This is an archive of the discontinued LLVM Phabricator instance.

Differential D128377

[lldb] Fix off-by-one error in the AppleObjCRuntimeV2 utility function
ClosedPublic

Authored by JDevlieghere on Jun 22 2022, 1:44 PM.

Details

Reviewers
aprantl
Commits
rGd95c406c20ef: [lldb] Fix off-by-one error in the AppleObjCRuntimeV2 utility function
Summary

Fix an off-by-one error in the utility function used to extract the dynamic class info. This resulted in a buffer overflow in the inferior which interrupted our utility function.

Diff Detail

Event Timeline

JDevlieghere created this revision.Jun 22 2022, 1:44 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 22 2022, 1:44 PM
JDevlieghere requested review of this revision.Jun 22 2022, 1:44 PM
aprantl accepted this revision.Jun 22 2022, 1:47 PM

I'm curious now why there is both count and max_class_infos and if the second is workaround for this bug? Anyway, this *looks* plausible!

This revision is now accepted and ready to land.Jun 22 2022, 1:47 PM
Harbormaster completed remote builds in B171413: Diff 439144.Jun 22 2022, 1:47 PM
JDevlieghere added a comment.Jun 22 2022, 1:48 PM
In D128377#3602856, @aprantl wrote:

I'm curious now why there is both count and max_class_infos and if the second is workaround for this bug? Anyway, this *looks* plausible!

count is the actual value reported by the runtime. max_class_infos is a monotonically increasing number that allows us to detect that new classes have been instantiated. The latter is also used to allocate enough space. The guarantee from the runtime is that count < max_class_infos.

Closed by commit rGd95c406c20ef: [lldb] Fix off-by-one error in the AppleObjCRuntimeV2 utility function (authored by JDevlieghere). · Explain WhyJun 22 2022, 1:57 PM
This revision was automatically updated to reflect the committed changes.
JDevlieghere added a commit: rGd95c406c20ef: [lldb] Fix off-by-one error in the AppleObjCRuntimeV2 utility function.
Herald added a project: Restricted Project. · View Herald TranscriptJun 22 2022, 1:57 PM

Revision Contents

PathSize
lldb/
source/
Plugins/
LanguageRuntime/
ObjC/
AppleObjCRuntime/
4 lines

Diff 439151

lldb/source/Plugins/LanguageRuntime/ObjC/AppleObjCRuntime/AppleObjCRuntimeV2.cpp

Show First 20 LinesShow All 193 Lines▼ Show 20 Lines__lldb_apple_objc_v2_get_dynamic_class_info2(void *gdb_objc_realized_classes_ptr,
ClassInfo *class_infos = (ClassInfo *)class_infos_ptr; ClassInfo *class_infos = (ClassInfo *)class_infos_ptr;
uint32_t count = 0; uint32_t count = 0;
Class* realized_class_list = objc_copyRealizedClassList_nolock(&count); Class* realized_class_list = objc_copyRealizedClassList_nolock(&count);
DEBUG_PRINTF ("count = %u\n", count); DEBUG_PRINTF ("count = %u\n", count);
uint32_t idx = 0; uint32_t idx = 0;
for (uint32_t i=0; i<=count; ++i) for (uint32_t i=0; i<count; ++i)
{ {
if (idx < max_class_infos) if (idx < max_class_infos)
{ {
Class isa = realized_class_list[i]; Class isa = realized_class_list[i];
const char *name_ptr = objc_debug_class_getNameRaw(isa); const char *name_ptr = objc_debug_class_getNameRaw(isa);
if (!name_ptr) if (!name_ptr)
continue; continue;
const char *s = name_ptr; const char *s = name_ptr;
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Lines__lldb_apple_objc_v2_get_dynamic_class_info3(void *gdb_objc_realized_classes_ptr,
Class *realized_class_list = (Class*)class_buffer; Class *realized_class_list = (Class*)class_buffer;
uint32_t count = objc_getRealizedClassList_trylock(realized_class_list, uint32_t count = objc_getRealizedClassList_trylock(realized_class_list,
class_buffer_len); class_buffer_len);
DEBUG_PRINTF ("count = %u\n", count); DEBUG_PRINTF ("count = %u\n", count);
uint32_t idx = 0; uint32_t idx = 0;
for (uint32_t i=0; i<=count; ++i) for (uint32_t i=0; i<count; ++i)
{ {
if (idx < max_class_infos) if (idx < max_class_infos)
{ {
Class isa = realized_class_list[i]; Class isa = realized_class_list[i];
const char *name_ptr = objc_debug_class_getNameRaw(isa); const char *name_ptr = objc_debug_class_getNameRaw(isa);
if (!name_ptr) { if (!name_ptr) {
class_getName(isa); // Realize name of lazy classes. class_getName(isa); // Realize name of lazy classes.
name_ptr = objc_debug_class_getNameRaw(isa); name_ptr = objc_debug_class_getNameRaw(isa);
▲ Show 20 LinesShow All 3,004 LinesShow Last 20 Lines