[llvm] r312235 - [Object] Verify object sizes before handing out StringRefs pointing out

Thu Aug 31 05:27:10 PDT 2017

Author: d0k
Date: Thu Aug 31 05:27:10 2017
New Revision: 312235

URL: http://llvm.org/viewvc/llvm-project?rev=312235&view=rev
Log:
[Object] Verify object sizes before handing out StringRefs pointing out
of bounds.

This can only happen on corrupt input. Found by OSS-FUZZ!
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3228

Added:
    llvm/trunk/test/DebugInfo/Inputs/dwarfdump-decompression-corrupt.elf-x86-64
    llvm/trunk/test/DebugInfo/dwarfdump-decompression-corrupt.test
Modified:
    llvm/trunk/include/llvm/Object/Binary.h
    llvm/trunk/include/llvm/Object/ELFObjectFile.h
    llvm/trunk/lib/Object/COFFObjectFile.cpp

Modified: llvm/trunk/include/llvm/Object/Binary.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/Object/Binary.h?rev=312235&r1=312234&r2=312235&view=diff
==============================================================================

--- llvm/trunk/include/llvm/Object/Binary.h (original)
+++ llvm/trunk/include/llvm/Object/Binary.h Thu Aug 31 05:27:10 2017
@@ -15,6 +15,7 @@
 #define LLVM_OBJECT_BINARY_H
 
 #include "llvm/ADT/Triple.h"
+#include "llvm/Object/Error.h"
 #include "llvm/Support/Error.h"
 #include "llvm/Support/MemoryBuffer.h"
 #include <algorithm>
@@ -143,6 +144,16 @@ public:
       return Triple::ELF;
     return Triple::UnknownObjectFormat;
   }
+
+  static std::error_code checkOffset(MemoryBufferRef M, uintptr_t Addr,
+                                     const uint64_t Size) {
+    if (Addr + Size < Addr || Addr + Size < Size ||
+        Addr + Size > uintptr_t(M.getBufferEnd()) ||
+        Addr < uintptr_t(M.getBufferStart())) {
+      return object_error::unexpected_eof;
+    }
+    return std::error_code();
+  }
 };
 
 /// @brief Create a Binary from Source, autodetecting the file type.

Modified: llvm/trunk/include/llvm/Object/ELFObjectFile.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/Object/ELFObjectFile.h?rev=312235&r1=312234&r2=312235&view=diff
==============================================================================
--- llvm/trunk/include/llvm/Object/ELFObjectFile.h (original)
+++ llvm/trunk/include/llvm/Object/ELFObjectFile.h Thu Aug 31 05:27:10 2017
@@ -667,6 +667,10 @@ std::error_code
 ELFObjectFile<ELFT>::getSectionContents(DataRefImpl Sec,
                                         StringRef &Result) const {
   const Elf_Shdr *EShdr = getSection(Sec);
+  if (std::error_code EC =
+          checkOffset(getMemoryBufferRef(),
+                      (uintptr_t)base() + EShdr->sh_offset, EShdr->sh_size))
+    return EC;
   Result = StringRef((const char *)base() + EShdr->sh_offset, EShdr->sh_size);
   return std::error_code();
 }

Modified: llvm/trunk/lib/Object/COFFObjectFile.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Object/COFFObjectFile.cpp?rev=312235&r1=312234&r2=312235&view=diff
==============================================================================
--- llvm/trunk/lib/Object/COFFObjectFile.cpp (original)
+++ llvm/trunk/lib/Object/COFFObjectFile.cpp Thu Aug 31 05:27:10 2017
@@ -52,16 +52,6 @@ static bool checkSize(MemoryBufferRef M,
   return true;
 }
 
-static std::error_code checkOffset(MemoryBufferRef M, uintptr_t Addr,
-                                   const uint64_t Size) {
-  if (Addr + Size < Addr || Addr + Size < Size ||
-      Addr + Size > uintptr_t(M.getBufferEnd()) ||
-      Addr < uintptr_t(M.getBufferStart())) {
-    return object_error::unexpected_eof;
-  }
-  return std::error_code();
-}
-
 // Sets Obj unless any bytes in [addr, addr + size) fall outsize of m.
 // Returns unexpected_eof if error.
 template <typename T>
@@ -69,7 +59,7 @@ static std::error_code getObject(const T
                                  const void *Ptr,
                                  const uint64_t Size = sizeof(T)) {
   uintptr_t Addr = uintptr_t(Ptr);
-  if (std::error_code EC = checkOffset(M, Addr, Size))
+  if (std::error_code EC = Binary::checkOffset(M, Addr, Size))
     return EC;
   Obj = reinterpret_cast<const T *>(Addr);
   return std::error_code();
@@ -383,7 +373,8 @@ getFirstReloc(const coff_section *Sec, M
     // relocations.
     begin++;
   }
-  if (checkOffset(M, uintptr_t(begin), sizeof(coff_relocation) * NumRelocs))
+  if (Binary::checkOffset(M, uintptr_t(begin),
+                          sizeof(coff_relocation) * NumRelocs))
     return nullptr;
   return begin;
 }

Added: llvm/trunk/test/DebugInfo/Inputs/dwarfdump-decompression-corrupt.elf-x86-64
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/DebugInfo/Inputs/dwarfdump-decompression-corrupt.elf-x86-64?rev=312235&view=auto
==============================================================================
Binary files llvm/trunk/test/DebugInfo/Inputs/dwarfdump-decompression-corrupt.elf-x86-64 (added) and llvm/trunk/test/DebugInfo/Inputs/dwarfdump-decompression-corrupt.elf-x86-64 Thu Aug 31 05:27:10 2017 differ

Added: llvm/trunk/test/DebugInfo/dwarfdump-decompression-corrupt.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/DebugInfo/dwarfdump-decompression-corrupt.test?rev=312235&view=auto
==============================================================================
--- llvm/trunk/test/DebugInfo/dwarfdump-decompression-corrupt.test (added)
+++ llvm/trunk/test/DebugInfo/dwarfdump-decompression-corrupt.test Thu Aug 31 05:27:10 2017
@@ -0,0 +1,6 @@
+REQUIRES: zlib
+
+// dwarfdump-decompression-corrupt.elf-x86-64 is fuzzer output
+RUN: llvm-dwarfdump %p/Inputs/dwarfdump-decompression-corrupt.elf-x86-64 2>&1 | FileCheck %s
+
+CHECK: error: failed to decompress '', corrupted compressed section header


