This is an archive of the discontinued LLVM Phabricator instance.

Differential D42828

Fix for read-past-end-of-array buglet in ProcessElfCore.cpp while reading linux notes
ClosedPublic

Authored by jasonmolenda on Feb 1 2018, 4:22 PM.

Details

Reviewers
labath
Commits
rG37713073d65e: Fix a copy of a fixed length, possibly non-nul terminated, string into a std…
rLLDB324156: Fix a copy of a fixed length, possibly non-nul terminated, string
rL324156: Fix a copy of a fixed length, possibly non-nul terminated, string
Summary

I caught this while running the testsuite against lldb built with address sanitizer (ASAN) enabled - it found one problem when running the TestLinuxCore.py test. The ELFLinuxPrPsInfo structure has two fixed width strings in it, pr_fname (16 chars) and pr_psargs (80 chars). They are not required to be nul (\0) terminated, and in the case of ppc64le, pr_fname is not -

(lldb) p prpsinfo
(ELFLinuxPrPsInfo) $1 = {

pr_fname = {
  [0] = 'l'
  [1] = 'i'
  [2] = 'n'
  [3] = 'u'
  [4] = 'x'
  [5] = '-'
  [6] = 'p'
  [7] = 'p'
  [8] = 'c'
  [9] = '6'
  [10] = '4'
  [11] = 'l'
  [12] = 'e'
  [13] = '.'
  [14] = 'o'
  [15] = 'u'
}

When we copy this into a std::string,

thread_data.name = prpsinfo.pr_fname;

the read goes off the end of the array. It goes into the next element on the structure, pr_psargs, so it's unlikely to crash, but it's an easy one to fix so I think we should.

TestLinuxCore.py's do_test() could also get passed in the expected thread name and verify that it was set correctly), that would have caught this without using ASAN. But given that ASAN did catch it, I'm pretty happy with it as-is.

Diff Detail

Repository
rL LLVM

Event Timeline

jasonmolenda created this revision.Feb 1 2018, 4:22 PM
Herald added a subscriber: llvm-commits. · View Herald TranscriptFeb 1 2018, 4:22 PM
labath accepted this revision.Feb 2 2018, 2:04 AM

Looks good, just make sure to not include extra \0 bytes.

source/Plugins/Process/elf-core/ProcessElfCore.cpp
668

In case the name *is* null-terminated, this will forcibly include the \0 bytes into the string, which is not good.
I think this should be something like assign(pr_fname, strnlen(pr_fname, sizeof(pf_fname)) (maybe there is a more c++-y way of writing that, but I couldn't think of one).

I think adding a check for the thread name in the test still has value (asan will just check we don't do anything stupid, but it won't verify we actually produce the right name in the end), but I can do that as a follow-up.

This revision is now accepted and ready to land.Feb 2 2018, 2:04 AM
clayborg added a subscriber: clayborg.Feb 2 2018, 8:08 AM
clayborg added inline comments.
source/Plugins/Process/elf-core/ProcessElfCore.cpp
668

This is how we cap segment lengths on ObjectFileMachO:

ConstString const_segname(load_cmd.segname, std::min<size_t>(strlen(load_cmd.segname), sizeof(load_cmd.segname)));

This won't keep ASAN happy though as the strlen might go off the end. You might be able to check the last byte since I am guessing they will zero fill by default:

if (prpsinfo.pr_fname[sizeof (prpsinfo.pr_fname)-1] != '\0')
  thread_data.name.assign (prpsinfo.pr_fname, sizeof (prpsinfo.pr_fname));
else
  thread_data.name = prpsinfo.pr_fname;
Closed by commit rL324156: Fix a copy of a fixed length, possibly non-nul terminated, string (authored by jmolenda). · Explain WhyFeb 2 2018, 2:52 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
source/
Plugins/
Process/
elf-core/
2 lines

Diff 132500

source/Plugins/Process/elf-core/ProcessElfCore.cpp

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines
break; break;
} }
case LINUX::NT_PRPSINFO: { case LINUX::NT_PRPSINFO: {
have_prpsinfo = true; have_prpsinfo = true;
ELFLinuxPrPsInfo prpsinfo; ELFLinuxPrPsInfo prpsinfo;
Status status = prpsinfo.Parse(note.data, arch); Status status = prpsinfo.Parse(note.data, arch);
if (status.Fail()) if (status.Fail())
return status.ToError(); return status.ToError();
thread_data.name = prpsinfo.pr_fname; thread_data.name.assign (prpsinfo.pr_fname, sizeof (prpsinfo.pr_fname));
labathUnsubmitted
Not Done
ReplyInline Actions

In case the name *is* null-terminated, this will forcibly include the \0 bytes into the string, which is not good.
I think this should be something like assign(pr_fname, strnlen(pr_fname, sizeof(pf_fname)) (maybe there is a more c++-y way of writing that, but I couldn't think of one).

I think adding a check for the thread name in the test still has value (asan will just check we don't do anything stupid, but it won't verify we actually produce the right name in the end), but I can do that as a follow-up.

labath: In case the name *is* null-terminated, this will forcibly include the \0 bytes into the string…
clayborgUnsubmitted
Not Done
ReplyInline Actions

This is how we cap segment lengths on ObjectFileMachO:

ConstString const_segname(load_cmd.segname, std::min<size_t>(strlen(load_cmd.segname), sizeof(load_cmd.segname)));

This won't keep ASAN happy though as the strlen might go off the end. You might be able to check the last byte since I am guessing they will zero fill by default:

if (prpsinfo.pr_fname[sizeof (prpsinfo.pr_fname)-1] != '\0')
  thread_data.name.assign (prpsinfo.pr_fname, sizeof (prpsinfo.pr_fname));
else
  thread_data.name = prpsinfo.pr_fname;
clayborg: This is how we cap segment lengths on ObjectFileMachO: ``` ConstString const_segname(load_cmd.
SetID(prpsinfo.pr_pid); SetID(prpsinfo.pr_pid);
break; break;
} }
case LINUX::NT_SIGINFO: { case LINUX::NT_SIGINFO: {
ELFLinuxSigInfo siginfo; ELFLinuxSigInfo siginfo;
Status status = siginfo.Parse(note.data, arch); Status status = siginfo.Parse(note.data, arch);
if (status.Fail()) if (status.Fail())
return status.ToError(); return status.ToError();
▲ Show 20 LinesShow All 42 LinesShow Last 20 Lines