This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
libunwind/src/
-
src/
-
DwarfInstructions.hpp

Differential D69893

libunwind: Evaluating DWARF operation DW_OP_pick is broken
ClosedPublic

Authored by kamleshbhalui on Nov 6 2019, 6:59 AM.

Download Raw Diff

Details

Reviewers

phosek
mclow.lists
ldionne
compnerd
kledzik
steven_wu

Commits

rG9366397f057d: [libunwind] Fix evaluating DWARF operation DW_OP_pick

Summary

reg is unsigned type and used here for getting array element from the end by negating it.
negation of unsigned can result in large number and array access with that index will result in segmentation
fault.
As a Fix we cast reg to int then negate it.
Fixes this.
https://bugs.llvm.org/show_bug.cgi?id=43872

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

kamleshbhalui created this revision.Nov 6 2019, 6:59 AM

Herald added subscribers: libcxx-commits, ldionne, christof. · View Herald TranscriptNov 6 2019, 6:59 AM

kamleshbhalui edited the summary of this revision. (Show Details)Nov 6 2019, 7:00 AM

kamleshbhalui added reviewers: mclow.lists, ldionne.Nov 6 2019, 7:08 AM

kamleshbhalui added a project: Restricted Project.

Herald added a subscriber: dexonsmith. · View Herald TranscriptNov 6 2019, 7:09 AM

ldionne added a reviewer: compnerd.Nov 6 2019, 7:39 AM

This looks good to me, but I must admit I'm surprised this problem has never come up before (this code is very old), and also I don't know what the code is trying to do. Adding Saleem and Nick who have more experience with libunwind just to double-check.

This revision is now accepted and ready to land.Nov 6 2019, 7:44 AM

Is it tested? Intuitively I would expect DW_OP_pick to be kind of an unusual operator, unlikely to be seen in the wild.

`I do not have a test related to libunwind ,but I do simulated this behavior in c and got segfault.
------
int main(){

	int stack[10]={0};
	int* sp=stack;
	*(sp)=1;
	*(++sp)=2;
	*(++sp)=3;
	unsigned int r=1;
	int d=sp[-r];
	return 0;
}
---------`

Yes, Tested All tests passes.

Testing Time: 0.95s

Expected Passes    : 4

@ldionne Can you please commit this for me.
I do not have commit access.

ping?
can someone commit this for me?

The fix LGTM. Do you have a reproducer that can be used as a testcase? We should really add more tests for libunwind.

In D69893#1786202, @steven_wu wrote:

The fix LGTM. Do you have a reproducer that can be used as a test case? We should really add more tests for libunwind.

I currently do not have a reproducer test case for this.

In D69893#1786222, @kamleshbhalui wrote:

In D69893#1786202, @steven_wu wrote:

The fix LGTM. Do you have a reproducer that can be used as a test case? We should really add more tests for libunwind.

I currently do not have a reproducer test case for this.

Ok. We will need to come back dealing with test coverage in the future. I can commit it for you.

Commited in: 9366397f057d18401e680b2cb28a0ee17c59d4a6

Phabriactor might not update this because the patch was created on libunwind repo, not the monorepo.

Closed by commit rG9366397f057d: [libunwind] Fix evaluating DWARF operation DW_OP_pick (authored by steven_wu). · Explain WhyDec 18 2019, 12:34 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

libunwind/

src/

DwarfInstructions.hpp

2 lines

Diff 234597

libunwind/src/DwarfInstructions.hpp

Show First 20 Lines • Show All 427 Lines • ▼ Show 20 Lines	case DW_OP_over:
if (log)		if (log)
fprintf(stderr, "duplicate second in stack\n");		fprintf(stderr, "duplicate second in stack\n");
break;		break;

case DW_OP_pick:		case DW_OP_pick:
// pick from		// pick from
reg = addressSpace.get8(p);		reg = addressSpace.get8(p);
p += 1;		p += 1;
value = sp[-reg];		value = sp[-(int)reg];
*(++sp) = value;		*(++sp) = value;
if (log)		if (log)
fprintf(stderr, "duplicate %d in stack\n", reg);		fprintf(stderr, "duplicate %d in stack\n", reg);
break;		break;

case DW_OP_swap:		case DW_OP_swap:
// swap top two		// swap top two
value = sp[0];		value = sp[0];
▲ Show 20 Lines • Show All 377 Lines • Show Last 20 Lines