This is an archive of the discontinued LLVM Phabricator instance.

Differential D59179

Detect malformed LC_LINKER_COMMANDs in Mach-O binaries
ClosedPublic

Authored by mtrent on Mar 9 2019, 12:09 PM.

Details

Reviewers
lhames
pete
Commits
rG76d66123b27d: Detect malformed LC_LINKER_COMMANDs in Mach-O binaries
rL355851: Detect malformed LC_LINKER_COMMANDs in Mach-O binaries
Summary

llvm-objdump can be tricked into reading beyond valid memory and
segfaulting if LC_LINKER_COMMAND strings are not null terminated. libObject
does have code to validate the integrity of the LC_LINKER_COMMAND struct,
but this validator improperly assumes linker command strings are null
terminated.

The solution is to report an error if a string extends beyond the end of
the LC_LINKER_COMMAND struct.

Diff Detail

Repository
rL LLVM

Event Timeline

mtrent created this revision.Mar 9 2019, 12:09 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 9 2019, 12:09 PM
Herald added a subscriber: rupprecht. · View Herald Transcript
Harbormaster completed remote builds in B28958: Diff 189992.Mar 9 2019, 12:10 PM
pete accepted this revision.Mar 9 2019, 3:16 PM

LGTM.

This revision is now accepted and ready to land.Mar 9 2019, 3:16 PM
Closed by commit rL355851: Detect malformed LC_LINKER_COMMANDs in Mach-O binaries (authored by mtrent). · Explain WhyMar 11 2019, 11:31 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Object/
4 lines
test/
tools/
llvm-objdump/
X86/
Inputs/
17 lines

Diff 190130

llvm/trunk/lib/Object/MachOObjectFile.cpp

Show First 20 LinesShow All 912 Lines▼ Show 20 Linesstatic Error checkLinkerOptCommand(const MachOObjectFile &Obj,
while (left > 0) { while (left > 0) {
while (*string == '\0' && left > 0) { while (*string == '\0' && left > 0) {
string++; string++;
left--; left--;
} }
if (left > 0) { if (left > 0) {
i++; i++;
uint32_t NullPos = StringRef(string, left).find('\0'); uint32_t NullPos = StringRef(string, left).find('\0');
if (0xffffffff == NullPos)
return malformedError("load command " + Twine(LoadCommandIndex) +
" LC_LINKER_OPTION string #" + Twine(i) +
" is not NULL terminated");
uint32_t len = std::min(NullPos, left) + 1; uint32_t len = std::min(NullPos, left) + 1;
string += len; string += len;
left -= len; left -= len;
} }
} }
if (L.count != i) if (L.count != i)
return malformedError("load command " + Twine(LoadCommandIndex) + return malformedError("load command " + Twine(LoadCommandIndex) +
" LC_LINKER_OPTION string count " + Twine(L.count) + " LC_LINKER_OPTION string count " + Twine(L.count) +
▲ Show 20 LinesShow All 3,713 LinesShow Last 20 Lines

llvm/trunk/test/tools/llvm-objdump/X86/Inputs/macho-invalid-linker-command

  • This is a binary file.
PropertyOld ValueNew Value
svn:mime-typenullapplication/octet-stream
\ No newline at end of property

llvm/trunk/test/tools/llvm-objdump/X86/malformed-machos.test

// These test checks that llvm-objdump will not crash with malformed Mach-O // These test checks that llvm-objdump will not crash with malformed Mach-O
// files. So the check line is not all that important but the bug fixes to // files. So the check line is not all that important but the bug fixes to
// make sure llvm-objdump is robust is what matters. // make sure llvm-objdump is robust is what matters.
# RUN: not llvm-objdump -macho -objc-meta-data \ # RUN: not llvm-objdump -macho -objc-meta-data \
# RUN: %p/Inputs/malformed-machos/mem-crup-0001.macho 2>&1 \ # RUN: %p/Inputs/malformed-machos/mem-crup-0001.macho 2>&1 \
# RUN: | FileCheck -check-prefix=m0001 %s # RUN: | FileCheck -check-prefix=m0001 %s
# m0001: mem-crup-0001.macho': truncated or malformed object (addr field plus size of section 2 in LC_SEGMENT_64 command 0 greater than than the segment's vmaddr plus vmsize) # m0001: mem-crup-0001.macho': truncated or malformed object (addr field plus size of section 2 in LC_SEGMENT_64 command 0 greater than than the segment's vmaddr plus vmsize)
# RUN: not llvm-objdump -macho -objc-meta-data \ # RUN: not llvm-objdump -macho -objc-meta-data \
# RUN: %p/Inputs/malformed-machos/mem-crup-0006.macho 2>&1 \ # RUN: %p/Inputs/malformed-machos/mem-crup-0006.macho 2>&1 \
# RUN: | FileCheck -check-prefix=m0006 %s # RUN: | FileCheck -check-prefix=m0006 %s
# m0006: malformed-machos/mem-crup-0006.macho': truncated or malformed object (section contents at offset 4128 with a size of 176, overlaps section contents at offset 4128 with a size of 8) # m0006: malformed-machos/mem-crup-0006.macho': truncated or malformed object (section contents at offset 4128 with a size of 176, overlaps section contents at offset 4128 with a size of 8)
# RUN: not llvm-objdump -macho -objc-meta-data \ # RUN: not llvm-objdump -macho -objc-meta-data \
# RUN: %p/Inputs/malformed-machos/mem-crup-0010.macho 2>&1 \ # RUN: %p/Inputs/malformed-machos/mem-crup-0010.macho 2>&1 \
# RUN: | FileCheck -check-prefix=m0010 %s # RUN: | FileCheck -check-prefix=m0010 %s
# m0010: mem-crup-0010.macho': truncated or malformed object (section contents at offset 4320 with a size of 80, overlaps section contents at offset 4320 with a size of 8) # m0010: mem-crup-0010.macho': truncated or malformed object (section contents at offset 4320 with a size of 80, overlaps section contents at offset 4320 with a size of 8)
# RUN: not llvm-objdump -macho -objc-meta-data \ # RUN: not llvm-objdump -macho -objc-meta-data \
# RUN: %p/Inputs/malformed-machos/mem-crup-0040.macho 2>&1 \ # RUN: %p/Inputs/malformed-machos/mem-crup-0040.macho 2>&1 \
# RUN: | FileCheck -check-prefix=m0040 %s # RUN: | FileCheck -check-prefix=m0040 %s
# m0040: mem-crup-0040.macho': truncated or malformed object (offset field plus size field of section 2 in LC_SEGMENT_64 command 1 extends past the end of the file) # m0040: mem-crup-0040.macho': truncated or malformed object (offset field plus size field of section 2 in LC_SEGMENT_64 command 1 extends past the end of the file)
# RUN: not llvm-objdump -macho -objc-meta-data \ # RUN: not llvm-objdump -macho -objc-meta-data \
# RUN: %p/Inputs/malformed-machos/mem-crup-0080.macho 2>&1 \ # RUN: %p/Inputs/malformed-machos/mem-crup-0080.macho 2>&1 \
# RUN: | FileCheck -check-prefix=m0080 %s # RUN: | FileCheck -check-prefix=m0080 %s
# m0080: mem-crup-0080.macho': truncated or malformed object (addr field plus size of section 2 in LC_SEGMENT_64 command 1 greater than than the segment's vmaddr plus vmsize) # m0080: mem-crup-0080.macho': truncated or malformed object (addr field plus size of section 2 in LC_SEGMENT_64 command 1 greater than than the segment's vmaddr plus vmsize)
# RUN: llvm-objdump -macho -objc-meta-data \ # RUN: llvm-objdump -macho -objc-meta-data \
# RUN: %p/Inputs/malformed-machos/mem-crup-0261.macho # RUN: %p/Inputs/malformed-machos/mem-crup-0261.macho
# RUN: not llvm-objdump -macho -disassemble \ # RUN: not llvm-objdump -macho -disassemble \
# RUN: %p/Inputs/malformed-machos/mem-crup-0337.macho 2>&1 \ # RUN: %p/Inputs/malformed-machos/mem-crup-0337.macho 2>&1 \
# RUN: | FileCheck -check-prefix=m0337 %s # RUN: | FileCheck -check-prefix=m0337 %s
# m0337: mem-crup-0337.macho': truncated or malformed object (section relocation entries at offset 0 with a size of 512, overlaps Mach-O headers at offset 0 with a size of 2048) # m0337: mem-crup-0337.macho': truncated or malformed object (section relocation entries at offset 0 with a size of 512, overlaps Mach-O headers at offset 0 with a size of 2048)
RUN: not llvm-objdump -macho -disassemble %p/Inputs/macho-invalid-symbol-nsect 2>&1 | FileCheck -check-prefix INVALID-SYMBOL-NSECT %s RUN: not llvm-objdump -macho -disassemble %p/Inputs/macho-invalid-symbol-nsect 2>&1 | FileCheck -check-prefix INVALID-SYMBOL-NSECT %s
INVALID-SYMBOL-NSECT: macho-invalid-symbol-nsect': truncated or malformed object (bad section index: 97 for symbol at index 1) INVALID-SYMBOL-NSECT: macho-invalid-symbol-nsect': truncated or malformed object (bad section index: 97 for symbol at index 1)
RUN: not llvm-objdump -macho -disassemble %p/Inputs/macho-invalid-symbol-nsect-archive 2>&1 | FileCheck -check-prefix INVALID-SYMBOL-NSECT-ARCHIVE %s RUN: not llvm-objdump -macho -disassemble %p/Inputs/macho-invalid-symbol-nsect-archive 2>&1 | FileCheck -check-prefix INVALID-SYMBOL-NSECT-ARCHIVE %s
INVALID-SYMBOL-NSECT-ARCHIVE: macho-invalid-symbol-nsect-archive(macho-invalid-symbol-nsect): truncated or malformed object (bad section index: 97 for symbol at index 1) INVALID-SYMBOL-NSECT-ARCHIVE: macho-invalid-symbol-nsect-archive(macho-invalid-symbol-nsect): truncated or malformed object (bad section index: 97 for symbol at index 1)
Show All 14 Lines
INVALID-SYMBOL-STRX-UNIVERSAL: macho-invalid-symbol-strx-universal' (for architecture i386): truncated or malformed object (bad string table index: 22 past the end of string table, for symbol at index 1) INVALID-SYMBOL-STRX-UNIVERSAL: macho-invalid-symbol-strx-universal' (for architecture i386): truncated or malformed object (bad string table index: 22 past the end of string table, for symbol at index 1)
RUN: not llvm-objdump -macho -disassemble %p/Inputs/macho-invalid-symbol-lib_ordinal 2>&1 | FileCheck -check-prefix INVALID-SYMBOL-LIB_ORDINAL %s RUN: not llvm-objdump -macho -disassemble %p/Inputs/macho-invalid-symbol-lib_ordinal 2>&1 | FileCheck -check-prefix INVALID-SYMBOL-LIB_ORDINAL %s
INVALID-SYMBOL-LIB_ORDINAL: macho-invalid-symbol-lib_ordinal': truncated or malformed object (bad library ordinal: 7 for symbol at index 2) INVALID-SYMBOL-LIB_ORDINAL: macho-invalid-symbol-lib_ordinal': truncated or malformed object (bad library ordinal: 7 for symbol at index 2)
RUN: not llvm-objdump -macho -objc-meta-data %p/Inputs/macho-invalid-bind-entry 2>&1 | FileCheck -check-prefix INVALID-BIND-ENTRY %s RUN: not llvm-objdump -macho -objc-meta-data %p/Inputs/macho-invalid-bind-entry 2>&1 | FileCheck -check-prefix INVALID-BIND-ENTRY %s
INVALID-BIND-ENTRY: macho-invalid-bind-entry': truncated or malformed object (for BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB bad library ordinal: 83 (max 0) for opcode at: 0x0) INVALID-BIND-ENTRY: macho-invalid-bind-entry': truncated or malformed object (for BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB bad library ordinal: 83 (max 0) for opcode at: 0x0)
RUN: llvm-objdump -macho -r -arch x86_64 %p/Inputs/macho-invalid-reloc-section-index | FileCheck -check-prefix INVALID-RELOC-SECTION-INDEX %s RUN: llvm-objdump -macho -r -arch x86_64 %p/Inputs/macho-invalid-reloc-section-index 2>&1 | FileCheck -check-prefix INVALID-RELOC-SECTION-INDEX %s
INVALID-RELOC-SECTION-INDEX: 00000021 False byte False UNSIGND False 8388613 (?,?) INVALID-RELOC-SECTION-INDEX: 00000021 False byte False UNSIGND False 8388613 (?,?)
RUN: not llvm-objdump -bind -g -macho -r -rebase -s -section-headers -t -unwind-info %p/Inputs/macho-invalid-linker-command 2>&1 | FileCheck -check-prefix INVALID-LINKCMD %s
INVALID-LINKCMD: truncated or malformed object (load command 4 LC_LINKER_OPTION string #2 is not NULL terminated)