This is an archive of the discontinued LLVM Phabricator instance.

Differential D7733

[lld] Fix heap-buffer-overflow bugs identified by the Address Sanitizer
ClosedPublic

Authored by garious on Feb 18 2015, 12:35 PM.

Details

Reviewers
t.p.northover
nicholas
rafael
Commits
rGcdaea4db2696: Fix heap-buffer-overflow bugs identified by the Address Sanitizer
rLLD229912: Fix heap-buffer-overflow bugs identified by the Address Sanitizer
rL229912: Fix heap-buffer-overflow bugs identified by the Address Sanitizer
Summary

MachO backend is reading memory when the atom content is empty. This patch adds guards to ensure the content exists before reading it.

Diff Detail

Repository
rL LLVM

Event Timeline

garious updated this revision to Diff 20212.Feb 18 2015, 12:35 PM
garious retitled this revision from to [lld] Fix heap-buffer-overflow bugs identified by the Address Sanitizer.
garious updated this object.
garious edited the test plan for this revision. (Show Details)
garious added reviewers: t.p.northover, nicholas.
garious set the repository for this revision to rL LLVM.
garious added a project: lld.
garious added a subscriber: Unknown Object (MLST).
rafael added a subscriber: rafael.Feb 18 2015, 3:04 PM

It needs a testcase.

lib/ReaderWriter/MachO/ArchHandler.cpp
145 ↗(On Diff #20212)

You don't need the '{'

lib/ReaderWriter/MachO/CompactUnwindPass.cpp
414 ↗(On Diff #20212)

Use an early return maybe?

rafael added a comment.Feb 18 2015, 3:05 PM

I just saw the comment about an existing test failing with asan. No need to add another one.

garious updated this revision to Diff 20227.Feb 18 2015, 3:26 PM

Cleanup, per Rafael's feedback.

kcc added a subscriber: kcc.Feb 18 2015, 5:41 PM
In D7733#125922, @rafael wrote:

I just saw the comment about an existing test failing with asan. No need to add another one.

Are we running that test on the bot(s)?

garious added a comment.Feb 18 2015, 6:33 PM

To my knowledge, there isn't an ASan bot for LLD.

rafael accepted this revision.Feb 19 2015, 7:30 AM
rafael added a reviewer: rafael.

Simple enough.

This revision is now accepted and ready to land.Feb 19 2015, 7:30 AM
kcc added a comment.Feb 19 2015, 11:17 AM
In D7733#126132, @garious wrote:

To my knowledge, there isn't an ASan bot for LLD.

Would you like to add lld testing to http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fast/?
If yes, change zorg/buildbot/builders/sanitizers/buildbot_fast.sh and send review to Sergey Matveev <earthdok@google.com>

Closed by commit rL229912: Fix heap-buffer-overflow bugs identified by the Address Sanitizer (authored by garious). · Explain WhyFeb 19 2015, 12:44 PM
This revision was automatically updated to reflect the committed changes.
garious added a comment.Feb 19 2015, 12:55 PM

@kcc, I'll see what I can do. Let's continue this discussion on llvmdev. LLD is now free of ASan errors, but I haven't yet had a chance to evaluate MSan. By the looks of those scripts, I should probably fix up any MSan-reported bugs before lighting up that bot.

Revision Contents

PathSize
lld/
trunk/
lib/
ReaderWriter/
MachO/
2 lines
3 lines

Diff 20332

lld/trunk/lib/ReaderWriter/MachO/ArchHandler.cpp

Show First 20 LinesShow All 136 Lines▼ Show 20 Lines
} }
int64_t ArchHandler::readS64(const uint8_t *addr, bool isBig) { int64_t ArchHandler::readS64(const uint8_t *addr, bool isBig) {
return read64(addr, isBig); return read64(addr, isBig);
} }
bool ArchHandler::isDwarfCIE(bool isBig, const DefinedAtom *atom) { bool ArchHandler::isDwarfCIE(bool isBig, const DefinedAtom *atom) {
assert(atom->contentType() == DefinedAtom::typeCFI); assert(atom->contentType() == DefinedAtom::typeCFI);
if (atom->rawContent().size() < sizeof(uint32_t))
return false;
uint32_t size = read32(atom->rawContent().data(), isBig); uint32_t size = read32(atom->rawContent().data(), isBig);
uint32_t idOffset = sizeof(uint32_t); uint32_t idOffset = sizeof(uint32_t);
if (size == 0xffffffffU) if (size == 0xffffffffU)
idOffset += sizeof(uint64_t); idOffset += sizeof(uint64_t);
return read32(atom->rawContent().data() + idOffset, isBig) == 0; return read32(atom->rawContent().data() + idOffset, isBig) == 0;
} }
Show All 18 Lines

lld/trunk/lib/ReaderWriter/MachO/CompactUnwindPass.cpp

Show First 20 LinesShow All 405 Lines▼ Show 20 Lines for (const Reference *ref : *atom) {
break; break;
case 0x18: case 0x18:
assert(ref->addend() == 0 && "unexpected offset into LSDA atom"); assert(ref->addend() == 0 && "unexpected offset into LSDA atom");
entry.lsdaLocation = ref->target(); entry.lsdaLocation = ref->target();
break; break;
} }
} }
if (atom->rawContent().size() < 4 * sizeof(uint32_t))
return entry;
using normalized::read32; using normalized::read32;
entry.rangeLength = entry.rangeLength =
read32(atom->rawContent().data() + 2 * sizeof(uint32_t), _isBig); read32(atom->rawContent().data() + 2 * sizeof(uint32_t), _isBig);
entry.encoding = entry.encoding =
read32(atom->rawContent().data() + 3 * sizeof(uint32_t), _isBig); read32(atom->rawContent().data() + 3 * sizeof(uint32_t), _isBig);
return entry; return entry;
} }
▲ Show 20 LinesShow All 107 LinesShow Last 20 Lines