This is an archive of the discontinued LLVM Phabricator instance.

Differential D25279

[ELF] - Do not crash on large output.
AbandonedPublic

Authored by grimar on Oct 5 2016, 7:22 AM.

Details

Reviewers
ruiu
davide
rafael
Summary

I found at least 2 possible situations when we may crash on large outputs:

Imagine we have large section sizes. It is simulated in a testcase by providing alignment of 0xFFFFFFFF for 32 bit target.
Then overflow may happen during assigning offsets.

Diff Detail

Event Timeline

grimar updated this revision to Diff 73644.Oct 5 2016, 7:22 AM
grimar retitled this revision from to [ELF] - Do not crash on large output..
grimar updated this object.
grimar added reviewers: ruiu, rafael, davide.
grimar updated this object.
grimar added subscribers: llvm-commits, grimar, evgeny777.
ruiu added inline comments.Oct 5 2016, 10:33 AM
ELF/Writer.cpp
1388–1389

You should consider the following four cases.

Host / Target
32/32 - This check will never fail and silently create broken file.
32/64 - This check will never fail but if you attempt to create a file larger than 4GB, the linker will crash at some point because we are using MMAP IO and the result won't fit in the memory space.
64/32 - This check can catch errors.
64/64 - This check will never fail and silently create broken files.

As you can see, it results in pretty inconsistent behavior.

If you really want to do something about it, please do this.

  • Change FileSize's type to uint64_t
  • and verify that FileSize < SIZE_MAX && FileSize < sizeof(uintX_t)*8.
grimar added inline comments.Oct 6 2016, 2:06 AM
ELF/Writer.cpp
1388–1389

Host / Target
32/32 - This check will never fail and silently create broken file.

Will never fail, but will never create broken file also I think. Unless you mean that overflow of FileSize can happen earlier ? That true and that is what I am trying to diagnose in setOffset(). Changing FileSize type to uint64_t probably can help here, but unfortunately not for 64/64 case below.

32/64 - This check will never fail but if you attempt to create a file larger than 4GB, the linker will crash at some point because we are using MMAP IO and the result won't fit in the memory space.

Agree.

64/32 - This check can catch errors.

Ok.

64/64 - This check will never fail and silently create broken files.

The same as 32/32 I think, but with one more detail.
Do I correctrly understand your idea that you want remove code from setOffset() and just do these 2 suggested changes ? If so I can imaging easy testcase that can break it: just x64 object with section alignment of 0xFFFFFFFFFFFFFFFF (similar to what I have for i386 now) will cause overflow in setOffset() and suggested check will not work :(

So do you think we should just ignore possible fail of 64/64 case and just stop on your suggested change ?

grimar added a comment.Oct 6 2016, 9:39 AM

I`ll try to update this tomorrow. Found that VA also may overflow in next assignAddresses():

template <class ELFT> void Writer<ELFT>::assignAddresses() {
  uintX_t VA = Config->ImageBase + getHeaderSize<ELFT>();
...

And VA affects on how we do calculate offsets.

rafael added inline comments.Oct 6 2016, 10:25 AM
ELF/Writer.cpp
1233

I wonder how many cases there can be where overflow and if there is a general solution.

How was this crashing before?

1388

Maybe move this to another patch?

test/ELF/invalid/too-large-output-i386.s
4

Can you create this with yaml2obj?

grimar added inline comments.Oct 6 2016, 1:24 PM
test/ELF/invalid/too-large-output-i386.s
4

Nope.
Actually I can, but result binary will be too large.

section-alignment.test creates file with big alignment:

Sections:
  - Name:            .text
    Type:            SHT_PROGBITS
    Flags:           [ SHF_ALLOC, SHF_EXECINSTR ]
    AddressAlign:    0x1000000000000001
    Content:         "00000000"

But that works fine only because AddressAlign is casted to unsigned inside yaml2obj and truncated to 0 finally. So produced binary is little.
But 0xFFFFFFFF value will produce huge binary, what probably not good for testcase.

I noticed this behavior today, not sure how much it is correct.

grimar added inline comments.Oct 6 2016, 2:02 PM
ELF/Writer.cpp
1233

Yes, that is a problem, solution is not general :( Crash was because of overflow of Off that is used to calculate FileSize.
So file created was little and it then crashes in writeTo during writing output sections.
We do not check end of buffer there. Probably it can be a that "general solution". I`ll try to do domething tomorrow with that.

grimar updated this revision to Diff 73904.Oct 7 2016, 3:52 AM
grimar updated this object.
  • Addressed review comments.
grimar updated this revision to Diff 73908.Oct 7 2016, 4:11 AM
  • Restored testcase missing in latest diff.
  • Improved error diagnostic messages.
ruiu added inline comments.Oct 7 2016, 2:18 PM
ELF/Writer.cpp
1165

This is I think just too much. We shouldn't introduce this integer-ish class just to check for overflow.

grimar mentioned this in D25467: [ELF] - Alternative fix to prevent possible crash on large output..Oct 11 2016, 4:30 AM
grimar added inline comments.Oct 11 2016, 4:32 AM
ELF/Writer.cpp
1165

Posted different approach: D25467

grimar abandoned this revision.Dec 2 2016, 11:47 PM

Depricated.

grimar mentioned this in D27712: [ELF] - Do not crash when move location counter backward..Dec 14 2016, 4:25 AM

Revision Contents

PathSize
ELF/
Writer.cpp
Writer.cpp (revision 283532)
39 lines
test/
ELF/
invalid/
Inputs/
too-large-output-i386.elf
too-large-output-i386.elf (nonexistent)
too-large-output-i386.s
too-large-output-i386.s (nonexistent)
7 lines

Diff 73908

ELF/Writer.cpp

Show First 20 LinesShow All 1,156 Lines▼ Show 20 Lines if (needsPtLoad(Sec)) {
uintX_t TVA = VA + ThreadBssOffset; uintX_t TVA = VA + ThreadBssOffset;
TVA = alignTo(TVA, Alignment); TVA = alignTo(TVA, Alignment);
Sec->setVA(TVA); Sec->setVA(TVA);
ThreadBssOffset = TVA - VA + Sec->getSize(); ThreadBssOffset = TVA - VA + Sec->getSize();
} }
} }
} }
template <class T> class CheckedType {
ruiuUnsubmitted
Not Done
ReplyInline Actions

This is I think just too much. We shouldn't introduce this integer-ish class just to check for overflow.

ruiu: This is I think just too much. We shouldn't introduce this integer-ish class just to check for…
grimarAuthorUnsubmitted
Not Done
ReplyInline Actions

Posted different approach: D25467

grimar: Posted different approach: D25467
T Val;
StringRef Err;
public:
CheckedType(T Val, StringRef Err) : Val(Val), Err(Err){};
operator uint64_t() { return Val; }
operator uint32_t() {
if (Val > UINT32_MAX)
fatal(Err + "checked type operation overflow");
return Val;
}
template <class T2> CheckedType operator+(T2 R) {
if (R > getMax() || (this->Val > getMax() - R))
fatal(Err + "checked type operation overflow");
return {this->Val + R, Err};
}
template <class T2> CheckedType operator-(T2 R) {
if (R > this->Val)
fatal(Err + "checked type operation overflow");
return {this->Val - R, Err};
}
private:
T getMax() { return std::numeric_limits<typename T>::max(); }
};
template <class T> CheckedType<T> makeChecked(T Val, StringRef S) {
return CheckedType<T>(Val, S);
}
// Adjusts the file alignment for a given output section and returns // Adjusts the file alignment for a given output section and returns
// its new file offset. The file offset must be the same with its // its new file offset. The file offset must be the same with its
// virtual address (modulo the page size) so that the loader can load // virtual address (modulo the page size) so that the loader can load
// executables without any address adjustment. // executables without any address adjustment.
template <class ELFT, class uintX_t> template <class ELFT, class uintX_t>
static uintX_t getFileAlignment(uintX_t Off, OutputSectionBase<ELFT> *Sec) { static uintX_t getFileAlignment(uintX_t Off, OutputSectionBase<ELFT> *Sec) {
uintX_t Alignment = Sec->getAlignment(); uintX_t Alignment = Sec->getAlignment();
if (Sec->PageAlign) if (Sec->PageAlign)
Alignment = std::max<uintX_t>(Alignment, Config->MaxPageSize); Alignment = std::max<uintX_t>(Alignment, Config->MaxPageSize);
Off = alignTo(Off, Alignment); Off = alignTo(Off, Alignment);
OutputSectionBase<ELFT> *First = Sec->FirstInPtLoad; OutputSectionBase<ELFT> *First = Sec->FirstInPtLoad;
// If the section is not in a PT_LOAD, we have no other constraint. // If the section is not in a PT_LOAD, we have no other constraint.
if (!First) if (!First)
return Off; return Off;
// If two sections share the same PT_LOAD the file offset is calculated using // If two sections share the same PT_LOAD the file offset is calculated using
// this formula: Off2 = Off1 + (VA2 - VA1). // this formula: Off2 = Off1 + (VA2 - VA1).
if (Sec == First) if (Sec == First)
return alignTo(Off, Target->MaxPageSize, Sec->getVA()); return alignTo(Off, Target->MaxPageSize, Sec->getVA());
return First->getFileOffset() + Sec->getVA() - First->getVA(); return makeChecked(First->getFileOffset(), "getFileAlignment failed: ") +
Sec->getVA() - First->getVA();
} }
template <class ELFT, class uintX_t> template <class ELFT, class uintX_t>
void setOffset(OutputSectionBase<ELFT> *Sec, uintX_t &Off) { void setOffset(OutputSectionBase<ELFT> *Sec, uintX_t &Off) {
if (Sec->getType() == SHT_NOBITS) { if (Sec->getType() == SHT_NOBITS) {
Sec->setFileOffset(Off); Sec->setFileOffset(Off);
return; return;
} }
Off = getFileAlignment<ELFT>(Off, Sec); Off = getFileAlignment<ELFT>(Off, Sec);
Sec->setFileOffset(Off); Sec->setFileOffset(Off);
Off += Sec->getSize(); Off = makeChecked(Off, "setOffset failed: ") + Sec->getSize();
} }
rafaelUnsubmitted
Not Done
ReplyInline Actions

I wonder how many cases there can be where overflow and if there is a general solution.

How was this crashing before?

rafael: I wonder how many cases there can be where overflow and if there is a general solution. How…
grimarAuthorUnsubmitted
Not Done
ReplyInline Actions

Yes, that is a problem, solution is not general :( Crash was because of overflow of Off that is used to calculate FileSize.
So file created was little and it then crashes in writeTo during writing output sections.
We do not check end of buffer there. Probably it can be a that "general solution". I`ll try to do domething tomorrow with that.

grimar: Yes, that is a problem, solution is not general :( Crash was because of overflow of Off that is…
template <class ELFT> void Writer<ELFT>::assignFileOffsetsBinary() { template <class ELFT> void Writer<ELFT>::assignFileOffsetsBinary() {
uintX_t Off = 0; uintX_t Off = 0;
for (OutputSectionBase<ELFT> *Sec : OutputSections) for (OutputSectionBase<ELFT> *Sec : OutputSections)
if (Sec->getFlags() & SHF_ALLOC) if (Sec->getFlags() & SHF_ALLOC)
setOffset(Sec, Off); setOffset(Sec, Off);
FileSize = alignTo(Off, sizeof(uintX_t)); FileSize = alignTo(Off, sizeof(uintX_t));
} }
▲ Show 20 LinesShow All 138 Lines▼ Show 20 Linestemplate <class ELFT> void Writer<ELFT>::writeHeader() {
// Write the section header table. Note that the first table entry is null. // Write the section header table. Note that the first table entry is null.
auto *SHdrs = reinterpret_cast<Elf_Shdr *>(Buf + EHdr->e_shoff); auto *SHdrs = reinterpret_cast<Elf_Shdr *>(Buf + EHdr->e_shoff);
for (OutputSectionBase<ELFT> *Sec : OutputSections) for (OutputSectionBase<ELFT> *Sec : OutputSections)
Sec->writeHeaderTo(++SHdrs); Sec->writeHeaderTo(++SHdrs);
} }
template <class ELFT> void Writer<ELFT>::openFile() { template <class ELFT> void Writer<ELFT>::openFile() {
ErrorOr<std::unique_ptr<FileOutputBuffer>> BufferOrErr = ErrorOr<std::unique_ptr<FileOutputBuffer>> BufferOrErr =
rafaelUnsubmitted
Not Done
ReplyInline Actions

Maybe move this to another patch?

rafael: Maybe move this to another patch?
FileOutputBuffer::create(Config->OutputFile, FileSize, FileOutputBuffer::create(Config->OutputFile, FileSize,
ruiuUnsubmitted
Not Done
ReplyInline Actions

You should consider the following four cases.

Host / Target
32/32 - This check will never fail and silently create broken file.
32/64 - This check will never fail but if you attempt to create a file larger than 4GB, the linker will crash at some point because we are using MMAP IO and the result won't fit in the memory space.
64/32 - This check can catch errors.
64/64 - This check will never fail and silently create broken files.

As you can see, it results in pretty inconsistent behavior.

If you really want to do something about it, please do this.

  • Change FileSize's type to uint64_t
  • and verify that FileSize < SIZE_MAX && FileSize < sizeof(uintX_t)*8.
ruiu: You should consider the following four cases. Host / Target 32/32 - This check will never…
grimarAuthorUnsubmitted
Not Done
ReplyInline Actions

Host / Target
32/32 - This check will never fail and silently create broken file.

Will never fail, but will never create broken file also I think. Unless you mean that overflow of FileSize can happen earlier ? That true and that is what I am trying to diagnose in setOffset(). Changing FileSize type to uint64_t probably can help here, but unfortunately not for 64/64 case below.

32/64 - This check will never fail but if you attempt to create a file larger than 4GB, the linker will crash at some point because we are using MMAP IO and the result won't fit in the memory space.

Agree.

64/32 - This check can catch errors.

Ok.

64/64 - This check will never fail and silently create broken files.

The same as 32/32 I think, but with one more detail.
Do I correctrly understand your idea that you want remove code from setOffset() and just do these 2 suggested changes ? If so I can imaging easy testcase that can break it: just x64 object with section alignment of 0xFFFFFFFFFFFFFFFF (similar to what I have for i386 now) will cause overflow in setOffset() and suggested check will not work :(

So do you think we should just ignore possible fail of 64/64 case and just stop on your suggested change ?

grimar: >Host / Target >32/32 - This check will never fail and silently create broken file. Will never…
FileOutputBuffer::F_executable); FileOutputBuffer::F_executable);
if (auto EC = BufferOrErr.getError()) if (auto EC = BufferOrErr.getError())
error(EC, "failed to open " + Config->OutputFile); error(EC, "failed to open " + Config->OutputFile);
else else
Buffer = std::move(*BufferOrErr); Buffer = std::move(*BufferOrErr);
} }
template <class ELFT> void Writer<ELFT>::writeSectionsBinary() { template <class ELFT> void Writer<ELFT>::writeSectionsBinary() {
▲ Show 20 LinesShow All 57 LinesShow Last 20 Lines

test/ELF/invalid/Inputs/too-large-output-i386.elf

  • This is a binary file.
PropertyOld ValueNew Value
svn:mime-type nullapplication/octet-stream
\ No newline at end of property

test/ELF/invalid/too-large-output-i386.s

# REQUIRES: x86
## too-large-output-i386.elf contains section with address align.
## of 0xFFFFFFFF. Total file size calculation overflows because of that.
rafaelUnsubmitted
Not Done
ReplyInline Actions

Can you create this with yaml2obj?

rafael: Can you create this with yaml2obj?
grimarAuthorUnsubmitted
Not Done
ReplyInline Actions

Nope.
Actually I can, but result binary will be too large.

section-alignment.test creates file with big alignment:

Sections:
  - Name:            .text
    Type:            SHT_PROGBITS
    Flags:           [ SHF_ALLOC, SHF_EXECINSTR ]
    AddressAlign:    0x1000000000000001
    Content:         "00000000"

But that works fine only because AddressAlign is casted to unsigned inside yaml2obj and truncated to 0 finally. So produced binary is little.
But 0xFFFFFFFF value will produce huge binary, what probably not good for testcase.

I noticed this behavior today, not sure how much it is correct.

grimar: Nope. Actually I can, but result binary will be too large. section-alignment.test creates…
# RUN: not ld.lld -shared %S/Inputs/too-large-output-i386.elf -o %t 2>&1 \
# RUN: | FileCheck %s
# CHECK: checked type operation overflow