[PATCH] D38777: [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)

Vedant Kumar via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Tue Oct 10 18:58:18 PDT 2017


vsk created this revision.
Herald added subscribers: aheejin, jfb.

A wasm file crafted with a bogus section size can trigger an ASan issue
in the DWARFObjInMemory constructor. Nip the problem in the bud when we
read the wasm section, and fix up the DWARF code to pass up the Error
(this latter bit isn't covered -- I'd appreciate a pointer about how to
do this since I'm unfamiliar with llvm-dwarfdump).

Found by OSS-Fuzz:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3219


https://reviews.llvm.org/D38777

Files:
  lib/DebugInfo/DWARF/DWARFContext.cpp
  lib/Object/WasmObjectFile.cpp
  test/tools/llvm-dwarfdump/X86/Inputs/oss-fuzz-3219
  test/tools/llvm-dwarfdump/X86/fuzzer.test


Index: test/tools/llvm-dwarfdump/X86/fuzzer.test
===================================================================
--- /dev/null
+++ test/tools/llvm-dwarfdump/X86/fuzzer.test
@@ -0,0 +1,2 @@
+RUN: not llvm-dwarfdump %S/Inputs/oss-fuzz-3219 2>&1 | FileCheck --check-prefix=FUZZ3219 %s
+FUZZ3219: oss-fuzz-3219: Invalid data was encountered while parsing the file
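Review bot: the FileCheck pattern only matches the generic text for `object_error::parse_failed`, so this test would also pass if `Inputs/oss-fuzz-3219` were rejected on the pre-existing `Zero length section` path or by any other parse failure in the wasm reader. If the "Section too large" text reaches llvm-dwarfdump's output, match that instead so the test pins down this fix; if it does not (the StringError is flattened to its error code somewhere on the way out), it is worth saying so in the test. The binary input is not visible in the diff, so a one-line comment in fuzzer.test describing which section header carries the bogus size would help future readers.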
Index: lib/Object/WasmObjectFile.cpp
===================================================================
--- lib/Object/WasmObjectFile.cpp
+++ lib/Object/WasmObjectFile.cpp
@@ -178,16 +178,18 @@
 }
 
 static Error readSection(WasmSection &Section, const uint8_t *&Ptr,
-                         const uint8_t *Start) {
-  // TODO(sbc): Avoid reading past EOF in the case of malformed files.
+                         const uint8_t *Start, const uint8_t *Eof) {
   Section.Offset = Ptr - Start;
   Section.Type = readVaruint7(Ptr);
   uint32_t Size = readVaruint32(Ptr);
   if (Size == 0)
     return make_error<StringError>("Zero length section",
                                    object_error::parse_failed);
   Section.Content = ArrayRef<uint8_t>(Ptr, Size);
   Ptr += Size;
+  if (Ptr > Eof)
+    return make_error<StringError>("Section too large",
+                                   object_error::parse_failed);
   return Error::success();
 }
 
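Review bot: the new `if (Ptr > Eof)` check runs after `Ptr += Size`, so a bogus size still forms a pointer beyond the end of the buffer (undefined behaviour in C++, and a comparison that can wrap when `Size` is close to `UINT32_MAX`), and `Section.Content` has already been built from it. Do the check against the bytes that remain, before the `ArrayRef` is constructed and the cursor is advanced, e.g. `if (Size > static_cast<size_t>(Eof - Ptr)) return make_error<StringError>("Section too large", object_error::parse_failed);` placed ahead of `Section.Content = ArrayRef<uint8_t>(Ptr, Size);`. Note also that `readVaruint7(Ptr)` and `readVaruint32(Ptr)` above it still take no `Eof`, so a file truncated inside the section header can read past the end; the deleted TODO covered that case too, so either keep it or pass `Eof` down to the varint readers.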
@@ -221,7 +223,7 @@
 
   WasmSection Sec;
   while (Ptr < Eof) {
-    if ((Err = readSection(Sec, Ptr, getPtr(0))))
+    if ((Err = readSection(Sec, Ptr, getPtr(0), Eof)))
       return;
     if ((Err = parseSection(Sec)))
       return;
Index: lib/DebugInfo/DWARF/DWARFContext.cpp
===================================================================
--- lib/DebugInfo/DWARF/DWARFContext.cpp
+++ lib/DebugInfo/DWARF/DWARFContext.cpp
@@ -1149,7 +1149,16 @@
     StringMap<unsigned> SectionAmountMap;
     for (const SectionRef &Section : Obj.sections()) {
       StringRef Name;
-      Section.getName(Name);
+      auto Err = Section.getName(Name);
+      if (Err) {
+        ErrorPolicy EP = HandleError(
+            createError("could not get section name in " + Obj.getFileName(),
+                        errorCodeToError(Err)));
+        if (EP == ErrorPolicy::Halt)
+          return;
+        return;
+      }
+
       ++SectionAmountMap[Name];
       SectionNames.push_back({ Name, true });
 
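Review bot: both paths in the new error branch return, so `ErrorPolicy::Continue` is never honoured: `if (EP == ErrorPolicy::Halt) return;` is immediately followed by an unconditional `return;`. The second `return;` should presumably be `continue;`, so that a section whose name cannot be read is skipped and the remaining sections are still processed when the handler asks to continue. As the description notes this path is untested, the fuzzer.test added here only exercises the wasm reader; a test input that actually reaches `getName` failure would be needed to cover it.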


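To make the bounds-check concrete outside of the LLVM sources, the following is an added example (not LLVM code and not part of this patch): a minimal, bounds-checked reader for the section headers of a WebAssembly module. It performs the "section too large" check the patch introduces, but against the bytes remaining in the buffer and before the cursor moves, and it also bounds-checks the LEB128 header fields that the patch leaves unchecked. All names (`wasmdemo`, `readULEB`, `parseSections`) and the sample byte strings are constructed for this example.

```cpp
// Added example, not LLVM code: bounds-checked parsing of wasm section headers.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

namespace wasmdemo {

struct Section {
  uint8_t Type = 0;
  size_t Offset = 0; // offset of the section id byte from the start of the file
  size_t Size = 0;   // payload size as declared in the header
};

struct Result {
  bool Ok;
  std::string Error;
  std::vector<Section> Sections;
};

// Decode an unsigned LEB128 value of at most MaxBits bits without ever
// dereferencing End. Returns false on truncation or an over-long encoding.
static bool readULEB(const uint8_t *&Ptr, const uint8_t *End, unsigned MaxBits,
                     uint64_t &Out) {
  Out = 0;
  unsigned Shift = 0;
  while (true) {
    if (Ptr >= End)
      return false; // file ends inside the varint
    uint8_t Byte = *Ptr++;
    if (Shift >= MaxBits)
      return false; // more bytes than the declared width allows
    Out |= static_cast<uint64_t>(Byte & 0x7f) << Shift;
    if ((Byte & 0x80) == 0)
      break;
    Shift += 7;
  }
  return MaxBits >= 64 || (Out >> MaxBits) == 0;
}

// Walk the section headers, rejecting any section whose declared size does
// not fit in the remaining bytes. The check compares Size with `End - Ptr`
// rather than testing `Ptr + Size` afterwards, so no out-of-range pointer is
// ever formed.
Result parseSections(const std::vector<uint8_t> &File) {
  Result R{true, "", {}};
  const uint8_t *Start = File.data();
  const uint8_t *End = Start + File.size();
  const uint8_t *Ptr = Start;

  // "\0asm" magic followed by little-endian version 1.
  static const uint8_t Magic[8] = {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00};
  if (File.size() < sizeof(Magic) || !std::equal(Magic, Magic + 8, Ptr))
    return {false, "Bad magic number", {}};
  Ptr += sizeof(Magic);

  while (Ptr < End) {
    Section S;
    S.Offset = static_cast<size_t>(Ptr - Start);
    uint64_t Type, Size;
    if (!readULEB(Ptr, End, 7, Type))
      return {false, "Truncated section id", {}};
    if (!readULEB(Ptr, End, 32, Size))
      return {false, "Truncated or invalid section size", {}};
    if (Size == 0)
      return {false, "Zero length section", {}};
    if (Size > static_cast<uint64_t>(End - Ptr))
      return {false, "Section too large", {}}; // the oss-fuzz-3219 class of input
    S.Type = static_cast<uint8_t>(Type);
    S.Size = static_cast<size_t>(Size);
    R.Sections.push_back(S);
    Ptr += Size; // safe: Size <= End - Ptr was just established
  }
  return R;
}

// Constructed sample: header, a 1-byte type section (id 1), a 1-byte function
// section (id 3).
std::vector<uint8_t> goodModule() {
  return {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
          0x01, 0x01, 0x00, 0x03, 0x01, 0x00};
}

// Constructed sample: a type section claiming 0xFFFFFFFF bytes with no body.
std::vector<uint8_t> oversizedModule() {
  return {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
          0x01, 0xff, 0xff, 0xff, 0xff, 0x0f};
}

// Constructed sample: the size varint has a continuation bit but no next byte.
std::vector<uint8_t> truncatedModule() {
  return {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x80};
}

} // namespace wasmdemo

int main() {
  for (auto F : {wasmdemo::goodModule, wasmdemo::oversizedModule,
                 wasmdemo::truncatedModule}) {
    wasmdemo::Result R = wasmdemo::parseSections(F());
    std::printf("%s (%zu sections)\n", R.Ok ? "ok" : R.Error.c_str(),
                R.Sections.size());
  }
  return 0;
}
```

The order of the checks is the point: the size is validated against `End - Ptr` before either the content slice or the advanced cursor exists, and the varint readers refuse to step past `End`, so a crafted header fails closed in the parser rather than surfacing later as an out-of-bounds read in a consumer such as the DWARF loader.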
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D38777.118524.patch
Type: text/x-patch
Size: 2317 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20171011/bc1a5835/attachment.bin>

