This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/
-
DebugInfo/DWARF/
-
DWARF/
4
DWARFContext.cpp
-
Object/
1/1
WasmObjectFile.cpp
-
test/tools/llvm-dwarfdump/X86/
-
tools/
-
llvm-dwarfdump/
-
X86/
-
Inputs/
-
oss-fuzz-3219
2
fuzzer.test

Differential D38777

[wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)
ClosedPublic

Authored by vsk on Oct 10 2017, 6:58 PM.

Download Raw Diff

Details

Reviewers

sbc100
aprantl
JDevlieghere

Commits

rG35b50a83aba3: [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)
rL316357: [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)

Summary

A wasm file crafted with a bogus section size can trigger an ASan issue
in the DWARFObjInMemory constructor. Nip the problem in the bud when we
read the wasm section.

Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3219

Diff Detail

Event Timeline

vsk created this revision.Oct 10 2017, 6:58 PM

Herald added subscribers: aheejin, jfb. · View Herald TranscriptOct 10 2017, 6:58 PM

JDevlieghere added inline comments.Oct 13 2017, 3:00 PM

lib/DebugInfo/DWARF/DWARFContext.cpp
1159	Should this be `continue`?

vsk added inline comments.Oct 13 2017, 3:02 PM

lib/DebugInfo/DWARF/DWARFContext.cpp
1159	Oops! Yes. More to the point, the test doesn't cover this code.. I was wondering if you know how to test different error policies?

vsk added inline comments.Oct 13 2017, 3:06 PM

lib/DebugInfo/DWARF/DWARFContext.cpp
1159	Hm, maybe I should just leave this change out.

JDevlieghere added inline comments.Oct 13 2017, 3:15 PM

lib/DebugInfo/DWARF/DWARFContext.cpp
1159	I don't think llvm-dwarfdump implements this yet: it just calls `DWARFContext::create` with the `defaultErrorHandler`. Could you add an option to specify the policy?

sbc100 added inline comments.Oct 18 2017, 12:36 PM

lib/Object/WasmObjectFile.cpp
190	Perhaps do this before the ArrayRef is created and before Ptr is incremented? `if (Ptr + Size > Eof)`
test/tools/llvm-dwarfdump/X86/fuzzer.test
2	Any reason this lives in 'X86'?

Address review feedback, and set aside the dwarfdump changes for later.

test/tools/llvm-dwarfdump/X86/fuzzer.test
2	I think it might be a mistake to conflate the libObject fix here with dwarfdump changes. I'll move the test to test/tools/llvm-objdump.

JDevlieghere accepted this revision.Oct 20 2017, 3:52 PM

This revision is now accepted and ready to land.Oct 20 2017, 3:52 PM

sbc100 accepted this revision.Oct 20 2017, 4:24 PM

Closed by commit rL316357: [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219) (authored by vedantk). · Explain WhyOct 23 2017, 11:05 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

DebugInfo/

DWARF/

DWARFContext.cpp

11 lines

Object/

WasmObjectFile.cpp

8 lines

test/

tools/

llvm-dwarfdump/

X86/

Inputs/

oss-fuzz-3219

fuzzer.test

2 lines

Diff 118524

lib/DebugInfo/DWARF/DWARFContext.cpp

Show First 20 Lines • Show All 1,143 Lines • ▼ Show 20 Lines	DWARFObjInMemory(const object::ObjectFile &Obj, const LoadedObjectInfo *L,
function_ref<ErrorPolicy(Error)> HandleError)		function_ref<ErrorPolicy(Error)> HandleError)
: IsLittleEndian(Obj.isLittleEndian()),		: IsLittleEndian(Obj.isLittleEndian()),
AddressSize(Obj.getBytesInAddress()), FileName(Obj.getFileName()),		AddressSize(Obj.getBytesInAddress()), FileName(Obj.getFileName()),
Obj(&Obj) {		Obj(&Obj) {

StringMap<unsigned> SectionAmountMap;		StringMap<unsigned> SectionAmountMap;
for (const SectionRef &Section : Obj.sections()) {		for (const SectionRef &Section : Obj.sections()) {
StringRef Name;		StringRef Name;
Section.getName(Name);		auto Err = Section.getName(Name);
		if (Err) {
		ErrorPolicy EP = HandleError(
		createError("could not get section name in " + Obj.getFileName(),
		errorCodeToError(Err)));
		if (EP == ErrorPolicy::Halt)
		return;
		return;
		JDevlieghereUnsubmitted Not Done Reply Inline Actions Should this be `continue`? JDevlieghere: Should this be `continue`?
		vskAuthorUnsubmitted Not Done Reply Inline Actions Oops! Yes. More to the point, the test doesn't cover this code.. I was wondering if you know how to test different error policies? vsk: Oops! Yes. More to the point, the test doesn't cover this code.. I was wondering if you know…
		vskAuthorUnsubmitted Not Done Reply Inline Actions Hm, maybe I should just leave this change out. vsk: Hm, maybe I should just leave this change out.
		JDevlieghereUnsubmitted Not Done Reply Inline Actions I don't think llvm-dwarfdump implements this yet: it just calls `DWARFContext::create` with the `defaultErrorHandler`. Could you add an option to specify the policy? JDevlieghere: I don't think llvm-dwarfdump implements this yet: it just calls `DWARFContext::create` with the…
		}

++SectionAmountMap[Name];		++SectionAmountMap[Name];
SectionNames.push_back({ Name, true });		SectionNames.push_back({ Name, true });

// Skip BSS and Virtual sections, they aren't interesting.		// Skip BSS and Virtual sections, they aren't interesting.
if (Section.isBSS() \|\| Section.isVirtual())		if (Section.isBSS() \|\| Section.isVirtual())
continue;		continue;

// Skip sections stripped by dsymutil.		// Skip sections stripped by dsymutil.
▲ Show 20 Lines • Show All 248 Lines • Show Last 20 Lines

lib/Object/WasmObjectFile.cpp

Show First 20 Lines • Show All 172 Lines • ▼ Show 20 Lines
static wasm::WasmTable readTable(const uint8_t *&Ptr) {		static wasm::WasmTable readTable(const uint8_t *&Ptr) {
wasm::WasmTable Table;		wasm::WasmTable Table;
Table.ElemType = readVarint7(Ptr);		Table.ElemType = readVarint7(Ptr);
Table.Limits = readLimits(Ptr);		Table.Limits = readLimits(Ptr);
return Table;		return Table;
}		}

static Error readSection(WasmSection &Section, const uint8_t *&Ptr,		static Error readSection(WasmSection &Section, const uint8_t *&Ptr,
const uint8_t *Start) {		const uint8_t Start, const uint8_t Eof) {
// TODO(sbc): Avoid reading past EOF in the case of malformed files.
Section.Offset = Ptr - Start;		Section.Offset = Ptr - Start;
Section.Type = readVaruint7(Ptr);		Section.Type = readVaruint7(Ptr);
uint32_t Size = readVaruint32(Ptr);		uint32_t Size = readVaruint32(Ptr);
if (Size == 0)		if (Size == 0)
return make_error<StringError>("Zero length section",		return make_error<StringError>("Zero length section",
object_error::parse_failed);		object_error::parse_failed);
Section.Content = ArrayRef<uint8_t>(Ptr, Size);		Section.Content = ArrayRef<uint8_t>(Ptr, Size);
Ptr += Size;		Ptr += Size;
		if (Ptr > Eof)
		sbc100Unsubmitted Done Reply Inline Actions Perhaps do this before the ArrayRef is created and before Ptr is incremented? `if (Ptr + Size > Eof)` sbc100: Perhaps do this before the ArrayRef is created and before Ptr is incremented? `if (Ptr + Size…
		return make_error<StringError>("Section too large",
		object_error::parse_failed);
return Error::success();		return Error::success();
}		}

WasmObjectFile::WasmObjectFile(MemoryBufferRef Buffer, Error &Err)		WasmObjectFile::WasmObjectFile(MemoryBufferRef Buffer, Error &Err)
: ObjectFile(Binary::ID_Wasm, Buffer) {		: ObjectFile(Binary::ID_Wasm, Buffer) {
LinkingData.DataSize = 0;		LinkingData.DataSize = 0;

ErrorAsOutParameter ErrAsOutParam(&Err);		ErrorAsOutParameter ErrAsOutParam(&Err);
Show All 17 Lines	WasmObjectFile::WasmObjectFile(MemoryBufferRef Buffer, Error &Err)
if (Header.Version != wasm::WasmVersion) {		if (Header.Version != wasm::WasmVersion) {
Err = make_error<StringError>("Bad version number",		Err = make_error<StringError>("Bad version number",
object_error::parse_failed);		object_error::parse_failed);
return;		return;
}		}

WasmSection Sec;		WasmSection Sec;
while (Ptr < Eof) {		while (Ptr < Eof) {
if ((Err = readSection(Sec, Ptr, getPtr(0))))		if ((Err = readSection(Sec, Ptr, getPtr(0), Eof)))
return;		return;
if ((Err = parseSection(Sec)))		if ((Err = parseSection(Sec)))
return;		return;

Sections.push_back(Sec);		Sections.push_back(Sec);
}		}
}		}

▲ Show 20 Lines • Show All 818 Lines • Show Last 20 Lines

test/tools/llvm-dwarfdump/X86/Inputs/oss-fuzz-3219

This binary file was added.

test/tools/llvm-dwarfdump/X86/fuzzer.test

This file was added.

				RUN: not llvm-dwarfdump %S/Inputs/oss-fuzz-3219 2>&1 \| FileCheck --check-prefix=FUZZ3219 %s
				FUZZ3219: oss-fuzz-3219: Invalid data was encountered while parsing the file
				sbc100Unsubmitted Not Done Reply Inline Actions Any reason this lives in 'X86'? sbc100: Any reason this lives in 'X86'?
				vskAuthorUnsubmitted Not Done Reply Inline Actions I think it might be a mistake to conflate the libObject fix here with dwarfdump changes. I'll move the test to test/tools/llvm-objdump. vsk: I think it might be a mistake to conflate the libObject fix here with dwarfdump changes. I'll…