This is an archive of the discontinued LLVM Phabricator instance.

Differential D81103

[llvm-readelf] - Do not read past the end of file when dumping SHT_GNU_HASH.
ClosedPublic

Authored by grimar on Jun 3 2020, 8:26 AM.

Details

Reviewers
jhenderson
MaskRay
espindola
Commits
rG2ad0ef6ef19d: [llvm-readelf] - Do not try to read past the end of the file when dumping the…
Summary

We have unobvious issue in the condition that is used to check
that we do not read past the EOF.

The problem is that the result of "GnuHashTable->nbuckets * 4" expression is uint32.
Because of that it was still possible to overflow it and pass the check.

There was no such problem with the "GnuHashTable->maskwords * sizeof(typename ELFT::Off)"
condition, because of sizeof on the right (which gives 64-bits value on x64),
but I've added an explicit conversion to 64-bit value for GnuHashTable->maskwords too.

Diff Detail

Event Timeline

grimar created this revision.Jun 3 2020, 8:26 AM
Herald added a reviewer: espindola. · View Herald TranscriptJun 3 2020, 8:26 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: rupprecht, emaste. · View Herald Transcript
MaskRay accepted this revision.Jun 3 2020, 12:31 PM

Do not try to read past the end of the file when dumping the the SHT_GNU_HASH.

Do not read past the end of file when dumping SHT_GNU_HASH?

This revision is now accepted and ready to land.Jun 3 2020, 12:31 PM
grimar retitled this revision from [llvm-readelf] - Do not try to read past the end of the file when dumping the the SHT_GNU_HASH. to [llvm-readelf] - Do not read past the end of file when dumping SHT_GNU_HASH..Jun 4 2020, 1:26 AM
In D81103#2072024, @MaskRay wrote:

Do not try to read past the end of the file when dumping the the SHT_GNU_HASH.

Do not read past the end of file when dumping SHT_GNU_HASH?

Thanks!

jhenderson accepted this revision.Jun 4 2020, 1:41 AM

LGTM too.

Closed by commit rG2ad0ef6ef19d: [llvm-readelf] - Do not try to read past the end of the file when dumping the… (authored by grimar). · Explain WhyJun 4 2020, 2:40 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
test/
tools/
llvm-readobj/
ELF/
4 lines
tools/
llvm-readobj/
4 lines

Diff 268399

llvm/test/tools/llvm-readobj/ELF/hash-histogram.test

Show First 20 LinesShow All 265 Lines▼ Show 20 Lines Sections:
- Section: .hash - Section: .hash
- Section: .gnu.hash - Section: .gnu.hash
- Section: .dynamic - Section: .dynamic
## Check we report a proper warning when the GNU hash table goes past the end of the file. ## Check we report a proper warning when the GNU hash table goes past the end of the file.
## Case A: the 'nbuckets' field is set so that the GNU hash table goes past the end of the file. ## Case A: the 'nbuckets' field is set so that the GNU hash table goes past the end of the file.
## The value of 1 for the NBUCKETS is no-op. ## The value of 1 for the NBUCKETS is no-op.
# RUN: yaml2obj --docnum=6 -D MASKWORDS=4294967295 -D NBUCKETS=1 %s -o %t7 # RUN: yaml2obj --docnum=6 -D MASKWORDS=0x80000000 -D NBUCKETS=1 %s -o %t7
# RUN: llvm-readelf --elf-hash-histogram %t7 2>&1 | \ # RUN: llvm-readelf --elf-hash-histogram %t7 2>&1 | \
# RUN: FileCheck %s -DFILE=%t7 --check-prefix=ERR5 --implicit-check-not="Histogram" # RUN: FileCheck %s -DFILE=%t7 --check-prefix=ERR5 --implicit-check-not="Histogram"
# ERR5: warning: '[[FILE]]': unable to dump the SHT_GNU_HASH section at 0x78: it goes past the end of the file # ERR5: warning: '[[FILE]]': unable to dump the SHT_GNU_HASH section at 0x78: it goes past the end of the file
## Case B: the 'maskwords' field is set so that the GNU hash table goes past the end of the file. ## Case B: the 'maskwords' field is set so that the GNU hash table goes past the end of the file.
## The value of 1 for the MASKWORDS is no-op. ## The value of 1 for the MASKWORDS is no-op.
# RUN: yaml2obj --docnum=6 -D MASKWORDS=1 -D NBUCKETS=4294967295 %s -o %t8 # RUN: yaml2obj --docnum=6 -D MASKWORDS=1 -D NBUCKETS=0x80000000 %s -o %t8
# RUN: llvm-readelf --elf-hash-histogram %t8 2>&1 | \ # RUN: llvm-readelf --elf-hash-histogram %t8 2>&1 | \
# RUN: FileCheck %s -DFILE=%t8 --check-prefix=ERR5 --implicit-check-not="Histogram" # RUN: FileCheck %s -DFILE=%t8 --check-prefix=ERR5 --implicit-check-not="Histogram"
--- !ELF --- !ELF
FileHeader: FileHeader:
Class: ELFCLASS64 Class: ELFCLASS64
Data: ELFDATA2LSB Data: ELFDATA2LSB
Type: ET_DYN Type: ET_DYN
Show All 30 Lines

llvm/tools/llvm-readobj/ELFDumper.cpp

Show First 20 LinesShow All 2,675 Lines▼ Show 20 Linesstatic Error checkGNUHashTable(const ELFFile<ELFT> *Obj,
const uint8_t *TableData = reinterpret_cast<const uint8_t *>(GnuHashTable); const uint8_t *TableData = reinterpret_cast<const uint8_t *>(GnuHashTable);
assert(TableData >= Obj->base() && assert(TableData >= Obj->base() &&
TableData < Obj->base() + Obj->getBufSize() && TableData < Obj->base() + Obj->getBufSize() &&
"GnuHashTable must always point to a location inside the file"); "GnuHashTable must always point to a location inside the file");
uint64_t TableOffset = TableData - Obj->base(); uint64_t TableOffset = TableData - Obj->base();
if (IsHeaderValid) if (IsHeaderValid)
*IsHeaderValid = TableOffset + /*Header size:*/ 16 < Obj->getBufSize(); *IsHeaderValid = TableOffset + /*Header size:*/ 16 < Obj->getBufSize();
if (TableOffset + 16 + GnuHashTable->nbuckets * 4 + if (TableOffset + 16 + (uint64_t)GnuHashTable->nbuckets * 4 +
GnuHashTable->maskwords * sizeof(typename ELFT::Off) >= (uint64_t)GnuHashTable->maskwords * sizeof(typename ELFT::Off) >=
Obj->getBufSize()) Obj->getBufSize())
return createError("unable to dump the SHT_GNU_HASH " return createError("unable to dump the SHT_GNU_HASH "
"section at 0x" + "section at 0x" +
Twine::utohexstr(TableOffset) + Twine::utohexstr(TableOffset) +
": it goes past the end of the file"); ": it goes past the end of the file");
return Error::success(); return Error::success();
} }
▲ Show 20 LinesShow All 4,179 LinesShow Last 20 Lines