This is an archive of the discontinued LLVM Phabricator instance.

Differential D107328

[JITLink] Add fixup value range check
ClosedPublic

Authored by StephenFan on Aug 3 2021, 12:54 AM.

Details

Reviewers
lhames
jrtc27
Commits
rG0ef5aa69e77f: [JITLink] Add fixup value range check
rG17af06ba8005: [JITLink] Add fixup value range check
Summary

This patch makes jitlink to report an out of range error when the fixup value out of range

Diff Detail

Event Timeline

StephenFan created this revision.Aug 3 2021, 12:54 AM
Herald added subscribers: frasercrmck, luismarques, apazos and 18 others. · View Herald TranscriptAug 3 2021, 12:54 AM
StephenFan requested review of this revision.Aug 3 2021, 12:54 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 3 2021, 12:54 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B117572: Diff 363643.Aug 3 2021, 1:21 AM
lhames accepted this revision.Aug 14 2021, 6:34 PM

LGTM. Thanks Stephen!

This revision is now accepted and ready to land.Aug 14 2021, 6:34 PM
Closed by commit rG17af06ba8005: [JITLink] Add fixup value range check (authored by StephenFan). · Explain WhyJan 4 2022, 6:56 AM
This revision was automatically updated to reflect the committed changes.
StephenFan added a commit: rG17af06ba8005: [JITLink] Add fixup value range check.
Herald added a subscriber: MaskRay. · View Herald TranscriptJan 4 2022, 6:56 AM
jrtc27 added a comment.Jan 4 2022, 7:41 AM

This was clearly not done whilst referencing LLD's implementation as it's buggy. Please fix.

llvm/lib/ExecutionEngine/JITLink/ELF_riscv.cpp
199–201

You need to check that Value + 0x800 is a 32-bit signed integer, not that Value is a 32-bit unsigned integer. LUI sign-extends, hence checking it as a signed integer, and the + 0x800 needs to be added to account for the slight asymmetry resulting from the ADDI/etc's sign-extension of the LO12.

212

LO12 should never be range checked, it's a waste of time as the HI20 half will also range check.

233

As with HI20, this needs to check Value + 0x800, not Value. But this at least already checks it as a signed integer rather than an unsigned integer.

251

As with LO12, these are a waste of time

StephenFan added a reverting change: rG43c5fffcef5c: Revert "[JITLink] Add fixup value range check".Jan 4 2022, 8:04 AM
lhames added inline comments.Jan 4 2022, 4:20 PM
llvm/lib/ExecutionEngine/JITLink/ELF_riscv.cpp
212

If LO12/HI20 relocations are always paired then it seems reasonable to elide the range check here, but we'd need a check that both elements of the pair are present in the input object: JITLink's policy is to assume that objects may be malformed / maliciously crafted and always check.

That needn't be addressed straight away, but we should at least add a FIXME for it.

StephenFan reopened this revision.Jan 9 2022, 5:04 PM
This revision is now accepted and ready to land.Jan 9 2022, 5:04 PM
StephenFan updated this revision to Diff 398511.Jan 9 2022, 10:10 PM

Address @jrtc27's comments

Herald added a subscriber: luke957. · View Herald TranscriptJan 9 2022, 10:10 PM
StephenFan marked 5 inline comments as done.Jan 9 2022, 10:11 PM
Harbormaster completed remote builds in B142358: Diff 398511.Jan 9 2022, 10:41 PM
lhames accepted this revision.Jan 9 2022, 11:58 PM

The code should be clang-formatted. Otherwise LGTM.

StephenFan updated this revision to Diff 399532.Jan 12 2022, 7:23 PM

Clang-format and delete unused function

StephenFan updated this revision to Diff 399533.Jan 12 2022, 7:24 PM

clang-format

Harbormaster completed remote builds in B143064: Diff 399533.Jan 12 2022, 8:20 PM
StephenFan updated this revision to Diff 399552.Jan 12 2022, 11:11 PM

rebase

This revision was landed with ongoing or failed builds.Jan 13 2022, 12:33 AM
Closed by commit rG0ef5aa69e77f: [JITLink] Add fixup value range check (authored by StephenFan). · Explain Why
This revision was automatically updated to reflect the committed changes.
StephenFan added a commit: rG0ef5aa69e77f: [JITLink] Add fixup value range check.
Harbormaster completed remote builds in B143081: Diff 399552.Jan 13 2022, 12:47 AM

Revision Contents

PathSize
llvm/
lib/
ExecutionEngine/
JITLink/
34 lines
test/
ExecutionEngine/
JITLink/
RISCV/
8 lines
4 lines

Diff 399568

llvm/lib/ExecutionEngine/JITLink/ELF_riscv.cpp

Show First 20 LinesShow All 156 Lines▼ Show 20 Linesstatic Expected<const Edge &> getRISCVPCRelHi20(const Edge &E) {
return make_error<JITLinkError>( return make_error<JITLinkError>(
"No HI20 PCREL relocation type be found for LO12 PCREL relocation type"); "No HI20 PCREL relocation type be found for LO12 PCREL relocation type");
} }
static uint32_t extractBits(uint32_t Num, unsigned Low, unsigned Size) { static uint32_t extractBits(uint32_t Num, unsigned Low, unsigned Size) {
return (Num & (((1ULL << (Size + 1)) - 1) << Low)) >> Low; return (Num & (((1ULL << (Size + 1)) - 1) << Low)) >> Low;
} }
static inline bool isInRangeForImmS32(int64_t Value) {
return (Value >= std::numeric_limits<int32_t>::min() &&
Value <= std::numeric_limits<int32_t>::max());
}
class ELFJITLinker_riscv : public JITLinker<ELFJITLinker_riscv> { class ELFJITLinker_riscv : public JITLinker<ELFJITLinker_riscv> {
friend class JITLinker<ELFJITLinker_riscv>; friend class JITLinker<ELFJITLinker_riscv>;
public: public:
ELFJITLinker_riscv(std::unique_ptr<JITLinkContext> Ctx, ELFJITLinker_riscv(std::unique_ptr<JITLinkContext> Ctx,
std::unique_ptr<LinkGraph> G, PassConfiguration PassConfig) std::unique_ptr<LinkGraph> G, PassConfiguration PassConfig)
: JITLinker(std::move(Ctx), std::move(G), std::move(PassConfig)) {} : JITLinker(std::move(Ctx), std::move(G), std::move(PassConfig)) {}
Show All 13 Lines Error applyFixup(LinkGraph &G, Block &B, const Edge &E) const {
} }
case R_RISCV_64: { case R_RISCV_64: {
int64_t Value = (E.getTarget().getAddress() + E.getAddend()).getValue(); int64_t Value = (E.getTarget().getAddress() + E.getAddend()).getValue();
*(little64_t *)FixupPtr = static_cast<uint64_t>(Value); *(little64_t *)FixupPtr = static_cast<uint64_t>(Value);
break; break;
} }
case R_RISCV_HI20: { case R_RISCV_HI20: {
int64_t Value = (E.getTarget().getAddress() + E.getAddend()).getValue(); int64_t Value = (E.getTarget().getAddress() + E.getAddend()).getValue();
int32_t Hi = (Value + 0x800) & 0xFFFFF000; int64_t Hi = Value + 0x800;
if (LLVM_UNLIKELY(!isInRangeForImmS32(Hi)))
return makeTargetOutOfRangeError(G, B, E);
jrtc27Unsubmitted
Done
ReplyInline Actions

You need to check that Value + 0x800 is a 32-bit signed integer, not that Value is a 32-bit unsigned integer. LUI sign-extends, hence checking it as a signed integer, and the + 0x800 needs to be added to account for the slight asymmetry resulting from the ADDI/etc's sign-extension of the LO12.

jrtc27: You need to check that `Value + 0x800` is a 32-bit signed integer, not that `Value` is a 32-bit…
uint32_t RawInstr = *(little32_t *)FixupPtr; uint32_t RawInstr = *(little32_t *)FixupPtr;
*(little32_t *)FixupPtr = (RawInstr & 0xFFF) | static_cast<uint32_t>(Hi); *(little32_t *)FixupPtr =
(RawInstr & 0xFFF) | (static_cast<uint32_t>(Hi & 0xFFFFF000));
break; break;
} }
case R_RISCV_LO12_I: { case R_RISCV_LO12_I: {
// FIXME: We assume that R_RISCV_HI20 is present in object code and pairs
// with current relocation R_RISCV_LO12_I. So here may need a check.
int64_t Value = (E.getTarget().getAddress() + E.getAddend()).getValue(); int64_t Value = (E.getTarget().getAddress() + E.getAddend()).getValue();
int32_t Lo = Value & 0xFFF; int32_t Lo = Value & 0xFFF;
uint32_t RawInstr = *(little32_t *)FixupPtr; uint32_t RawInstr = *(little32_t *)FixupPtr;
jrtc27Unsubmitted
Done
ReplyInline Actions

LO12 should never be range checked, it's a waste of time as the HI20 half will also range check.

jrtc27: LO12 should never be range checked, it's a waste of time as the HI20 half will also range check.
lhamesUnsubmitted
Done
ReplyInline Actions

If LO12/HI20 relocations are always paired then it seems reasonable to elide the range check here, but we'd need a check that both elements of the pair are present in the input object: JITLink's policy is to assume that objects may be malformed / maliciously crafted and always check.

That needn't be addressed straight away, but we should at least add a FIXME for it.

lhames: If LO12/HI20 relocations are always paired then it seems reasonable to elide the range check…
*(little32_t *)FixupPtr = *(little32_t *)FixupPtr =
(RawInstr & 0xFFFFF) | (static_cast<uint32_t>(Lo & 0xFFF) << 20); (RawInstr & 0xFFFFF) | (static_cast<uint32_t>(Lo & 0xFFF) << 20);
break; break;
} }
case R_RISCV_CALL: { case R_RISCV_CALL: {
int64_t Value = E.getTarget().getAddress() + E.getAddend() - FixupAddress; int64_t Value = E.getTarget().getAddress() + E.getAddend() - FixupAddress;
int32_t Hi = (Value + 0x800) & 0xFFFFF000; int64_t Hi = Value + 0x800;
if (LLVM_UNLIKELY(!isInRangeForImmS32(Hi)))
return makeTargetOutOfRangeError(G, B, E);
int32_t Lo = Value & 0xFFF; int32_t Lo = Value & 0xFFF;
uint32_t RawInstrAuipc = *(little32_t *)FixupPtr; uint32_t RawInstrAuipc = *(little32_t *)FixupPtr;
uint32_t RawInstrJalr = *(little32_t *)(FixupPtr + 4); uint32_t RawInstrJalr = *(little32_t *)(FixupPtr + 4);
*(little32_t *)FixupPtr = RawInstrAuipc | static_cast<uint32_t>(Hi); *(little32_t *)FixupPtr =
RawInstrAuipc | (static_cast<uint32_t>(Hi & 0xFFFFF000));
*(little32_t *)(FixupPtr + 4) = *(little32_t *)(FixupPtr + 4) =
RawInstrJalr | (static_cast<uint32_t>(Lo) << 20); RawInstrJalr | (static_cast<uint32_t>(Lo) << 20);
break; break;
} }
case R_RISCV_PCREL_HI20: { case R_RISCV_PCREL_HI20: {
int64_t Value = E.getTarget().getAddress() + E.getAddend() - FixupAddress; int64_t Value = E.getTarget().getAddress() + E.getAddend() - FixupAddress;
int32_t Hi = (Value + 0x800) & 0xFFFFF000; int64_t Hi = Value + 0x800;
jrtc27Unsubmitted
Done
ReplyInline Actions

As with HI20, this needs to check Value + 0x800, not Value. But this at least already checks it as a signed integer rather than an unsigned integer.

jrtc27: As with HI20, this needs to check Value + 0x800, not Value. But this at least already checks it…
if (LLVM_UNLIKELY(!isInRangeForImmS32(Hi)))
return makeTargetOutOfRangeError(G, B, E);
uint32_t RawInstr = *(little32_t *)FixupPtr; uint32_t RawInstr = *(little32_t *)FixupPtr;
*(little32_t *)FixupPtr = (RawInstr & 0xFFF) | static_cast<uint32_t>(Hi); *(little32_t *)FixupPtr =
(RawInstr & 0xFFF) | (static_cast<uint32_t>(Hi & 0xFFFFF000));
break; break;
} }
case R_RISCV_PCREL_LO12_I: { case R_RISCV_PCREL_LO12_I: {
// FIXME: We assume that R_RISCV_PCREL_HI20 is present in object code and
// pairs with current relocation R_RISCV_PCREL_LO12_I. So here may need a
// check.
auto RelHI20 = getRISCVPCRelHi20(E); auto RelHI20 = getRISCVPCRelHi20(E);
if (!RelHI20) if (!RelHI20)
return RelHI20.takeError(); return RelHI20.takeError();
int64_t Value = RelHI20->getTarget().getAddress() + int64_t Value = RelHI20->getTarget().getAddress() +
RelHI20->getAddend() - E.getTarget().getAddress(); RelHI20->getAddend() - E.getTarget().getAddress();
int64_t Lo = Value & 0xFFF; int64_t Lo = Value & 0xFFF;
uint32_t RawInstr = *(little32_t *)FixupPtr; uint32_t RawInstr = *(little32_t *)FixupPtr;
jrtc27Unsubmitted
Done
ReplyInline Actions

As with LO12, these are a waste of time

jrtc27: As with LO12, these are a waste of time
*(little32_t *)FixupPtr = *(little32_t *)FixupPtr =
(RawInstr & 0xFFFFF) | (static_cast<uint32_t>(Lo & 0xFFF) << 20); (RawInstr & 0xFFFFF) | (static_cast<uint32_t>(Lo & 0xFFF) << 20);
break; break;
} }
case R_RISCV_PCREL_LO12_S: { case R_RISCV_PCREL_LO12_S: {
// FIXME: We assume that R_RISCV_PCREL_HI20 is present in object code and
// pairs with current relocation R_RISCV_PCREL_LO12_S. So here may need a
// check.
auto RelHI20 = getRISCVPCRelHi20(E); auto RelHI20 = getRISCVPCRelHi20(E);
int64_t Value = RelHI20->getTarget().getAddress() + int64_t Value = RelHI20->getTarget().getAddress() +
RelHI20->getAddend() - E.getTarget().getAddress(); RelHI20->getAddend() - E.getTarget().getAddress();
int64_t Lo = Value & 0xFFF; int64_t Lo = Value & 0xFFF;
uint32_t Imm31_25 = extractBits(Lo, 5, 7) << 25; uint32_t Imm31_25 = extractBits(Lo, 5, 7) << 25;
uint32_t Imm11_7 = extractBits(Lo, 0, 5) << 7; uint32_t Imm11_7 = extractBits(Lo, 0, 5) << 7;
uint32_t RawInstr = *(little32_t *)FixupPtr; uint32_t RawInstr = *(little32_t *)FixupPtr;
▲ Show 20 LinesShow All 148 LinesShow Last 20 Lines

llvm/test/ExecutionEngine/JITLink/RISCV/ELF_abs_reloc.s

# RUN: rm -rf %t && mkdir -p %t # RUN: rm -rf %t && mkdir -p %t
# RUN: llvm-mc -triple=riscv64 -filetype=obj \ # RUN: llvm-mc -triple=riscv64 -filetype=obj \
# RUN: -o %t/elf_riscv64_non_pc_indirect_reloc.o %s # RUN: -o %t/elf_riscv64_non_pc_indirect_reloc.o %s
# RUN: llvm-mc -triple=riscv32 -filetype=obj \ # RUN: llvm-mc -triple=riscv32 -filetype=obj \
# RUN: -o %t/elf_riscv32_non_pc_indirect_reloc.o %s # RUN: -o %t/elf_riscv32_non_pc_indirect_reloc.o %s
# RUN: llvm-jitlink -noexec \ # RUN: llvm-jitlink -noexec \
# RUN: -slab-allocate 100Kb -slab-address 0xfff00000 -slab-page-size 4096 \ # RUN: -slab-allocate 100Kb -slab-address 0x1ff00000 -slab-page-size 4096 \
# RUN: -define-abs external_data=0xfff10000 \ # RUN: -define-abs external_data=0x1ff10000 \
# RUN: -check %s %t/elf_riscv64_non_pc_indirect_reloc.o # RUN: -check %s %t/elf_riscv64_non_pc_indirect_reloc.o
# RUN: llvm-jitlink -noexec \ # RUN: llvm-jitlink -noexec \
# RUN: -slab-allocate 100Kb -slab-address 0xfff00000 -slab-page-size 4096 \ # RUN: -slab-allocate 100Kb -slab-address 0x1ff00000 -slab-page-size 4096 \
# RUN: -define-abs external_data=0xfff10000 \ # RUN: -define-abs external_data=0x1ff10000 \
# RUN: -check %s %t/elf_riscv32_non_pc_indirect_reloc.o # RUN: -check %s %t/elf_riscv32_non_pc_indirect_reloc.o
# #
.text .text
.file "testcase.c" .file "testcase.c"
# Empty main entry point. # Empty main entry point.
.globl main .globl main
Show All 19 Lines

llvm/test/ExecutionEngine/JITLink/RISCV/ELF_pc_indirect.s

# RUN: rm -rf %t && mkdir -p %t # RUN: rm -rf %t && mkdir -p %t
# RUN: llvm-mc -triple=riscv64 -position-independent -filetype=obj \ # RUN: llvm-mc -triple=riscv64 -position-independent -filetype=obj \
# RUN: -o %t/elf_riscv64_sm_pic_reloc.o %s # RUN: -o %t/elf_riscv64_sm_pic_reloc.o %s
# RUN: llvm-mc -triple=riscv32 -position-independent -filetype=obj \ # RUN: llvm-mc -triple=riscv32 -position-independent -filetype=obj \
# RUN: -o %t/elf_riscv32_sm_pic_reloc.o %s # RUN: -o %t/elf_riscv32_sm_pic_reloc.o %s
# RUN: llvm-jitlink -noexec \ # RUN: llvm-jitlink -noexec \
# RUN: -slab-allocate 100Kb -slab-address 0xfff00000 -slab-page-size 4096 \ # RUN: -slab-allocate 100Kb -slab-address 0x1ff00000 -slab-page-size 4096 \
# RUN: -define-abs external_func=0x1 -define-abs external_data=0x2 \ # RUN: -define-abs external_func=0x1 -define-abs external_data=0x2 \
# RUN: -check %s %t/elf_riscv64_sm_pic_reloc.o # RUN: -check %s %t/elf_riscv64_sm_pic_reloc.o
# RUN: llvm-jitlink -noexec \ # RUN: llvm-jitlink -noexec \
# RUN: -slab-allocate 100Kb -slab-address 0xfff00000 -slab-page-size 4096 \ # RUN: -slab-allocate 100Kb -slab-address 0x1ff00000 -slab-page-size 4096 \
# RUN: -define-abs external_func=0x1 -define-abs external_data=0x2 \ # RUN: -define-abs external_func=0x1 -define-abs external_data=0x2 \
# RUN: -check %s %t/elf_riscv32_sm_pic_reloc.o # RUN: -check %s %t/elf_riscv32_sm_pic_reloc.o
# #
# Test ELF small/PIC relocations # Test ELF small/PIC relocations
.text .text
.file "testcase.c" .file "testcase.c"
Show All 31 Lines