This is an archive of the discontinued LLVM Phabricator instance.

Differential D79853

[llvm-readobj] - --gnu-hash-table: do not crash when the GNU hash table goes past the EOF.
ClosedPublic

Authored by grimar on May 13 2020, 5:15 AM.

Details

Reviewers
jhenderson
MaskRay
espindola
Commits
rG56970ec6a0be: [llvm-readobj] - --gnu-hash-table: do not crash when the GNU hash table goes…
Summary

We might have a scenario where a the GbuHashTable variable correctly points
to a place inside the file (we validate this fact early in parseDynamicTable),
but nbuckets/maskwords fields are broken in the way the code tries
to read the data past the EOF. This patch fixes the issue.

Diff Detail

Event Timeline

grimar created this revision.May 13 2020, 5:15 AM
Herald added a reviewer: espindola. · View Herald TranscriptMay 13 2020, 5:15 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: rupprecht, emaste. · View Herald Transcript
MaskRay accepted this revision.May 13 2020, 9:28 AM

LGTM.

llvm/tools/llvm-readobj/ELFDumper.cpp
2681

IIRC this is guaranteed by ELFFile<ELFT>::toMappedAddr

This revision is now accepted and ready to land.May 13 2020, 9:28 AM
jhenderson accepted this revision.May 14 2020, 12:07 AM

LGTM, with one suggestion.

llvm/test/tools/llvm-readobj/ELF/gnuhash.test
323–324

I'd probably put these lines with their respective cases, since they're only used once.

grimar marked 2 inline comments as done.May 15 2020, 1:34 AM
grimar added inline comments.
llvm/tools/llvm-readobj/ELFDumper.cpp
2681

Yes.

Closed by commit rG56970ec6a0be: [llvm-readobj] - --gnu-hash-table: do not crash when the GNU hash table goes… (authored by grimar). · Explain WhyMay 15 2020, 2:19 AM
This revision was automatically updated to reflect the committed changes.
grimar marked an inline comment as done.

Revision Contents

PathSize
llvm/
test/
tools/
llvm-readobj/
ELF/
30 lines
tools/
llvm-readobj/
24 lines
2 lines
2 lines

Diff 264189

llvm/test/tools/llvm-readobj/ELF/gnuhash.test

## Check how the GNU Hash section is dumped with --gnu-hash-table. ## Check how the GNU Hash section is dumped with --gnu-hash-table.
# RUN: yaml2obj --docnum=1 %s -o %t.x64 # RUN: yaml2obj --docnum=1 -D MASKWORDS=2 -D NBUCKETS=3 %s -o %t.x64
# RUN: yaml2obj --docnum=2 %s -o %t.x32 # RUN: yaml2obj --docnum=2 %s -o %t.x32
# RUN: llvm-readobj --gnu-hash-table %t.x64 | FileCheck %s # RUN: llvm-readobj --gnu-hash-table %t.x64 | FileCheck %s
# RUN: llvm-readelf --gnu-hash-table %t.x64 | FileCheck %s # RUN: llvm-readelf --gnu-hash-table %t.x64 | FileCheck %s
# RUN: llvm-readobj --gnu-hash-table %t.x32 | FileCheck %s # RUN: llvm-readobj --gnu-hash-table %t.x32 | FileCheck %s
# RUN: llvm-readelf --gnu-hash-table %t.x32 | FileCheck %s # RUN: llvm-readelf --gnu-hash-table %t.x32 | FileCheck %s
Show All 15 LinesFileHeader:
Machine: EM_X86_64 Machine: EM_X86_64
Sections: Sections:
- Name: .gnu.hash - Name: .gnu.hash
Type: SHT_GNU_HASH Type: SHT_GNU_HASH
Flags: [ SHF_ALLOC ] Flags: [ SHF_ALLOC ]
Header: Header:
SymNdx: 0x1 SymNdx: 0x1
Shift2: 0x2 Shift2: 0x2
## The number of words in the Bloom filter. The value of 2 is no-op.
MaskWords: [[MASKWORDS]]
## The number of hash buckets. The value of 3 is no-op.
NBuckets: [[NBUCKETS]]
BloomFilter: [0x3, 0x4] BloomFilter: [0x3, 0x4]
HashBuckets: [0x5, 0x6, 0x7] HashBuckets: [0x5, 0x6, 0x7]
HashValues: [0x8, 0x9, 0xA, 0xB] HashValues: [0x8, 0x9, 0xA, 0xB]
- Name: .dynamic - Name: .dynamic
Type: SHT_DYNAMIC Type: SHT_DYNAMIC
Flags: [ SHF_ALLOC ] Flags: [ SHF_ALLOC ]
Link: .dynstr Link: .dynstr
Entries: Entries:
▲ Show 20 LinesShow All 266 Lines▼ Show 20 Lines Entries:
Value: 0x0 Value: 0x0
DynamicSymbols: [] DynamicSymbols: []
ProgramHeaders: ProgramHeaders:
- Type: PT_LOAD - Type: PT_LOAD
Flags: [ PF_R, PF_X ] Flags: [ PF_R, PF_X ]
Sections: Sections:
- Section: .gnu.hash - Section: .gnu.hash
- Section: .dynamic - Section: .dynamic
## Check we report a proper warning when a hash table goes past the end of the file.
## Case A: the 'nbuckets' field is set so that the table goes past the end of the file.
jhendersonUnsubmitted
Not Done
ReplyInline Actions

I'd probably put these lines with their respective cases, since they're only used once.

jhenderson: I'd probably put these lines with their respective cases, since they're only used once.
# RUN: yaml2obj --docnum=1 -D MASKWORDS=4294967295 -D NBUCKETS=3 %s -o %t.err.maskwords
# RUN: llvm-readobj --gnu-hash-table %t.err.maskwords 2>&1 | \
# RUN: FileCheck %s -DFILE=%t.err.maskwords -DMASKWORDS=4294967295 -DNBUCKETS=3 --check-prefix=ERR
# RUN: llvm-readelf --gnu-hash-table %t.err.maskwords 2>&1 | \
# RUN: FileCheck %s -DFILE=%t.err.maskwords -DMASKWORDS=4294967295 -DNBUCKETS=3 --check-prefix=ERR
## Case B: the 'maskwords' field is set so that the table goes past the end of the file.
# RUN: yaml2obj --docnum=1 -D MASKWORDS=2 -D NBUCKETS=4294967295 %s -o %t.err.nbuckets
# RUN: llvm-readobj --gnu-hash-table %t.err.nbuckets 2>&1 | \
# RUN: FileCheck %s -DFILE=%t.err.nbuckets -DMASKWORDS=2 -DNBUCKETS=4294967295 --check-prefix=ERR
# RUN: llvm-readelf --gnu-hash-table %t.err.nbuckets 2>&1 | \
# RUN: FileCheck %s -DFILE=%t.err.nbuckets -DMASKWORDS=2 -DNBUCKETS=4294967295 --check-prefix=ERR
# ERR: GnuHashTable {
# ERR-NEXT: Num Buckets: [[NBUCKETS]]
# ERR-NEXT: First Hashed Symbol Index: 1
# ERR-NEXT: Num Mask Words: [[MASKWORDS]]
# ERR-NEXT: Shift Count: 2
# ERR-NEXT: warning: '[[FILE]]': unable to dump the SHT_GNU_HASH section at 0x78: it goes past the end of the file
# ERR-NEXT: }

llvm/tools/llvm-readobj/ELFDumper.cpp

Show First 20 LinesShow All 215 Lines▼ Show 20 Linespublic:
void printHashSymbols() override; void printHashSymbols() override;
void printUnwindInfo() override; void printUnwindInfo() override;
void printDynamicTable() override; void printDynamicTable() override;
void printNeededLibraries() override; void printNeededLibraries() override;
void printProgramHeaders(bool PrintProgramHeaders, void printProgramHeaders(bool PrintProgramHeaders,
cl::boolOrDefault PrintSectionMapping) override; cl::boolOrDefault PrintSectionMapping) override;
void printHashTable() override; void printHashTable() override;
void printGnuHashTable() override; void printGnuHashTable(const object::ObjectFile *Obj) override;
void printLoadName() override; void printLoadName() override;
void printVersionInfo() override; void printVersionInfo() override;
void printGroupSections() override; void printGroupSections() override;
void printArchSpecificInfo() override; void printArchSpecificInfo() override;
void printStackMap() const override; void printStackMap() const override;
▲ Show 20 LinesShow All 2,428 Lines▼ Show 20 Lines if (!HashTable ||
!checkHashTable(ObjF->getELFFile(), HashTable, ObjF->getFileName())) !checkHashTable(ObjF->getELFFile(), HashTable, ObjF->getFileName()))
return; return;
W.printNumber("Num Buckets", HashTable->nbucket); W.printNumber("Num Buckets", HashTable->nbucket);
W.printNumber("Num Chains", HashTable->nchain); W.printNumber("Num Chains", HashTable->nchain);
W.printList("Buckets", HashTable->buckets()); W.printList("Buckets", HashTable->buckets());
W.printList("Chains", HashTable->chains()); W.printList("Chains", HashTable->chains());
} }
template <typename ELFT> void ELFDumper<ELFT>::printGnuHashTable() { template <typename ELFT>
void ELFDumper<ELFT>::printGnuHashTable(const object::ObjectFile *Obj) {
DictScope D(W, "GnuHashTable"); DictScope D(W, "GnuHashTable");
if (!GnuHashTable) if (!GnuHashTable)
return; return;
W.printNumber("Num Buckets", GnuHashTable->nbuckets); W.printNumber("Num Buckets", GnuHashTable->nbuckets);
W.printNumber("First Hashed Symbol Index", GnuHashTable->symndx); W.printNumber("First Hashed Symbol Index", GnuHashTable->symndx);
W.printNumber("Num Mask Words", GnuHashTable->maskwords); W.printNumber("Num Mask Words", GnuHashTable->maskwords);
W.printNumber("Shift Count", GnuHashTable->shift2); W.printNumber("Shift Count", GnuHashTable->shift2);
MemoryBufferRef File = Obj->getMemoryBufferRef();
const char *TableData = reinterpret_cast<const char *>(GnuHashTable);
assert(TableData >= File.getBufferStart() &&
MaskRayUnsubmitted
Done
ReplyInline Actions

IIRC this is guaranteed by ELFFile<ELFT>::toMappedAddr

MaskRay: IIRC this is guaranteed by `ELFFile<ELFT>::toMappedAddr`
grimarAuthorUnsubmitted
Done
ReplyInline Actions

Yes.

grimar: Yes.
TableData < File.getBufferEnd() &&
"GnuHashTable must always point to a location inside the file");
uint64_t TableOffset = TableData - File.getBufferStart();
if (TableOffset +
/*Header size:*/ 16 + GnuHashTable->nbuckets * 4 +
GnuHashTable->maskwords * sizeof(typename ELFT::Off) >=
File.getBufferSize()) {
reportWarning(createError("unable to dump the SHT_GNU_HASH "
"section at 0x" +
Twine::utohexstr(TableOffset) +
": it goes past the end of the file"),
ObjF->getFileName());
return;
}
ArrayRef<typename ELFT::Off> BloomFilter = GnuHashTable->filter(); ArrayRef<typename ELFT::Off> BloomFilter = GnuHashTable->filter();
W.printHexList("Bloom Filter", BloomFilter); W.printHexList("Bloom Filter", BloomFilter);
ArrayRef<Elf_Word> Buckets = GnuHashTable->buckets(); ArrayRef<Elf_Word> Buckets = GnuHashTable->buckets();
W.printList("Buckets", Buckets); W.printList("Buckets", Buckets);
if (!DynSymRegion) { if (!DynSymRegion) {
reportWarning(createError("unable to dump 'Values' for the SHT_GNU_HASH " reportWarning(createError("unable to dump 'Values' for the SHT_GNU_HASH "
▲ Show 20 LinesShow All 4,064 LinesShow Last 20 Lines

llvm/tools/llvm-readobj/ObjDumper.h

Show First 20 LinesShow All 53 Lines▼ Show 20 Linespublic:
// Only implemented for ELF at this time. // Only implemented for ELF at this time.
virtual void printDependentLibs() {} virtual void printDependentLibs() {}
virtual void printDynamicRelocations() { } virtual void printDynamicRelocations() { }
virtual void printDynamicTable() { } virtual void printDynamicTable() { }
virtual void printNeededLibraries() { } virtual void printNeededLibraries() { }
virtual void printSectionAsHex(StringRef SectionName) {} virtual void printSectionAsHex(StringRef SectionName) {}
virtual void printHashTable() { } virtual void printHashTable() { }
virtual void printGnuHashTable() { } virtual void printGnuHashTable(const object::ObjectFile *Obj) {}
virtual void printHashSymbols() {} virtual void printHashSymbols() {}
virtual void printLoadName() {} virtual void printLoadName() {}
virtual void printVersionInfo() {} virtual void printVersionInfo() {}
virtual void printGroupSections() {} virtual void printGroupSections() {}
virtual void printHashHistogram() {} virtual void printHashHistogram() {}
virtual void printCGProfile() {} virtual void printCGProfile() {}
virtual void printAddrsig() {} virtual void printAddrsig() {}
virtual void printNotes() {} virtual void printNotes() {}
▲ Show 20 LinesShow All 75 LinesShow Last 20 Lines

llvm/tools/llvm-readobj/llvm-readobj.cpp

Show First 20 LinesShow All 483 Lines▼ Show 20 Lines if (opts::Symbols || opts::DynamicSymbols)
Dumper->printSymbols(opts::Symbols, opts::DynamicSymbols); Dumper->printSymbols(opts::Symbols, opts::DynamicSymbols);
if (!opts::StringDump.empty()) if (!opts::StringDump.empty())
Dumper->printSectionsAsString(Obj, opts::StringDump); Dumper->printSectionsAsString(Obj, opts::StringDump);
if (!opts::HexDump.empty()) if (!opts::HexDump.empty())
Dumper->printSectionsAsHex(Obj, opts::HexDump); Dumper->printSectionsAsHex(Obj, opts::HexDump);
if (opts::HashTable) if (opts::HashTable)
Dumper->printHashTable(); Dumper->printHashTable();
if (opts::GnuHashTable) if (opts::GnuHashTable)
Dumper->printGnuHashTable(); Dumper->printGnuHashTable(Obj);
if (opts::VersionInfo) if (opts::VersionInfo)
Dumper->printVersionInfo(); Dumper->printVersionInfo();
if (Obj->isELF()) { if (Obj->isELF()) {
if (opts::DependentLibraries) if (opts::DependentLibraries)
Dumper->printDependentLibs(); Dumper->printDependentLibs();
if (opts::ELFLinkerOptions) if (opts::ELFLinkerOptions)
Dumper->printELFLinkerOptions(); Dumper->printELFLinkerOptions();
if (opts::ArchSpecificInfo) if (opts::ArchSpecificInfo)
▲ Show 20 LinesShow All 230 LinesShow Last 20 Lines