This is an archive of the discontinued LLVM Phabricator instance.

Differential D38777

[wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)
ClosedPublic

Authored by vsk on Oct 10 2017, 6:58 PM.

Details

Reviewers
sbc100
aprantl
JDevlieghere
Commits
rG35b50a83aba3: [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)
rL316357: [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)
Summary

A wasm file crafted with a bogus section size can trigger an ASan issue
in the DWARFObjInMemory constructor. Nip the problem in the bud when we
read the wasm section.

Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3219

Diff Detail

Event Timeline

vsk created this revision.Oct 10 2017, 6:58 PM
Herald added subscribers: aheejin, jfb. · View Herald TranscriptOct 10 2017, 6:58 PM
JDevlieghere added inline comments.Oct 13 2017, 3:00 PM
lib/DebugInfo/DWARF/DWARFContext.cpp
1159 ↗(On Diff #118524)

Should this be continue?

vsk added inline comments.Oct 13 2017, 3:02 PM
lib/DebugInfo/DWARF/DWARFContext.cpp
1159 ↗(On Diff #118524)

Oops! Yes. More to the point, the test doesn't cover this code.. I was wondering if you know how to test different error policies?

vsk added inline comments.Oct 13 2017, 3:06 PM
lib/DebugInfo/DWARF/DWARFContext.cpp
1159 ↗(On Diff #118524)

Hm, maybe I should just leave this change out.

JDevlieghere added inline comments.Oct 13 2017, 3:15 PM
lib/DebugInfo/DWARF/DWARFContext.cpp
1159 ↗(On Diff #118524)

I don't think llvm-dwarfdump implements this yet: it just calls DWARFContext::create with the defaultErrorHandler. Could you add an option to specify the policy?

sbc100 added inline comments.Oct 18 2017, 12:36 PM
lib/Object/WasmObjectFile.cpp
193

Perhaps do this before the ArrayRef is created and before Ptr is incremented?

if (Ptr + Size > Eof)

test/tools/llvm-dwarfdump/X86/fuzzer.test
2 ↗(On Diff #118524)

Any reason this lives in 'X86'?

vsk updated this revision to Diff 119546.Oct 18 2017, 10:32 PM
vsk marked an inline comment as done.
vsk edited the summary of this revision. (Show Details)
  • Address review feedback, and set aside the dwarfdump changes for later.
test/tools/llvm-dwarfdump/X86/fuzzer.test
2 ↗(On Diff #118524)

I think it might be a mistake to conflate the libObject fix here with dwarfdump changes. I'll move the test to test/tools/llvm-objdump.

JDevlieghere accepted this revision.Oct 20 2017, 3:52 PM
This revision is now accepted and ready to land.Oct 20 2017, 3:52 PM
sbc100 accepted this revision.Oct 20 2017, 4:24 PM
Closed by commit rL316357: [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219) (authored by vedantk). · Explain WhyOct 23 2017, 11:05 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
Object/
8 lines
test/
tools/
llvm-objdump/
Inputs/
2 lines

Diff 119546

lib/Object/WasmObjectFile.cpp

Show First 20 LinesShow All 172 Lines▼ Show 20 Lines
static wasm::WasmTable readTable(const uint8_t *&Ptr) { static wasm::WasmTable readTable(const uint8_t *&Ptr) {
wasm::WasmTable Table; wasm::WasmTable Table;
Table.ElemType = readVarint7(Ptr); Table.ElemType = readVarint7(Ptr);
Table.Limits = readLimits(Ptr); Table.Limits = readLimits(Ptr);
return Table; return Table;
} }
static Error readSection(WasmSection &Section, const uint8_t *&Ptr, static Error readSection(WasmSection &Section, const uint8_t *&Ptr,
const uint8_t *Start) { const uint8_t *Start, const uint8_t *Eof) {
// TODO(sbc): Avoid reading past EOF in the case of malformed files.
Section.Offset = Ptr - Start; Section.Offset = Ptr - Start;
Section.Type = readVaruint7(Ptr); Section.Type = readVaruint7(Ptr);
uint32_t Size = readVaruint32(Ptr); uint32_t Size = readVaruint32(Ptr);
if (Size == 0) if (Size == 0)
return make_error<StringError>("Zero length section", return make_error<StringError>("Zero length section",
object_error::parse_failed); object_error::parse_failed);
if (Ptr + Size > Eof)
return make_error<StringError>("Section too large",
object_error::parse_failed);
Section.Content = ArrayRef<uint8_t>(Ptr, Size); Section.Content = ArrayRef<uint8_t>(Ptr, Size);
Ptr += Size; Ptr += Size;
return Error::success(); return Error::success();
sbc100Unsubmitted
Done
ReplyInline Actions

Perhaps do this before the ArrayRef is created and before Ptr is incremented?

if (Ptr + Size > Eof)

sbc100: Perhaps do this before the ArrayRef is created and before Ptr is incremented? `if (Ptr + Size…
} }
WasmObjectFile::WasmObjectFile(MemoryBufferRef Buffer, Error &Err) WasmObjectFile::WasmObjectFile(MemoryBufferRef Buffer, Error &Err)
: ObjectFile(Binary::ID_Wasm, Buffer) { : ObjectFile(Binary::ID_Wasm, Buffer) {
LinkingData.DataSize = 0; LinkingData.DataSize = 0;
ErrorAsOutParameter ErrAsOutParam(&Err); ErrorAsOutParameter ErrAsOutParam(&Err);
Header.Magic = getData().substr(0, 4); Header.Magic = getData().substr(0, 4);
Show All 16 LinesWasmObjectFile::WasmObjectFile(MemoryBufferRef Buffer, Error &Err)
if (Header.Version != wasm::WasmVersion) { if (Header.Version != wasm::WasmVersion) {
Err = make_error<StringError>("Bad version number", Err = make_error<StringError>("Bad version number",
object_error::parse_failed); object_error::parse_failed);
return; return;
} }
WasmSection Sec; WasmSection Sec;
while (Ptr < Eof) { while (Ptr < Eof) {
if ((Err = readSection(Sec, Ptr, getPtr(0)))) if ((Err = readSection(Sec, Ptr, getPtr(0), Eof)))
return; return;
if ((Err = parseSection(Sec))) if ((Err = parseSection(Sec)))
return; return;
Sections.push_back(Sec); Sections.push_back(Sec);
} }
} }
▲ Show 20 LinesShow All 818 LinesShow Last 20 Lines

test/tools/llvm-objdump/Inputs/corrupt-section.wasm

  • This binary file was added.

test/tools/llvm-objdump/wasm-corrupt-section.test

  • This file was added.
# RUN: llvm-objdump -h %p/Inputs/corrupt-section.wasm 2>&1 | FileCheck %s
# CHECK: '{{.*}}corrupt-section.wasm': Section too large