with that.
	//			//
	▲ Show 20 Lines • Show All 91 Lines • Show Last 20 Lines

lld/MachO/InputFiles.cpp

Show First 20 Lines • Show All 172 Lines • ▼ Show 20 Lines	for (const any_relocation_info &anyRel : relInfos) {
if (anyRel.r_word0 & R_SCATTERED)		if (anyRel.r_word0 & R_SCATTERED)
fatal("TODO: Scattered relocations not supported");		fatal("TODO: Scattered relocations not supported");

auto rel = reinterpret_cast<const relocation_info &>(anyRel);		auto rel = reinterpret_cast<const relocation_info &>(anyRel);

Reloc r;		Reloc r;
r.type = rel.r_type;		r.type = rel.r_type;
r.pcrel = rel.r_pcrel;		r.pcrel = rel.r_pcrel;
		r.length = rel.r_length;
uint64_t rawAddend = target->getImplicitAddend(mb, sec, rel);		uint64_t rawAddend = target->getImplicitAddend(mb, sec, rel);

if (rel.r_extern) {		if (rel.r_extern) {
r.target = symbols[rel.r_symbolnum];		r.target = symbols[rel.r_symbolnum];
r.addend = rawAddend;		r.addend = rawAddend;
} else {		} else {
if (!rel.r_pcrel)		if (!rel.r_pcrel)
fatal("TODO: Only pcrel section relocations are supported");		fatal("TODO: Only pcrel section relocations are supported");
▲ Show 20 Lines • Show All 251 Lines • Show Last 20 Lines

lld/MachO/InputSection.h

	Show All 19 Lines
	class InputFile;			class InputFile;
	class InputSection;			class InputSection;
	class OutputSection;			class OutputSection;
	class Symbol;			class Symbol;

	struct Reloc {			struct Reloc {
	uint8_t type;			uint8_t type;
	bool pcrel;			bool pcrel;
				uint8_t length;
	// The offset from the start of the subsection that this relocation belongs			// The offset from the start of the subsection that this relocation belongs
	// to.			// to.
	uint32_t offset;			uint32_t offset;
	// Adding this offset to the address of the target symbol or subsection gives			// Adding this offset to the address of the target symbol or subsection gives
	// the destination that this relocation refers to.			// the destination that this relocation refers to.
	uint64_t addend;			uint64_t addend;
	llvm::PointerUnion<Symbol , InputSection > target;			llvm::PointerUnion<Symbol , InputSection > target;
	};			};
	Show All 32 Lines

lld/MachO/InputSection.cpp

Show All 40 Lines	if (auto s = r.target.dyn_cast<Symbol >()) {
}		}
} else if (auto isec = r.target.dyn_cast<InputSection >()) {		} else if (auto isec = r.target.dyn_cast<InputSection >()) {
va = isec->getVA();		va = isec->getVA();
}		}

uint64_t val = va + r.addend;		uint64_t val = va + r.addend;
if (r.pcrel)		if (r.pcrel)
val -= getVA() + r.offset;		val -= getVA() + r.offset;
target->relocateOne(buf + r.offset, r.type, val);		target->relocateOne(buf + r.offset, r, val);
}		}
}		}

lld/MachO/Target.h

	Show All 33 Lines
	class TargetInfo {			class TargetInfo {
	public:			public:
	virtual ~TargetInfo() = default;			virtual ~TargetInfo() = default;

	// Validate the relocation structure and get its addend.			// Validate the relocation structure and get its addend.
	virtual uint64_t			virtual uint64_t
	getImplicitAddend(llvm::MemoryBufferRef, const llvm::MachO::section_64 &,			getImplicitAddend(llvm::MemoryBufferRef, const llvm::MachO::section_64 &,
	const llvm::MachO::relocation_info &) const = 0;			const llvm::MachO::relocation_info &) const = 0;
	virtual void relocateOne(uint8_t *loc, uint8_t type, uint64_t val) const = 0;			virtual void relocateOne(uint8_t *loc, const Reloc &, uint64_t val) const = 0;

	// Write code for lazy binding. See the comments on StubsSection for more			// Write code for lazy binding. See the comments on StubsSection for more
	// details.			// details.
	virtual void writeStub(uint8_t *buf, const DylibSymbol &) const = 0;			virtual void writeStub(uint8_t *buf, const DylibSymbol &) const = 0;
	virtual void writeStubHelperHeader(uint8_t *buf) const = 0;			virtual void writeStubHelperHeader(uint8_t *buf) const = 0;
	virtual void writeStubHelperEntry(uint8_t *buf, const DylibSymbol &,			virtual void writeStubHelperEntry(uint8_t *buf, const DylibSymbol &,
	uint64_t entryAddr) const = 0;			uint64_t entryAddr) const = 0;

	Show All 24 Lines

lld/test/MachO/invalid/invalid-relocation-length.yaml

This file was copied from lld/test/MachO/invalid/invalid-relocation.yaml.

# REQUIRES: x86		# REQUIRES: x86
# RUN: yaml2obj %s -o %t.o		# RUN: yaml2obj %s -o %t.o
# RUN: not lld -flavor darwinnew -o %t %t.o 2>&1 \| FileCheck %s -DFILE=%t.o		# RUN: not lld -flavor darwinnew -arch x86_64 -o %t %t.o 2>&1 \| FileCheck %s -DFILE=%t.o
#		#
# CHECK: error: invalid relocation at offset 1 of __TEXT,__text in [[FILE]]: relocations of type 0 must not be pcrel		# CHECK: error: invalid relocation at offset 1 of __TEXT,__text in [[FILE]]: relocations of type 0 must have r_length of 2 or 3

!mach-o		!mach-o
FileHeader:		FileHeader:
magic: 0xFEEDFACF		magic: 0xFEEDFACF
cputype: 0x01000007		cputype: 0x01000007
cpusubtype: 0x00000003		cpusubtype: 0x00000003
filetype: 0x00000001		filetype: 0x00000001
ncmds: 4		ncmds: 4
Show All 24 Lines	Sections:
flags: 0x80000000		flags: 0x80000000
reserved1: 0x00000000		reserved1: 0x00000000
reserved2: 0x00000000		reserved2: 0x00000000
reserved3: 0x00000000		reserved3: 0x00000000
content: '000000000000000000'		content: '000000000000000000'
relocations:		relocations:
- address: 0x00000001		- address: 0x00000001
symbolnum: 1		symbolnum: 1
pcrel: true		pcrel: false
length: 3		length: 1
extern: true		extern: true
type: 0		type: 0
scattered: false		scattered: false
value: 0		value: 0
- cmd: LC_BUILD_VERSION		- cmd: LC_BUILD_VERSION
cmdsize: 24		cmdsize: 24
platform: 1		platform: 1
minos: 659200		minos: 659200
▲ Show 20 Lines • Show All 44 Lines • Show Last 20 Lines

lld/test/MachO/invalid/invalid-relocation-pcrel.yaml

This file was moved from lld/test/MachO/invalid/invalid-relocation.yaml.

The contents of this file were not changed.

lld/test/MachO/invalid/invalid-relocation.yaml

This file was deleted after being copied to lld/test/MachO/invalid/invalid-relocation-length.yaml, lld/test/MachO/invalid/invalid-relocation-pcrel.yaml.