This is an archive of the discontinued LLVM Phabricator instance.

Differential D95554

[BitcodeReader] Validate Strtab before accessing.
ClosedPublic

Authored by fhahn on Jan 27 2021, 11:56 AM.

Details

Reviewers
arsenm
efriedma
t.p.northover
aprantl
Commits
rG34cccdaed7e7: [BitcodeReader] Validate Strtab before accessing.
Summary

This fixes a crash with invalid bitcode files that have records
referencing names in Strtab, but Strtab is not present or the index is
out-of-bounds.

This fixes the following clusterfuzz issue:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29895

Diff Detail

Event Timeline

fhahn created this revision.Jan 27 2021, 11:56 AM
Herald added a subscriber: hiraditya. · View Herald TranscriptJan 27 2021, 11:56 AM
fhahn requested review of this revision.Jan 27 2021, 11:56 AM
Herald added a project: Restricted Project. · View Herald TranscriptJan 27 2021, 11:57 AM
Herald added a subscriber: wdng. · View Herald Transcript
Harbormaster completed remote builds in B86890: Diff 319638.Jan 27 2021, 1:12 PM
arsenm added inline comments.Jan 29 2021, 7:47 AM
llvm/lib/Bitcode/Reader/BitcodeReader.cpp
3410–3415

I think you missed the word sure

fhahn updated this revision to Diff 320152.Jan 29 2021, 9:14 AM

Add missing sure and slightly re-word comment, thanks!

Harbormaster completed remote builds in B87183: Diff 320152.Jan 29 2021, 10:36 AM
pcc added a subscriber: pcc.Jan 29 2021, 3:40 PM

I think there are more of these, search for Strtab.data() in that file.

arsenm accepted this revision.Mar 30 2021, 3:37 PM
This revision is now accepted and ready to land.Mar 30 2021, 3:37 PM
fhahn updated this revision to Diff 353632.Jun 22 2021, 6:47 AM

rebased, I'm planning on landing this soon.

In D95554#2531446, @pcc wrote:

I think there are more of these, search for Strtab.data() in that file.

Yes, those probably should also be audited. But I am not sure how to best get test cases for those. I'll take a look at some other oss-fuzz bugs.

This revision was landed with ongoing or failed builds.Jun 22 2021, 6:53 AM
Closed by commit rG34cccdaed7e7: [BitcodeReader] Validate Strtab before accessing. (authored by fhahn). · Explain Why
This revision was automatically updated to reflect the committed changes.
fhahn added a commit: rG34cccdaed7e7: [BitcodeReader] Validate Strtab before accessing..
Harbormaster completed remote builds in B110400: Diff 353632.Jun 22 2021, 7:29 AM

Revision Contents

PathSize
llvm/
lib/
Bitcode/
Reader/
7 lines
test/
Bitcode/
5 lines

Diff 353634

llvm/lib/Bitcode/Reader/BitcodeReader.cpp

Show First 20 LinesShow All 3,401 Lines▼ Show 20 LinesError BitcodeReader::parseFunctionRecord(ArrayRef<uint64_t> Record) {
if (Record.size() > 15) { if (Record.size() > 15) {
Func->setDSOLocal(getDecodedDSOLocal(Record[15])); Func->setDSOLocal(getDecodedDSOLocal(Record[15]));
} }
inferDSOLocal(Func); inferDSOLocal(Func);
// Record[16] is the address space number. // Record[16] is the address space number.
// Check whether we have enough values to read a partition name. // Check whether we have enough values to read a partition name. Also make
if (Record.size() > 18) // sure Strtab has enough values.
if (Record.size() > 18 && Strtab.data() &&
Record[17] + Record[18] <= Strtab.size()) {
Func->setPartition(StringRef(Strtab.data() + Record[17], Record[18])); Func->setPartition(StringRef(Strtab.data() + Record[17], Record[18]));
}
arsenmUnsubmitted
Not Done
ReplyInline Actions

I think you missed the word sure

arsenm: I think you missed the word sure
ValueList.push_back(Func); ValueList.push_back(Func);
// If this is a function with a body, remember the prototype we are // If this is a function with a body, remember the prototype we are
// creating now, so that we can match up the body with them later. // creating now, so that we can match up the body with them later.
if (!isProto) { if (!isProto) {
Func->setIsMaterializable(true); Func->setIsMaterializable(true);
FunctionsWithBodies.push_back(Func); FunctionsWithBodies.push_back(Func);
▲ Show 20 LinesShow All 3,610 LinesShow Last 20 Lines

llvm/test/Bitcode/invalid-record-strtab.ll

  • This file was added.
; Bitcode with an invalid record that indexes a name outside of strtab.
; RUN: not llvm-dis %s.bc -o - 2>&1 | FileCheck %s
; CHECK: error: Invalid record

llvm/test/Bitcode/invalid-record-strtab.ll.bc

  • This binary file was added.