[llvm] r313145 - [MachO] Prevent heap overflow when load command extends past EOF
Jonas Devlieghere via llvm-commits
llvm-commits at lists.llvm.org
Wed Sep 13 06:43:01 PDT 2017
Author: jdevlieghere
Date: Wed Sep 13 06:43:01 2017
New Revision: 313145
URL: http://llvm.org/viewvc/llvm-project?rev=313145&view=rev
Log:
[MachO] Prevent heap overflow when load command extends past EOF
This patch fixes a heap-buffer-overflow when a malformed Mach-O has a
load command whose size extends past the end of the binary.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3225
Differential revision: https://reviews.llvm.org/D37439
Added:
llvm/trunk/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof
Modified:
llvm/trunk/lib/Object/MachOObjectFile.cpp
llvm/trunk/test/Object/macho-invalid.test
Modified: llvm/trunk/lib/Object/MachOObjectFile.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Object/MachOObjectFile.cpp?rev=313145&r1=313144&r2=313145&view=diff
==============================================================================
--- llvm/trunk/lib/Object/MachOObjectFile.cpp (original)
+++ llvm/trunk/lib/Object/MachOObjectFile.cpp Wed Sep 13 06:43:01 2017
@@ -183,6 +183,9 @@ static Expected<MachOObjectFile::LoadCom
getLoadCommandInfo(const MachOObjectFile &Obj, const char *Ptr,
uint32_t LoadCommandIndex) {
if (auto CmdOrErr = getStructOrErr<MachO::load_command>(Obj, Ptr)) {
+ if (CmdOrErr->cmdsize + Ptr > Obj.getData().end())
+ return malformedError("load command " + Twine(LoadCommandIndex) +
+ " extends past end of file");
if (CmdOrErr->cmdsize < 8)
return malformedError("load command " + Twine(LoadCommandIndex) +
" with size less than 8 bytes");
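Review bot: the added check `if (CmdOrErr->cmdsize + Ptr > Obj.getData().end())` computes `Ptr + cmdsize` before comparing, so for exactly the malformed input it guards against it forms a pointer beyond the end of the buffer, which is undefined behaviour in C++, and on a 32-bit host with `Ptr` near the top of the address space the addition can wrap and make the comparison pass. Comparing remaining length instead avoids both, e.g. `uint64_t Remaining = Obj.getData().end() - Ptr; if (CmdOrErr->cmdsize > Remaining) return malformedError(...)`. Placing the check ahead of the existing `cmdsize < 8` test is the right order, since the later struct reads depend on the command fitting in the file, and using `>` rather than `>=` correctly still accepts a command that ends exactly at EOF.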
@@ -800,7 +803,7 @@ static Error checkNoteCommand(const Mach
uint32_t LoadCommandIndex,
std::list<MachOElement> &Elements) {
if (Load.C.cmdsize != sizeof(MachO::note_command))
- return malformedError("load command " + Twine(LoadCommandIndex) +
+ return malformedError("load command " + Twine(LoadCommandIndex) +
" LC_NOTE has incorrect cmdsize");
MachO::note_command Nt = getStruct<MachO::note_command>(Obj, Load.Ptr);
uint64_t FileSize = Obj.getData().size();
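Review bot: this hunk in checkNoteCommand changes only whitespace on the `return malformedError("load command " + Twine(LoadCommandIndex) +` line (the `-` and `+` lines are textually identical apart from indentation) and is unrelated to the overflow fix described in the log; either drop it from this change or note the cleanup in the commit message so that anyone bisecting the heap-overflow fix is not misled into thinking checkNoteCommand was part of it.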
Added: llvm/trunk/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof?rev=313145&view=auto
==============================================================================
Binary files llvm/trunk/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof (added) and llvm/trunk/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof Wed Sep 13 06:43:01 2017 differ
Modified: llvm/trunk/test/Object/macho-invalid.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Object/macho-invalid.test?rev=313145&r1=313144&r2=313145&view=diff
==============================================================================
--- llvm/trunk/test/Object/macho-invalid.test (original)
+++ llvm/trunk/test/Object/macho-invalid.test Wed Sep 13 06:43:01 2017
@@ -284,6 +284,9 @@ INVALID-DYLIB-WRONG-FILETYPE: macho-inva
RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-no-id 2>&1 | FileCheck -check-prefix INVALID-DYLIB-NO-ID %s
INVALID-DYLIB-NO-ID: macho-invalid-dylib-no-id': truncated or malformed object (no LC_ID_DYLIB load command in dynamic library filetype)
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-cmdsize-past-eof 2>&1 | FileCheck -check-prefix INVALID-DYLIB-CMDSIZE %s
+INVALID-DYLIB-CMDSIZE: macho-invalid-dylib-cmdsize-past-eof': truncated or malformed object (load command 0 extends past end of file)
+
RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-uuid-more-than-one 2>&1 | FileCheck -check-prefix INVALID-UUID-MORE-THAN-ONE %s
INVALID-UUID-MORE-THAN-ONE: macho-invalid-uuid-more-than-one': truncated or malformed object (more than one LC_UUID command)
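Review bot: the new RUN line covers only the negative case; since the check in getLoadCommandInfo uses `>`, a load command whose cmdsize ends exactly at end of file must still be accepted, and a small positive input at that boundary would pin the behaviour down and catch a future change to `>=` that would start rejecting valid files. The error text `load command 0 extends past end of file` matches the message added in MachOObjectFile.cpp, and the check applies to every load command rather than only to dylib files, so the `INVALID-DYLIB-CMDSIZE` prefix and input name are narrower than what is actually being tested.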