[llvm-bugs] [Bug 41751] New: Buffer overflow for PPC tabortdc
via llvm-bugs
llvm-bugs at lists.llvm.org
Sun May 5 05:57:21 PDT 2019
https://bugs.llvm.org/show_bug.cgi?id=41751
Bug ID: 41751
Summary: Buffer overflow for PPC tabortdc
Product: libraries
Version: trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P
Component: Backend: PowerPC
Assignee: unassignedbugs at nondot.org
Reporter: p.antoine at catenacyber.fr
CC: llvm-bugs at lists.llvm.org, nemanja.i.ibm at gmail.com
Found by oss-fuzz for capstone project
https://github.com/aquynh/capstone/pull/1470
Tested versions with the bug are trunk commit
e181a08aa98e9c57cd322904fd6c51c84d178690, 8.0 and 7.1
To reproduce, you can run
echo "0x7d 0x20 0x06 0x5d" | llvm-mc --disassemble -triple=ppc64
The input "7d 20 06 5d" is "tabortdc. 9, r0, r0" on onlinedisassembler.com
The buffer overflow happens on CRRegs access, where there are only 8 elements
and the index is read from 5 bits of the instruction (so it can go up to 31 and thus
overflow).
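The defect class the report describes, as an added illustration that is not LLVM's code: a 5-bit instruction field is used to index an 8-entry register table, so any field value from 8 to 31 reads past the array. The model below extracts the field, shows the unchecked lookup as the "before", and the bounds-checked lookup that returns a decode failure instead. The field position (PowerPC big-endian bits 6..10), the table contents and all function names are assumptions made for the example; the reproducer bytes are the ones from the report, and by my arithmetic their bits 6..10 hold the value 9.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added example, not LLVM's own decoder. Names and layout are assumptions.
enum DecodeStatus { Fail = 0, Success = 3 };

// Constructed 8-entry table standing in for CRRegs (CR0..CR7).
static const uint16_t CRRegs[8] = {100, 101, 102, 103, 104, 105, 106, 107};

// Assemble a 32-bit instruction word from 4 big-endian bytes.
static uint32_t wordFromBytes(const uint8_t b[4]) {
    return (uint32_t(b[0]) << 24) | (uint32_t(b[1]) << 16) |
           (uint32_t(b[2]) << 8) | uint32_t(b[3]);
}

// Extract a field using PowerPC bit numbering (bit 0 is the MSB).
// msbBit is the first bit of the field, width its length in bits.
static unsigned fieldFromMSB(uint32_t insn, unsigned msbBit, unsigned width) {
    return (insn >> (32 - msbBit - width)) & ((1u << width) - 1);
}

// "Before": the lookup as the report describes it. Any regNo >= N reads
// outside the table. Kept only as the pattern to recognise; callers must
// never reach it with an unvalidated field value.
template <size_t N>
static uint16_t lookupUnchecked(uint64_t regNo, const uint16_t (&regs)[N]) {
    return regs[regNo];
}

// "After": the table size is known from the array type, so the check is
// one comparison. An out-of-range field becomes a decode failure, which is
// the normal way a disassembler rejects an encoding it cannot represent.
template <size_t N>
static DecodeStatus lookupChecked(uint16_t &out, uint64_t regNo,
                                  const uint16_t (&regs)[N]) {
    if (regNo >= N)
        return Fail;
    out = regs[regNo];
    return Success;
}

struct DecodeResult {
    DecodeStatus status;
    unsigned field;   // raw 5-bit field value
    uint16_t reg;     // table entry when status == Success
};

// Decode the assumed 5-bit field at bits 6..10 and resolve it through the
// checked lookup against the 8-entry table.
static DecodeResult decodeCRField(const uint8_t bytes[4]) {
    DecodeResult r{Fail, 0, 0};
    uint32_t insn = wordFromBytes(bytes);
    r.field = fieldFromMSB(insn, 6, 5);
    r.status = lookupChecked(r.reg, r.field, CRRegs);
    return r;
}

// Constructed inputs: the report's reproducer (field value 9) and a variant
// with the same opcode bits but field value 3, which is in range.
static const uint8_t kReproducer[4] = {0x7d, 0x20, 0x06, 0x5d};
static const uint8_t kInRange[4]    = {0x7c, 0x60, 0x06, 0x5d};

int main() {
    DecodeResult a = decodeCRField(kReproducer);
    DecodeResult b = decodeCRField(kInRange);
    std::printf("reproducer: field=%u status=%d\n", a.field, int(a.status));
    std::printf("in-range:   field=%u status=%d reg=%u\n", b.field,
                int(b.status), unsigned(b.reg));
    return 0;
}
```

The check belongs in the shared register-class helper rather than at each call site, because every register class decoder that takes a wider field than its table can represent has the same exposure; deriving `N` from the array reference means the bound cannot drift from the table it guards.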
Stack dump:
0. Program arguments: ./bin/llvm-mc --disassemble -triple=ppc64
0 llvm-mc 0x000000010e45bb2c llvm::sys::PrintStackTrace(llvm::raw_ostream&) + 60
1 llvm-mc 0x000000010e45c0f9 PrintStackTraceSignalHandler(void*) + 25
2 llvm-mc 0x000000010e4591ce llvm::sys::RunSignalHandlers() + 990
3 llvm-mc 0x000000010e45fa79 SignalHandler(int) + 505
4 libsystem_platform.dylib 0x00007fff51b99f5a _sigtramp + 26
5 libsystem_platform.dylib 0x000000000000000d _sigtramp + 2923847885
6 libsystem_c.dylib 0x00007fff519371ae abort + 127
7 libsystem_c.dylib 0x00007fff518ff1ac basename_r + 0
8 llvm-mc 0x000000010e13ab61 llvm::MCDisassembler::DecodeStatus decodeRegisterClass<8ul>(llvm::MCInst&, unsigned long long, unsigned short const (&) [8ul]) + 97
9 llvm-mc 0x000000010e139d4f DecodeCRRC0RegisterClass(llvm::MCInst&, unsigned long long, unsigned long long, void const*) + 47
10 llvm-mc 0x000000010e131b63 llvm::MCDisassembler::DecodeStatus llvm::decodeToMCInst<unsigned int>(llvm::MCDisassembler::DecodeStatus, unsigned int, unsigned int, llvm::MCInst&, unsigned long long, void const*, bool&) + 14915
11 llvm-mc 0x000000010e12d927 llvm::MCDisassembler::DecodeStatus llvm::decodeInstruction<unsigned int>(unsigned char const*, llvm::MCInst&, unsigned int, unsigned long long, void const*, llvm::MCSubtargetInfo const&) + 2071
12 llvm-mc 0x000000010e12d0b8 (anonymous namespace)::PPCDisassembler::getInstruction(llvm::MCInst&, unsigned long long&, llvm::ArrayRef<unsigned char>, unsigned long long, llvm::raw_ostream&, llvm::raw_ostream&) const + 1048
13 llvm-mc 0x000000010d8a1076 PrintInsts(llvm::MCDisassembler const&, std::__1::pair<std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >, std::__1::vector<char const*, std::__1::allocator<char const*> > > const&, llvm::SourceMgr&, llvm::raw_ostream&, llvm::MCStreamer&, bool, llvm::MCSubtargetInfo const&) + 342
14 llvm-mc 0x000000010d89fbe8 llvm::Disassembler::disassemble(llvm::Target const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, llvm::MCSubtargetInfo&, llvm::MCStreamer&, llvm::MemoryBuffer&, llvm::SourceMgr&, llvm::raw_ostream&) + 4040
15 llvm-mc 0x000000010d882133 main + 17107
16 libdyld.dylib 0x00007fff5188b015 start + 1
Abort trap: 6