This is an archive of the discontinued LLVM Phabricator instance.

Differential D9030

Verify sizes when trying to read a BitcodeAbbrevOp
ClosedPublic

Authored by filcab on Apr 15 2015, 10:10 AM.

Details

Reviewers
rafael
Commits
rGee48feadfde4: Verify sizes when trying to read a BitcodeAbbrevOp
rL235595: Verify sizes when trying to read a BitcodeAbbrevOp
Summary

Make sure we don't try to read more than we can when reading abbrev
operands.

Bug found with AFL fuzz.

Diff Detail

Repository
rL LLVM

Event Timeline

filcab updated this revision to Diff 23782.Apr 15 2015, 10:10 AM
filcab retitled this revision from to Verify sizes when trying to read a BitcodeAbbrevOp.
filcab updated this object.
filcab edited the test plan for this revision. (Show Details)
filcab added a reviewer: rafael.
filcab added a subscriber: Unknown Object (MLST).
rafael added inline comments.Apr 21 2015, 10:23 AM
include/llvm/Bitcode/BitstreamReader.h
215 ↗(On Diff #23782)

getMaxChunkSize.

Or just make this a constant. It doesn't need to be a function, right?

test/Bitcode/invalid.test
59 ↗(On Diff #23782)

If you have a testcase handy for the 4 cases, please add them.

filcab added a comment.Apr 21 2015, 10:43 AM

True. I'll change it to be a constant.

filcab added a comment.Apr 21 2015, 10:43 AM

Submitted before I wanted.
I'll also figure it out and add tests for each case.

filcab updated this revision to Diff 24280.Apr 23 2015, 3:23 AM

Changed MaxChunkSize to be a constant.
Made the check earlier, when abbrevs are read, and added asserts to
read/skipAbbreviatedField.
Replaced the test with two tests, one for Fixed field, and one for a VBR
field.

rafael accepted this revision.Apr 23 2015, 4:54 AM
rafael edited edge metadata.

LGTM

This revision is now accepted and ready to land.Apr 23 2015, 4:54 AM
Closed by commit rL235595: Verify sizes when trying to read a BitcodeAbbrevOp (authored by filcab). · Explain WhyApr 23 2015, 6:28 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
include/
llvm/
Bitcode/
4 lines
lib/
Bitcode/
Reader/
9 lines
test/
Bitcode/
Inputs/
7 lines

Diff 24297

llvm/trunk/include/llvm/Bitcode/BitstreamReader.h

Show First 20 LinesShow All 192 Lines▼ Show 20 Lines struct Block {
explicit Block(unsigned PCS) : PrevCodeSize(PCS) {} explicit Block(unsigned PCS) : PrevCodeSize(PCS) {}
}; };
/// This tracks the codesize of parent blocks. /// This tracks the codesize of parent blocks.
SmallVector<Block, 8> BlockScope; SmallVector<Block, 8> BlockScope;
public: public:
static const size_t MaxChunkSize = sizeof(word_t) * 8;
BitstreamCursor() { init(nullptr); } BitstreamCursor() { init(nullptr); }
explicit BitstreamCursor(BitstreamReader &R) { init(&R); } explicit BitstreamCursor(BitstreamReader &R) { init(&R); }
void init(BitstreamReader *R) { void init(BitstreamReader *R) {
freeState(); freeState();
BitStream = R; BitStream = R;
▲ Show 20 LinesShow All 121 Lines▼ Show 20 Lines void fillCurWord() {
CurWord = CurWord =
support::endian::read<word_t, support::little, support::unaligned>( support::endian::read<word_t, support::little, support::unaligned>(
Array); Array);
NextChar += BytesRead; NextChar += BytesRead;
BitsInCurWord = BytesRead * 8; BitsInCurWord = BytesRead * 8;
} }
word_t Read(unsigned NumBits) { word_t Read(unsigned NumBits) {
static const unsigned BitsInWord = sizeof(word_t) * 8; static const unsigned BitsInWord = MaxChunkSize;
assert(NumBits && NumBits <= BitsInWord && assert(NumBits && NumBits <= BitsInWord &&
"Cannot return zero or more than BitsInWord bits!"); "Cannot return zero or more than BitsInWord bits!");
static const unsigned Mask = sizeof(word_t) > 4 ? 0x3f : 0x1f; static const unsigned Mask = sizeof(word_t) > 4 ? 0x3f : 0x1f;
// If the field is fully contained by CurWord, return it quickly. // If the field is fully contained by CurWord, return it quickly.
if (BitsInCurWord >= NumBits) { if (BitsInCurWord >= NumBits) {
▲ Show 20 LinesShow All 169 LinesShow Last 20 Lines

llvm/trunk/lib/Bitcode/Reader/BitstreamReader.cpp

Show First 20 LinesShow All 54 Lines▼ Show 20 Linesstatic uint64_t readAbbreviatedField(BitstreamCursor &Cursor,
assert(!Op.isLiteral() && "Not to be used with literals!"); assert(!Op.isLiteral() && "Not to be used with literals!");
// Decode the value as we are commanded. // Decode the value as we are commanded.
switch (Op.getEncoding()) { switch (Op.getEncoding()) {
case BitCodeAbbrevOp::Array: case BitCodeAbbrevOp::Array:
case BitCodeAbbrevOp::Blob: case BitCodeAbbrevOp::Blob:
llvm_unreachable("Should not reach here"); llvm_unreachable("Should not reach here");
case BitCodeAbbrevOp::Fixed: case BitCodeAbbrevOp::Fixed:
assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
return Cursor.Read((unsigned)Op.getEncodingData()); return Cursor.Read((unsigned)Op.getEncodingData());
case BitCodeAbbrevOp::VBR: case BitCodeAbbrevOp::VBR:
assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
return Cursor.ReadVBR64((unsigned)Op.getEncodingData()); return Cursor.ReadVBR64((unsigned)Op.getEncodingData());
case BitCodeAbbrevOp::Char6: case BitCodeAbbrevOp::Char6:
return BitCodeAbbrevOp::DecodeChar6(Cursor.Read(6)); return BitCodeAbbrevOp::DecodeChar6(Cursor.Read(6));
} }
llvm_unreachable("invalid abbreviation encoding"); llvm_unreachable("invalid abbreviation encoding");
} }
static void skipAbbreviatedField(BitstreamCursor &Cursor, static void skipAbbreviatedField(BitstreamCursor &Cursor,
const BitCodeAbbrevOp &Op) { const BitCodeAbbrevOp &Op) {
assert(!Op.isLiteral() && "Not to be used with literals!"); assert(!Op.isLiteral() && "Not to be used with literals!");
// Decode the value as we are commanded. // Decode the value as we are commanded.
switch (Op.getEncoding()) { switch (Op.getEncoding()) {
case BitCodeAbbrevOp::Array: case BitCodeAbbrevOp::Array:
case BitCodeAbbrevOp::Blob: case BitCodeAbbrevOp::Blob:
llvm_unreachable("Should not reach here"); llvm_unreachable("Should not reach here");
case BitCodeAbbrevOp::Fixed: case BitCodeAbbrevOp::Fixed:
assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
Cursor.Read((unsigned)Op.getEncodingData()); Cursor.Read((unsigned)Op.getEncodingData());
break; break;
case BitCodeAbbrevOp::VBR: case BitCodeAbbrevOp::VBR:
assert((unsigned)Op.getEncodingData() <= Cursor.MaxChunkSize);
Cursor.ReadVBR64((unsigned)Op.getEncodingData()); Cursor.ReadVBR64((unsigned)Op.getEncodingData());
break; break;
case BitCodeAbbrevOp::Char6: case BitCodeAbbrevOp::Char6:
Cursor.Read(6); Cursor.Read(6);
break; break;
} }
} }
▲ Show 20 LinesShow All 166 Lines▼ Show 20 Lines if (BitCodeAbbrevOp::hasEncodingData(E)) {
// and vbr(0) as a literal zero. This is decoded the same way, and avoids // and vbr(0) as a literal zero. This is decoded the same way, and avoids
// a slow path in Read() to have to handle reading zero bits. // a slow path in Read() to have to handle reading zero bits.
if ((E == BitCodeAbbrevOp::Fixed || E == BitCodeAbbrevOp::VBR) && if ((E == BitCodeAbbrevOp::Fixed || E == BitCodeAbbrevOp::VBR) &&
Data == 0) { Data == 0) {
Abbv->Add(BitCodeAbbrevOp(0)); Abbv->Add(BitCodeAbbrevOp(0));
continue; continue;
} }
if ((E == BitCodeAbbrevOp::Fixed || E == BitCodeAbbrevOp::VBR) &&
Data > MaxChunkSize)
report_fatal_error(
"Fixed or VBR abbrev record with size > MaxChunkData");
Abbv->Add(BitCodeAbbrevOp(E, Data)); Abbv->Add(BitCodeAbbrevOp(E, Data));
} else } else
Abbv->Add(BitCodeAbbrevOp(E)); Abbv->Add(BitCodeAbbrevOp(E));
} }
CurAbbrevs.push_back(Abbv); CurAbbrevs.push_back(Abbv);
} }
bool BitstreamCursor::ReadBlockInfoBlock() { bool BitstreamCursor::ReadBlockInfoBlock() {
▲ Show 20 LinesShow All 67 LinesShow Last 20 Lines

llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-fixed-size-too-big.bc

  • This is a binary file.

llvm/trunk/test/Bitcode/Inputs/invalid-abbrev-vbr-size-too-big.bc

  • This is a binary file.

llvm/trunk/test/Bitcode/invalid.test

Show First 20 LinesShow All 60 Lines▼ Show 20 Lines
RUN: FileCheck --check-prefix=NO-MODULE %s RUN: FileCheck --check-prefix=NO-MODULE %s
NO-MODULE: Malformed IR file NO-MODULE: Malformed IR file
RUN: not llvm-dis -disable-output %p/Inputs/invalid-fp-shift.bc 2>&1 | \ RUN: not llvm-dis -disable-output %p/Inputs/invalid-fp-shift.bc 2>&1 | \
RUN: FileCheck --check-prefix=FP-SHIFT %s RUN: FileCheck --check-prefix=FP-SHIFT %s
FP-SHIFT: Invalid record FP-SHIFT: Invalid record
RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-vbr-size-too-big.bc 2>&1 | \
RUN: FileCheck --check-prefix=HUGE-ABBREV-OP %s
RUN: not llvm-dis -disable-output %p/Inputs/invalid-abbrev-fixed-size-too-big.bc 2>&1 | \
RUN: FileCheck --check-prefix=HUGE-ABBREV-OP %s
HUGE-ABBREV-OP: Fixed or VBR abbrev record with size > MaxChunkData