This is an archive of the discontinued LLVM Phabricator instance.

Differential D72409

[clang] Fix out-of-bounds memory access in ComputeLineNumbers
ClosedPublic

Authored by jkorous on Jan 8 2020, 12:38 PM.

Details

Reviewers
arphaman
Bigcheese
Commits
rG0c47feb2b26e: [clang] Fix out-of-bounds memory access in ComputeLineNumbers
rGf28972facc1f: [clang] Fix out-of-bounds memory access in ComputeLineNumbers
Summary

There was an access past the end of buffer for buffers not terminated by zero.

Diff Detail

Event Timeline

jkorous created this revision.Jan 8 2020, 12:38 PM
Herald added a subscriber: dexonsmith. · View Herald TranscriptJan 8 2020, 12:38 PM
arphaman added a comment.Jan 8 2020, 2:27 PM

Did you check if you can reproduce it with a unittest by passing in a Buffer that's not nil-terminated?

clang/lib/Basic/SourceManager.cpp
1255–1258

It might be better to check if I is <. than the size of the buffer here and down below to avoid extra pointer arithmetic.

jkorous marked an inline comment as done.Jan 8 2020, 4:11 PM

I tried but couldn't reproduce a segfault. Do you have any suggestion on how to reasonably reliably (TM) reproduce it?

jkorous updated this revision to Diff 236930.Jan 8 2020, 4:12 PM

calculate the size of the buffer upfront

arphaman added a comment.Jan 9 2020, 12:18 PM

It might be hard to test in a regular build: you probably would need to construct a test-case where the buffer is precisely a multiple of the page size and not nil-terminated, and then hopefully the OS will trigger a fault once you access the out of bounds character. Have you tried ASANified build? I think it could trigger a crash even if you don't get the pages right and just have a not-nil terminated buffer.

jkorous added a comment.Jan 9 2020, 2:25 PM

Ok, seems such test fails reliably (on macOS).

jkorous updated this revision to Diff 237200.Jan 9 2020, 2:26 PM

test

jkorous added a comment.Jan 9 2020, 2:26 PM

Oh, I will just add some ASSERT to the test and a comment on what it actually tests.

jkorous added a comment.Jan 9 2020, 2:27 PM

(and a delete[])

jkorous updated this revision to Diff 237219.Jan 9 2020, 3:18 PM
jkorous retitled this revision from [clang] Fix segfault in ComputeLineNumbers to [clang] Fix out-of-bounds memory access in ComputeLineNumbers.
jkorous edited the summary of this revision. (Show Details)

polish test

arphaman accepted this revision.Jan 10 2020, 10:42 AM

LGTM, with a nit mentioned.

clang/unittests/Basic/SourceManagerTest.cpp
249

Nit: you can use std::unique_ptr<char[]> to avoid the manual delete[] below.

This revision is now accepted and ready to land.Jan 10 2020, 10:42 AM
Closed by commit rGf28972facc1f: [clang] Fix out-of-bounds memory access in ComputeLineNumbers (authored by jkorous). · Explain WhyJan 10 2020, 11:27 AM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptJan 10 2020, 11:27 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
lib/
Basic/
21 lines
unittests/
Basic/
24 lines

Diff 237399

clang/lib/Basic/SourceManager.cpp

Show First 20 LinesShow All 1,244 Lines▼ Show 20 Linesstatic void ComputeLineNumbers(DiagnosticsEngine &Diag, ContentCache *FI,
// not look at trigraphs, escaped newlines, or anything else tricky. // not look at trigraphs, escaped newlines, or anything else tricky.
SmallVector<unsigned, 256> LineOffsets; SmallVector<unsigned, 256> LineOffsets;
// Line #1 starts at char 0. // Line #1 starts at char 0.
LineOffsets.push_back(0); LineOffsets.push_back(0);
const unsigned char *Buf = (const unsigned char *)Buffer->getBufferStart(); const unsigned char *Buf = (const unsigned char *)Buffer->getBufferStart();
const unsigned char *End = (const unsigned char *)Buffer->getBufferEnd(); const unsigned char *End = (const unsigned char *)Buffer->getBufferEnd();
const std::size_t BufLen = End - Buf;
unsigned I = 0; unsigned I = 0;
while (true) { while (I < BufLen) {
// Skip over the contents of the line. if (Buf[I] == '\n') {
while (Buf[I] != '\n' && Buf[I] != '\r' && Buf[I] != '\0') LineOffsets.push_back(I + 1);
++I; } else if (Buf[I] == '\r') {
arphamanUnsubmitted
Done
ReplyInline Actions

It might be better to check if I is <. than the size of the buffer here and down below to avoid extra pointer arithmetic.

arphaman: It might be better to check if `I` is <. than the size of the buffer here and down below to…
if (Buf[I] == '\n' || Buf[I] == '\r') {
// If this is \r\n, skip both characters. // If this is \r\n, skip both characters.
if (Buf[I] == '\r' && Buf[I+1] == '\n') if (I + 1 < BufLen && Buf[I + 1] == '\n')
++I;
++I;
LineOffsets.push_back(I);
} else {
// Otherwise, this is a NUL. If end of file, exit.
if (Buf+I == End) break;
++I; ++I;
LineOffsets.push_back(I + 1);
} }
++I;
} }
// Copy the offsets into the FileInfo structure. // Copy the offsets into the FileInfo structure.
FI->NumLines = LineOffsets.size(); FI->NumLines = LineOffsets.size();
FI->SourceLineCache = Alloc.Allocate<unsigned>(LineOffsets.size()); FI->SourceLineCache = Alloc.Allocate<unsigned>(LineOffsets.size());
std::copy(LineOffsets.begin(), LineOffsets.end(), FI->SourceLineCache); std::copy(LineOffsets.begin(), LineOffsets.end(), FI->SourceLineCache);
} }
▲ Show 20 LinesShow All 916 LinesShow Last 20 Lines

clang/unittests/Basic/SourceManagerTest.cpp

Show All 14 Lines
#include "clang/Basic/TargetOptions.h" #include "clang/Basic/TargetOptions.h"
#include "clang/Lex/HeaderSearch.h" #include "clang/Lex/HeaderSearch.h"
#include "clang/Lex/HeaderSearchOptions.h" #include "clang/Lex/HeaderSearchOptions.h"
#include "clang/Lex/ModuleLoader.h" #include "clang/Lex/ModuleLoader.h"
#include "clang/Lex/Preprocessor.h" #include "clang/Lex/Preprocessor.h"
#include "clang/Lex/PreprocessorOptions.h" #include "clang/Lex/PreprocessorOptions.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Config/llvm-config.h" #include "llvm/Config/llvm-config.h"
#include "llvm/Support/Process.h"
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include <cstddef>
using namespace clang; using namespace clang;
namespace { namespace {
// The test fixture. // The test fixture.
class SourceManagerTest : public ::testing::Test { class SourceManagerTest : public ::testing::Test {
protected: protected:
▲ Show 20 LinesShow All 204 Lines▼ Show 20 Lines ASSERT_EQ(StringRef(SrcMgr::ContentCache::getInvalidBOM(
"\x00\x00\xFE\xFF#include <iostream>"))), "\x00\x00\xFE\xFF#include <iostream>"))),
"UTF-32 (BE)"); "UTF-32 (BE)");
ASSERT_EQ(StringRef(SrcMgr::ContentCache::getInvalidBOM( ASSERT_EQ(StringRef(SrcMgr::ContentCache::getInvalidBOM(
llvm::StringLiteral::withInnerNUL( llvm::StringLiteral::withInnerNUL(
"\xFF\xFE\x00\x00#include <iostream>"))), "\xFF\xFE\x00\x00#include <iostream>"))),
"UTF-32 (LE)"); "UTF-32 (LE)");
} }
// Regression test - there was an out of bound access for buffers not terminated by zero.
TEST_F(SourceManagerTest, getLineNumber) {
const unsigned pageSize = llvm::sys::Process::getPageSizeEstimate();
std::unique_ptr<char[]> source(new char[pageSize]);
arphamanUnsubmitted
Not Done
ReplyInline Actions

Nit: you can use std::unique_ptr<char[]> to avoid the manual delete[] below.

arphaman: Nit: you can use `std::unique_ptr<char[]>` to avoid the manual `delete[]` below.
for(unsigned i = 0; i < pageSize; ++i) {
source[i] = 'a';
}
std::unique_ptr<llvm::MemoryBuffer> Buf =
llvm::MemoryBuffer::getMemBuffer(
llvm::MemoryBufferRef(
llvm::StringRef(source.get(), 3), "whatever"
),
false
);
FileID mainFileID = SourceMgr.createFileID(std::move(Buf));
SourceMgr.setMainFileID(mainFileID);
ASSERT_NO_FATAL_FAILURE(SourceMgr.getLineNumber(mainFileID, 1, nullptr));
}
#if defined(LLVM_ON_UNIX) #if defined(LLVM_ON_UNIX)
TEST_F(SourceManagerTest, getMacroArgExpandedLocation) { TEST_F(SourceManagerTest, getMacroArgExpandedLocation) {
const char *header = const char *header =
"#define FM(x,y) x\n"; "#define FM(x,y) x\n";
const char *main = const char *main =
"#include \"/test-header.h\"\n" "#include \"/test-header.h\"\n"
▲ Show 20 LinesShow All 215 LinesShow Last 20 Lines