This is an archive of the discontinued LLVM Phabricator instance.

Differential D93760

[obj2yaml] - Dump the content of a broken GNU hash table properly.
ClosedPublic

Authored by grimar on Dec 23 2020, 5:25 AM.

Details

Reviewers
jhenderson
MaskRay
espindola
Commits
rGb8cb1802a8a2: [obj2yaml] - Dump the content of a broken GNU hash table properly.
Summary

When something is wrong with the GNU hash table header we dump
its context as a raw data.

Currently we have the calculation overflow issue and it is possible to
bypass the validation we have (and crash).

The patch fixes it.

Diff Detail

Event Timeline

grimar created this revision.Dec 23 2020, 5:25 AM
Herald added a reviewer: espindola. · View Herald TranscriptDec 23 2020, 5:25 AM
Herald added a subscriber: emaste. · View Herald Transcript
grimar requested review of this revision.Dec 23 2020, 5:25 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 23 2020, 5:25 AM
grimar edited the summary of this revision. (Show Details)Dec 23 2020, 5:26 AM
MaskRay accepted this revision.Dec 23 2020, 11:43 AM

Looks great!

llvm/test/tools/obj2yaml/ELF/gnu-hash-section.yaml
126

NBuckets = 0xFFFFFFFF is incorrect. The result will cause 32-bit unsigned overflows if we keep intermediate expressions uint32_t.

This revision is now accepted and ready to land.Dec 23 2020, 11:43 AM
Closed by commit rGb8cb1802a8a2: [obj2yaml] - Dump the content of a broken GNU hash table properly. (authored by grimar). · Explain WhyDec 24 2020, 12:23 AM
This revision was automatically updated to reflect the committed changes.
grimar marked an inline comment as done.
grimar added a commit: rGb8cb1802a8a2: [obj2yaml] - Dump the content of a broken GNU hash table properly..
grimar mentioned this in D93799: [obj2yaml] - Dump the content of a broken hash table properly..Dec 24 2020, 2:07 AM
grimar mentioned this in rG893c84d71c4a: [obj2yaml] - Dump the content of a broken hash table properly..Dec 25 2020, 1:01 AM

Revision Contents

PathSize
llvm/
test/
tools/
obj2yaml/
ELF/
21 lines
tools/
obj2yaml/
4 lines

Diff 313668

llvm/test/tools/obj2yaml/ELF/gnu-hash-section.yaml

Show First 20 LinesShow All 48 Lines▼ Show 20 Lines
# INVALID-NEXT: SymNdx: 0x0 # INVALID-NEXT: SymNdx: 0x0
# INVALID-NEXT: Shift2: 0x0 # INVALID-NEXT: Shift2: 0x0
# INVALID-NEXT: BloomFilter: [ ] # INVALID-NEXT: BloomFilter: [ ]
# INVALID-NEXT: HashBuckets: [ ] # INVALID-NEXT: HashBuckets: [ ]
# INVALID-NEXT: HashValues: [ ] # INVALID-NEXT: HashValues: [ ]
# INVALID-NEXT: - Name: .gnu.hash.broken.maskwords # INVALID-NEXT: - Name: .gnu.hash.broken.maskwords
# INVALID-NEXT: Type: SHT_GNU_HASH # INVALID-NEXT: Type: SHT_GNU_HASH
# INVALID-NEXT: Content: '00000000000000000100000000000000' # INVALID-NEXT: Content: '00000000000000000100000000000000'
# INVALID-NEXT: - Name: .gnu.hash.broken.nbuckets # INVALID-NEXT: - Name: .gnu.hash.broken.nbuckets.a
# INVALID-NEXT: Type: SHT_GNU_HASH # INVALID-NEXT: Type: SHT_GNU_HASH
# INVALID-NEXT: Content: '01000000000000000000000000000000' # INVALID-NEXT: Content: '01000000000000000000000000000000'
# INVALID-NEXT: - Name: .gnu.hash.broken.nbuckets.b
# INVALID-NEXT: Type: SHT_GNU_HASH
# INVALID-NEXT: Content: FFFFFFFF000000000100000000000000{{$}}
# INVALID-NEXT: - Name: .gnu.hash.hashvalues.ok # INVALID-NEXT: - Name: .gnu.hash.hashvalues.ok
# INVALID-NEXT: Type: SHT_GNU_HASH # INVALID-NEXT: Type: SHT_GNU_HASH
# INVALID-NEXT: Header: # INVALID-NEXT: Header:
# INVALID-NEXT: SymNdx: 0x0 # INVALID-NEXT: SymNdx: 0x0
# INVALID-NEXT: Shift2: 0x0 # INVALID-NEXT: Shift2: 0x0
# INVALID-NEXT: BloomFilter: [ ] # INVALID-NEXT: BloomFilter: [ ]
# INVALID-NEXT: HashBuckets: [ ] # INVALID-NEXT: HashBuckets: [ ]
# INVALID-NEXT: HashValues: [ 0x0 ] # INVALID-NEXT: HashValues: [ 0x0 ]
Show All 35 Lines - Name: .gnu.hash.broken.maskwords
Header: Header:
SymNdx: 0x0 SymNdx: 0x0
Shift2: 0x0 Shift2: 0x0
MaskWords: 0x1 MaskWords: 0x1
NBuckets: 0x0 NBuckets: 0x0
BloomFilter: [] BloomFilter: []
HashBuckets: [] HashBuckets: []
HashValues: [] HashValues: []
## Case 4: NBuckets field is broken, it says that the number of entries ## Case 4(a): NBuckets field is broken, it says that the number of entries
## in the hash buckets is 1, but it is empty. ## in the hash buckets is 1, but it is empty.
- Name: .gnu.hash.broken.nbuckets - Name: .gnu.hash.broken.nbuckets.a
Type: SHT_GNU_HASH Type: SHT_GNU_HASH
Header: Header:
SymNdx: 0x0 SymNdx: 0x0
Shift2: 0x0 Shift2: 0x0
MaskWords: 0x0 MaskWords: 0x0
NBuckets: 0x1 NBuckets: 0x1
BloomFilter: [] BloomFilter: []
HashBuckets: [] HashBuckets: []
HashValues: [] HashValues: []
## Case 4(b): NBuckets = 0xFFFFFFFF is incorrect. The result will cause 32-bit
MaskRayUnsubmitted
Done
ReplyInline Actions

NBuckets = 0xFFFFFFFF is incorrect. The result will cause 32-bit unsigned overflows if we keep intermediate expressions uint32_t.

MaskRay: NBuckets = 0xFFFFFFFF is incorrect. The result will cause 32-bit unsigned overflows if we keep…
## unsigned overflows if we keep intermediate expressions uint32_t.
- Name: .gnu.hash.broken.nbuckets.b
Type: SHT_GNU_HASH
Header:
SymNdx: 0x0
Shift2: 0x0
MaskWords: 0x1
NBuckets: 0xFFFFFFFF
BloomFilter: []
HashBuckets: []
HashValues: []
## Case 5: Check that we use the various properties to dump the data when it ## Case 5: Check that we use the various properties to dump the data when it
## has a size that is a multiple of 4, but fallback to dumping the whole section ## has a size that is a multiple of 4, but fallback to dumping the whole section
## using the "Content" property otherwise. ## using the "Content" property otherwise.
- Name: .gnu.hash.hashvalues.ok - Name: .gnu.hash.hashvalues.ok
Type: SHT_GNU_HASH Type: SHT_GNU_HASH
Content: "0000000000000000000000000000000000000000" Content: "0000000000000000000000000000000000000000"
- Name: .gnu.hash.hashvalues.fail - Name: .gnu.hash.hashvalues.fail
Type: SHT_GNU_HASH Type: SHT_GNU_HASH
Content: "000000000000000000000000000000000000000000" Content: "000000000000000000000000000000000000000000"

llvm/tools/obj2yaml/elf2yaml.cpp

Show First 20 LinesShow All 1,265 Lines▼ Show 20 Lines if (!ContentOrErr)
return ContentOrErr.takeError(); return ContentOrErr.takeError();
unsigned AddrSize = ELFT::Is64Bits ? 8 : 4; unsigned AddrSize = ELFT::Is64Bits ? 8 : 4;
ArrayRef<uint8_t> Content = *ContentOrErr; ArrayRef<uint8_t> Content = *ContentOrErr;
DataExtractor Data(Content, Obj.isLE(), AddrSize); DataExtractor Data(Content, Obj.isLE(), AddrSize);
ELFYAML::GnuHashHeader Header; ELFYAML::GnuHashHeader Header;
DataExtractor::Cursor Cur(0); DataExtractor::Cursor Cur(0);
uint32_t NBuckets = Data.getU32(Cur); uint64_t NBuckets = Data.getU32(Cur);
Header.SymNdx = Data.getU32(Cur); Header.SymNdx = Data.getU32(Cur);
uint32_t MaskWords = Data.getU32(Cur); uint64_t MaskWords = Data.getU32(Cur);
Header.Shift2 = Data.getU32(Cur); Header.Shift2 = Data.getU32(Cur);
// Set just the raw binary content if we were unable to read the header // Set just the raw binary content if we were unable to read the header
// or when the section data is truncated or malformed. // or when the section data is truncated or malformed.
uint64_t Size = Data.getData().size() - Cur.tell(); uint64_t Size = Data.getData().size() - Cur.tell();
if (!Cur || (Size < MaskWords * AddrSize + NBuckets * 4) || if (!Cur || (Size < MaskWords * AddrSize + NBuckets * 4) ||
(Size % 4 != 0)) { (Size % 4 != 0)) {
consumeError(Cur.takeError()); consumeError(Cur.takeError());
▲ Show 20 LinesShow All 294 LinesShow Last 20 Lines