The code that reports "PT_DYNAMIC segment offset + size exceeds the size of the file"
has an issue: it is possible to bypass the validation by overflowing the size + offset result.
Details
Diff Detail
Event Timeline
Maybe it would be a good idea to split this change in two - one to update the test, and the other to change the behaviour - to ensure we don't accidentally break something in the test and behaviour at the same time. What do you think?
llvm/test/tools/llvm-readobj/ELF/malformed-pt-dynamic.test | ||
---|---|---|
68–69 | Do we actually need to strip the section headers any more? I'm not sure the original issue really applies any more, as it was just to do with yaml2obj's previous limitations. |
Well, OK. It might require more than 2 changes then, I think. Currently we report "PT_DYNAMIC segment offset + size exceeds the size of the file" for two slightly different cases
and it does not provide enough information about the difference. So I'd start from improving this message first. Then partially rewriting the test to a new one, simplified, which will use the new messages.
And then a third patch will change the logic and add the corresponding testing.
llvm/test/tools/llvm-readobj/ELF/malformed-pt-dynamic.test | ||
---|---|---|
68–69 | I'll answer on this later. I am observing a different behavior without stripping headers - llvm-readobj complains about broken PT_DYNAMIC and says it going to use some information from the sections header instead. But I had no chance to investigate it better yet. |
- Rebased and updated after landing patches that were splitted out.
(Now we have here a behavior update and the corresponding test case changes only).
Reverted, because broke UBSan. The test triggers an overflow issue in the different place in the llvm-readobj code.
(http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-bootstrap-ubsan/builds/21386/steps/check-llvm%20ubsan/logs/stdio)
- Updated checks in createDRI to fix issue reported by UBSan.
(I've verified that malformed-pt-dynamic.test now pass with -DLLVM_USE_SANITIZER=Undefined)
This line:
const uint8_t *Addr = Obj->base() + Offset;
I believe pointers are not allowed to overflow.
Do we actually need to strip the section headers any more? I'm not sure the original issue really applies any more, as it was just to do with yaml2obj's previous limitations.