This is an archive of the discontinued LLVM Phabricator instance.

Differential D25518

[ELF] - Handle broken size field of compressed sections header.
AbandonedPublic

Authored by grimar on Oct 12 2016, 8:53 AM.

Details

Reviewers
ruiu
davide
rafael
Summary

Patch fixes issue when 32bit host may have overflow after assigning ch_size to size_t.
Also adds uncompressed section size limit to help in diagnostic of broken inputs.

Diff Detail

Event Timeline

grimar updated this revision to Diff 74389.Oct 12 2016, 8:53 AM
grimar retitled this revision from to [ELF] - Handle broken size field of compressed sections header..
grimar updated this object.
grimar added reviewers: ruiu, rafael, davide.
grimar added subscribers: llvm-commits, grimar, evgeny777.
davide edited edge metadata.Oct 12 2016, 9:05 AM

Independently from this patch. Are we really trying to fully support 32-bit hosts? We mmap() the whole set of input which I think very likely causes shortage of VA on 32-bit platforms.

grimar added a comment.Oct 12 2016, 9:07 AM
In D25518#568300, @davide wrote:

Independently from this patch. Are we really trying to fully support 32-bit hosts? We mmap() the whole set of input which I think very likely causes shortage of VA on 32-bit platforms.

Do you think we should check if 32 bits host is used to link 64 bit app and just error out before trying to link ?

ruiu edited edge metadata.Oct 12 2016, 10:39 AM

Our current policy is essentially to trust file contents but reject silly apparent errors. We are not trying to recover from all possible crashes (and this patch doesn't save the linker from crashing neither -- but instead it makes the linker to kill itself after printing out an error message.) Naturally, there are a lot of places left we can add error checking, but in most places we don't as a policy. When you add a check like this, I think you want to show that why this is special among other possible errors. Otherwise, we'd have tons of error checks in our code base and still the linker crashes for broken inputs.

As to 32-bit hosts, I think we want to support it, because, why not? You cannot create >4GB binary on 32 bit, but as long as it is smaller than a few gigs, LLD should work fine.

grimar added a comment.Oct 13 2016, 1:46 AM
In D25518#568396, @ruiu wrote:

When you add a check like this, I think you want to show that why this is special among other possible errors. Otherwise, we'd have tons of error checks in our code base and still the linker crashes for broken inputs.

This error check at least special for 32 bit hosts. As if overflow happens here, user will get probably get error "error uncompressing section" instead of real reason "uncompressed section size is too large". Isn't that useful ?

grimar abandoned this revision.Dec 2 2016, 11:47 PM

Depricated.

Revision Contents

PathSize
ELF/
4 lines
test/
ELF/
invalid/
Inputs/
7 lines

Diff 74389

ELF/InputSection.cpp

Show First 20 LinesShow All 109 Lines▼ Show 20 Linestemplate <class ELFT> void InputSectionBase<ELFT>::uncompress() {
if (Data.size() < sizeof(Elf_Chdr)) if (Data.size() < sizeof(Elf_Chdr))
fatal("corrupt compressed section"); fatal("corrupt compressed section");
auto *Hdr = reinterpret_cast<const Elf_Chdr *>(Data.data()); auto *Hdr = reinterpret_cast<const Elf_Chdr *>(Data.data());
Data = Data.slice(sizeof(Elf_Chdr)); Data = Data.slice(sizeof(Elf_Chdr));
if (Hdr->ch_type != ELFCOMPRESS_ZLIB) if (Hdr->ch_type != ELFCOMPRESS_ZLIB)
fatal(getName(this) + ": unsupported compression type"); fatal(getName(this) + ": unsupported compression type");
// We check that uncompressed section size is not greater than 2^40
// because it seems to be reasonable limit to protect from broken inputs.
if (Hdr->ch_size > SIZE_MAX || Hdr->ch_size > 0x10000000000)
fatal(getName(this) + ": uncompressed section size is too large");
StringRef Buf((const char *)Data.data(), Data.size()); StringRef Buf((const char *)Data.data(), Data.size());
size_t UncompressedDataSize = Hdr->ch_size; size_t UncompressedDataSize = Hdr->ch_size;
UncompressedData.reset(new char[UncompressedDataSize]); UncompressedData.reset(new char[UncompressedDataSize]);
if (zlib::uncompress(Buf, UncompressedData.get(), UncompressedDataSize) != if (zlib::uncompress(Buf, UncompressedData.get(), UncompressedDataSize) !=
zlib::StatusOK) zlib::StatusOK)
fatal(getName(this) + ": error uncompressing section"); fatal(getName(this) + ": error uncompressing section");
Data = ArrayRef<uint8_t>((uint8_t *)UncompressedData.get(), Data = ArrayRef<uint8_t>((uint8_t *)UncompressedData.get(),
▲ Show 20 LinesShow All 679 LinesShow Last 20 Lines

test/ELF/invalid/Inputs/too-large-compressed-sec.elf

  • This is a binary file.
PropertyOld ValueNew Value
svn:mime-typenullapplication/octet-stream
\ No newline at end of property

test/ELF/invalid/too-large-compressed-sec.s

# REQUIRES: x86
## too-large-compressed-sec.elf contains compressed section
## with broken header containing huge uncompressed section size value.
# RUN: not ld.lld %S/Inputs/common-symbol-alignment.elf \
# RUN: -o %t 2>&1 | FileCheck %s
# CHECK: uncompressed section size is too large