[llvm] [WebAssembly] Limit increase of Ctx.End (PR #76676)
via llvm-commits
llvm-commits at lists.llvm.org
Fri Jan 5 08:37:01 PST 2024
https://github.com/DavidKorczynski updated https://github.com/llvm/llvm-project/pull/76676
>From 1aa5a9d1d2b9bc825eb1325cef5f864adf65965d Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Mon, 1 Jan 2024 04:56:29 -0800
Subject: [PATCH 1/2] [WebAssembly] Limit increase of Ctx.End
Extending `Ctx.End` beyond the original buffer leads to buffer
overflows. This prevents `Ctx.End` from being extended beyond `OrigEnd`, which
avoids these overflows.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65432
Signed-off-by: David Korczynski <david at adalogics.com>
---
llvm/lib/Object/WasmObjectFile.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp
index 40665d686cf939..6f89e183118d63 100644
--- a/llvm/lib/Object/WasmObjectFile.cpp
+++ b/llvm/lib/Object/WasmObjectFile.cpp
@@ -546,6 +546,9 @@ Error WasmObjectFile::parseLinkingSection(ReadContext &Ctx) {
uint32_t Size = readVaruint32(Ctx);
LLVM_DEBUG(dbgs() << "readSubsection type=" << int(Type) << " size=" << Size
<< "\n");
+ if ((const uint8_t *)(Ctx.Ptr + Size) > OrigEnd)
+ return make_error<GenericBinaryError>("invalid segment size",
+ object_error::parse_failed);
Ctx.End = Ctx.Ptr + Size;
switch (Type) {
case wasm::WASM_SYMBOL_TABLE:
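Review bot: The added guard computes `Ctx.Ptr + Size` before comparing it with `OrigEnd`, so for an oversized `Size` it forms a pointer past the end of the buffer before the check rejects it; comparing remaining length avoids that, e.g. `if (Size > static_cast<size_t>(OrigEnd - Ctx.Ptr))`, which also drops the C-style cast (if `Ctx.Ptr` is already a `const uint8_t *`, as the pointer comparison with `OrigEnd` suggests, the cast is redundant anyway). This assumes `Ctx.Ptr` cannot already lie beyond `OrigEnd` when the subsection header is read; if that is not guaranteed on entry to this loop, that case should be rejected first. The message `"invalid segment size"` also reads oddly for a linking subsection, given the debug line above labels it `readSubsection`; `"invalid subsection size"` would match. `parseLinkingSection` starts before and continues after this hunk, so where `OrigEnd` is defined and whether `Ctx.End` is restored afterwards is not visible here.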
>From 9fe0eb2c16e250078e1a1564931af5eddc4f9f3d Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Fri, 5 Jan 2024 08:35:09 -0800
Subject: [PATCH 2/2] Add OSSFuzz regression test
Signed-off-by: David Korczynski <david at adalogics.com>
---
llvm/unittests/Object/CMakeLists.txt | 1 +
.../Object/ObjectFuzzRegressions.cpp | 32 +++++++++++++++++++
2 files changed, 33 insertions(+)
create mode 100644 llvm/unittests/Object/ObjectFuzzRegressions.cpp
diff --git a/llvm/unittests/Object/CMakeLists.txt b/llvm/unittests/Object/CMakeLists.txt
index 81bc4a5577e681..399334b0e599e0 100644
--- a/llvm/unittests/Object/CMakeLists.txt
+++ b/llvm/unittests/Object/CMakeLists.txt
@@ -19,6 +19,7 @@ add_llvm_unittest(ObjectTests
SymbolSizeTest.cpp
SymbolicFileTest.cpp
XCOFFObjectFileTest.cpp
+ ObjectFuzzRegressions.cpp
)
target_link_libraries(ObjectTests PRIVATE LLVMTestingSupport)
diff --git a/llvm/unittests/Object/ObjectFuzzRegressions.cpp b/llvm/unittests/Object/ObjectFuzzRegressions.cpp
new file mode 100644
index 00000000000000..761557426a3d4f
--- /dev/null
+++ b/llvm/unittests/Object/ObjectFuzzRegressions.cpp
@@ -0,0 +1,32 @@
+//===-- ObjectFuzzRegressions.cpp - Fuzz regression checking -------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "llvm/Object/ObjectFile.h"
+#include "llvm/Testing/Support/Error.h"
+#include "gtest/gtest.h"
+
+using namespace llvm;
+using namespace llvm::object;
+
+TEST(ObjectFuzzRegressions, OSSFUZZ30308) {
+ // Regression test for
+ // https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30308
+ const uint8_t data[47] = {
+ 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x07, 0x6c,
+ 0x69, 0x6e, 0x6b, 0x69, 0x6e, 0x67, 0x02, 0x08, 0xe2, 0x29, 0x01, 0x01,
+ 0x02, 0xea, 0x06, 0xf9, 0xee, 0x28, 0xe1, 0x2b, 0x2f, 0x09, 0x00, 0xef,
+ 0xbf, 0xbf, 0x00, 0x00, 0xdd, 0x73, 0x66, 0x83, 0x7b, 0x00, 0x55};
+
+ std::string Payload(reinterpret_cast<const char *>(data), 47);
+ std::unique_ptr<MemoryBuffer> Buff = MemoryBuffer::getMemBuffer(Payload);
+ Expected<std::unique_ptr<ObjectFile>> ObjOrErr =
+ ObjectFile::createObjectFile(Buff->getMemBufferRef());
+ if (auto E = ObjOrErr.takeError()) {
+ consumeError(std::move(E));
+ }
+}
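Review bot: The test in `OSSFUZZ30308` never asserts an outcome: it only consumes whatever error `createObjectFile` returns, so it passes whether the input is rejected, accepted, or (without a sanitizer) silently over-read, and the `llvm/Testing/Support/Error.h` include goes unused. If the expected result is the parse error the first patch introduces, replacing the `if`/`consumeError` block with `EXPECT_THAT_EXPECTED(ObjOrErr, Failed());` pins that behaviour; if the intent is only to exercise the parser under ASan, a comment saying so would help the next reader. The test name and its comment cite oss-fuzz issue 30308, while the commit message says it fixes issue 65432; presumably one of these is a typo and should be reconciled. Minor: the length `47` is spelled twice, `sizeof(data)` would keep it in sync with the array, and LLVM's naming convention would make `data` `Data`.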