This is an archive of the discontinued LLVM Phabricator instance.

[WASM] Fix overflow when reading custom section
ClosedPublic

Authored by JDevlieghere on Aug 7 2018, 7:36 AM.

Details

Summary

When reading a custom WASM section, it was possible that its name
extended beyond the size of the section. This resulted in a bogus value
for the section size due to the size overflowing.

Fixes heap buffer overflow detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8190

Diff Detail

Repository
rL LLVM

Event Timeline

JDevlieghere created this revision.Aug 7 2018, 7:36 AM
JDevlieghere added inline comments.Aug 7 2018, 7:54 AM
llvm/lib/Object/WasmObjectFile.cpp
222 ↗(On Diff #159506)

Can this section be empty? (i.e. should I make this greater or equal)

sbc100 added inline comments.Aug 7 2018, 9:30 AM
llvm/lib/Object/WasmObjectFile.cpp
222 ↗(On Diff #159506)

I think the ReadContext is probably a better way to enforce this. readString already does this check based on the context.

This check seems a little strange since it reads the string before checking if its too long.

JDevlieghere added inline comments.Aug 7 2018, 11:48 AM
llvm/lib/Object/WasmObjectFile.cpp
222 ↗(On Diff #159506)

I started out by doing that that but then you still have to update the current pointer and the size which made the code less intuitive. That combined with a less readable error message made me go this route. I'm happy to change it if you still think the ReadContext is better given the context. (pun not intended :-)

sbc100 added inline comments.Aug 7 2018, 3:48 PM
llvm/lib/Object/WasmObjectFile.cpp
222 ↗(On Diff #159506)

I don't particularly care about the precision and readability of the errors we generate on malformed input. Having a specific error message for this one strange case actually seems like overkill. However, if this is the most readable solution I think I'd be ok with it.

What did you earlier attempt look like. I would suggest creating an entirely new Context on the stack just for reading this Name. Is that less readable?

I'm happy to change the error massage to say "out of bounds" or something like that rather than "EOF" too.

Updated to use the ReadContext. If the error message doesn't matter that much then I agree this is better.

JDevlieghere marked 4 inline comments as done.Aug 8 2018, 4:56 AM
sbc100 accepted this revision.Aug 8 2018, 8:35 AM

I agree this feels a bit awkward, but I prefer to custom bounds checking I think.

This revision is now accepted and ready to land.Aug 8 2018, 8:35 AM
This revision was automatically updated to reflect the committed changes.

Hello. How did you generate this malformed test case? I added a new section on wasm binary format and now this case is failing for another reason before it reaches the custom section. I'd like to update the test case but don't know how this was generated.

sbc100 added a comment.Nov 5 2018, 9:17 AM

Hello. How did you generate this malformed test case? I added a new section on wasm binary format and now this case is failing for another reason before it reaches the custom section. I'd like to update the test case but don't know how this was generated.

How is your new section causing this binary to fail to load? The new section is not mandatory, surly?