This is an archive of the discontinued LLVM Phabricator instance.

Differential D138830

[llvm] Check for overflows when computing load-command's addresses.
Needs ReviewPublic

Authored by oontvoo on Nov 28 2022, 9:15 AM.

Details

Reviewers
jyknight
awilfox
alexander-shaposhnikov
Summary

PR/56746

Diff Detail

Event Timeline

oontvoo created this revision.Nov 28 2022, 9:15 AM
Herald added a project: Restricted Project. · View Herald TranscriptNov 28 2022, 9:15 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
oontvoo requested review of this revision.Nov 28 2022, 9:15 AM
Herald added a project: Restricted Project. · View Herald TranscriptNov 28 2022, 9:15 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
oontvoo added a reviewer: awilfox.Nov 28 2022, 9:16 AM
Harbormaster completed remote builds in B199781: Diff 478266.Nov 28 2022, 9:24 AM
alexander-shaposhnikov accepted this revision.Nov 28 2022, 9:58 AM
This revision is now accepted and ready to land.Nov 28 2022, 9:58 AM
alexander-shaposhnikov added inline comments.Nov 28 2022, 10:02 AM
llvm/lib/Object/MachOObjectFile.cpp
202

nit: I'd probably report a separate message for the overflow case (cause it'd make debugging a tiny bit easier)

tschuett added a subscriber: tschuett.Nov 28 2022, 10:19 AM
tschuett added inline comments.
llvm/lib/Object/MachOObjectFile.cpp
202

nit: could you instead use an integer with a defined bit width: uint64_t?

oontvoo marked 2 inline comments as done.Nov 28 2022, 10:27 AM
oontvoo added inline comments.
llvm/lib/Object/MachOObjectFile.cpp
202

nit: could you instead use an integer with a defined bit width: uint64_t?

How about uintptr_t ?

tschuett added a comment.Nov 28 2022, 10:28 AM

Sounds good.

oontvoo updated this revision to Diff 478279.Nov 28 2022, 10:38 AM
oontvoo marked an inline comment as done.
  • updated type
  • separate overflow case to different err msg to make debugging easier
Harbormaster completed remote builds in B199793: Diff 478279.Nov 28 2022, 10:46 AM
jyknight added inline comments.Nov 28 2022, 11:29 AM
llvm/lib/Object/MachOObjectFile.cpp
202

long unsigned int should be uintptr_t here.
And I think the comparison should be >=?

232

Probably all of the checks here can go away, except to check that L.Ptr + L.C.cmdsize doesn't overflow.

All the range checks are done by getLoadCommandInfo anyways?

tschuett added inline comments.Nov 28 2022, 11:39 AM
llvm/lib/Object/MachOObjectFile.cpp
234

I am known to be stupid. You do saturating add with uintptr_t and claim errors on uint32_t?

Would it help to make the asserts into real errors? I like to be informed about malformed files in release builds.

oontvoo updated this revision to Diff 478332.Nov 28 2022, 12:35 PM

addressed review comment:

  • refactor code so that the overflow checks can be done in place
  • remove redundant check
  • fix off-by-one
oontvoo requested review of this revision.Nov 28 2022, 12:38 PM
oontvoo marked an inline comment as done.
oontvoo added inline comments.
llvm/lib/Object/MachOObjectFile.cpp
234

oops, sorry - forgot to update the error messages when I updated the types.
yes - can make these errors instead of asserts.

Harbormaster completed remote builds in B199837: Diff 478332.Nov 28 2022, 2:01 PM
awilfox mentioned this in D138891: [MachO] Prevent overflow on 32-bit platforms when calculating load command offsets.Nov 28 2022, 8:24 PM
oontvoo updated this revision to Diff 478684.Nov 29 2022, 12:40 PM
oontvoo marked an inline comment as done.

updated err msgs and removed a few asserts

Harbormaster completed remote builds in B200092: Diff 478684.Nov 29 2022, 1:56 PM
alexander-shaposhnikov added inline comments.Nov 29 2022, 3:00 PM
llvm/lib/Object/MachOObjectFile.cpp
134

A slightly more general version:

template <class T, class... Ts>
std::enable_if_t<std::is_unsigned<T>::value, T>
SaturatingAdd(T X, T Y, T Z, Ts... args) {
  bool Overflowed = false;
  T XY = SaturatingAdd(X, Y, &Overflowed);
  if (Overflowed)
    return SaturatingAdd(std::numeric_limits<T>::max(), 1, args...);
  return SaturatingAdd(XY, Z, args...);
}

(p.s. if you like - i can send a small patch with this addition to MathExtras)

oontvoo added inline comments.Nov 30 2022, 5:51 AM
llvm/lib/Object/MachOObjectFile.cpp
134

sure! Thanks!

Revision Contents

PathSize
llvm/
lib/
Object/
38 lines

Diff 478279

llvm/lib/Object/MachOObjectFile.cpp

Show All 29 Lines
#include "llvm/Support/Debug.h" #include "llvm/Support/Debug.h"
#include "llvm/Support/Errc.h" #include "llvm/Support/Errc.h"
#include "llvm/Support/Error.h" #include "llvm/Support/Error.h"
#include "llvm/Support/ErrorHandling.h" #include "llvm/Support/ErrorHandling.h"
#include "llvm/Support/FileSystem.h" #include "llvm/Support/FileSystem.h"
#include "llvm/Support/Format.h" #include "llvm/Support/Format.h"
#include "llvm/Support/Host.h" #include "llvm/Support/Host.h"
#include "llvm/Support/LEB128.h" #include "llvm/Support/LEB128.h"
#include "llvm/Support/MathExtras.h"
#include "llvm/Support/MemoryBufferRef.h" #include "llvm/Support/MemoryBufferRef.h"
#include "llvm/Support/Path.h" #include "llvm/Support/Path.h"
#include "llvm/Support/SwapByteOrder.h" #include "llvm/Support/SwapByteOrder.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
#include <algorithm> #include <algorithm>
#include <cassert> #include <cassert>
#include <cstddef> #include <cstddef>
#include <cstdint> #include <cstdint>
Show All 33 Linesstatic T getStruct(const MachOObjectFile &O, const char *P) {
if (O.isLittleEndian() != sys::IsLittleEndianHost) if (O.isLittleEndian() != sys::IsLittleEndianHost)
MachO::swapStruct(Cmd); MachO::swapStruct(Cmd);
return Cmd; return Cmd;
} }
template <typename T> template <typename T>
static Expected<T> getStructOrErr(const MachOObjectFile &O, const char *P) { static Expected<T> getStructOrErr(const MachOObjectFile &O, const char *P) {
// Don't read before the beginning or past the end of the file // Don't read before the beginning or past the end of the file
if (P < O.getData().begin() || P + sizeof(T) > O.getData().end()) bool Overflowed = false;
uintptr_t Ret = llvm::SaturatingAdd<uintptr_t>(P, sizeof(T), &Overflowed);
if (P < O.getData().begin() || Overflowed || Ret > O.getData().end())
return malformedError("Structure read out-of-range"); return malformedError("Structure read out-of-range");
T Cmd; T Cmd;
memcpy(&Cmd, P, sizeof(T)); memcpy(&Cmd, P, sizeof(T));
if (O.isLittleEndian() != sys::IsLittleEndianHost) if (O.isLittleEndian() != sys::IsLittleEndianHost)
MachO::swapStruct(Cmd); MachO::swapStruct(Cmd);
return Cmd; return Cmd;
} }
Show All 27 Lines
static StringRef parseSegmentOrSectionName(const char *P) { static StringRef parseSegmentOrSectionName(const char *P) {
if (P[15] == 0) if (P[15] == 0)
// Null terminated. // Null terminated.
return P; return P;
// Not null terminated, so this is a 16 char string. // Not null terminated, so this is a 16 char string.
return StringRef(P, 16); return StringRef(P, 16);
} }
static unsigned getCPUType(const MachOObjectFile &O) { static unsigned getCPUType(const MachOObjectFile &O) {
alexander-shaposhnikovUnsubmitted
Not Done
ReplyInline Actions

A slightly more general version:

template <class T, class... Ts>
std::enable_if_t<std::is_unsigned<T>::value, T>
SaturatingAdd(T X, T Y, T Z, Ts... args) {
  bool Overflowed = false;
  T XY = SaturatingAdd(X, Y, &Overflowed);
  if (Overflowed)
    return SaturatingAdd(std::numeric_limits<T>::max(), 1, args...);
  return SaturatingAdd(XY, Z, args...);
}

(p.s. if you like - i can send a small patch with this addition to MathExtras)

alexander-shaposhnikov: A slightly more general version: ``` template <class T, class... Ts> std::enable_if_t<std…
oontvooAuthorUnsubmitted
Done
ReplyInline Actions

sure! Thanks!

oontvoo: sure! Thanks!
return O.getHeader().cputype; return O.getHeader().cputype;
} }
static unsigned getCPUSubType(const MachOObjectFile &O) { static unsigned getCPUSubType(const MachOObjectFile &O) {
return O.getHeader().cpusubtype; return O.getHeader().cpusubtype;
} }
static uint32_t static uint32_t
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Linesstatic uint32_t getSectionFlags(const MachOObjectFile &O,
MachO::section Sect = O.getSection(Sec); MachO::section Sect = O.getSection(Sec);
return Sect.flags; return Sect.flags;
} }
static Expected<MachOObjectFile::LoadCommandInfo> static Expected<MachOObjectFile::LoadCommandInfo>
getLoadCommandInfo(const MachOObjectFile &Obj, const char *Ptr, getLoadCommandInfo(const MachOObjectFile &Obj, const char *Ptr,
uint32_t LoadCommandIndex) { uint32_t LoadCommandIndex) {
if (auto CmdOrErr = getStructOrErr<MachO::load_command>(Obj, Ptr)) { if (auto CmdOrErr = getStructOrErr<MachO::load_command>(Obj, Ptr)) {
if (CmdOrErr->cmdsize + Ptr > Obj.getData().end()) bool Overflowed = false;
uintptr_t Ret = llvm::SaturatingAdd<uintptr_t>(
CmdOrErr->cmdsize, reinterpret_cast<uintptr_t>(Ptr), &Overflowed);
if (Overflowed)
return malformedError("load command " + Twine(LoadCommandIndex) +
alexander-shaposhnikovUnsubmitted
Done
ReplyInline Actions

nit: I'd probably report a separate message for the overflow case (cause it'd make debugging a tiny bit easier)

alexander-shaposhnikov: nit: I'd probably report a separate message for the overflow case (cause it'd make debugging a…
tschuettUnsubmitted
Done
ReplyInline Actions

nit: could you instead use an integer with a defined bit width: uint64_t?

tschuett: nit: could you instead use an integer with a defined bit width: uint64_t?
oontvooAuthorUnsubmitted
Done
ReplyInline Actions

nit: could you instead use an integer with a defined bit width: uint64_t?

How about uintptr_t ?

oontvoo: > nit: could you instead use an integer with a defined bit width: uint64_t? How about…
jyknightUnsubmitted
Not Done
ReplyInline Actions

long unsigned int should be uintptr_t here.
And I think the comparison should be >=?

jyknight: `long unsigned int` should be uintptr_t here. And I think the comparison should be `>=`?
" results in overflowed address");
if (Ret > reinterpret_cast<uintptr_t>(Obj.getData().end()))
return malformedError("load command " + Twine(LoadCommandIndex) + return malformedError("load command " + Twine(LoadCommandIndex) +
" extends past end of file"); " extends past end of file");
if (CmdOrErr->cmdsize < 8) if (CmdOrErr->cmdsize < 8)
return malformedError("load command " + Twine(LoadCommandIndex) + return malformedError("load command " + Twine(LoadCommandIndex) +
" with size less than 8 bytes"); " with size less than 8 bytes");
return MachOObjectFile::LoadCommandInfo({Ptr, *CmdOrErr}); return MachOObjectFile::LoadCommandInfo({Ptr, *CmdOrErr});
} else } else
return CmdOrErr.takeError(); return CmdOrErr.takeError();
Show All 9 LinesgetFirstLoadCommandInfo(const MachOObjectFile &Obj) {
return getLoadCommandInfo(Obj, getPtr(Obj, HeaderSize), 0); return getLoadCommandInfo(Obj, getPtr(Obj, HeaderSize), 0);
} }
static Expected<MachOObjectFile::LoadCommandInfo> static Expected<MachOObjectFile::LoadCommandInfo>
getNextLoadCommandInfo(const MachOObjectFile &Obj, uint32_t LoadCommandIndex, getNextLoadCommandInfo(const MachOObjectFile &Obj, uint32_t LoadCommandIndex,
const MachOObjectFile::LoadCommandInfo &L) { const MachOObjectFile::LoadCommandInfo &L) {
unsigned HeaderSize = Obj.is64Bit() ? sizeof(MachO::mach_header_64) unsigned HeaderSize = Obj.is64Bit() ? sizeof(MachO::mach_header_64)
: sizeof(MachO::mach_header); : sizeof(MachO::mach_header);
if (L.Ptr + L.C.cmdsize + sizeof(MachO::load_command) >
Obj.getData().data() + HeaderSize + Obj.getHeader().sizeofcmds) bool Overflowed = false;
// FIXME: Perhaps this validation on the Obj file should have been
jyknightUnsubmitted
Not Done
ReplyInline Actions

Probably all of the checks here can go away, except to check that L.Ptr + L.C.cmdsize doesn't overflow.

All the range checks are done by getLoadCommandInfo anyways?

jyknight: Probably all of the checks here can go away, except to check that L.Ptr + L.C.cmdsize doesn't…
// done somewhere else (earlier).
uint32_t LoadCmdsEnd = llvm::SaturatingAdd<uintptr_t>(
tschuettUnsubmitted
Done
ReplyInline Actions

I am known to be stupid. You do saturating add with uintptr_t and claim errors on uint32_t?

Would it help to make the asserts into real errors? I like to be informed about malformed files in release builds.

tschuett: I am known to be stupid. You do saturating add with `uintptr_t` and claim errors on `uint32_t`?
oontvooAuthorUnsubmitted
Done
ReplyInline Actions

oops, sorry - forgot to update the error messages when I updated the types.
yes - can make these errors instead of asserts.

oontvoo: oops, sorry - forgot to update the error messages when I updated the types. yes - can make…
reinterpret_cast<uintptr_t>(Obj.getData().data()), HeaderSize,
&Overflowed);
assert(!Overflowed && "Load commands range extends past uint32_t type limit");
LoadCmdsEnd = llvm::SaturatingAdd<uintptr_t>(
LoadCmdsEnd, Obj.getHeader().sizeofcmds, &Overflowed);
assert(!Overflowed && "Load commands range extends past uint32_t type limit");
uint32_t PtrEnd = llvm::SaturatingAdd<uintptr_t>(
reinterpret_cast<uintptr_t>(L.Ptr), L.C.cmdsize, &Overflowed);
if (!Overflowed)
PtrEnd = llvm::SaturatingAdd<uintptr_t>(PtrEnd, sizeof(MachO::load_command),
&Overflowed);
if (Overflowed)
return malformedError("load command " + Twine(LoadCommandIndex + 1) +
" extends past uint32_t type limit.");
if (PtrEnd > LoadCmdsEnd)
return malformedError("load command " + Twine(LoadCommandIndex + 1) + return malformedError("load command " + Twine(LoadCommandIndex + 1) +
" extends past the end all load commands in the file"); " extends past the end all load commands in the file");
return getLoadCommandInfo(Obj, L.Ptr + L.C.cmdsize, LoadCommandIndex + 1); return getLoadCommandInfo(Obj, L.Ptr + L.C.cmdsize, LoadCommandIndex + 1);
} }
template <typename T> template <typename T>
static void parseHeader(const MachOObjectFile &Obj, T &Header, static void parseHeader(const MachOObjectFile &Obj, T &Header,
Error &Err) { Error &Err) {
▲ Show 20 LinesShow All 5,171 LinesShow Last 20 Lines