This is an archive of the discontinued LLVM Phabricator instance.

[LLDB] Fix out-of-bounds memory access in EmulationStateArm
ClosedPublic

Authored by fixathon on Aug 11 2022, 1:16 AM.

Download Raw Diff

Details

Reviewers

clayborg
JDevlieghere
DavidSpickett
jasonmolenda

Commits

rGab6a0823afc7: [LLDB] Fix out-of-bounds memory access in EmulationStateArm

Summary

Functionally broken code for reading and writing registers, likely due to typos,
and could cause out-of-bounds memory access.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

fixathon created this revision.Aug 11 2022, 1:16 AM

Herald added a project: Restricted Project. · View Herald TranscriptAug 11 2022, 1:16 AM

Herald added a subscriber: kristof.beyls. · View Herald Transcript

fixathon requested review of this revision.Aug 11 2022, 1:16 AM

Herald added a project: Restricted Project. · View Herald TranscriptAug 11 2022, 1:16 AM

Herald added a subscriber: lldb-commits. · View Herald Transcript

Harbormaster completed remote builds in B180612: Diff 451759.Aug 11 2022, 1:19 AM

LGTM and I'll add a test later that would break without this fix.

This revision is now accepted and ready to land.Aug 11 2022, 1:30 AM

Thank you. Yes, this does need a unit test

lldb/source/Plugins/Instruction/ARM/EmulationStateARM.cpp
54	Here index 'i' represents an offset starting at dwarf_d0, and index 'idx' is normalized to start at 0. "i" will always be greater than 16 causing the 'else' statement to always execute regardless of the intent.
95	Also clearly a typo as can be seen from the if condition, and the corresponding store code.

Closed by commit rGab6a0823afc7: [LLDB] Fix out-of-bounds memory access in EmulationStateArm (authored by fixathon). · Explain WhyAug 11 2022, 1:34 AM

This revision was automatically updated to reflect the committed changes.

fixathon added a commit: rGab6a0823afc7: [LLDB] Fix out-of-bounds memory access in EmulationStateArm.

DavidSpickett mentioned this in D131663: [LLDB][ARM] Extend testing for vpush emulation.Aug 11 2022, 2:51 AM

DavidSpickett mentioned this in D131664: [LLDB][ARM] Remove unused LoadPseudoRegistersFromFrame function.

DavidSpickett mentioned this in rG14913fa5d050: [LLDB][ARM] Extend testing for vpush emulation.Aug 11 2022, 3:02 AM

DavidSpickett mentioned this in rG662c1c28813b: [LLDB][ARM] Remove unused LoadPseudoRegistersFromFrame function.Aug 16 2022, 1:29 AM

Revision Contents

Path

Size

lldb/

source/

Plugins/

Instruction/

ARM/

EmulationStateARM.cpp

4 lines

Diff 451766

lldb/source/Plugins/Instruction/ARM/EmulationStateARM.cpp

Show First 20 Lines • Show All 45 Lines • ▼ Show 20 Lines	for (int i = dwarf_d0; i < dwarf_d0 + 32; ++i) {
reg_num =		reg_num =
reg_ctx->ConvertRegisterKindToRegisterNumber(eRegisterKindDWARF, i);		reg_ctx->ConvertRegisterKindToRegisterNumber(eRegisterKindDWARF, i);
RegisterValue reg_value;		RegisterValue reg_value;
const RegisterInfo *reg_info = reg_ctx->GetRegisterInfoAtIndex(reg_num);		const RegisterInfo *reg_info = reg_ctx->GetRegisterInfoAtIndex(reg_num);

if (reg_ctx->ReadRegister(reg_info, reg_value)) {		if (reg_ctx->ReadRegister(reg_info, reg_value)) {
uint64_t value = reg_value.GetAsUInt64();		uint64_t value = reg_value.GetAsUInt64();
uint32_t idx = i - dwarf_d0;		uint32_t idx = i - dwarf_d0;
if (i < 16) {		if (idx < 16) {
		fixathonAuthorUnsubmitted Done Reply Inline Actions Here index 'i' represents an offset starting at dwarf_d0, and index 'idx' is normalized to start at 0. "i" will always be greater than 16 causing the 'else' statement to always execute regardless of the intent. fixathon: Here index 'i' represents an offset starting at dwarf_d0, and index 'idx' is normalized to…
m_vfp_regs.s_regs[idx * 2] = (uint32_t)value;		m_vfp_regs.s_regs[idx * 2] = (uint32_t)value;
m_vfp_regs.s_regs[idx * 2 + 1] = (uint32_t)(value >> 32);		m_vfp_regs.s_regs[idx * 2 + 1] = (uint32_t)(value >> 32);
} else		} else
m_vfp_regs.d_regs[idx - 16] = value;		m_vfp_regs.d_regs[idx - 16] = value;
} else		} else
success = false;		success = false;
}		}

Show All 24 Lines	uint64_t EmulationStateARM::ReadPseudoRegisterValue(uint32_t reg_num,
bool &success) {		bool &success) {
uint64_t value = 0;		uint64_t value = 0;
success = true;		success = true;

if (reg_num <= dwarf_cpsr)		if (reg_num <= dwarf_cpsr)
value = m_gpr[reg_num - dwarf_r0];		value = m_gpr[reg_num - dwarf_r0];
else if ((dwarf_s0 <= reg_num) && (reg_num <= dwarf_s31)) {		else if ((dwarf_s0 <= reg_num) && (reg_num <= dwarf_s31)) {
uint32_t idx = reg_num - dwarf_s0;		uint32_t idx = reg_num - dwarf_s0;
value = m_vfp_regs.d_regs[idx];		value = m_vfp_regs.s_regs[idx];
		fixathonAuthorUnsubmitted Done Reply Inline Actions Also clearly a typo as can be seen from the if condition, and the corresponding store code. fixathon: Also clearly a typo as can be seen from the if condition, and the corresponding store code.
} else if ((dwarf_d0 <= reg_num) && (reg_num <= dwarf_d31)) {		} else if ((dwarf_d0 <= reg_num) && (reg_num <= dwarf_d31)) {
uint32_t idx = reg_num - dwarf_d0;		uint32_t idx = reg_num - dwarf_d0;
if (idx < 16)		if (idx < 16)
value = (uint64_t)m_vfp_regs.s_regs[idx * 2] \|		value = (uint64_t)m_vfp_regs.s_regs[idx * 2] \|
((uint64_t)m_vfp_regs.s_regs[idx * 2 + 1] << 32);		((uint64_t)m_vfp_regs.s_regs[idx * 2 + 1] << 32);
else		else
value = m_vfp_regs.d_regs[idx - 16];		value = m_vfp_regs.d_regs[idx - 16];
} else		} else
▲ Show 20 Lines • Show All 280 Lines • Show Last 20 Lines