This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/
-
lib/profile/
-
profile/
3/8
InstrProfilingFile.c
-
test/profile/ContinuousSyncMode/
-
profile/
-
ContinuousSyncMode/
-
get-filename.c

Differential D97239

[profile] Fix buffer overrun when parsing %c in filename string
ClosedPublic

Authored by vsk on Feb 22 2021, 4:39 PM.

Download Raw Diff

Details

Reviewers

phosek
MaskRay
ejvaughan
kastiglione

Commits

rGa7d4826101ab: [profile] Fix buffer overrun when parsing %c in filename string

Summary

Fix a buffer overrun that can occur when parsing '%c' at the end of a
filename pattern string.

rdar://74571261

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

vsk requested review of this revision.Feb 22 2021, 4:39 PM

vsk created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptFeb 22 2021, 4:39 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Clean up the test by removing the call to set_dumped.

Harbormaster completed remote builds in B90299: Diff 325610.Feb 22 2021, 5:38 PM

Harbormaster completed remote builds in B90301: Diff 325612.Feb 22 2021, 6:02 PM

MaskRay added inline comments.Feb 22 2021, 11:15 PM

compiler-rt/lib/profile/InstrProfilingFile.c
775–776	Adding `getChar` seems excessive. Does simply dropping `I++` here fix the bug?

vsk added inline comments.Feb 23 2021, 8:32 AM

compiler-rt/lib/profile/InstrProfilingFile.c
775–776	Yes. `getChar` adds a little complexity, but lets us write a test that reliably fails pre-patch. I think that's worth it.

kastiglione added a subscriber: kastiglione.Feb 24 2021, 2:27 PM

kastiglione added inline comments.

compiler-rt/lib/profile/InstrProfilingFile.c
740	It might be nice to have reading a char be consistent across the cases. This first one uses `getChar(…)`, but the others use `FilenamePat[I]`. One option is a function like `bool checkBounds(…)`, then the for loop could have: for (I = 0; checkBounds(I, FilenamePatLen) && FilenamePat[I]; ++I) and then here: ++I; /* Advance to the next character. */ if (!checkBounds(I, FilenamePatLen)) break; if (FilenamePat[I] == 'p') { Another option is to keep `getChar` and save its result to a variable, which each of the cases reuse rather than directly reading from the array. Given that these are case-like, this could be structured as single read by doing `switch (getChar(…))` and then having each read be a `case 'c':` etc.
775–776	So adding `getChar`, but not removing the `I++` causes test failure. And then leaving `getChar` also protects against future changes to the loop body?

Address review feedback. I opted to add the checkBounds helper, as this seemed like the least invasive option. The convention in the rest of this library appears to be to not use stdbool.h, so I decided not to pull it in here.

compiler-rt/lib/profile/InstrProfilingFile.c
775–776	Yes, that's right. The checkBounds helper should serve the same role.

kastiglione accepted this revision.Feb 24 2021, 2:45 PM

This revision is now accepted and ready to land.Feb 24 2021, 2:45 PM

kastiglione added inline comments.Feb 24 2021, 2:46 PM

compiler-rt/lib/profile/InstrProfilingFile.c
707	oh shouldn't these be `Idx < Strlen`?

vsk added inline comments.Feb 24 2021, 2:49 PM

compiler-rt/lib/profile/InstrProfilingFile.c
707	Followed up offline but to recap: no, we dereference the null byte at the end.

This revision was landed with ongoing or failed builds.Feb 24 2021, 2:49 PM

Closed by commit rGa7d4826101ab: [profile] Fix buffer overrun when parsing %c in filename string (authored by vsk). · Explain Why

This revision was automatically updated to reflect the committed changes.

vsk added a commit: rGa7d4826101ab: [profile] Fix buffer overrun when parsing %c in filename string.

shafik added a subscriber: shafik.Feb 24 2021, 3:04 PM

shafik added inline comments.

compiler-rt/lib/profile/InstrProfilingFile.c
776	Obviously not for this PR but it seems unwise we don't actually verify `FilenamePat[I] == 'm'`

Harbormaster completed remote builds in B90689: Diff 326209.Feb 24 2021, 5:09 PM

Revision Contents

Path

Size

compiler-rt/

lib/

profile/

InstrProfilingFile.c

18 lines

test/

profile/

ContinuousSyncMode/

get-filename.c

32 lines

Diff 326212

compiler-rt/lib/profile/InstrProfilingFile.c

/===- InstrProfilingFile.c - Write instrumentation to a file -------------===\		/===- InstrProfilingFile.c - Write instrumentation to a file -------------===\
\|*		\|*
\|* Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		\|* Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
\|* See https://llvm.org/LICENSE.txt for license information.		\|* See https://llvm.org/LICENSE.txt for license information.
\|* SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		\|* SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
\|*		\|*
\===----------------------------------------------------------------------===/		\===----------------------------------------------------------------------===/

#if !defined(__Fuchsia__)		#if !defined(__Fuchsia__)

		#include <assert.h>
#include <errno.h>		#include <errno.h>
#include <stdio.h>		#include <stdio.h>
#include <stdlib.h>		#include <stdlib.h>
#include <string.h>		#include <string.h>
#ifdef _MSC_VER		#ifdef _MSC_VER
/* For _alloca. */		/* For _alloca. */
#include <malloc.h>		#include <malloc.h>
#endif		#endif
▲ Show 20 Lines • Show All 675 Lines • ▼ Show 20 Lines	for (;; ++J) {
Num = Num * 10 + C - '0';		Num = Num * 10 + C - '0';

/* If FilenamePat[*I+J] is between '0' and '9', the next byte is guaranteed		/* If FilenamePat[*I+J] is between '0' and '9', the next byte is guaranteed
* to be in-bound as the string is null terminated. */		* to be in-bound as the string is null terminated. */
}		}
return 0;		return 0;
}		}

		/* Assert that Idx does index past a string null terminator. Return the
		* result of the check. */
		static int checkBounds(int Idx, int Strlen) {
		assert(Idx <= Strlen && "Indexing past string null terminator");
		return Idx <= Strlen;
		kastiglioneUnsubmitted Not Done Reply Inline Actions oh shouldn't these be `Idx < Strlen`? kastiglione: oh shouldn't these be `Idx < Strlen`?
		vskAuthorUnsubmitted Done Reply Inline Actions Followed up offline but to recap: no, we dereference the null byte at the end. vsk: Followed up offline but to recap: no, we dereference the null byte at the end.
		}

/* Parses the pattern string \p FilenamePat and stores the result to		/* Parses the pattern string \p FilenamePat and stores the result to
* lprofcurFilename structure. */		* lprofcurFilename structure. */
static int parseFilenamePattern(const char *FilenamePat,		static int parseFilenamePattern(const char *FilenamePat,
unsigned CopyFilenamePat) {		unsigned CopyFilenamePat) {
int NumPids = 0, NumHosts = 0, I;		int NumPids = 0, NumHosts = 0, I;
char *PidChars = &lprofCurFilename.PidChars[0];		char *PidChars = &lprofCurFilename.PidChars[0];
char *Hostname = &lprofCurFilename.Hostname[0];		char *Hostname = &lprofCurFilename.Hostname[0];
int MergingEnabled = 0;		int MergingEnabled = 0;
		int FilenamePatLen = strlen(FilenamePat);

/* Clean up cached prefix and filename. */		/* Clean up cached prefix and filename. */
if (lprofCurFilename.ProfilePathPrefix)		if (lprofCurFilename.ProfilePathPrefix)
free((void *)lprofCurFilename.ProfilePathPrefix);		free((void *)lprofCurFilename.ProfilePathPrefix);

if (lprofCurFilename.FilenamePat && lprofCurFilename.OwnsFilenamePat) {		if (lprofCurFilename.FilenamePat && lprofCurFilename.OwnsFilenamePat) {
free((void *)lprofCurFilename.FilenamePat);		free((void *)lprofCurFilename.FilenamePat);
}		}

memset(&lprofCurFilename, 0, sizeof(lprofCurFilename));		memset(&lprofCurFilename, 0, sizeof(lprofCurFilename));

if (!CopyFilenamePat)		if (!CopyFilenamePat)
lprofCurFilename.FilenamePat = FilenamePat;		lprofCurFilename.FilenamePat = FilenamePat;
else {		else {
lprofCurFilename.FilenamePat = strdup(FilenamePat);		lprofCurFilename.FilenamePat = strdup(FilenamePat);
lprofCurFilename.OwnsFilenamePat = 1;		lprofCurFilename.OwnsFilenamePat = 1;
}		}
/* Check the filename for "%p", which indicates a pid-substitution. */		/* Check the filename for "%p", which indicates a pid-substitution. */
for (I = 0; FilenamePat[I]; ++I)		for (I = 0; checkBounds(I, FilenamePatLen) && FilenamePat[I]; ++I) {
if (FilenamePat[I] == '%') {		if (FilenamePat[I] == '%') {
if (FilenamePat[++I] == 'p') {		++I; /* Advance to the next character. */
		if (!checkBounds(I, FilenamePatLen))
		kastiglioneUnsubmitted Not Done Reply Inline Actions It might be nice to have reading a char be consistent across the cases. This first one uses `getChar(…)`, but the others use `FilenamePat[I]`. One option is a function like `bool checkBounds(…)`, then the for loop could have: for (I = 0; checkBounds(I, FilenamePatLen) && FilenamePat[I]; ++I) and then here: ++I; /* Advance to the next character. / if (!checkBounds(I, FilenamePatLen)) break; if (FilenamePat[I] == 'p') { Another option is to keep `getChar` and save its result to a variable, which each of the cases reuse rather than directly reading from the array. Given that these are case-like, this could be structured as single read by doing `switch (getChar(…))` and then having each read be a `case 'c':` etc. kastiglione:* It might be nice to have reading a char be consistent across the cases. This first one uses…
		break;
		if (FilenamePat[I] == 'p') {
if (!NumPids++) {		if (!NumPids++) {
if (snprintf(PidChars, MAX_PID_SIZE, "%ld", (long)getpid()) <= 0) {		if (snprintf(PidChars, MAX_PID_SIZE, "%ld", (long)getpid()) <= 0) {
PROF_WARN("Unable to get pid for filename pattern %s. Using the "		PROF_WARN("Unable to get pid for filename pattern %s. Using the "
"default name.",		"default name.",
FilenamePat);		FilenamePat);
return -1;		return -1;
}		}
}		}
Show All 16 Lines	if (FilenamePat[I] == '%') {
} else if (FilenamePat[I] == 'c') {		} else if (FilenamePat[I] == 'c') {
if (__llvm_profile_is_continuous_mode_enabled()) {		if (__llvm_profile_is_continuous_mode_enabled()) {
PROF_WARN("%%c specifier can only be specified once in %s.\n",		PROF_WARN("%%c specifier can only be specified once in %s.\n",
FilenamePat);		FilenamePat);
return -1;		return -1;
}		}

__llvm_profile_set_page_size(getpagesize());		__llvm_profile_set_page_size(getpagesize());
__llvm_profile_enable_continuous_mode();		__llvm_profile_enable_continuous_mode();
I++; /* advance to 'c' */
} else {		} else {
		MaskRayUnsubmitted Not Done Reply Inline Actions Adding `getChar` seems excessive. Does simply dropping `I++` here fix the bug? MaskRay: Adding `getChar` seems excessive. Does simply dropping `I++` here fix the bug?
		vskAuthorUnsubmitted Done Reply Inline Actions Yes. `getChar` adds a little complexity, but lets us write a test that reliably fails pre-patch. I think that's worth it. vsk: Yes. `getChar` adds a little complexity, but lets us write a test that reliably fails pre-patch.
		kastiglioneUnsubmitted Not Done Reply Inline Actions So adding `getChar`, but not removing the `I++` causes test failure. And then leaving `getChar` also protects against future changes to the loop body? kastiglione: So adding `getChar`, but not removing the `I++` causes test failure. And then leaving `getChar`…
		vskAuthorUnsubmitted Done Reply Inline Actions Yes, that's right. The checkBounds helper should serve the same role. vsk: Yes, that's right. The checkBounds helper should serve the same role.
		shafikUnsubmitted Not Done Reply Inline Actions Obviously not for this PR but it seems unwise we don't actually verify `FilenamePat[I] == 'm'` shafik: Obviously not for this PR but it seems unwise we don't actually verify `FilenamePat[I] == 'm'`
unsigned MergePoolSize = getMergePoolSize(FilenamePat, &I);		unsigned MergePoolSize = getMergePoolSize(FilenamePat, &I);
if (!MergePoolSize)		if (!MergePoolSize)
continue;		continue;
if (MergingEnabled) {		if (MergingEnabled) {
PROF_WARN("%%m specifier can only be specified once in %s.\n",		PROF_WARN("%%m specifier can only be specified once in %s.\n",
FilenamePat);		FilenamePat);
return -1;		return -1;
}		}
MergingEnabled = 1;		MergingEnabled = 1;
lprofCurFilename.MergePoolSize = MergePoolSize;		lprofCurFilename.MergePoolSize = MergePoolSize;
}		}
}		}
		}

lprofCurFilename.NumPids = NumPids;		lprofCurFilename.NumPids = NumPids;
lprofCurFilename.NumHosts = NumHosts;		lprofCurFilename.NumHosts = NumHosts;
return 0;		return 0;
}		}

static void parseAndSetFilename(const char *FilenamePat,		static void parseAndSetFilename(const char *FilenamePat,
ProfileNameSpecifier PNS,		ProfileNameSpecifier PNS,
▲ Show 20 Lines • Show All 370 Lines • Show Last 20 Lines

compiler-rt/test/profile/ContinuousSyncMode/get-filename.c

This file was added.

				// REQUIRES: darwin

				// RUN: %clang_pgogen -o %t.exe %s
				// RUN: env LLVM_PROFILE_FILE="%c%t.profraw" %run %t.exe %t.profraw
				// RUN: env LLVM_PROFILE_FILE="%t%c.profraw" %run %t.exe %t.profraw
				// RUN: env LLVM_PROFILE_FILE="%t.profraw%c" %run %t.exe %t.profraw

				#include <string.h>
				#include <stdio.h>

				extern int __llvm_profile_is_continuous_mode_enabled(void);
				extern const char *__llvm_profile_get_filename();
				extern void __llvm_profile_set_dumped(void);

				int main(int argc, char **argv) {
				if (!__llvm_profile_is_continuous_mode_enabled())
				return 1;

				// Check that the filename is "%t.profraw", followed by a null terminator.
				size_t n = strlen(argv[1]) + 1;
				const char *Filename = __llvm_profile_get_filename();

				for (int i = 0; i < n; ++i) {
				if (Filename[i] != argv[1][i]) {
				printf("Difference at: %d, Got: %c, Expected: %c\n", i, Filename[i], argv[1][i]);
				printf("Got: %s\n", Filename);
				printf("Expected: %s\n", argv[1]);
				return 1;
				}
				}
				return 0;
				}