[llvm] [WebAssembly] Limit increase of Ctx.End (PR #76676)

via llvm-commits llvm-commits at lists.llvm.org
Fri Feb 9 11:13:25 PST 2024


https://github.com/DavidKorczynski updated https://github.com/llvm/llvm-project/pull/76676

>From 1aa5a9d1d2b9bc825eb1325cef5f864adf65965d Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Mon, 1 Jan 2024 04:56:29 -0800
Subject: [PATCH 1/3] [WebAssembly] Limit increase of Ctx.End

Extending `Ctx.End` beyond the original buffer leads to buffer
overflows. This change refuses to extend Ctx.End past OrigEnd, so these
overflows can no longer occur.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65432

Signed-off-by: David Korczynski <david at adalogics.com>
---
 llvm/lib/Object/WasmObjectFile.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp
index 40665d686cf939..6f89e183118d63 100644
--- a/llvm/lib/Object/WasmObjectFile.cpp
+++ b/llvm/lib/Object/WasmObjectFile.cpp
@@ -546,6 +546,9 @@ Error WasmObjectFile::parseLinkingSection(ReadContext &Ctx) {
     uint32_t Size = readVaruint32(Ctx);
     LLVM_DEBUG(dbgs() << "readSubsection type=" << int(Type) << " size=" << Size
                       << "\n");
+    if ((const uint8_t *)(Ctx.Ptr + Size) > OrigEnd)
+      return make_error<GenericBinaryError>("invalid segment size",
+                                            object_error::parse_failed);
     Ctx.End = Ctx.Ptr + Size;
     switch (Type) {
     case wasm::WASM_SYMBOL_TABLE:
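Review bot: The new check still evaluates `Ctx.Ptr + Size` before comparing, so an oversized `Size` (readVaruint32 can return any 32-bit value) forms a pointer beyond the buffer, which is undefined behaviour and on 32-bit targets can wrap below OrigEnd and defeat the guard; compare remaining length instead, `if (Size > static_cast<size_t>(OrigEnd - Ctx.Ptr))`, which also drops the C-style cast. The message `"invalid segment size"` names the wrong thing: this loop walks linking subsections, so `"invalid linking subsection size"` points a reader at the right structure. parseLinkingSection starts and ends outside the hunk, and OrigEnd is presumably the Ctx.End saved at entry — worth confirming it is the variable in scope at this point.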

>From 9fe0eb2c16e250078e1a1564931af5eddc4f9f3d Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Fri, 5 Jan 2024 08:35:09 -0800
Subject: [PATCH 2/3] Add OSSFuzz regression test

Signed-off-by: David Korczynski <david at adalogics.com>
---
 llvm/unittests/Object/CMakeLists.txt          |  1 +
 .../Object/ObjectFuzzRegressions.cpp          | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 llvm/unittests/Object/ObjectFuzzRegressions.cpp

diff --git a/llvm/unittests/Object/CMakeLists.txt b/llvm/unittests/Object/CMakeLists.txt
index 81bc4a5577e681..399334b0e599e0 100644
--- a/llvm/unittests/Object/CMakeLists.txt
+++ b/llvm/unittests/Object/CMakeLists.txt
@@ -19,6 +19,7 @@ add_llvm_unittest(ObjectTests
   SymbolSizeTest.cpp
   SymbolicFileTest.cpp
   XCOFFObjectFileTest.cpp
+  ObjectFuzzRegressions.cpp
   )
 
 target_link_libraries(ObjectTests PRIVATE LLVMTestingSupport)
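Review bot: The new entry is appended after XCOFFObjectFileTest.cpp, breaking the alphabetical order the surrounding list keeps; `ObjectFuzzRegressions.cpp` belongs before `SymbolSizeTest.cpp`. Purely a style point, but the list is easier to scan and to merge against when the order holds.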
diff --git a/llvm/unittests/Object/ObjectFuzzRegressions.cpp b/llvm/unittests/Object/ObjectFuzzRegressions.cpp
new file mode 100644
index 00000000000000..761557426a3d4f
--- /dev/null
+++ b/llvm/unittests/Object/ObjectFuzzRegressions.cpp
@@ -0,0 +1,32 @@
+//===-- ObjectFuzzRegressions.cpp - Fuzz regression checking -------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "llvm/Object/ObjectFile.h"
+#include "llvm/Testing/Support/Error.h"
+#include "gtest/gtest.h"
+
+using namespace llvm;
+using namespace llvm::object;
+
+TEST(ObjectFuzzRegressions, OSSFUZZ30308) {
+  // Regression test for
+  // https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30308
+  const uint8_t data[47] = {
+      0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x07, 0x6c,
+      0x69, 0x6e, 0x6b, 0x69, 0x6e, 0x67, 0x02, 0x08, 0xe2, 0x29, 0x01, 0x01,
+      0x02, 0xea, 0x06, 0xf9, 0xee, 0x28, 0xe1, 0x2b, 0x2f, 0x09, 0x00, 0xef,
+      0xbf, 0xbf, 0x00, 0x00, 0xdd, 0x73, 0x66, 0x83, 0x7b, 0x00, 0x55};
+
+  std::string Payload(reinterpret_cast<const char *>(data), 47);
+  std::unique_ptr<MemoryBuffer> Buff = MemoryBuffer::getMemBuffer(Payload);
+  Expected<std::unique_ptr<ObjectFile>> ObjOrErr =
+      ObjectFile::createObjectFile(Buff->getMemBufferRef());
+  if (auto E = ObjOrErr.takeError()) {
+    consumeError(std::move(E));
+  }
+}
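Review bot: The test asserts nothing — the `if (auto E = ObjOrErr.takeError())` block just consumes whatever comes back, so outside a sanitizer build it passes even if the parser regresses to reading past the buffer. Pin the expected outcome with the matcher the file already includes from llvm/Testing/Support/Error.h, `EXPECT_THAT_EXPECTED(ObjOrErr, Failed());`, assuming the malformed linking section is meant to be rejected rather than merely survived. The test name and comment cite oss-fuzz issue 30308 while the first patch's message says it fixes 65432; one of the two references is presumably wrong and they should agree. The local `data` should also follow the CamelCase naming used elsewhere in the tree (`Data`).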

>From eb8a47df0fc6bb05800ab1b229434b2a9b4bf4bf Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Fri, 9 Feb 2024 11:13:00 -0800
Subject: [PATCH 3/3] avoid magic and add trigger file

Signed-off-by: David Korczynski <david at adalogics.com>
---
 ...inimized-llvm-dwarfdump-fuzzer-4510378518511616 | Bin 0 -> 47 bytes
 llvm/unittests/Object/ObjectFuzzRegressions.cpp    |   2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 llvm/test/Object/Inputs/WASM/clusterfuzz-testcase-minimized-llvm-dwarfdump-fuzzer-4510378518511616

diff --git a/llvm/test/Object/Inputs/WASM/clusterfuzz-testcase-minimized-llvm-dwarfdump-fuzzer-4510378518511616 b/llvm/test/Object/Inputs/WASM/clusterfuzz-testcase-minimized-llvm-dwarfdump-fuzzer-4510378518511616
new file mode 100644
index 0000000000000000000000000000000000000000..f49d5773ea45c640e52bf7a6c533b06ad101b3aa
GIT binary patch
literal 47
zcmZQbEY4+Q00IH_oXouJ%)E3ajz^k|j7+cCe!kOqsIAY*@P7Y(28O%EY0cFPp#U`S
B4;TOd

literal 0
HcmV?d00001

diff --git a/llvm/unittests/Object/ObjectFuzzRegressions.cpp b/llvm/unittests/Object/ObjectFuzzRegressions.cpp
index 761557426a3d4f..c56c1ea13bd5c8 100644
--- a/llvm/unittests/Object/ObjectFuzzRegressions.cpp
+++ b/llvm/unittests/Object/ObjectFuzzRegressions.cpp
@@ -22,7 +22,7 @@ TEST(ObjectFuzzRegressions, OSSFUZZ30308) {
       0x02, 0xea, 0x06, 0xf9, 0xee, 0x28, 0xe1, 0x2b, 0x2f, 0x09, 0x00, 0xef,
       0xbf, 0xbf, 0x00, 0x00, 0xdd, 0x73, 0x66, 0x83, 0x7b, 0x00, 0x55};
 
-  std::string Payload(reinterpret_cast<const char *>(data), 47);
+  std::string Payload(reinterpret_cast<const char *>(data), sizeof(data));
   std::unique_ptr<MemoryBuffer> Buff = MemoryBuffer::getMemBuffer(Payload);
   Expected<std::unique_ptr<ObjectFile>> ObjOrErr =
       ObjectFile::createObjectFile(Buff->getMemBufferRef());
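Review bot: The 47-byte input added under llvm/test/Object/Inputs/WASM in this patch is not referenced by anything in the series — the unit test still carries the same bytes inline — so it is dead test data unless a lit test exercises it. Either add a test that runs a tool over the file or drop the file, and if both copies remain, keep one as the source of truth so they cannot drift apart. The switch to `sizeof(data)` itself is the right fix for the magic length. The test body continues outside the hunk.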


