This is an archive of the discontinued LLVM Phabricator instance.

[MachO] Prevent heap overflow when load command extends past EOF
ClosedPublic

Authored by JDevlieghere on Sep 4 2017, 8:23 AM.

Download Raw Diff

Details

Reviewers

• rafael
Bigcheese
enderby
aprantl

Commits

rG81f5abe1add3: [MachO] Prevent heap overflow when load command extends past EOF
rL313145: [MachO] Prevent heap overflow when load command extends past EOF

Summary

This patch fixes a heap-buffer-overflow when a malformed Mach-O has a
load command who's size extends past the end of the binary.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3225

Diff Detail

Repository: rL LLVM

Event Timeline

JDevlieghere created this revision.Sep 4 2017, 8:23 AM

Looks good (but I don't know this code).
Thanks for adding the test input -- once the shallow bugs are cleaned up I'll use test/Object/Inputs/ as the seed corpus.

I've run the fuzzer manually and the most frequent failure looks like this:

LLVM ERROR: Invalid data was encountered while parsing the file
 #7 0x560c25 in llvm::object::RelocVisitor::getELFAddend(llvm::object::RelocationRef) Object/RelocVisitor.h:120:7

(and a few similar ones)

Are these something you could fix as well?
W/o fixing these, fuzzing won't go deep (as it crashes almost instantly)

In D37439#860575, @kcc wrote:

Looks good (but I don't know this code).
Thanks for adding the test input -- once the shallow bugs are cleaned up I'll use test/Object/Inputs/ as the seed corpus.

Thanks Kostya!

I've run the fuzzer manually and the most frequent failure looks like this:
LLVM ERROR: Invalid data was encountered while parsing the file
 #7 0x560c25 in llvm::object::RelocVisitor::getELFAddend(llvm::object::RelocationRef) Object/RelocVisitor.h:120:7
(and a few similar ones)

Are these something you could fix as well?
W/o fixing these, fuzzing won't go deep (as it crashes almost instantly)

I'll have a look if I can find some spare time, but I'll be focussing on the Mach-O stuff mostly.

• rafael removed a reviewer: enderby.Sep 6 2017, 11:23 AM

aprantl added a reviewer: enderby.Sep 7 2017, 2:52 PM

ping

aprantl added inline comments.Sep 12 2017, 8:46 AM

lib/Object/MachOObjectFile.cpp
186 ↗	(On Diff #113756)	What happens on a 32-bit platform when cmdsize is so large that the addition wraps around? Or is cmdsize < 32bit ?

Okay, thanks for the explanation, Kevin!

This revision is now accepted and ready to land.Sep 12 2017, 2:24 PM

Closed by commit rL313145: [MachO] Prevent heap overflow when load command extends past EOF (authored by JDevlieghere). · Explain WhySep 13 2017, 6:44 AM

This revision was automatically updated to reflect the committed changes.

Thank you very much for addressing this!
Oss-fuzz has just confirmed the bug is fixed.

Revision Contents

Path

Size

llvm/

trunk/

lib/

Object/

MachOObjectFile.cpp

5 lines

test/

Object/

Inputs/

macho-invalid-dylib-cmdsize-past-eof

macho-invalid.test

3 lines

Diff 115031

llvm/trunk/lib/Object/MachOObjectFile.cpp

Show First 20 Lines • Show All 177 Lines • ▼ Show 20 Lines	static uint32_t getSectionFlags(const MachOObjectFile &O,
MachO::section Sect = O.getSection(Sec);		MachO::section Sect = O.getSection(Sec);
return Sect.flags;		return Sect.flags;
}		}

static Expected<MachOObjectFile::LoadCommandInfo>		static Expected<MachOObjectFile::LoadCommandInfo>
getLoadCommandInfo(const MachOObjectFile &Obj, const char *Ptr,		getLoadCommandInfo(const MachOObjectFile &Obj, const char *Ptr,
uint32_t LoadCommandIndex) {		uint32_t LoadCommandIndex) {
if (auto CmdOrErr = getStructOrErr<MachO::load_command>(Obj, Ptr)) {		if (auto CmdOrErr = getStructOrErr<MachO::load_command>(Obj, Ptr)) {
		if (CmdOrErr->cmdsize + Ptr > Obj.getData().end())
		return malformedError("load command " + Twine(LoadCommandIndex) +
		" extends past end of file");
if (CmdOrErr->cmdsize < 8)		if (CmdOrErr->cmdsize < 8)
return malformedError("load command " + Twine(LoadCommandIndex) +		return malformedError("load command " + Twine(LoadCommandIndex) +
" with size less than 8 bytes");		" with size less than 8 bytes");
return MachOObjectFile::LoadCommandInfo({Ptr, *CmdOrErr});		return MachOObjectFile::LoadCommandInfo({Ptr, *CmdOrErr});
} else		} else
return CmdOrErr.takeError();		return CmdOrErr.takeError();
}		}

▲ Show 20 Lines • Show All 601 Lines • ▼ Show 20 Lines	static Error checkVersCommand(const MachOObjectFile &Obj,
return Error::success();		return Error::success();
}		}

static Error checkNoteCommand(const MachOObjectFile &Obj,		static Error checkNoteCommand(const MachOObjectFile &Obj,
const MachOObjectFile::LoadCommandInfo &Load,		const MachOObjectFile::LoadCommandInfo &Load,
uint32_t LoadCommandIndex,		uint32_t LoadCommandIndex,
std::list<MachOElement> &Elements) {		std::list<MachOElement> &Elements) {
if (Load.C.cmdsize != sizeof(MachO::note_command))		if (Load.C.cmdsize != sizeof(MachO::note_command))
return malformedError("load command " + Twine(LoadCommandIndex) +		return malformedError("load command " + Twine(LoadCommandIndex) +
" LC_NOTE has incorrect cmdsize");		" LC_NOTE has incorrect cmdsize");
MachO::note_command Nt = getStruct<MachO::note_command>(Obj, Load.Ptr);		MachO::note_command Nt = getStruct<MachO::note_command>(Obj, Load.Ptr);
uint64_t FileSize = Obj.getData().size();		uint64_t FileSize = Obj.getData().size();
if (Nt.offset > FileSize)		if (Nt.offset > FileSize)
return malformedError("offset field of LC_NOTE command " +		return malformedError("offset field of LC_NOTE command " +
Twine(LoadCommandIndex) + " extends "		Twine(LoadCommandIndex) + " extends "
"past the end of the file");		"past the end of the file");
uint64_t BigSize = Nt.offset;		uint64_t BigSize = Nt.offset;
▲ Show 20 Lines • Show All 3,709 Lines • Show Last 20 Lines

llvm/trunk/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof

This is a binary file.

llvm/trunk/test/Object/macho-invalid.test

	Show First 20 Lines • Show All 278 Lines • ▼ Show 20 Lines
	INVALID-DYLIB-ID-MORE-THAN-ONE: macho-invalid-dylib-id-more-than-one': truncated or malformed object (more than one LC_ID_DYLIB command)			INVALID-DYLIB-ID-MORE-THAN-ONE: macho-invalid-dylib-id-more-than-one': truncated or malformed object (more than one LC_ID_DYLIB command)

	RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-wrong-filetype 2>&1 \| FileCheck -check-prefix INVALID-DYLIB-WRONG-FILETYPE %s			RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-wrong-filetype 2>&1 \| FileCheck -check-prefix INVALID-DYLIB-WRONG-FILETYPE %s
	INVALID-DYLIB-WRONG-FILETYPE: macho-invalid-dylib-wrong-filetype': truncated or malformed object (LC_ID_DYLIB load command in non-dynamic library file type)			INVALID-DYLIB-WRONG-FILETYPE: macho-invalid-dylib-wrong-filetype': truncated or malformed object (LC_ID_DYLIB load command in non-dynamic library file type)

	RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-no-id 2>&1 \| FileCheck -check-prefix INVALID-DYLIB-NO-ID %s			RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-no-id 2>&1 \| FileCheck -check-prefix INVALID-DYLIB-NO-ID %s
	INVALID-DYLIB-NO-ID: macho-invalid-dylib-no-id': truncated or malformed object (no LC_ID_DYLIB load command in dynamic library filetype)			INVALID-DYLIB-NO-ID: macho-invalid-dylib-no-id': truncated or malformed object (no LC_ID_DYLIB load command in dynamic library filetype)

				RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-cmdsize-past-eof 2>&1 \| FileCheck -check-prefix INVALID-DYLIB-CMDSIZE %s
				INVALID-DYLIB-CMDSIZE: macho-invalid-dylib-cmdsize-past-eof': truncated or malformed object (load command 0 extends past end of file)

	RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-uuid-more-than-one 2>&1 \| FileCheck -check-prefix INVALID-UUID-MORE-THAN-ONE %s			RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-uuid-more-than-one 2>&1 \| FileCheck -check-prefix INVALID-UUID-MORE-THAN-ONE %s
	INVALID-UUID-MORE-THAN-ONE: macho-invalid-uuid-more-than-one': truncated or malformed object (more than one LC_UUID command)			INVALID-UUID-MORE-THAN-ONE: macho-invalid-uuid-more-than-one': truncated or malformed object (more than one LC_UUID command)

	RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-uuid-bad-size 2>&1 \| FileCheck -check-prefix INVALID-UUID-BAD-SIZE %s			RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-uuid-bad-size 2>&1 \| FileCheck -check-prefix INVALID-UUID-BAD-SIZE %s
	INVALID-UUID-BAD-SIZE: macho-invalid-uuid-bad-size': truncated or malformed object (LC_UUID command 0 has incorrect cmdsize)			INVALID-UUID-BAD-SIZE: macho-invalid-uuid-bad-size': truncated or malformed object (LC_UUID command 0 has incorrect cmdsize)

	RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-function_starts-dataoff 2>&1 \| FileCheck -check-prefix INVALID-FUNCTION_STARTS-DATAOFF %s			RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-function_starts-dataoff 2>&1 \| FileCheck -check-prefix INVALID-FUNCTION_STARTS-DATAOFF %s
	INVALID-FUNCTION_STARTS-DATAOFF: macho-invalid-function_starts-dataoff': truncated or malformed object (dataoff field of LC_FUNCTION_STARTS command 0 extends past the end of the file)			INVALID-FUNCTION_STARTS-DATAOFF: macho-invalid-function_starts-dataoff': truncated or malformed object (dataoff field of LC_FUNCTION_STARTS command 0 extends past the end of the file)
	▲ Show 20 Lines • Show All 216 Lines • Show Last 20 Lines