<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Buffer overflow for PPC tabortdc"
href="https://bugs.llvm.org/show_bug.cgi?id=41751">41751</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Buffer overflow for PPC tabortdc
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Backend: PowerPC
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>p.antoine@catenacyber.fr
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org, nemanja.i.ibm@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Found by oss-fuzz for the capstone project:
<a href="https://github.com/aquynh/capstone/pull/1470">https://github.com/aquynh/capstone/pull/1470</a>
Tested versions with the bug are trunk commit
e181a08aa98e9c57cd322904fd6c51c84d178690, 8.0 and 7.1.
To reproduce, you can run
echo "0x7d 0x20 0x06 0x5d" | llvm-mc --disassemble -triple=ppc64
The input "7d 20 06 5d" is "tabortdc. 9, r0, r0" on onlinedisassembler.com.
The buffer overflow happens on the CRRegs access: the array has only 8 elements,
but the index is read as 5 bits from the instruction (so it can go up to 31 and
thus overflow).
Stack dump:
0. Program arguments: ./bin/llvm-mc --disassemble -triple=ppc64
0 llvm-mc 0x000000010e45bb2c
llvm::sys::PrintStackTrace(llvm::raw_ostream&) + 60
1 llvm-mc 0x000000010e45c0f9
PrintStackTraceSignalHandler(void*) + 25
2 llvm-mc 0x000000010e4591ce llvm::sys::RunSignalHandlers() +
990
3 llvm-mc 0x000000010e45fa79 SignalHandler(int) + 505
4 libsystem_platform.dylib 0x00007fff51b99f5a _sigtramp + 26
5 libsystem_platform.dylib 0x000000000000000d _sigtramp + 2923847885
6 libsystem_c.dylib 0x00007fff519371ae abort + 127
7 libsystem_c.dylib 0x00007fff518ff1ac basename_r + 0
8 llvm-mc 0x000000010e13ab61
llvm::MCDisassembler::DecodeStatus decodeRegisterClass<8ul>(llvm::MCInst&,
unsigned long long, unsigned short const (&) [8ul]) + 97
9 llvm-mc 0x000000010e139d4f
DecodeCRRC0RegisterClass(llvm::MCInst&, unsigned long long, unsigned long long,
void const*) + 47
10 llvm-mc 0x000000010e131b63
llvm::MCDisassembler::DecodeStatus llvm::decodeToMCInst<unsigned
int>(llvm::MCDisassembler::DecodeStatus, unsigned int, unsigned int,
llvm::MCInst&, unsigned long long, void const*, bool&) + 14915
11 llvm-mc 0x000000010e12d927
llvm::MCDisassembler::DecodeStatus llvm::decodeInstruction<unsigned
int>(unsigned char const*, llvm::MCInst&, unsigned int, unsigned long long,
void const*, llvm::MCSubtargetInfo const&) + 2071
12 llvm-mc 0x000000010e12d0b8 (anonymous
namespace)::PPCDisassembler::getInstruction(llvm::MCInst&, unsigned long long&,
llvm::ArrayRef<unsigned char>, unsigned long long, llvm::raw_ostream&,
llvm::raw_ostream&) const + 1048
13 llvm-mc 0x000000010d8a1076 PrintInsts(llvm::MCDisassembler
const&, std::__1::pair<std::__1::vector<unsigned char,
std::__1::allocator<unsigned char> >, std::__1::vector<char const*,
std::__1::allocator<char const*> > > const&, llvm::SourceMgr&,
llvm::raw_ostream&, llvm::MCStreamer&, bool, llvm::MCSubtargetInfo const&) +
342
14 llvm-mc 0x000000010d89fbe8
llvm::Disassembler::disassemble(llvm::Target const&,
std::__1::basic_string<char, std::__1::char_traits<char>,
std::__1::allocator<char> > const&, llvm::MCSubtargetInfo&, llvm::MCStreamer&,
llvm::MemoryBuffer&, llvm::SourceMgr&, llvm::raw_ostream&) + 4040
15 llvm-mc 0x000000010d882133 main + 17107
16 libdyld.dylib 0x00007fff5188b015 start + 1
Abort trap: 6</pre>
</div>
</p>
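<p>The decode pattern the report describes, as an added stand-alone C illustration that is not LLVM's code: a 5-bit register field is pulled out of the big-endian instruction word and used to index an 8-entry table. The trace above ends in decodeRegisterClass&lt;8ul&gt; with an abort, so in LLVM the bad index trips an internal check before memory is actually read; the unchecked function below shows the shape of the out-of-bounds access, and the checked one shows the fix a decoder should apply (treat an index &gt;= table size as a decode failure). The table contents, the function names and the bit-field helpers are assumptions made for the example; the bytes 7d 20 06 5d are the report's own input, in which bits 6..10 hold the value 9.</p>

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the 8-entry CRRegs table named in the report;
   the values are dummy register IDs, not LLVM's. */
#define NUM_CR_REGS 8
static const uint16_t CRRegs[NUM_CR_REGS] = {
    100, 101, 102, 103, 104, 105, 106, 107
};

enum DecodeStatus { DECODE_FAIL = 0, DECODE_SUCCESS = 1 };

/* The report's input and a constructed in-range variant (bits 6..10 = 3). */
static const uint8_t kCrashInput[4] = { 0x7d, 0x20, 0x06, 0x5d };
static const uint8_t kOkInput[4]    = { 0x7c, 0x60, 0x06, 0x5d };

/* Assemble the big-endian 32-bit instruction word from the four bytes
   that were piped into llvm-mc --disassemble. */
uint32_t ppc_word(const uint8_t b[4]) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Extract bits first..last of the word in IBM numbering (bit 0 = MSB). */
uint32_t ppc_field(uint32_t insn, unsigned first, unsigned last) {
    unsigned width = last - first + 1;
    return (insn >> (31 - last)) & ((1u << width) - 1);
}

/* The unchecked pattern: a 5-bit field ranges 0..31 but the table has 8
   entries, so regno >= 8 reads past the array. Never call it that way. */
uint16_t decode_cr_reg_unchecked(uint32_t regno) {
    return CRRegs[regno];
}

/* Hardened lookup: an out-of-range index is a decode failure, not a read. */
enum DecodeStatus decode_cr_reg(uint32_t regno, uint16_t *out) {
    if (regno >= NUM_CR_REGS)
        return DECODE_FAIL;
    *out = CRRegs[regno];
    return DECODE_SUCCESS;
}

/* Decode the register operand held in bits 6..10 of an X-form word
   (the field that is 9 in the report's input) with the checked lookup. */
enum DecodeStatus decode_cr_from_bytes(const uint8_t b[4], uint16_t *out) {
    uint32_t w = ppc_word(b);
    return decode_cr_reg(ppc_field(w, 6, 10), out);
}

/* Convenience wrapper: the decoded register ID, or -1 if decoding fails. */
int cr_reg_or_neg(const uint8_t b[4]) {
    uint16_t reg;
    if (decode_cr_from_bytes(b, &reg) != DECODE_SUCCESS)
        return -1;
    return (int)reg;
}

int main(void) {
    uint32_t w = ppc_word(kCrashInput);
    printf("primary opcode %u, bits 6..10 = %u, extended opcode %u\n",
           ppc_field(w, 0, 5), ppc_field(w, 6, 10), ppc_field(w, 21, 30));
    printf("report input : %s\n",
           cr_reg_or_neg(kCrashInput) < 0 ? "rejected (index >= 8)" : "decoded");
    printf("in-range input: reg %d\n", cr_reg_or_neg(kOkInput));
    return 0;
}
```

<p>For fuzz-found decoder bugs like this one, the check belongs in the shared table-lookup helper rather than in each generated decoder, so every register class with fewer than 32 entries is covered at once; rejecting the instruction also matches what a disassembler should do with an encoding that names a register the class does not have.</p>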
</body>
</html>