This is an archive of the discontinued LLVM Phabricator instance.

[RISCV] Fix AddressSanitizer heap-buffer-overflow in disassembling
ClosedPublic

Authored by apazos on Sep 5 2018, 4:04 PM.

Download Raw Diff

Details

Reviewers

Commits

rGb97d18945b82: [RISCV] Fix AddressSanitizer heap-buffer-overflow in disassembling
rL341686: [RISCV] Fix AddressSanitizer heap-buffer-overflow in disassembling

Summary

RISCVDisassembler should check number of bytes available before reading them.
Crash noticed when enabling -DLLVM_USE_SANITIZER=Address.

This bug was uncovered by a LLVM MC Disassembler Protocol Buffer Fuzzer for the RISC-V assembly language.

Diff Detail

Repository: rL LLVM

Event Timeline

apazos created this revision.Sep 5 2018, 4:04 PM

Herald added subscribers: jocewei, PkmX, rkruppe and 14 others. · View Herald TranscriptSep 5 2018, 4:04 PM

Looks good to me, thanks.

This revision is now accepted and ready to land.Sep 6 2018, 7:18 AM

Moved test to MC/Disassembler/RISCV

Closed by commit rL341686: [RISCV] Fix AddressSanitizer heap-buffer-overflow in disassembling (authored by apazos). · Explain WhySep 7 2018, 11:27 AM

This revision was automatically updated to reflect the committed changes.

Herald added subscribers: llvm-commits, jrtc27. · View Herald TranscriptSep 7 2018, 11:27 AM

Revision Contents

Path

Size

llvm/

trunk/

lib/

Target/

RISCV/

Disassembler/

RISCVDisassembler.cpp

8 lines

test/

MC/

Disassembler/

RISCV/

fuzzer-invalid.txt

8 lines

lit.local.cfg

3 lines

Diff 164472

llvm/trunk/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp

Show First 20 Lines • Show All 251 Lines • ▼ Show 20 Lines	DecodeStatus RISCVDisassembler::getInstruction(MCInst &MI, uint64_t &Size,
raw_ostream &CS) const {		raw_ostream &CS) const {
// TODO: This will need modification when supporting instruction set		// TODO: This will need modification when supporting instruction set
// extensions with instructions > 32-bits (up to 176 bits wide).		// extensions with instructions > 32-bits (up to 176 bits wide).
uint32_t Insn;		uint32_t Insn;
DecodeStatus Result;		DecodeStatus Result;

// It's a 32 bit instruction if bit 0 and 1 are 1.		// It's a 32 bit instruction if bit 0 and 1 are 1.
if ((Bytes[0] & 0x3) == 0x3) {		if ((Bytes[0] & 0x3) == 0x3) {
		if (Bytes.size() < 4) {
		Size = 0;
		return MCDisassembler::Fail;
		}
Insn = support::endian::read32le(Bytes.data());		Insn = support::endian::read32le(Bytes.data());
LLVM_DEBUG(dbgs() << "Trying RISCV32 table :\n");		LLVM_DEBUG(dbgs() << "Trying RISCV32 table :\n");
Result = decodeInstruction(DecoderTable32, MI, Insn, Address, this, STI);		Result = decodeInstruction(DecoderTable32, MI, Insn, Address, this, STI);
Size = 4;		Size = 4;
} else {		} else {
		if (Bytes.size() < 2) {
		Size = 0;
		return MCDisassembler::Fail;
		}
Insn = support::endian::read16le(Bytes.data());		Insn = support::endian::read16le(Bytes.data());

if (!STI.getFeatureBits()[RISCV::Feature64Bit]) {		if (!STI.getFeatureBits()[RISCV::Feature64Bit]) {
LLVM_DEBUG(		LLVM_DEBUG(
dbgs() << "Trying RISCV32Only_16 table (16-bit Instruction):\n");		dbgs() << "Trying RISCV32Only_16 table (16-bit Instruction):\n");
// Calling the auto-generated decoder function.		// Calling the auto-generated decoder function.
Result = decodeInstruction(DecoderTableRISCV32Only_16, MI, Insn, Address,		Result = decodeInstruction(DecoderTableRISCV32Only_16, MI, Insn, Address,
this, STI);		this, STI);
Show All 14 Lines

llvm/trunk/test/MC/Disassembler/RISCV/fuzzer-invalid.txt

				# RUN: not llvm-mc -disassemble -triple=riscv32 < %s 2>&1 \| FileCheck %s
				# RUN: not llvm-mc -disassemble -triple=riscv64 < %s 2>&1 \| FileCheck %s
				#
				# Test generated by a LLVM MC Disassembler Protocol Buffer Fuzzer
				# for the RISC-V assembly language.

				[0xf9 0x95 0xab 0x99]
				# CHECK: warning: invalid instruction encoding

llvm/trunk/test/MC/Disassembler/RISCV/lit.local.cfg

				if not 'RISCV' in config.root.targets:
				config.unsupported = True