[llvm] 2ad0ef6 - [llvm-readelf] - Do not try to read past the end of the file when dumping the the SHT_GNU_HASH.

Georgii Rymar via llvm-commits llvm-commits at lists.llvm.org
Thu Jun 4 02:17:18 PDT 2020 

Author: Georgii Rymar
Date: 2020-06-04T12:00:44+03:00
New Revision: 2ad0ef6ef19dd1678e05b6d219ea0fdd4853bb64

URL: https://github.com/llvm/llvm-project/commit/2ad0ef6ef19dd1678e05b6d219ea0fdd4853bb64
DIFF: https://github.com/llvm/llvm-project/commit/2ad0ef6ef19dd1678e05b6d219ea0fdd4853bb64.diff

LOG: [llvm-readelf] - Do not try to read past the end of the file when dumping the the SHT_GNU_HASH.

We have unobvious issue in the condition that is used to check
that we do not read past the EOF.

The problem is that the result of "GnuHashTable->nbuckets * 4" expression is uint32.
Because of that it was still possible to overflow it and pass the check.

There was no such problem with the "GnuHashTable->maskwords * sizeof(typename ELFT::Off)"
condition, because of `sizeof` on the right (which gives 64-bits value on x64),
but I've added an explicit conversion to 64-bit value for `GnuHashTable->maskwords` too.

Differential revision: https://reviews.llvm.org/D81103

Added: 
    

Modified: 
    llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
    llvm/tools/llvm-readobj/ELFDumper.cpp

Removed: 
    


################################################################################
diff  --git a/llvm/test/tools/llvm-readobj/ELF/hash-histogram.test b/llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
index 4ec772a18f82..a9d2455d5f91 100644
--- a/llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
+++ b/llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
@@ -271,7 +271,7 @@ ProgramHeaders:
 
 ## Case A: the 'nbuckets' field is set so that the GNU hash table goes past the end of the file.
 ##         The value of 1 for the NBUCKETS is no-op.
-# RUN: yaml2obj --docnum=6 -D MASKWORDS=4294967295 -D NBUCKETS=1 %s -o %t7
+# RUN: yaml2obj --docnum=6 -D MASKWORDS=0x80000000 -D NBUCKETS=1 %s -o %t7
 # RUN: llvm-readelf --elf-hash-histogram %t7 2>&1 | \
 # RUN:   FileCheck %s -DFILE=%t7 --check-prefix=ERR5 --implicit-check-not="Histogram"
 
@@ -279,7 +279,7 @@ ProgramHeaders:
 
 ## Case B: the 'maskwords' field is set so that the GNU hash table goes past the end of the file.
 ##         The value of 1 for the MASKWORDS is no-op.
-# RUN: yaml2obj --docnum=6 -D MASKWORDS=1 -D NBUCKETS=4294967295 %s -o %t8
+# RUN: yaml2obj --docnum=6 -D MASKWORDS=1 -D NBUCKETS=0x80000000 %s -o %t8
 # RUN: llvm-readelf --elf-hash-histogram %t8 2>&1 | \
 # RUN:   FileCheck %s -DFILE=%t8 --check-prefix=ERR5 --implicit-check-not="Histogram"
 

diff  --git a/llvm/tools/llvm-readobj/ELFDumper.cpp b/llvm/tools/llvm-readobj/ELFDumper.cpp
index 861149ab9ca7..6c197cf0239c 100644
--- a/llvm/tools/llvm-readobj/ELFDumper.cpp
+++ b/llvm/tools/llvm-readobj/ELFDumper.cpp
@@ -2681,8 +2681,8 @@ static Error checkGNUHashTable(const ELFFile<ELFT> *Obj,
   uint64_t TableOffset = TableData - Obj->base();
   if (IsHeaderValid)
     *IsHeaderValid = TableOffset + /*Header size:*/ 16 < Obj->getBufSize();
-  if (TableOffset + 16 + GnuHashTable->nbuckets * 4 +
-          GnuHashTable->maskwords * sizeof(typename ELFT::Off) >=
+  if (TableOffset + 16 + (uint64_t)GnuHashTable->nbuckets * 4 +
+          (uint64_t)GnuHashTable->maskwords * sizeof(typename ELFT::Off) >=
       Obj->getBufSize())
     return createError("unable to dump the SHT_GNU_HASH "
                        "section at 0x" +

More information about the llvm-commits mailing list