This is an archive of the discontinued LLVM Phabricator instance.

Differential D50387

[WASM] Fix overflow when reading custom section
ClosedPublic

Authored by JDevlieghere on Aug 7 2018, 7:36 AM.

Details

Reviewers
sbc100
Commits
rG8511777d3a41: [WASM] Fix overflow when reading custom section
rL339269: [WASM] Fix overflow when reading custom section
Summary

When reading a custom WASM section, it was possible that its name
extended beyond the size of the section. This resulted in a bogus value
for the section size due to the size overflowing.

Fixes heap buffer overflow detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8190

Diff Detail

Repository
rL LLVM

Event Timeline

JDevlieghere created this revision.Aug 7 2018, 7:36 AM
Herald added subscribers: sunfish, aheejin, hiraditya. · View Herald TranscriptAug 7 2018, 7:36 AM
JDevlieghere added inline comments.Aug 7 2018, 7:54 AM
llvm/lib/Object/WasmObjectFile.cpp
222 ↗(On Diff #159506)

Can this section be empty? (i.e. should I make this greater or equal)

sbc100 added inline comments.Aug 7 2018, 9:30 AM
llvm/lib/Object/WasmObjectFile.cpp
222 ↗(On Diff #159506)

I think the ReadContext is probably a better way to enforce this. readString already does this check based on the context.

This check seems a little strange since it reads the string before checking if its too long.

JDevlieghere added inline comments.Aug 7 2018, 11:48 AM
llvm/lib/Object/WasmObjectFile.cpp
222 ↗(On Diff #159506)

I started out by doing that that but then you still have to update the current pointer and the size which made the code less intuitive. That combined with a less readable error message made me go this route. I'm happy to change it if you still think the ReadContext is better given the context. (pun not intended :-)

sbc100 added inline comments.Aug 7 2018, 3:48 PM
llvm/lib/Object/WasmObjectFile.cpp
222 ↗(On Diff #159506)

I don't particularly care about the precision and readability of the errors we generate on malformed input. Having a specific error message for this one strange case actually seems like overkill. However, if this is the most readable solution I think I'd be ok with it.

What did you earlier attempt look like. I would suggest creating an entirely new Context on the stack just for reading this Name. Is that less readable?

I'm happy to change the error massage to say "out of bounds" or something like that rather than "EOF" too.

JDevlieghere updated this revision to Diff 159685.Aug 8 2018, 4:56 AM

Updated to use the ReadContext. If the error message doesn't matter that much then I agree this is better.

JDevlieghere marked 4 inline comments as done.Aug 8 2018, 4:56 AM
sbc100 accepted this revision.Aug 8 2018, 8:35 AM

I agree this feels a bit awkward, but I prefer to custom bounds checking I think.

This revision is now accepted and ready to land.Aug 8 2018, 8:35 AM
Closed by commit rL339269: [WASM] Fix overflow when reading custom section (authored by JDevlieghere). · Explain WhyAug 8 2018, 9:34 AM
This revision was automatically updated to reflect the committed changes.
aheejin added a comment.Nov 3 2018, 4:34 AM

Hello. How did you generate this malformed test case? I added a new section on wasm binary format and now this case is failing for another reason before it reaches the custom section. I'd like to update the test case but don't know how this was generated.

aheejin mentioned this in D54096: [WebAssembly] Add support for the event section.Nov 5 2018, 3:09 AM
sbc100 added a comment.Nov 5 2018, 9:17 AM
In D50387#1286459, @aheejin wrote:

Hello. How did you generate this malformed test case? I added a new section on wasm binary format and now this case is failing for another reason before it reaches the custom section. I'd like to update the test case but don't know how this was generated.

How is your new section causing this binary to fail to load? The new section is not mandatory, surly?

Revision Contents

PathSize
llvm/
trunk/
lib/
Object/
13 lines
test/
Object/
Inputs/
WASM/
3 lines

Diff 159740

llvm/trunk/lib/Object/WasmObjectFile.cpp

Show First 20 LinesShow All 210 Lines▼ Show 20 Linesstatic Error readSection(WasmSection &Section,
uint32_t Size = readVaruint32(Ctx); uint32_t Size = readVaruint32(Ctx);
if (Size == 0) if (Size == 0)
return make_error<StringError>("Zero length section", return make_error<StringError>("Zero length section",
object_error::parse_failed); object_error::parse_failed);
if (Ctx.Ptr + Size > Ctx.End) if (Ctx.Ptr + Size > Ctx.End)
return make_error<StringError>("Section too large", return make_error<StringError>("Section too large",
object_error::parse_failed); object_error::parse_failed);
if (Section.Type == wasm::WASM_SEC_CUSTOM) { if (Section.Type == wasm::WASM_SEC_CUSTOM) {
const uint8_t *NameStart = Ctx.Ptr; WasmObjectFile::ReadContext SectionCtx;
Section.Name = readString(Ctx); SectionCtx.Start = Ctx.Ptr;
Size -= Ctx.Ptr - NameStart; SectionCtx.Ptr = Ctx.Ptr;
SectionCtx.End = Ctx.Ptr + Size;
Section.Name = readString(SectionCtx);
uint32_t SectionNameSize = SectionCtx.Ptr - SectionCtx.Start;
Ctx.Ptr += SectionNameSize;
Size -= SectionNameSize;
} }
Section.Content = ArrayRef<uint8_t>(Ctx.Ptr, Size); Section.Content = ArrayRef<uint8_t>(Ctx.Ptr, Size);
Ctx.Ptr += Size; Ctx.Ptr += Size;
return Error::success(); return Error::success();
} }
WasmObjectFile::WasmObjectFile(MemoryBufferRef Buffer, Error &Err) WasmObjectFile::WasmObjectFile(MemoryBufferRef Buffer, Error &Err)
: ObjectFile(Binary::ID_Wasm, Buffer) { : ObjectFile(Binary::ID_Wasm, Buffer) {
▲ Show 20 LinesShow All 1,082 LinesShow Last 20 Lines

llvm/trunk/test/Object/Inputs/WASM/string-outside-section.wasm

  • This is a binary file.
PropertyOld ValueNew Value
svn:mime-typenullapplication/octet-stream
\ No newline at end of property

llvm/trunk/test/Object/wasm-string-outside-section.test

RUN: not llvm-objdump -s %p/Inputs/WASM/string-outside-section.wasm 2>&1 | FileCheck %s
CHECK: LLVM ERROR: EOF while reading string