This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/lib/Bitstream/Reader/
-
lib/
-
Bitstream/
-
Reader/
1/1
BitstreamReader.cpp

Differential D86500

Fix a 32-bit overflow issue when reading LTO-generated bitcode files whose strtab are of size > 2^29
ClosedPublic

Authored by stephan.yichao.zhao on Aug 24 2020, 5:47 PM.

Download Raw Diff

Details

Reviewers

void
MaskRay
bkramer

Commits

rG47849870278c: Fix a 32-bit overflow issue when reading LTO-generated bitcode files whose…

Summary

This happens when using -flto and -Wl,--plugin-opt=emit-llvm to create a linked LTO bitcode file, and the bitcode file has a strtab with size > 2^29.

The code path is GetBitcodeFileContents->readBlobInRecord->readRecord

All the changes relate to a pattern like this

size_t x64 = y64 + z32 * C

When z32 is >= (2^32)/C, z32 * C overflows.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

stephan.yichao.zhao created this revision.Aug 24 2020, 5:47 PM

Herald added a project: Restricted Project. · View Herald TranscriptAug 24 2020, 5:47 PM

Herald added subscribers: llvm-commits, dexonsmith, hiraditya, inglorion. · View Herald Transcript

stephan.yichao.zhao requested review of this revision.Aug 24 2020, 5:47 PM

LGTM. This only affects very large bitcode files. I don't know how to create a reasonable small test for this. Worth waiting one day or so before committing to give others some time to respond.

This revision is now accepted and ready to land.Aug 24 2020, 5:53 PM

MaskRay added inline comments.Aug 24 2020, 5:54 PM

llvm/lib/Bitstream/Reader/BitstreamReader.cpp
190–191	`const size_t` while you are updating it

Harbormaster completed remote builds in B69384: Diff 287534.Aug 24 2020, 6:24 PM

addressed comments

stephan.yichao.zhao marked an inline comment as done.Aug 24 2020, 7:14 PM

Harbormaster completed remote builds in B69395: Diff 287548.Aug 24 2020, 7:43 PM

Closed by commit rG47849870278c: Fix a 32-bit overflow issue when reading LTO-generated bitcode files whose… (authored by Jianzhou Zhao <jianzhouzh@google.com>). · Explain WhyAug 25 2020, 10:51 PM

This revision was automatically updated to reflect the committed changes.

Jianzhou Zhao <jianzhouzh@google.com> added a commit: rG47849870278c: Fix a 32-bit overflow issue when reading LTO-generated bitcode files whose….

craig.topper mentioned this in D86957: [Bitstream] Use alignTo to make code more readable. NFC.Sep 1 2020, 9:41 AM

craig.topper mentioned this in rG96ae43bad5b8: [Bitstream] Use alignTo to make code more readable. NFC.Sep 1 2020, 11:07 AM

Revision Contents

Path

Size

llvm/

lib/

Bitstream/

Reader/

BitstreamReader.cpp

11 lines

Diff 287830

llvm/lib/Bitstream/Reader/BitstreamReader.cpp

Show First 20 Lines • Show All 150 Lines • ▼ Show 20 Lines	if (Op.getEncoding() == BitCodeAbbrevOp::Array) {

// Read all the elements.		// Read all the elements.
// Decode the value as we are commanded.		// Decode the value as we are commanded.
switch (EltEnc.getEncoding()) {		switch (EltEnc.getEncoding()) {
default:		default:
report_fatal_error("Array element type can't be an Array or a Blob");		report_fatal_error("Array element type can't be an Array or a Blob");
case BitCodeAbbrevOp::Fixed:		case BitCodeAbbrevOp::Fixed:
assert((unsigned)EltEnc.getEncodingData() <= MaxChunkSize);		assert((unsigned)EltEnc.getEncodingData() <= MaxChunkSize);
if (Error Err = JumpToBit(GetCurrentBitNo() +		if (Error Err =
NumElts * EltEnc.getEncodingData()))		JumpToBit(GetCurrentBitNo() + static_cast<uint64_t>(NumElts) *
		EltEnc.getEncodingData()))
return std::move(Err);		return std::move(Err);
break;		break;
case BitCodeAbbrevOp::VBR:		case BitCodeAbbrevOp::VBR:
assert((unsigned)EltEnc.getEncodingData() <= MaxChunkSize);		assert((unsigned)EltEnc.getEncodingData() <= MaxChunkSize);
for (; NumElts; --NumElts)		for (; NumElts; --NumElts)
if (Expected<uint64_t> Res =		if (Expected<uint64_t> Res =
ReadVBR64((unsigned)EltEnc.getEncodingData()))		ReadVBR64((unsigned)EltEnc.getEncodingData()))
; // Skip!		; // Skip!
Show All 12 Lines	for (unsigned i = 1, e = Abbv->getNumOperandInfos(); i < e; ++i) {
// Blob case. Read the number of bytes as a vbr6.		// Blob case. Read the number of bytes as a vbr6.
Expected<uint32_t> MaybeNum = ReadVBR(6);		Expected<uint32_t> MaybeNum = ReadVBR(6);
if (!MaybeNum)		if (!MaybeNum)
return MaybeNum.takeError();		return MaybeNum.takeError();
unsigned NumElts = MaybeNum.get();		unsigned NumElts = MaybeNum.get();
SkipToFourByteBoundary(); // 32-bit alignment		SkipToFourByteBoundary(); // 32-bit alignment

// Figure out where the end of this blob will be including tail padding.		// Figure out where the end of this blob will be including tail padding.
size_t NewEnd = GetCurrentBitNo()+((NumElts+3)&~3)*8;		const size_t NewEnd =
		GetCurrentBitNo() + ((static_cast<uint64_t>(NumElts) + 3) & ~3) * 8;
		MaskRayUnsubmitted Done Reply Inline Actions `const size_t` while you are updating it MaskRay: `const size_t` while you are updating it

// If this would read off the end of the bitcode file, just set the		// If this would read off the end of the bitcode file, just set the
// record to empty and return.		// record to empty and return.
if (!canSkipToPos(NewEnd/8)) {		if (!canSkipToPos(NewEnd/8)) {
skipToEnd();		skipToEnd();
break;		break;
}		}

▲ Show 20 Lines • Show All 111 Lines • ▼ Show 20 Lines	for (unsigned i = 1, e = Abbv->getNumOperandInfos(); i != e; ++i) {
Expected<uint32_t> MaybeNumElts = ReadVBR(6);		Expected<uint32_t> MaybeNumElts = ReadVBR(6);
if (!MaybeNumElts)		if (!MaybeNumElts)
return MaybeNumElts.takeError();		return MaybeNumElts.takeError();
uint32_t NumElts = MaybeNumElts.get();		uint32_t NumElts = MaybeNumElts.get();
SkipToFourByteBoundary(); // 32-bit alignment		SkipToFourByteBoundary(); // 32-bit alignment

// Figure out where the end of this blob will be including tail padding.		// Figure out where the end of this blob will be including tail padding.
size_t CurBitPos = GetCurrentBitNo();		size_t CurBitPos = GetCurrentBitNo();
size_t NewEnd = CurBitPos+((NumElts+3)&~3)*8;		const size_t NewEnd =
		CurBitPos + ((static_cast<uint64_t>(NumElts) + 3) & ~3) * 8;

// If this would read off the end of the bitcode file, just set the		// If this would read off the end of the bitcode file, just set the
// record to empty and return.		// record to empty and return.
if (!canSkipToPos(NewEnd/8)) {		if (!canSkipToPos(NewEnd/8)) {
Vals.append(NumElts, 0);		Vals.append(NumElts, 0);
skipToEnd();		skipToEnd();
break;		break;
}		}
▲ Show 20 Lines • Show All 151 Lines • Show Last 20 Lines