[PATCH] D59179: Detect malformed LC_LINKER_COMMANDs in Mach-O binaries

Michael Trent via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Sat Mar 9 12:11:07 PST 2019 

mtrent created this revision.
mtrent added reviewers: lhames, pete.
Herald added a subscriber: rupprecht.
Herald added a project: LLVM.

llvm-objdump can be tricked into reading beyond valid memory and
segfaulting if LC_LINKER_COMMAND strings are not null terminated. libObject
does have code to validate the integrity of the LC_LINKER_COMMAND struct,
but this validator improperly assumes linker command strings are null
terminated.

The solution is to report an error if a string extends beyond the end of
the LC_LINKER_COMMAND struct.


Repository:
  rL LLVM

https://reviews.llvm.org/D59179

Files:
  lib/Object/MachOObjectFile.cpp
  test/tools/llvm-objdump/X86/Inputs/macho-invalid-linker-command
  test/tools/llvm-objdump/X86/malformed-machos.test


Index: test/tools/llvm-objdump/X86/malformed-machos.test
===================================================================
--- test/tools/llvm-objdump/X86/malformed-machos.test
+++ test/tools/llvm-objdump/X86/malformed-machos.test
@@ -3,31 +3,31 @@
 // make sure llvm-objdump is robust is what matters.
 # RUN: not llvm-objdump -macho -objc-meta-data \
 # RUN:   %p/Inputs/malformed-machos/mem-crup-0001.macho 2>&1 \
-# RUN:   | FileCheck -check-prefix=m0001 %s 
+# RUN:   | FileCheck -check-prefix=m0001 %s
 
 # m0001: mem-crup-0001.macho': truncated or malformed object (addr field plus size of section 2 in LC_SEGMENT_64 command 0 greater than than the segment's vmaddr plus vmsize)
 
 # RUN: not llvm-objdump -macho -objc-meta-data \
 # RUN:   %p/Inputs/malformed-machos/mem-crup-0006.macho 2>&1 \
-# RUN:   | FileCheck -check-prefix=m0006 %s 
+# RUN:   | FileCheck -check-prefix=m0006 %s
 
 # m0006: malformed-machos/mem-crup-0006.macho': truncated or malformed object (section contents at offset 4128 with a size of 176, overlaps section contents at offset 4128 with a size of 8)
 
 # RUN: not llvm-objdump -macho -objc-meta-data \
 # RUN:   %p/Inputs/malformed-machos/mem-crup-0010.macho 2>&1 \
-# RUN:   | FileCheck -check-prefix=m0010 %s 
+# RUN:   | FileCheck -check-prefix=m0010 %s
 
 # m0010: mem-crup-0010.macho': truncated or malformed object (section contents at offset 4320 with a size of 80, overlaps section contents at offset 4320 with a size of 8)
 
 # RUN: not llvm-objdump -macho -objc-meta-data \
 # RUN:   %p/Inputs/malformed-machos/mem-crup-0040.macho 2>&1 \
-# RUN:   | FileCheck -check-prefix=m0040 %s 
+# RUN:   | FileCheck -check-prefix=m0040 %s
 
 # m0040: mem-crup-0040.macho': truncated or malformed object (offset field plus size field of section 2 in LC_SEGMENT_64 command 1 extends past the end of the file)
 
 # RUN: not llvm-objdump -macho -objc-meta-data \
 # RUN:   %p/Inputs/malformed-machos/mem-crup-0080.macho 2>&1 \
-# RUN:   | FileCheck -check-prefix=m0080 %s 
+# RUN:   | FileCheck -check-prefix=m0080 %s
 
 # m0080: mem-crup-0080.macho': truncated or malformed object (addr field plus size of section 2 in LC_SEGMENT_64 command 1 greater than than the segment's vmaddr plus vmsize)
 
@@ -36,7 +36,7 @@
 
 # RUN: not llvm-objdump -macho -disassemble \
 # RUN:   %p/Inputs/malformed-machos/mem-crup-0337.macho 2>&1 \
-# RUN:   | FileCheck -check-prefix=m0337 %s 
+# RUN:   | FileCheck -check-prefix=m0337 %s
 
 # m0337: mem-crup-0337.macho': truncated or malformed object (section relocation entries at offset 0 with a size of 512, overlaps Mach-O headers at offset 0 with a size of 2048)
 
@@ -67,5 +67,8 @@
 RUN: not llvm-objdump -macho -objc-meta-data %p/Inputs/macho-invalid-bind-entry 2>&1 | FileCheck -check-prefix INVALID-BIND-ENTRY %s
 INVALID-BIND-ENTRY: macho-invalid-bind-entry': truncated or malformed object (for BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB bad library ordinal: 83 (max 0) for opcode at: 0x0)
 
-RUN: llvm-objdump -macho -r -arch x86_64 %p/Inputs/macho-invalid-reloc-section-index | FileCheck -check-prefix INVALID-RELOC-SECTION-INDEX %s
+RUN: llvm-objdump -macho -r -arch x86_64 %p/Inputs/macho-invalid-reloc-section-index 2>&1 | FileCheck -check-prefix INVALID-RELOC-SECTION-INDEX %s
 INVALID-RELOC-SECTION-INDEX: 00000021 False byte   False  UNSIGND False     8388613 (?,?)
+
+RUN: not llvm-objdump -bind -g -macho -r -rebase -s -section-headers -t -unwind-info %p/Inputs/macho-invalid-linker-command 2>&1 | FileCheck -check-prefix INVALID-LINKCMD %s
+INVALID-LINKCMD: truncated or malformed object (load command 4 LC_LINKER_OPTION string #2 is not NULL terminated)
Index: lib/Object/MachOObjectFile.cpp
===================================================================
--- lib/Object/MachOObjectFile.cpp
+++ lib/Object/MachOObjectFile.cpp
@@ -918,6 +918,10 @@
     if (left > 0) {
       i++;
       uint32_t NullPos = StringRef(string, left).find('\0');
+      if (0xffffffff == NullPos)
+        return malformedError("load command " + Twine(LoadCommandIndex) +
+                              " LC_LINKER_OPTION string #" + Twine(i) +
+                              " is not NULL terminated");
       uint32_t len = std::min(NullPos, left) + 1;
       string += len;
       left -= len;


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D59179.189992.patch
Type: text/x-patch
Size: 4261 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20190309/8daa5692/attachment.bin>

More information about the llvm-commits mailing list