This is an archive of the discontinued LLVM Phabricator instance.

Differential D76543

[llvm-dwp] Fix a possible out of bound access.
ClosedPublic

Authored by ikudrin on Mar 21 2020, 4:42 AM.

Details

Reviewers
dblaikie
jhenderson
Commits
rG5125685e915a: [llvm-dwp] Fix a possible out of bound access.
Summary

llvm-dwp did not check section identifiers read from input files. In the case of an unexpected identifier, the calculated index for Contributions[] pointed outside the array. This fix avoids the issue by skipping unsupported identifiers.

Diff Detail

Event Timeline

ikudrin created this revision.Mar 21 2020, 4:42 AM
Harbormaster completed remote builds in B49993: Diff 251836.Mar 21 2020, 5:20 AM
dblaikie added a comment.Mar 21 2020, 9:35 AM

Thanks!

Does the test need the debug_info section? (Probably needs them for some reason, might be worth mentioning)
Seems like the test should also have a tu_index to test the change there?

ikudrin updated this revision to Diff 253512.Mar 30 2020, 12:47 AM
  • The test was extended to add a TU index case.
  • Added a comment to the test that the additional sections are required to reach the test points in the code.
jhenderson added inline comments.Mar 30 2020, 1:13 AM
llvm/tools/llvm-dwp/llvm-dwp.cpp
220

You've got test cases for Kind < DW_SEC_INFO, but you probably also need cases for Kind > DW_SECT_MACRO.

250–252

I've not really looked around this code, so this might not make sense, but is it also worth checking that we don't emit data for these sections?

ikudrin updated this revision to Diff 253525.Mar 30 2020, 2:03 AM
ikudrin marked 3 inline comments as done.
  • Extended the test by adding an unknown ID which is greater than DW_SECT_MACRO.
llvm/tools/llvm-dwp/llvm-dwp.cpp
250–252

llvm-dwp does not emit anything for unknown sections and the patch is not changing that.

jhenderson added a comment.Mar 30 2020, 2:29 AM

Thanks. Looks good from my point of view, but @dblaikie should confirm he's happy.

dblaikie added inline comments.Apr 2 2020, 4:36 PM
llvm/test/tools/llvm-dwp/X86/unknown-section-id.s
2–9

What does llvm-dwp do insteand of out of bounds access? Testing for "does anything other than crash" is usually a bad sign - presumably there's some specific behavior that we'd like llvm-dwp to have in these cases and should be testing for it here.

ikudrin marked 2 inline comments as done.Apr 2 2020, 10:18 PM
ikudrin added inline comments.
llvm/test/tools/llvm-dwp/X86/unknown-section-id.s
2–9

It just ignores the unknown sections because there is little it can do with them anyway.

jhenderson added inline comments.Apr 3 2020, 12:29 AM
llvm/test/tools/llvm-dwp/X86/unknown-section-id.s
2–9

Could we demonstrate that it does something else after the failure point and also that it doesn't try to dump the unknown sections?

ikudrin marked 2 inline comments as done.Apr 3 2020, 1:15 AM
ikudrin added inline comments.
llvm/test/tools/llvm-dwp/X86/unknown-section-id.s
2–9

Nothing comes to my mind. llvm-dwp creates the output, as usual. It ignores unknown sections, as usual. The only change is that it does not write to random memory locations, but that is not something that is easy to demonstrate; only UBSan catches that. Do you have any particular suggestions?

jhenderson added inline comments.Apr 3 2020, 2:59 AM
llvm/test/tools/llvm-dwp/X86/unknown-section-id.s
2–9

Perhaps at least show that the output contains only the expected sections maybe (not their contents)?

ikudrin updated this revision to Diff 254747.Apr 3 2020, 3:50 AM
ikudrin marked 2 inline comments as done.
  • Extended the test.
jhenderson accepted this revision.Apr 3 2020, 4:27 AM

Looks good, though probably should get someone else to confirm.

This revision is now accepted and ready to land.Apr 3 2020, 4:27 AM
dblaikie accepted this revision.Apr 5 2020, 5:43 PM

Looks good - thanks!

Closed by commit rG5125685e915a: [llvm-dwp] Fix a possible out of bound access. (authored by ikudrin). · Explain WhyApr 6 2020, 1:03 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
test/
tools/
llvm-dwp/
X86/
111 lines
tools/
llvm-dwp/
8 lines

Diff 253512

llvm/test/tools/llvm-dwp/X86/unknown-section-id.s

  • This file was added.
## The test checks that llvm-dwp avoids an out of bound access when there is
## an unknown section identifier in an index section. Without the fix, the test
## failed when LLVM is built with UBSan.
## Note that additional sections (.debug_abbrev.dwo, .debug_info.dwo, and
## .debug_types.dwo) are required to reach the test points in the code.
# RUN: llvm-mc -triple x86_64-unknown-linux-gnu %s -filetype=obj -o %t.dwp
# RUN: llvm-dwp %t.dwp -o -
dblaikieUnsubmitted
Done
ReplyInline Actions

What does llvm-dwp do insteand of out of bounds access? Testing for "does anything other than crash" is usually a bad sign - presumably there's some specific behavior that we'd like llvm-dwp to have in these cases and should be testing for it here.

dblaikie: What does llvm-dwp do insteand of out of bounds access? Testing for "does anything other than…
ikudrinAuthorUnsubmitted
Done
ReplyInline Actions

It just ignores the unknown sections because there is little it can do with them anyway.

ikudrin: It just ignores the unknown sections because there is little it can do with them anyway.
jhendersonUnsubmitted
Done
ReplyInline Actions

Could we demonstrate that it does something else after the failure point and also that it doesn't try to dump the unknown sections?

jhenderson: Could we demonstrate that it does something else after the failure point and also that it…
ikudrinAuthorUnsubmitted
Done
ReplyInline Actions

Nothing comes to my mind. llvm-dwp creates the output, as usual. It ignores unknown sections, as usual. The only change is that it does not write to random memory locations, but that is not something that is easy to demonstrate; only UBSan catches that. Do you have any particular suggestions?

ikudrin: Nothing comes to my mind. `llvm-dwp` creates the output, as usual. It ignores unknown sections…
jhendersonUnsubmitted
Done
ReplyInline Actions

Perhaps at least show that the output contains only the expected sections maybe (not their contents)?

jhenderson: Perhaps at least show that the output contains only the expected sections maybe (not their…
.section .debug_abbrev.dwo, "e", @progbits
.LCUAbbrevBegin:
.uleb128 1 # Abbreviation Code
.uleb128 0x11 # DW_TAG_compile_unit
.byte 1 # DW_CHILDREN_no
.uleb128 0x2131 # DW_AT_GNU_dwo_id
.uleb128 7 # DW_FORM_data8
.byte 0 # EOM(1)
.byte 0 # EOM(2)
.byte 0 # EOM(3)
.LCUAbbrevEnd:
.LTUAbbrevBegin:
.uleb128 1 # Abbreviation Code
.uleb128 0x41 # DW_TAG_type_unit
.byte 1 # DW_CHILDREN_yes
.byte 0 # EOM(1)
.byte 0 # EOM(2)
.uleb128 2 # Abbreviation Code
.uleb128 0x13 # DW_TAG_structure_type
.byte 0 # DW_CHILDREN_no
.byte 0 # EOM(1)
.byte 0 # EOM(2)
.byte 0 # EOM(3)
.LTUAbbrevEnd:
.section .debug_info.dwo, "e", @progbits
.LCUBegin:
.long .LCUEnd-.LCUVersion # Length of Unit
.LCUVersion:
.short 4 # Version
.long 0 # Abbrev offset
.byte 8 # Address size
.uleb128 1 # Abbrev [1] DW_TAG_compile_unit
.quad 0x1100002222222222 # DW_AT_GNU_dwo_id
.LCUEnd:
.section .debug_types.dwo, "e", @progbits
.LTUBegin:
.long .LTUEnd-.LTUVersion # Length of Unit
.LTUVersion:
.short 4 # Version
.long 0 # Abbrev offset
.byte 8 # Address size
.quad 0x1100003333333333 # Type signature
.long .LTUType-.LTUBegin # Type offset
.uleb128 1 # Abbrev [1] DW_TAG_type_unit
.LTUType:
.uleb128 2 # Abbrev [2] DW_TAG_structure_type
.LTUEnd:
.section .debug_cu_index, "", @progbits
## Header:
.long 2 # Version
.long 3 # Section count
.long 1 # Unit count
.long 2 # Slot count
## Hash Table of Signatures:
.quad 0x1100002222222222
.quad 0
## Parallel Table of Indexes:
.long 1
.long 0
## Table of Section Offsets:
## Row 0:
.long 1 # DW_SECT_INFO
.long 3 # DW_SECT_ABBREV
.long 0 # Invalid (unknown) section identifier
## Row 1:
.long 0 # Offset in .debug_info.dwo
.long 0 # Offset in .debug_abbrev.dwo
.long 0
## Table of Section Sizes:
.long .LCUEnd-.LCUBegin # Size in .debug_info.dwo
.long .LCUAbbrevEnd-.LCUAbbrevBegin # Size in .debug_abbrev.dwo
.long 1
.section .debug_tu_index, "", @progbits
## Header:
.long 2 # Version
.long 3 # Section count
.long 1 # Unit count
.long 2 # Slot count
## Hash Table of Signatures:
.quad 0x1100003333333333
.quad 0
## Parallel Table of Indexes:
.long 1
.long 0
## Table of Section Offsets:
## Row 0:
.long 2 # DW_SECT_TYPES
.long 3 # DW_SECT_ABBREV
.long 0 # Invalid (unknown) section identifier
## Row 1:
.long 0 # Offset in .debug_types.dwo
.long 0 # Offset in .debug_abbrev.dwo
.long 0
## Table of Section Sizes:
.long .LTUEnd-.LTUBegin # Size in .debug_types.dwo
.long .LTUAbbrevEnd-.LTUAbbrevBegin # Size in .debug_abbrev.dwo
.long 1

llvm/tools/llvm-dwp/llvm-dwp.cpp

Show First 20 LinesShow All 210 Lines▼ Show 20 Lines
struct UnitIndexEntry { struct UnitIndexEntry {
DWARFUnitIndex::Entry::SectionContribution Contributions[8]; DWARFUnitIndex::Entry::SectionContribution Contributions[8];
std::string Name; std::string Name;
std::string DWOName; std::string DWOName;
StringRef DWPName; StringRef DWPName;
}; };
static bool isSupportedSectionKind(DWARFSectionKind Kind) {
return Kind >= DW_SECT_INFO && Kind <= DW_SECT_MACRO;
jhendersonUnsubmitted
Done
ReplyInline Actions

You've got test cases for Kind < DW_SEC_INFO, but you probably also need cases for Kind > DW_SECT_MACRO.

jhenderson: You've got test cases for `Kind < DW_SEC_INFO`, but you probably also need cases for `Kind >…
}
static StringRef getSubsection(StringRef Section, static StringRef getSubsection(StringRef Section,
const DWARFUnitIndex::Entry &Entry, const DWARFUnitIndex::Entry &Entry,
DWARFSectionKind Kind) { DWARFSectionKind Kind) {
const auto *Off = Entry.getOffset(Kind); const auto *Off = Entry.getOffset(Kind);
if (!Off) if (!Off)
return StringRef(); return StringRef();
return Section.substr(Off->Offset, Off->Length); return Section.substr(Off->Offset, Off->Length);
} }
Show All 9 Lines if (!I)
continue; continue;
auto P = TypeIndexEntries.insert(std::make_pair(E.getSignature(), TUEntry)); auto P = TypeIndexEntries.insert(std::make_pair(E.getSignature(), TUEntry));
if (!P.second) if (!P.second)
continue; continue;
auto &Entry = P.first->second; auto &Entry = P.first->second;
// Zero out the debug_info contribution // Zero out the debug_info contribution
Entry.Contributions[0] = {}; Entry.Contributions[0] = {};
for (auto Kind : TUIndex.getColumnKinds()) { for (auto Kind : TUIndex.getColumnKinds()) {
if (!isSupportedSectionKind(Kind))
continue;
auto &C = Entry.Contributions[Kind - DW_SECT_INFO]; auto &C = Entry.Contributions[Kind - DW_SECT_INFO];
C.Offset += I->Offset; C.Offset += I->Offset;
C.Length = I->Length; C.Length = I->Length;
jhendersonUnsubmitted
Done
ReplyInline Actions

I've not really looked around this code, so this might not make sense, but is it also worth checking that we don't emit data for these sections?

jhenderson: I've not really looked around this code, so this might not make sense, but is it also worth…
ikudrinAuthorUnsubmitted
Done
ReplyInline Actions

llvm-dwp does not emit anything for unknown sections and the patch is not changing that.

ikudrin: `llvm-dwp` does not emit anything for unknown sections and the patch is not changing that.
++I; ++I;
} }
auto &C = Entry.Contributions[DW_SECT_TYPES - DW_SECT_INFO]; auto &C = Entry.Contributions[DW_SECT_TYPES - DW_SECT_INFO];
Out.emitBytes(Types.substr( Out.emitBytes(Types.substr(
C.Offset - TUEntry.Contributions[DW_SECT_TYPES - DW_SECT_INFO].Offset, C.Offset - TUEntry.Contributions[DW_SECT_TYPES - DW_SECT_INFO].Offset,
C.Length)); C.Length));
C.Offset = TypesOffset; C.Offset = TypesOffset;
TypesOffset += C.Length; TypesOffset += C.Length;
▲ Show 20 LinesShow All 358 Lines▼ Show 20 Lines for (const DWARFUnitIndex::Entry &E : CUIndex.getRows()) {
const auto &ID = *EID; const auto &ID = *EID;
if (!P.second) if (!P.second)
return buildDuplicateError(*P.first, ID, Input); return buildDuplicateError(*P.first, ID, Input);
auto &NewEntry = P.first->second; auto &NewEntry = P.first->second;
NewEntry.Name = ID.Name; NewEntry.Name = ID.Name;
NewEntry.DWOName = ID.DWOName; NewEntry.DWOName = ID.DWOName;
NewEntry.DWPName = Input; NewEntry.DWPName = Input;
for (auto Kind : CUIndex.getColumnKinds()) { for (auto Kind : CUIndex.getColumnKinds()) {
if (!isSupportedSectionKind(Kind))
continue;
auto &C = NewEntry.Contributions[Kind - DW_SECT_INFO]; auto &C = NewEntry.Contributions[Kind - DW_SECT_INFO];
C.Offset += I->Offset; C.Offset += I->Offset;
C.Length = I->Length; C.Length = I->Length;
++I; ++I;
} }
} }
if (!CurTypesSection.empty()) { if (!CurTypesSection.empty()) {
▲ Show 20 LinesShow All 133 LinesShow Last 20 Lines