[llvm] r341686 - [RISCV] Fix AddressSanitizer heap-buffer-overflow in disassembling

Ana Pazos via llvm-commits llvm-commits at lists.llvm.org
Fri Sep 7 11:23:20 PDT 2018


Author: apazos
Date: Fri Sep  7 11:23:19 2018
New Revision: 341686

URL: http://llvm.org/viewvc/llvm-project?rev=341686&view=rev
Log:
[RISCV] Fix AddressSanitizer heap-buffer-overflow in disassembling

Summary:
RISCVDisassembler should check the number of bytes available before reading them.
Crash noticed when enabling -DLLVM_USE_SANITIZER=Address.

This bug was uncovered by an LLVM MC Disassembler Protocol Buffer Fuzzer for the RISC-V assembly language.

Reviewers: asb

Reviewed By: asb

Subscribers: rbar, johnrusso, simoncook, sabuasal, niosHD, kito-cheng, shiva0217, zzheng, edward-jones, mgrang, rogfer01, MartinMosbeck, brucehoult, the_o, rkruppe, PkmX, jocewei, asb

Differential Revision: https://reviews.llvm.org/D51708

Added:
    llvm/trunk/test/MC/Disassembler/RISCV/
    llvm/trunk/test/MC/Disassembler/RISCV/fuzzer-invalid.txt
    llvm/trunk/test/MC/Disassembler/RISCV/lit.local.cfg
Modified:
    llvm/trunk/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp

Modified: llvm/trunk/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp?rev=341686&r1=341685&r2=341686&view=diff
==============================================================================
--- llvm/trunk/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp (original)
+++ llvm/trunk/lib/Target/RISCV/Disassembler/RISCVDisassembler.cpp Fri Sep  7 11:23:19 2018
@@ -257,11 +257,19 @@ DecodeStatus RISCVDisassembler::getInstr
 
   // It's a 32 bit instruction if bit 0 and 1 are 1.
   if ((Bytes[0] & 0x3) == 0x3) {
+    if (Bytes.size() < 4) {
+      Size = 0;
+      return MCDisassembler::Fail;
+    }
     Insn = support::endian::read32le(Bytes.data());
     LLVM_DEBUG(dbgs() << "Trying RISCV32 table :\n");
     Result = decodeInstruction(DecoderTable32, MI, Insn, Address, this, STI);
     Size = 4;
   } else {
+    if (Bytes.size() < 2) {
+      Size = 0;
+      return MCDisassembler::Fail;
+    }
     Insn = support::endian::read16le(Bytes.data());
 
     if (!STI.getFeatureBits()[RISCV::Feature64Bit]) {
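Review bot: `Bytes[0]` in the dispatch condition `if ((Bytes[0] & 0x3) == 0x3)` is still read before either of the new size checks, so an empty `Bytes` still produces the same kind of out-of-bounds read this patch fixes; llvm-mc's loop never calls in with an empty buffer, but other MCDisassembler clients can. Hoisting a single `if (Bytes.size() < 2) { Size = 0; return MCDisassembler::Fail; }` above the dispatch `if` would cover that case (every encoding needs at least two bytes), leave only the `< 4` check in the 32-bit branch, and remove the duplicated failure block in the `else` branch.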

Added: llvm/trunk/test/MC/Disassembler/RISCV/fuzzer-invalid.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/MC/Disassembler/RISCV/fuzzer-invalid.txt?rev=341686&view=auto
==============================================================================
--- llvm/trunk/test/MC/Disassembler/RISCV/fuzzer-invalid.txt (added)
+++ llvm/trunk/test/MC/Disassembler/RISCV/fuzzer-invalid.txt Fri Sep  7 11:23:19 2018
@@ -0,0 +1,8 @@
+# RUN: not llvm-mc -disassemble -triple=riscv32 < %s 2>&1 | FileCheck %s
+# RUN: not llvm-mc -disassemble -triple=riscv64 < %s 2>&1 | FileCheck %s
+#
+# Test generated by a LLVM MC Disassembler Protocol Buffer Fuzzer
+# for the RISC-V assembly language.
+
+[0xf9 0x95 0xab 0x99]
+# CHECK: warning: invalid instruction encoding
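Review bot: this test only detects the regression in an ASan build, since in a normal build the old code's 4-byte `read32le` over the two remaining bytes `0xab 0x99` may read heap slack without crashing and still print `invalid instruction encoding`, so the CHECK line can pass with or without the fix. Consider adding a minimal case such as `[0x03]` (low bits `11`, a single byte) so the too-short 32-bit path is hit on the first byte rather than only after a preceding compressed encoding, and say in the comment which bytes are expected to trigger the short-read path on each triple.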

Added: llvm/trunk/test/MC/Disassembler/RISCV/lit.local.cfg
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/MC/Disassembler/RISCV/lit.local.cfg?rev=341686&view=auto
==============================================================================
--- llvm/trunk/test/MC/Disassembler/RISCV/lit.local.cfg (added)
+++ llvm/trunk/test/MC/Disassembler/RISCV/lit.local.cfg Fri Sep  7 11:23:19 2018
@@ -0,0 +1,3 @@
+if not 'RISCV' in config.root.targets:
+    config.unsupported = True
+
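Review bot: `if not 'RISCV' in config.root.targets:` reads more naturally as `if 'RISCV' not in config.root.targets:`, the form PEP 8 recommends; also drop the trailing empty `+` line so the file does not end with a blank line. Style only, the guard itself is correct.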

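The check the patch adds, together with the resynchronisation that makes `Size = 0` on `Fail` matter, as an added stand-alone example. This is not LLVM code: `ByteSpan`, `decodeLength` and `walk` stand in for `ArrayRef<uint8_t>`, the length dispatch in `RISCVDisassembler::getInstruction` and llvm-mc's disassembly loop, whose skip-one-byte behaviour on `Size == 0` is assumed here; the empty-buffer guard is an addition beyond the patch, and the instruction tables are not modelled. The input is the fuzzer bytes from the test above.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example modelled on the RISCVDisassembler length dispatch.
// Not LLVM code: ByteSpan stands in for ArrayRef<uint8_t>.
enum class DecodeStatus { Fail, Success };

struct ByteSpan {
  const uint8_t *Data;
  size_t Len;
};

static uint32_t read32le(const uint8_t *P) {
  return uint32_t(P[0]) | (uint32_t(P[1]) << 8) | (uint32_t(P[2]) << 16) |
         (uint32_t(P[3]) << 24);
}

static uint16_t read16le(const uint8_t *P) {
  return uint16_t(P[0] | (P[1] << 8));
}

// Length dispatch as patched in r341686: bits [1:0] == 11 announce a
// 32-bit encoding, anything else a 16-bit compressed one. The buffer
// is checked against that length before it is read; on a short buffer
// Size is left at 0 so the caller knows nothing was consumed. The
// empty-buffer guard is this example's addition (the patch still reads
// Bytes[0] unconditionally).
DecodeStatus decodeLength(ByteSpan Bytes, uint32_t &Insn, uint64_t &Size) {
  Size = 0;
  if (Bytes.Len == 0)
    return DecodeStatus::Fail;
  if ((Bytes.Data[0] & 0x3) == 0x3) {
    if (Bytes.Len < 4)
      return DecodeStatus::Fail;  // pre-fix code: read32le over-read here
    Insn = read32le(Bytes.Data);
    Size = 4;
  } else {
    if (Bytes.Len < 2)
      return DecodeStatus::Fail;  // pre-fix code: read16le over-read here
    Insn = read16le(Bytes.Data);
    Size = 2;
  }
  return DecodeStatus::Success;
}

// Drives decodeLength the way llvm-mc -disassemble is modelled here: on
// Fail with Size == 0 it skips a single byte to resynchronise, which is
// why the patch sets Size = 0 rather than leaving it stale. Returns the
// number of Fail results, one per "invalid instruction encoding" warning
// the tool would print.
unsigned walk(const std::vector<uint8_t> &Buf) {
  unsigned Fails = 0;
  size_t Index = 0;
  while (Index < Buf.size()) {
    uint32_t Insn = 0;
    uint64_t Size = 0;
    ByteSpan Rest{Buf.data() + Index, Buf.size() - Index};
    if (decodeLength(Rest, Insn, Size) == DecodeStatus::Fail) {
      ++Fails;
      if (Size == 0)
        Size = 1;
    }
    Index += Size;
  }
  return Fails;
}

int main() {
  // Constructed input: the fuzzer bytes from fuzzer-invalid.txt.
  // 0xf9 0x95 is a 16-bit encoding; 0xab then announces a 32-bit one
  // with only two bytes left, the case that over-read before the fix.
  const std::vector<uint8_t> Fuzzer = {0xf9, 0x95, 0xab, 0x99};
  std::printf("invalid encodings: %u\n", walk(Fuzzer));
  return 0;
}
```

On the fuzzer input `walk` reports two failures: the short 32-bit tail at offset 2, then the lone `0x99` at offset 3 after the one-byte skip. Under the pre-fix logic the first of those would instead be a 4-byte read over a 2-byte remainder, which is exactly what ASan flagged.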