[Lldb-commits] [lldb] 3885cea - [LLDB] Fix buffer overflow problem in DWARFExpression::Evaluate

Caroline Tice via lldb-commits lldb-commits at lists.llvm.org
Mon Jul 10 19:48:05 PDT 2023


Author: Caroline Tice
Date: 2023-07-10T19:47:38-07:00
New Revision: 3885ceafa9347dd729eba5cf872091a689b63d98

URL: https://github.com/llvm/llvm-project/commit/3885ceafa9347dd729eba5cf872091a689b63d98
DIFF: https://github.com/llvm/llvm-project/commit/3885ceafa9347dd729eba5cf872091a689b63d98.diff

LOG: [LLDB] Fix buffer overflow problem in DWARFExpression::Evaluate

In two calls to ReadMemory in DWARFExpression.cpp, the buffer size
passed to ReadMemory is not checked and can be bigger than the actual
size of the buffer. This caused a buffer overflow bug, which we
found through Address Sanitizer. This patch fixes the problem by
checking the address size when it is first read out of the DWARF, and
setting an error and returning immediately if the size is invalid.

This is the second attempt to fix this issue; I reverted the first one,
as it was not quite correct.

Differential Revision: https://reviews.llvm.org/D154907

Added: 
    

Modified: 
    lldb/source/Expression/DWARFExpression.cpp

Removed: 
    


################################################################################
diff  --git a/lldb/source/Expression/DWARFExpression.cpp b/lldb/source/Expression/DWARFExpression.cpp
index 2e512bf7581e86..b829a6f7c86477 100644
--- a/lldb/source/Expression/DWARFExpression.cpp
+++ b/lldb/source/Expression/DWARFExpression.cpp
@@ -1069,6 +1069,13 @@ bool DWARFExpression::Evaluate(
         return false;
       }
       uint8_t size = opcodes.GetU8(&offset);
+      if (size > 8) {
+        if (error_ptr)
+              error_ptr->SetErrorStringWithFormat(
+                  "Invalid address size for DW_OP_deref_size: %d\n",
+                  size);
+        return false;
+      }
       Value::ValueType value_type = stack.back().GetValueType();
       switch (value_type) {
       case Value::ValueType::HostAddress: {
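Review bot: the new guard `if (size > 8)` only rejects the upper bound; a `size` of 0 still passes and reaches the same ReadMemory paths the commit message says were overflowing, so consider `if (size == 0 || size > 8)` unless a zero-byte DW_OP_deref_size is intentionally treated as valid further down. The `error_ptr->SetErrorStringWithFormat(` call is also indented six spaces deeper than the identical call in the second hunk; aligning it with the surrounding code would keep clang-format happy.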
@@ -1141,7 +1148,7 @@ bool DWARFExpression::Evaluate(
           } else {
             if (error_ptr)
               error_ptr->SetErrorStringWithFormat(
-                  "Failed to dereference pointer for for DW_OP_deref_size: "
+                  "Failed to dereference pointer for DW_OP_deref_size: "
                   "%s\n",
                   error.AsCString());
             return false;

