[PATCH] D93799: [obj2yaml] - Dump the content of a broken hash table properly.
George Rimar via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Thu Dec 24 02:07:25 PST 2020
grimar created this revision.
grimar added reviewers: jhenderson, MaskRay.
Herald added a subscriber: emaste.
Herald added a reviewer: espindola.
grimar requested review of this revision.
Herald added a project: LLVM.
This is similar to D93760 <https://reviews.llvm.org/D93760>.
When something is wrong with the hash table header, we dump
its context as raw data.
Currently we have a calculation overflow issue and it is possible to
bypass the validation we have (and crash).
The patch fixes it.
https://reviews.llvm.org/D93799
Files:
llvm/test/tools/obj2yaml/ELF/hash-section.yaml
llvm/tools/obj2yaml/elf2yaml.cpp
Index: llvm/tools/obj2yaml/elf2yaml.cpp
===================================================================
--- llvm/tools/obj2yaml/elf2yaml.cpp
+++ llvm/tools/obj2yaml/elf2yaml.cpp
@@ -1232,8 +1232,8 @@
DataExtractor::Cursor Cur(0);
DataExtractor Data(Content, Obj.isLE(), /*AddressSize=*/0);
- uint32_t NBucket = Data.getU32(Cur);
- uint32_t NChain = Data.getU32(Cur);
+ uint64_t NBucket = Data.getU32(Cur);
+ uint64_t NChain = Data.getU32(Cur);
if (Content.size() != (2 + NBucket + NChain) * 4) {
S->Content = yaml::BinaryRef(Content);
if (Cur)
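Review bot: The declarations of `NBucket` and `NChain` carry no comment saying why they are `uint64_t` while still being filled by `getU32`, so a later cleanup could narrow them back to `uint32_t` and silently reintroduce the wrap in `(2 + NBucket + NChain) * 4`. Please add a one-line comment above them stating that the wider type is there to keep the size check from overflowing. With both fields at 0xffffffff the expression is 0x800000000, which fits in 64 bits, so the widened check cannot wrap.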
Index: llvm/test/tools/obj2yaml/ELF/hash-section.yaml
===================================================================
--- llvm/test/tools/obj2yaml/ELF/hash-section.yaml
+++ llvm/test/tools/obj2yaml/ELF/hash-section.yaml
@@ -49,6 +49,13 @@
# CONTENT-NEXT: - Name: .oversized
# CONTENT-NEXT: Type: SHT_HASH
# CONTENT-NEXT: Content: '0100000002000000030000000400000000'
+# CONTENT-NEXT: - Name: .overflow1
+# CONTENT-NEXT: Type: SHT_HASH
+# CONTENT-NEXT: Content: 01000000FFFFFFFF{{$}}
+# CONTENT-NEXT: - Name: .overflow2
+# CONTENT-NEXT: Type: SHT_HASH
+# CONTENT-NEXT: Content: FFFFFFFF01000000{{$}}
+# CONTENT-NEXT: ...
--- !ELF
FileHeader:
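Review bot: The two new `Content:` checks for `.overflow1` and `.overflow2` expect an unquoted value, while the neighbouring `.oversized` check expects a quoted one, and the test does not say why. A short comment next to the new checks explaining the difference, and that `{{$}}` is there to pin the end of the value, would keep a later reader from "fixing" the inconsistency.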
@@ -74,6 +81,20 @@
- Name: .oversized
Type: SHT_HASH
Content: '0100000002000000030000000400000000'
+## Case 5, 6: NChain/NBucket are incorrect and causing 32-bit
+## unsigned overflows of intermediate expressions.
+ - Name: .overflow1
+ Type: SHT_HASH
+ Bucket: [ ]
+ Chain: [ ]
+ NBucket: 0x1
+ NChain: 0xffffffff
+ - Name: .overflow2
+ Type: SHT_HASH
+ Bucket: [ ]
+ Chain: [ ]
+ NBucket: 0xffffffff
+ NChain: 0x1
## Check how we dump the "EntSize" field. When the sh_entsize is 4,
## we don't print it, because it is the default value for the SHT_HASH section.
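Review bot: Both new inputs, `.overflow1` and `.overflow2`, wrap in the addition only: in 32-bit arithmetic `2 + 0x1 + 0xffffffff` becomes 2, and the multiplication by 4 then gives 8 without wrapping again. The comment says "intermediate expressions", but the case where the sum fits in 32 bits and only the `* 4` wraps is not covered. Consider adding a section with, for example, `NBucket: 0x40000000` and `NChain: 0x0`, where `(2 + NBucket + NChain) * 4` is 0x100000008 and truncates to 8, the same size as the 8-byte content these sections produce.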