This is an archive of the discontinued LLVM Phabricator instance.

Differential D47046

[WebAssembly] Object: Add more error checking for object file reading
ClosedPublic

Authored by sbc100 on May 17 2018, 6:29 PM.

Details

Reviewers
jfb
Commits
rG4bbc6b55e7bc: [WebAssembly] Object: Add more error checking for object file reading
rL332769: [WebAssembly] Object: Add more error checking for object file reading
Summary

This should address some the assert failures the fuzzer has been
finding such as:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6719

Diff Detail

Repository
rL LLVM

Event Timeline

sbc100 created this revision.May 17 2018, 6:29 PM
Herald added subscribers: llvm-commits, sunfish, aheejin and 2 others. · View Herald TranscriptMay 17 2018, 6:29 PM
sbc100 added a reviewer: jfb.May 17 2018, 6:30 PM
jfb accepted this revision.May 17 2018, 9:37 PM

One comment, lgtm otherwise.

lib/Object/WasmObjectFile.cpp
961 ↗(On Diff #147424)

That seems like readvaruint32 went out of valid range, no?

This revision is now accepted and ready to land.May 17 2018, 9:37 PM
sbc100 added inline comments.May 18 2018, 10:11 AM
lib/Object/WasmObjectFile.cpp
961 ↗(On Diff #147424)

This means the reported segment size would make it go off the end of the data section.

The absolute value of Size could still be small.

Closed by commit rL332769: [WebAssembly] Object: Add more error checking for object file reading (authored by sbc). · Explain WhyMay 18 2018, 2:12 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Object/
12 lines

Diff 147580

llvm/trunk/lib/Object/WasmObjectFile.cpp

Show First 20 LinesShow All 106 Lines▼ Show 20 Linesstatic int64_t readLEB128(const uint8_t *&Ptr) {
unsigned Count; unsigned Count;
uint64_t Result = decodeSLEB128(Ptr, &Count); uint64_t Result = decodeSLEB128(Ptr, &Count);
Ptr += Count; Ptr += Count;
return Result; return Result;
} }
static uint8_t readVaruint1(const uint8_t *&Ptr) { static uint8_t readVaruint1(const uint8_t *&Ptr) {
int64_t result = readLEB128(Ptr); int64_t result = readLEB128(Ptr);
assert(result <= VARUINT1_MAX && result >= 0); if (result > VARUINT1_MAX || result < 0)
report_fatal_error("LEB is outside Varuint1 range");
return result; return result;
} }
static int32_t readVarint32(const uint8_t *&Ptr) { static int32_t readVarint32(const uint8_t *&Ptr) {
int64_t result = readLEB128(Ptr); int64_t result = readLEB128(Ptr);
assert(result <= INT32_MAX && result >= INT32_MIN); if (result > INT32_MAX || result < INT32_MIN)
report_fatal_error("LEB is outside Varint32 range");
return result; return result;
} }
static uint32_t readVaruint32(const uint8_t *&Ptr) { static uint32_t readVaruint32(const uint8_t *&Ptr) {
uint64_t result = readULEB128(Ptr); uint64_t result = readULEB128(Ptr);
assert(result <= UINT32_MAX); if (result > UINT32_MAX)
report_fatal_error("LEB is outside Varuint32 range");
return result; return result;
} }
static int64_t readVarint64(const uint8_t *&Ptr) { static int64_t readVarint64(const uint8_t *&Ptr) {
return readLEB128(Ptr); return readLEB128(Ptr);
} }
static uint8_t readOpcode(const uint8_t *&Ptr) { static uint8_t readOpcode(const uint8_t *&Ptr) {
▲ Show 20 LinesShow All 814 Lines▼ Show 20 LinesError WasmObjectFile::parseDataSection(const uint8_t *Ptr, const uint8_t *End) {
uint32_t Count = readVaruint32(Ptr); uint32_t Count = readVaruint32(Ptr);
DataSegments.reserve(Count); DataSegments.reserve(Count);
while (Count--) { while (Count--) {
WasmSegment Segment; WasmSegment Segment;
Segment.Data.MemoryIndex = readVaruint32(Ptr); Segment.Data.MemoryIndex = readVaruint32(Ptr);
if (Error Err = readInitExpr(Segment.Data.Offset, Ptr)) if (Error Err = readInitExpr(Segment.Data.Offset, Ptr))
return Err; return Err;
uint32_t Size = readVaruint32(Ptr); uint32_t Size = readVaruint32(Ptr);
if (Size > End - Ptr)
return make_error<GenericBinaryError>("Invalid segment size",
object_error::parse_failed);
Segment.Data.Content = ArrayRef<uint8_t>(Ptr, Size); Segment.Data.Content = ArrayRef<uint8_t>(Ptr, Size);
// The rest of these Data fields are set later, when reading in the linking // The rest of these Data fields are set later, when reading in the linking
// metadata section. // metadata section.
Segment.Data.Alignment = 0; Segment.Data.Alignment = 0;
Segment.Data.Flags = 0; Segment.Data.Flags = 0;
Segment.Data.Comdat = UINT32_MAX; Segment.Data.Comdat = UINT32_MAX;
Segment.SectionOffset = Ptr - Start; Segment.SectionOffset = Ptr - Start;
Ptr += Size; Ptr += Size;
▲ Show 20 LinesShow All 323 LinesShow Last 20 Lines