This is an archive of the discontinued LLVM Phabricator instance.

Differential D138986

[AIX][BigArchive] Treat the archive is empty if the first child member offset is zero
ClosedPublic

Authored by lkail on Nov 30 2022, 12:23 AM.

Details

Reviewers
Esme
DiggerLin
jhenderson
stephenpeckham
hctim
Group Reviewers
Restricted Project
Commits
rGc0d9e5a0a4b8: Reland [AIX][BigArchive] Treat the archive is empty if the first child member…
rG7f0003c19c3a: [AIX][BigArchive] Treat the archive is empty if the first child member offset…
rGb26fe2a3e520: [AIX][BigArchive] Treat the archive is empty if the first child member offset…
Summary

If the archive contains free list and contains no member file, the buffer length doesn't equal to length of the header.

Diff Detail

Event Timeline

lkail created this revision.Nov 30 2022, 12:23 AM
Herald added a project: Restricted Project. · View Herald TranscriptNov 30 2022, 12:23 AM
lkail requested review of this revision.Nov 30 2022, 12:23 AM
Herald added a project: Restricted Project. · View Herald TranscriptNov 30 2022, 12:23 AM
Herald added a subscriber: llvm-commits. · View Herald TranscriptNov 30 2022, 12:23 AM
Harbormaster completed remote builds in B200195: Diff 478834.Nov 30 2022, 12:24 AM
lkail added a parent revision: D138985: [AIX][BigArchive][NFC] Add test case that list members of archive with free list in it.Nov 30 2022, 12:24 AM
lkail retitled this revision from [BigArchive] Treat the archive is empty if the first child member offset is zero to [AIX][BigArchive] Treat the archive is empty if the first child member offset is zero.Nov 30 2022, 12:27 AM
Esme added inline comments.Dec 8 2022, 12:39 AM
llvm/include/llvm/Object/Archive.h
413

Can we remove the check of Data.getBufferSize() == sizeof(FixLenHdr)? I think getFirstChildOffset() == 0 can cover that case.

lkail updated this revision to Diff 481544.Dec 9 2022, 12:52 AM
lkail marked an inline comment as done.
lkail added inline comments.
llvm/include/llvm/Object/Archive.h
413

Good point, it looks reasonable.

Harbormaster completed remote builds in B202166: Diff 481544.Dec 9 2022, 1:11 AM
Esme accepted this revision.Dec 9 2022, 8:40 AM

LGTM. Thank you for fixing it.

llvm/include/llvm/Object/Archive.h
413
This revision is now accepted and ready to land.Dec 9 2022, 8:40 AM
lkail updated this revision to Diff 481966.Dec 11 2022, 6:24 PM
lkail marked an inline comment as done.
Harbormaster completed remote builds in B202473: Diff 481966.Dec 11 2022, 6:56 PM
DiggerLin added inline comments.Dec 12 2022, 6:23 AM
llvm/include/llvm/Object/Archive.h
413

if we have big archive file which only has archive Fixed-Length Header and the fl_fstmoff[20] is not zero. I am not sure that the program is crash or print malform at this situation(the program should not crash) ? if (Data.getBufferSize() == sizeof(FixLenHdr) || getFirstChildOffset() == 0) , I am sure that it not crash.

lkail updated this revision to Diff 482369.Dec 12 2022, 11:32 PM
lkail updated this revision to Diff 482370.
lkail updated this revision to Diff 482374.Dec 12 2022, 11:57 PM
lkail added inline comments.
llvm/include/llvm/Object/Archive.h
413

Tried with following case

<bigaf>
0                   0                   0                   128                 0                   0

llvm-ar tv exits silently without this patch. While ar tv prints

ar: 0707-123 The archive file libbar.a is corrupted.  
        The member table is missing.
        The command 'ar -o libbar.a' may restore the member table.

I added a test case for it.

lkail updated this revision to Diff 482375.Dec 13 2022, 12:00 AM
Harbormaster completed remote builds in B202771: Diff 482375.Dec 13 2022, 12:43 AM
DiggerLin added a comment.Dec 13 2022, 10:07 AM

thanks for adding a new malform empty archive test case.

llvm/test/Object/archive-big-malformed-first-member.test
3

I think you can generate the malform aix-malformed-big-archive.a with following command in test case ( we do not need llvm/test/Object/Inputs/aix-malformed-big-archive.a)

#RUN:  echo "<bigaf>" > %t.a
#RUN:  echo "0                   0                 123                   0                   0                   0" >> %t.a
#RUN:  %python -c "with open('%t.a', 'r+b') as input: input.truncate(128)"
DiggerLin added inline comments.Dec 13 2022, 1:37 PM
llvm/test/Object/archive-big-malformed-first-member.test
3

there are some examples of using "printf"
you can use
find llvm/test/tools -name "*.test" | xargs grep "printf"

to get the example.

lkail updated this revision to Diff 482786.Dec 14 2022, 3:26 AM

Address comments.

lkail marked 2 inline comments as done.Dec 14 2022, 3:26 AM
lkail updated this revision to Diff 482791.Dec 14 2022, 3:33 AM
Harbormaster completed remote builds in B203078: Diff 482791.Dec 14 2022, 4:37 AM
DiggerLin accepted this revision.Dec 14 2022, 6:47 AM
lkail removed a parent revision: D138985: [AIX][BigArchive][NFC] Add test case that list members of archive with free list in it.Dec 15 2022, 7:25 PM
This revision was landed with ongoing or failed builds.Dec 18 2022, 9:18 PM
Closed by commit rGb26fe2a3e520: [AIX][BigArchive] Treat the archive is empty if the first child member offset… (authored by lkail). · Explain Why
This revision was automatically updated to reflect the committed changes.
lkail added a commit: rGb26fe2a3e520: [AIX][BigArchive] Treat the archive is empty if the first child member offset….
hctim added a subscriber: hctim.Dec 19 2022, 10:15 AM

Looks like this broke the ASan buildbot: https://lab.llvm.org/buildbot/#/builders/5/builds/30103

-- Testing: 70627 tests, 80 workers --
Testing:  0.. 10.. 20.. 30.. 40.. 50.. 60.. 
FAIL: LLVM :: Object/archive-big-malformed-first-member.test (50724 of 70627)
******************** TEST 'LLVM :: Object/archive-big-malformed-first-member.test' FAILED ********************
Script:
--
: 'RUN: at line 2';   echo    "<bigaf>" > /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/test/Object/Output/archive-big-malformed-first-member.test.tmp.a
: 'RUN: at line 3';   echo -n "0                   0                   0                   128                 0                   0                   " >> /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/test/Object/Output/archive-big-malformed-first-member.test.tmp.a
: 'RUN: at line 4';   not /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/llvm-ar tv /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/test/Object/Output/archive-big-malformed-first-member.test.tmp.a 2>&1 | grep 'truncated or malformed archive'
--
Exit Code: 1

I'm guessing that the 2>&1 | grep in the test runline is supporessing an ASan report.

You can reproduce the sanitizer buildbots using our bot scripts here, but this error looks reasonable easy to reproduce with a cmake containing -DLLVM_USE_SANITIZER=Address.

hctim added a reverting change: rG42d3f326d5d8: Revert "[AIX][BigArchive] Treat the archive is empty if the first child member….Dec 19 2022, 11:07 AM
hctim added a comment.Dec 19 2022, 1:05 PM

FYI - here's the ASan report from my local machine (by hacking with the following patch):

diff --git a/llvm/test/Object/archive-big-malformed-first-member.test b/llvm/test/Object/archive-big-malformed-first-member.test
index 9107bdb6d9d2..a085d98c8d6d 100644
--- a/llvm/test/Object/archive-big-malformed-first-member.test
+++ b/llvm/test/Object/archive-big-malformed-first-member.test
@@ -1,4 +1,4 @@
 # Test reading an empty archive with first member's offset is not zero.
 # RUN: echo    "<bigaf>" > %t.a
 # RUN: echo -n "0                   0                   0                   128                 0                   0                   " >> %t.a
-# RUN: not llvm-ar tv %t.a 2>&1 | grep 'truncated or malformed archive'
+# RUN: llvm-ar tv %t.a 2>&1
$ LIT_OPTS='--filter=archive-big' ninja check-llvm
[0/1] Running the LLVM regression tests
llvm-lit: /llvm/llvm/utils/lit/lit/llvm/subst.py:122: note: Did not find llvm-debuginfod in /llvm-build/asan-test/bin
llvm-lit: /llvm/llvm/utils/lit/lit/llvm/config.py:459: note: using ld.lld: /llvm-build/asan-test/bin/ld.lld
llvm-lit: /llvm/llvm/utils/lit/lit/llvm/config.py:459: note: using lld-link: /llvm-build/asan-test/bin/lld-link
llvm-lit: /llvm/llvm/utils/lit/lit/llvm/config.py:459: note: using ld64.lld: /llvm-build/asan-test/bin/ld64.lld
llvm-lit: /llvm/llvm/utils/lit/lit/llvm/config.py:459: note: using wasm-ld: /llvm-build/asan-test/bin/wasm-ld
-- Testing: 5 of 47262 tests, 5 workers --
Testing:  0.. 10
FAIL: LLVM :: Object/archive-big-malformed-first-member.test (5 of 5)
******************** TEST 'LLVM :: Object/archive-big-malformed-first-member.test' FAILED ********************
Script:
--
: 'RUN: at line 2';   echo    "<bigaf>" > /llvm-build/asan-test/test/Object/Output/archive-big-malformed-first-member.test.tmp.a
: 'RUN: at line 3';   echo -n "0                   0                   0                   128                 0                   0                   " >> /llvm-build/asan-test/test/Object/Output/archive-big-malformed-first-member.test.tmp.a
: 'RUN: at line 4';   /llvm-build/asan-test/bin/llvm-ar tv /llvm-build/asan-test/test/Object/Output/archive-big-malformed-first-member.test.tmp.a 2>&1
--
Exit Code: 1

Command Output (stdout):
--
=================================================================
==2063113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000001cf at pc 0x55ef0a9db6fa bp 0x7fff8f3b70d0 sp 0x7fff8f3b70c8
READ of size 1 at 0x6120000001cf thread T0
    #0 0x55ef0a9db6f9 in llvm::StringRef::find_last_not_of(llvm::StringRef, unsigned long) const /llvm/llvm/lib/Support/StringRef.cpp:319:39
    #1 0x55ef0a68b732 in rtrim /llvm/llvm/include/llvm/ADT/StringRef.h:802:50
    #2 0x55ef0a68b732 in getFieldRawString<char, 4UL> /llvm/llvm/lib/Object/Archive.cpp:66:30
    #3 0x55ef0a68b732 in llvm::object::BigArchiveMemberHeader::getRawName() const /llvm/llvm/lib/Object/Archive.cpp:210:18
    #4 0x55ef0a68ecb1 in llvm::object::BigArchiveMemberHeader::getName(unsigned long) const /llvm/llvm/lib/Object/Archive.cpp:346:10
    #5 0x55ef0a686ea9 in createMemberHeaderParseError(llvm::object::AbstractArchiveMemberHeader const*, char const*, unsigned long) /llvm/llvm/lib/Object/Archive.cpp:55:48
    #6 0x55ef0a688193 in llvm::object::BigArchiveMemberHeader::BigArchiveMemberHeader(llvm::object::Archive const*, char const*, unsigned long, llvm::Error*) /llvm/llvm/lib/Object/Archive.cpp:139:20
    #7 0x55ef0a6924da in make_unique<llvm::object::BigArchiveMemberHeader, const llvm::object::Archive *, const char *&, unsigned long &, llvm::Error *&> /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/unique_ptr.h:1065:34
    #8 0x55ef0a6924da in createArchiveMemberHeader /llvm/llvm/lib/Object/Archive.cpp:681:10
    #9 0x55ef0a6924da in llvm::object::Archive::Child::Child(llvm::object::Archive const*, char const*, llvm::Error*) /llvm/llvm/lib/Object/Archive.cpp:467:20
    #10 0x55ef0a69c620 in llvm::object::Archive::child_begin(llvm::Error&, bool) const /llvm/llvm/lib/Object/Archive.cpp:953:9
    #11 0x55ef0a69faa9 in llvm::object::BigArchive::BigArchive(llvm::MemoryBufferRef, llvm::Error&) /llvm/llvm/lib/Object/Archive.cpp:1240:22
    #12 0x55ef0a699207 in make_unique<llvm::object::BigArchive, llvm::MemoryBufferRef &, llvm::Error &> /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/unique_ptr.h:1065:34
    #13 0x55ef0a699207 in llvm::object::Archive::create(llvm::MemoryBufferRef) /llvm/llvm/lib/Object/Archive.cpp:666:11
    #14 0x55ef0997c4da in performOperation(ArchiveOperation) /llvm/llvm/tools/llvm-ar/llvm-ar.cpp:1146:9
    #15 0x55ef09979bb1 in ar_main /llvm/llvm/tools/llvm-ar/llvm-ar.cpp:1413:10
    #16 0x55ef09979bb1 in llvm_ar_main(int, char**) /llvm/llvm/tools/llvm-ar/llvm-ar.cpp:1482:12
    #17 0x7f8112629209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7f81126292bb in __libc_start_main csu/../csu/libc-start.c:389:3
    #19 0x55ef098c04f0 in _start (/llvm-build/asan-test/bin/llvm-ar+0x3a114f0)

0x6120000001cf is located 106 bytes to the right of 293-byte region [0x612000000040,0x612000000165)
allocated by thread T0 here:
    #0 0x55ef09974c5d in operator new(unsigned long, std::nothrow_t const&) /llvm/compiler-rt/lib/asan/asan_new_delete.cpp:101:3
    #1 0x55ef0a9876db in llvm::WritableMemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&, std::optional<llvm::Align>) /llvm/llvm/lib/Support/MemoryBuffer.cpp:313:34
    #2 0x55ef0a987fb2 in llvm::ErrorOr<std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>> getOpenFileImpl<llvm::MemoryBuffer>(int, llvm::Twine const&, unsigned long, unsigned long, long, bool, bool, std::optional<llvm::Align>) /llvm/llvm/lib/Support/MemoryBuffer.cpp:493:7
    #3 0x55ef0a986f7a in llvm::ErrorOr<std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>> getFileAux<llvm::MemoryBuffer>(llvm::Twine const&, unsigned long, unsigned long, bool, bool, bool, std::optional<llvm::Align>) /llvm/llvm/lib/Support/MemoryBuffer.cpp:272:14
    #4 0x55ef0a986d95 in llvm::MemoryBuffer::getFile(llvm::Twine const&, bool, bool, bool, std::optional<llvm::Align>) /llvm/llvm/lib/Support/MemoryBuffer.cpp:251:10
    #5 0x55ef0997c412 in performOperation(ArchiveOperation) /llvm/llvm/tools/llvm-ar/llvm-ar.cpp:1138:48
    #6 0x55ef09979bb1 in ar_main /llvm/llvm/tools/llvm-ar/llvm-ar.cpp:1413:10
    #7 0x55ef09979bb1 in llvm_ar_main(int, char**) /llvm/llvm/tools/llvm-ar/llvm-ar.cpp:1482:12
    #8 0x7f8112629209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /llvm/llvm/lib/Support/StringRef.cpp:319:39 in llvm::StringRef::find_last_not_of(llvm::StringRef, unsigned long) const
Shadow bytes around the buggy address:
  0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa fa
=>0x0c247fff8030: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2063113==ABORTING

--

********************
Testing:  0.. 10.. 20.. 30.. 40.. 50.. 60.. 70.. 80.. 90.. 
********************
Failed Tests (1):
  LLVM :: Object/archive-big-malformed-first-member.test


Testing Time: 2.17s
  Excluded: 44834
  Passed  :     4
  Failed  :     1
FAILED: test/CMakeFiles/check-llvm /llvm-build/asan-test/test/CMakeFiles/check-llvm 
cd /llvm-build/asan-test/test && /usr/bin/python3.10 /llvm-build/asan-test/./bin/llvm-lit -sv /llvm-build/asan-test/test
ninja: build stopped: subcommand failed.
lkail reopened this revision.Dec 19 2022, 2:41 PM

Thanks for reverting it in time. I'll have a look at the failure and fix it.

This revision is now accepted and ready to land.Dec 19 2022, 2:41 PM
lkail updated this revision to Diff 484731.Dec 21 2022, 7:03 PM

Check if the offset of the first member is still in the buffer. Fixed asan errors.

Herald added a subscriber: hiraditya. · View Herald TranscriptDec 21 2022, 7:03 PM
lkail requested review of this revision.Dec 21 2022, 7:03 PM
lkail added a reviewer: jhenderson.
Harbormaster completed remote builds in B204501: Diff 484731.Dec 21 2022, 7:52 PM
lkail added a comment.Jan 4 2023, 9:34 PM

Ping.

shchenz added a reviewer: stephenpeckham.Jan 9 2023, 4:25 PM
DiggerLin accepted this revision.Jan 12 2023, 8:18 AM

LGTM

This revision is now accepted and ready to land.Jan 12 2023, 8:18 AM
This revision was landed with ongoing or failed builds.Jan 29 2023, 10:07 PM
Closed by commit rG7f0003c19c3a: [AIX][BigArchive] Treat the archive is empty if the first child member offset… (authored by lkail). · Explain Why
This revision was automatically updated to reflect the committed changes.
lkail added a commit: rG7f0003c19c3a: [AIX][BigArchive] Treat the archive is empty if the first child member offset….
jhenderson added a comment.Jan 30 2023, 2:18 AM

@lkail, please could you update the tests as directed inline. We don't use grep in new tests, and use FileCheck instead. There are plenty of examples in existing tests of how to use FileCheck. Also, I always recommend that test comments (as opposed to lit directives) should use ## rather than just #.

Please either revert and update the tests, or create a new patch to update the tests as suggested.

llvm/test/Object/archive-big-malformed-first-member.test
5

grep is deprecated in testing. Please use FileCheck instead. Please update these tests to not use grep.

llvm/test/Object/archive-big-read-empty-with-freelist.test
2

This test will pass spuriously if the error message is ever updated, which is certainly not impossible. Is the output completely empty, or is there some other output you could check and then show that nothing else is present?

lkail added inline comments.Jan 30 2023, 3:57 AM
llvm/test/Object/archive-big-read-empty-with-freelist.test
2

Thanks for pointing it out. The output is indeed empty. I've posted https://reviews.llvm.org/D142883 to address your comments.

hctim added a comment.Jan 30 2023, 9:41 AM

Looks like this patch still causes errors on the ASan buildbot, even with D142883 patched in.

You can reproduce using the upstream buildbots (https://github.com/google/sanitizers/wiki/SanitizerBotReproduceBuild), but a quick-asan-build that's hacked together might be easier for iterative testing:

$ cmake \
-DLLVM_ENABLE_ASSERTIONS=ON \
-DCMAKE_C_COMPILER=clang \
-DCMAKE_CXX_COMPILER=clang++ \
-DLLVM_USE_LINKER=lld \
-GNinja \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_C_FLAGS="-fsanitize=address" \
-DCMAKE_CXX_FLAGS="-fsanitize=address" \
-DLLVM_ENABLE_PROJECTS="'clang;lld;clang-tools-extra;mlir'" \
-DLLVM_ENABLE_RUNTIMES="libcxx;libcxxabi" \
-DLLVM_LIBC_ENABLE_LINTING=OFF \
-DLLVM_USE_SANITIZER=Address \
-DLLVM_ENABLE_ASSERTIONS=On \
/llvm/llvm
$ LIT_OPTS='--filter=Object/archive-big-malformed-first-member.test' ninja check-llvm
[0/1] Running the LLVM regression tests
-- Testing: 1 of 47854 tests, 1 workers --
Testing: 
FAIL: LLVM :: Object/archive-big-malformed-first-member.test (1 of 1)
******************** TEST 'LLVM :: Object/archive-big-malformed-first-member.test' FAILED ********************
Script:
--
: 'RUN: at line 2';   echo    "<bigaf>" > /llvm-build/asan-test/test/Object/Output/archive-big-malformed-first-member.test.tmp.a
: 'RUN: at line 3';   echo -n "0                   0                   0                   128                 0                   0                   " >> /llvm-build/asan-test/test/Object/Output/archive-big-malformed-first-member.test.tmp.a
: 'RUN: at line 4';   not /llvm-build/asan-test/bin/llvm-ar tv /llvm-build/asan-test/test/Object/Output/archive-big-malformed-first-member.test.tmp.a 2>&1 | /llvm-build/asan-test/bin/FileCheck /llvm/llvm/test/Object/archive-big-malformed-first-member.test
: 'RUN: at line 5';   echo    "<bigaf>" > /llvm-build/asan-test/test/Object/Output/archive-big-malformed-first-member.test.tmp.a
: 'RUN: at line 6';   echo -n "0                   0                   0                   28                  0                   0                   " >> /llvm-build/asan-test/test/Object/Output/archive-big-malformed-first-member.test.tmp.a
: 'RUN: at line 7';   not /llvm-build/asan-test/bin/llvm-ar tv /llvm-build/asan-test/test/Object/Output/archive-big-malformed-first-member.test.tmp.a 2>&1 | /llvm-build/asan-test/bin/FileCheck /llvm/llvm/test/Object/archive-big-malformed-first-member.test
--
Exit Code: 1

Command Output (stderr):
--
/llvm/llvm/test/Object/archive-big-malformed-first-member.test:8:10: error: CHECK: expected string not found in input
# CHECK: truncated or malformed archive
         ^
<stdin>:1:1: note: scanning from here
=================================================================
^
<stdin>:26:1: note: possible intended match here
allocated by thread T0 here:
^

Input file: <stdin>
Check file: /llvm/llvm/test/Object/archive-big-malformed-first-member.test

-dump-input=help explains the following input dump.

Input was:
<<<<<<
           1: ================================================================= 
check:8'0     X~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ error: no match found
           2: ==1479148==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000016b at pc 0x55ae87121dfa bp 0x7ffcb19a9d10 sp 0x7ffcb19a9d08 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           3: READ of size 1 at 0x61200000016b thread T0 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           4:  #0 0x55ae87121df9 in llvm::StringRef::find_last_not_of(llvm::StringRef, unsigned long) const /llvm/llvm/lib/Support/StringRef.cpp:307:39 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           5:  #1 0x55ae86ddea92 in rtrim /llvm/llvm/include/llvm/ADT/StringRef.h:798:50 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           6:  #2 0x55ae86ddea92 in getFieldRawString<char, 4UL> /llvm/llvm/lib/Object/Archive.cpp:66:30 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           .
           .
           .
          21:  #17 0x7f54b3a46189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          22:  #18 0x7f54b3a46244 in __libc_start_main csu/../csu/libc-start.c:381:3 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          23:  #19 0x55ae85fd0470 in _start (/llvm-build/asan-test/bin/llvm-ar+0x3a97470) 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          24:  
check:8'0     ~
          25: 0x61200000016b is located 6 bytes to the right of 293-byte region [0x612000000040,0x612000000165) 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          26: allocated by thread T0 here: 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check:8'1     ?                             possible intended match
          27:  #0 0x55ae86084bdd in operator new(unsigned long, std::nothrow_t const&) /llvm/compiler-rt/lib/asan/asan_new_delete.cpp:101:3 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          28:  #1 0x55ae870cf61b in llvm::WritableMemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&, std::optional<llvm::Align>) /llvm/llvm/lib/Support/MemoryBuffer.cpp:313:34 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          29:  #2 0x55ae870cfef2 in llvm::ErrorOr<std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>> getOpenFileImpl<llvm::MemoryBuffer>(int, llvm::Twine const&, unsigned long, unsigned long, long, bool, bool, std::optional<llvm::Align>) /llvm/llvm/lib/Support/MemoryBuffer.cpp:493:7 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          30:  #3 0x55ae870ceeba in llvm::ErrorOr<std::unique_ptr<llvm::MemoryBuffer, std::default_delete<llvm::MemoryBuffer>>> getFileAux<llvm::MemoryBuffer>(llvm::Twine const&, unsigned long, unsigned long, bool, bool, bool, std::optional<llvm::Align>) /llvm/llvm/lib/Support/MemoryBuffer.cpp:272:14 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          31:  #4 0x55ae870cecd5 in llvm::MemoryBuffer::getFile(llvm::Twine const&, bool, bool, bool, std::optional<llvm::Align>) /llvm/llvm/lib/Support/MemoryBuffer.cpp:251:10 
check:8'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           .
           .
           .
>>>>>>

--

********************
Testing:  0.. 10.. 20.. 30.. 40.. 50.. 60.. 70.. 80.. 90.. 
********************
Failed Tests (1):
  LLVM :: Object/archive-big-malformed-first-member.test


Testing Time: 2.36s
  Excluded: 45318
  Failed  :     1
FAILED: test/CMakeFiles/check-llvm /llvm-build/asan-test/test/CMakeFiles/check-llvm 
cd /llvm-build/asan-test/test && /usr/bin/python3 /llvm-build/asan-test/./bin/llvm-lit -sv /llvm-build/asan-test/test
ninja: build stopped: subcommand failed.
hctim added a reverting change: rG09a3aef0f8f4: Revert "[AIX][BigArchive] Treat the archive is empty if the first child member….Jan 30 2023, 9:42 AM
lkail reopened this revision.Jan 31 2023, 2:57 AM

Will add more check on buffer boundary when reading archive content.

This revision is now accepted and ready to land.Jan 31 2023, 2:57 AM
lkail planned changes to this revision.Jan 31 2023, 2:57 AM

You can reproduce using the upstream buildbots (https://github.com/google/sanitizers/wiki/SanitizerBotReproduceBuild), but a quick-asan-build that's hacked together might be easier for iterative testing:

@hctim Much appreciated! It's weird that I can't reproduce it with quick-asan-build, but luckily I can reproduce it following the instructions in the wiki. I'll post a fix soon.

lkail added a reviewer: hctim.Jan 31 2023, 2:59 AM
lkail updated this revision to Diff 493578.Jan 31 2023, 5:48 AM

Add more checks on buffer boundary.

This revision is now accepted and ready to land.Jan 31 2023, 5:48 AM
lkail requested review of this revision.Jan 31 2023, 5:48 AM
jhenderson added a comment.Jan 31 2023, 6:05 AM

As you've reverted this patch and folded in the changes from D142883, you might as well mark D142883 as abandoned.

llvm/lib/Object/Archive.cpp
141

This message isn't covered by any testing it seems?

1185

I don't see a test case that checks this error message. Please add/extend one to cover it.

lkail mentioned this in D142883: [BigArchive][NFC] Enhance test cases introduced in D138986.Jan 31 2023, 6:15 AM
Harbormaster completed remote builds in B210970: Diff 493578.Jan 31 2023, 6:32 AM
lkail updated this revision to Diff 493589.Jan 31 2023, 6:32 AM

Complete error messages.

lkail marked 2 inline comments as done.Jan 31 2023, 6:33 AM
lkail added inline comments.
llvm/lib/Object/Archive.cpp
141

It should be covered by cases existed, I've updated the error message.

lkail marked 3 inline comments as done.Jan 31 2023, 6:34 AM
jhenderson added a comment.Jan 31 2023, 6:35 AM

Thanks, no more comments from me (I'll leave it to the other reviews to confirm they're happy).

Harbormaster completed remote builds in B210978: Diff 493589.Jan 31 2023, 7:45 AM
lkail added a comment.Feb 22 2023, 6:58 PM

Gentle ping.

jhenderson added a comment.Feb 23 2023, 12:51 AM

@Esme/@DiggerLin, could one of you confirm that the changes since your original approval are still good from your point of view, please?

Esme accepted this revision.Feb 27 2023, 11:26 PM

Thanks for fixing the failure. The changes LGTM.

This revision is now accepted and ready to land.Feb 27 2023, 11:26 PM
Closed by commit rGc0d9e5a0a4b8: Reland [AIX][BigArchive] Treat the archive is empty if the first child member… (authored by lkail). · Explain WhyMar 6 2023, 12:33 AM
This revision was automatically updated to reflect the committed changes.
lkail added a commit: rGc0d9e5a0a4b8: Reland [AIX][BigArchive] Treat the archive is empty if the first child member….

Revision Contents

PathSize
llvm/
include/
llvm/
Object/
4 lines
lib/
Object/
16 lines
test/
Object/
15 lines
6 lines

Diff 502543

llvm/include/llvm/Object/Archive.h

Show First 20 LinesShow All 404 Lines▼ Show 20 Linespublic:
const FixLenHdr *ArFixLenHdr; const FixLenHdr *ArFixLenHdr;
uint64_t FirstChildOffset = 0; uint64_t FirstChildOffset = 0;
uint64_t LastChildOffset = 0; uint64_t LastChildOffset = 0;
public: public:
BigArchive(MemoryBufferRef Source, Error &Err); BigArchive(MemoryBufferRef Source, Error &Err);
uint64_t getFirstChildOffset() const override { return FirstChildOffset; } uint64_t getFirstChildOffset() const override { return FirstChildOffset; }
uint64_t getLastChildOffset() const { return LastChildOffset; } uint64_t getLastChildOffset() const { return LastChildOffset; }
bool isEmpty() const override { bool isEmpty() const override { return getFirstChildOffset() == 0; }
EsmeUnsubmitted
Done
ReplyInline Actions

Can we remove the check of Data.getBufferSize() == sizeof(FixLenHdr)? I think getFirstChildOffset() == 0 can cover that case.

Esme: Can we remove the check of `Data.getBufferSize() == sizeof(FixLenHdr)`? I think…
lkailAuthorUnsubmitted
Done
ReplyInline Actions

Good point, it looks reasonable.

lkail: Good point, it looks reasonable.
EsmeUnsubmitted
Not Done
ReplyInline Actions
uint64_t getLastChildOffset() const { return LastChildOffset; }
- bool isEmpty() const override { getFirstChildOffset() == 0; };
+ bool isEmpty() const override { getFirstChildOffset() == 0; }
};
} // end namespace object
Esme:
DiggerLinUnsubmitted
Not Done
ReplyInline Actions

if we have big archive file which only has archive Fixed-Length Header and the fl_fstmoff[20] is not zero. I am not sure that the program is crash or print malform at this situation(the program should not crash) ? if (Data.getBufferSize() == sizeof(FixLenHdr) || getFirstChildOffset() == 0) , I am sure that it not crash.

DiggerLin: if we have big archive file which only has archive Fixed-Length Header and the fl_fstmoff[20]…
lkailAuthorUnsubmitted
Done
ReplyInline Actions

Tried with following case

<bigaf>
0                   0                   0                   128                 0                   0

llvm-ar tv exits silently without this patch. While ar tv prints

ar: 0707-123 The archive file libbar.a is corrupted.  
        The member table is missing.
        The command 'ar -o libbar.a' may restore the member table.

I added a test case for it.

lkail: Tried with following case ``` <bigaf> 0 0 0…
return Data.getBufferSize() == sizeof(FixLenHdr);
};
}; };
} // end namespace object } // end namespace object
} // end namespace llvm } // end namespace llvm
#endif // LLVM_OBJECT_ARCHIVE_H #endif // LLVM_OBJECT_ARCHIVE_H

llvm/lib/Object/Archive.cpp

Show First 20 LinesShow All 129 Lines▼ Show 20 LinesBigArchiveMemberHeader::BigArchiveMemberHeader(const Archive *Parent,
const char *RawHeaderPtr, const char *RawHeaderPtr,
uint64_t Size, Error *Err) uint64_t Size, Error *Err)
: CommonArchiveMemberHeader<BigArMemHdrType>( : CommonArchiveMemberHeader<BigArMemHdrType>(
Parent, reinterpret_cast<const BigArMemHdrType *>(RawHeaderPtr)) { Parent, reinterpret_cast<const BigArMemHdrType *>(RawHeaderPtr)) {
if (RawHeaderPtr == nullptr) if (RawHeaderPtr == nullptr)
return; return;
ErrorAsOutParameter ErrAsOutParam(Err); ErrorAsOutParameter ErrAsOutParam(Err);
if (RawHeaderPtr + getSizeOf() >= Parent->getData().end()) {
if (Err)
*Err = malformedError("malformed AIX big archive: remaining buffer is "
"unable to contain next archive member");
jhendersonUnsubmitted
Done
ReplyInline Actions
*Err = malformedError(
- "Remaining buffer is unable to contain next archive member");
+ "remaining buffer is unable to contain next archive member");
return;

This message isn't covered by any testing it seems?

jhenderson: This message isn't covered by any testing it seems?
lkailAuthorUnsubmitted
Done
ReplyInline Actions

It should be covered by cases existed, I've updated the error message.

lkail: It should be covered by cases existed, I've updated the error message.
return;
}
if (Size < getSizeOf()) { if (Size < getSizeOf()) {
Error SubErr = createMemberHeaderParseError(this, RawHeaderPtr, Size); Error SubErr = createMemberHeaderParseError(this, RawHeaderPtr, Size);
if (Err) if (Err)
*Err = std::move(SubErr); *Err = std::move(SubErr);
} }
} }
// This gets the raw name from the ArMemHdr->Name field and checks that it is // This gets the raw name from the ArMemHdr->Name field and checks that it is
▲ Show 20 LinesShow All 1,021 Lines▼ Show 20 Lines
bool Archive::hasSymbolTable() const { return !SymbolTable.empty(); } bool Archive::hasSymbolTable() const { return !SymbolTable.empty(); }
BigArchive::BigArchive(MemoryBufferRef Source, Error &Err) BigArchive::BigArchive(MemoryBufferRef Source, Error &Err)
: Archive(Source, Err) { : Archive(Source, Err) {
ErrorAsOutParameter ErrAsOutParam(&Err); ErrorAsOutParameter ErrAsOutParam(&Err);
StringRef Buffer = Data.getBuffer(); StringRef Buffer = Data.getBuffer();
ArFixLenHdr = reinterpret_cast<const FixLenHdr *>(Buffer.data()); ArFixLenHdr = reinterpret_cast<const FixLenHdr *>(Buffer.data());
uint64_t BufferSize = Data.getBufferSize();
if (BufferSize < sizeof(FixLenHdr)) {
Err = malformedError("malformed AIX big archive: incomplete fixed length "
jhendersonUnsubmitted
Done
ReplyInline Actions
if (BufferSize < sizeof(FixLenHdr)) {
- Err = malformedError("malformed AIX big archive: Incomplete fixed length "
+ Err = malformedError("malformed AIX big archive: incomplete fixed length "
"header, the archive is only" +

I don't see a test case that checks this error message. Please add/extend one to cover it.

jhenderson: I don't see a test case that checks this error message. Please add/extend one to cover it.
"header, the archive is only" +
Twine(BufferSize) + " byte(s)");
return;
}
StringRef RawOffset = getFieldRawString(ArFixLenHdr->FirstChildOffset); StringRef RawOffset = getFieldRawString(ArFixLenHdr->FirstChildOffset);
if (RawOffset.getAsInteger(10, FirstChildOffset)) if (RawOffset.getAsInteger(10, FirstChildOffset))
// TODO: Out-of-line. // TODO: Out-of-line.
Err = malformedError("malformed AIX big archive: first member offset \"" + Err = malformedError("malformed AIX big archive: first member offset \"" +
RawOffset + "\" is not a number"); RawOffset + "\" is not a number");
RawOffset = getFieldRawString(ArFixLenHdr->LastChildOffset); RawOffset = getFieldRawString(ArFixLenHdr->LastChildOffset);
Show All 10 Lines if (RawOffset.getAsInteger(10, GlobSymOffset))
Err = malformedError( Err = malformedError(
"malformed AIX big archive: global symbol table offset \"" + RawOffset + "malformed AIX big archive: global symbol table offset \"" + RawOffset +
"\" is not a number"); "\" is not a number");
if (Err) if (Err)
return; return;
if (GlobSymOffset > 0) { if (GlobSymOffset > 0) {
uint64_t BufferSize = Data.getBufferSize();
uint64_t GlobalSymTblContentOffset = uint64_t GlobalSymTblContentOffset =
GlobSymOffset + sizeof(BigArMemHdrType); GlobSymOffset + sizeof(BigArMemHdrType);
if (GlobalSymTblContentOffset > BufferSize) { if (GlobalSymTblContentOffset > BufferSize) {
Err = malformedError("global symbol table header at offset 0x" + Err = malformedError("global symbol table header at offset 0x" +
Twine::utohexstr(GlobSymOffset) + " and size 0x" + Twine::utohexstr(GlobSymOffset) + " and size 0x" +
Twine::utohexstr(sizeof(BigArMemHdrType)) + Twine::utohexstr(sizeof(BigArMemHdrType)) +
" goes past the end of file"); " goes past the end of file");
return; return;
▲ Show 20 LinesShow All 41 LinesShow Last 20 Lines

llvm/test/Object/archive-big-malformed-first-member.test

  • This file was added.
## Test reading an archive with malformed header.
# RUN: echo "<bigaf>" > %t.a
# RUN: not llvm-ar tv %t.a 2>&1 | FileCheck --check-prefix=CHECK-HEADER %s
DiggerLinUnsubmitted
Done
ReplyInline Actions

I think you can generate the malform aix-malformed-big-archive.a with following command in test case ( we do not need llvm/test/Object/Inputs/aix-malformed-big-archive.a)

#RUN:  echo "<bigaf>" > %t.a
#RUN:  echo "0                   0                 123                   0                   0                   0" >> %t.a
#RUN:  %python -c "with open('%t.a', 'r+b') as input: input.truncate(128)"
DiggerLin: I think you can generate the malform aix-malformed-big-archive.a with following command in…
DiggerLinUnsubmitted
Done
ReplyInline Actions

there are some examples of using "printf"
you can use
find llvm/test/tools -name "*.test" | xargs grep "printf"

to get the example.

DiggerLin: there are some examples of using "printf" you can use find llvm/test/tools -name "*.test" |…
# CHECK-HEADER: truncated or malformed archive{{.*}}malformed AIX big archive: incomplete fixed length header
jhendersonUnsubmitted
Done
ReplyInline Actions

grep is deprecated in testing. Please use FileCheck instead. Please update these tests to not use grep.

jhenderson: `grep` is deprecated in testing. Please use `FileCheck` instead. Please update these tests to…
## Test reading an empty archive with first member's offset is not zero.
# RUN: echo "<bigaf>" > %t.a
# RUN: echo -n "0 0 0 128 0 0 " >> %t.a
# RUN: not llvm-ar tv %t.a 2>&1 | FileCheck %s
# RUN: echo "<bigaf>" > %t.a
# RUN: echo -n "0 0 0 28 0 0 " >> %t.a
# RUN: not llvm-ar tv %t.a 2>&1 | FileCheck %s
# CHECK: truncated or malformed archive{{.*}}malformed AIX big archive: remaining buffer is unable to contain next archive member

llvm/test/Object/archive-big-read-empty-with-freelist.test

# Test reading an empty archive with free list in it. ## Test reading an empty archive with free list in it, should exit normally.
# RUN: not llvm-ar tv %p/Inputs/aix-empty-big-archive-with-freelist.a 2>&1 \ # RUN: llvm-ar tv %p/Inputs/aix-empty-big-archive-with-freelist.a 2>&1 \
jhendersonUnsubmitted
Done
ReplyInline Actions

This test will pass spuriously if the error message is ever updated, which is certainly not impossible. Is the output completely empty, or is there some other output you could check and then show that nothing else is present?

jhenderson: This test will pass spuriously if the error message is ever updated, which is certainly not…
lkailAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for pointing it out. The output is indeed empty. I've posted https://reviews.llvm.org/D142883 to address your comments.

lkail: Thanks for pointing it out. The output is indeed empty. I've posted https://reviews.llvm.
# RUN: | grep 'truncated or malformed archive' # RUN: | count 0