[llvm] [llvm-objdump][ELF] Ensure offset to verdaux entry array does not go past size (PR #115284)
via llvm-commits
llvm-commits at lists.llvm.org
Thu Nov 7 01:36:33 PST 2024
llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->
@llvm/pr-subscribers-llvm-binary-utilities
@llvm/pr-subscribers-objectyaml
Author: Antonio Frighetto (antoniofrighetto)
<details>
<summary>Changes</summary>
Validate `vd_aux` while parsing `Elf_Verdef` structure.
Fixes: https://github.com/llvm/llvm-project/issues/86611.
---
Full diff: https://github.com/llvm/llvm-project/pull/115284.diff
5 Files Affected:
- (modified) llvm/include/llvm/ObjectYAML/ELFYAML.h (+1)
- (modified) llvm/lib/ObjectYAML/ELFEmitter.cpp (+6-6)
- (modified) llvm/lib/ObjectYAML/ELFYAML.cpp (+1)
- (added) llvm/test/tools/llvm-objdump/ELF/invalid-verdef.test (+29)
- (modified) llvm/tools/llvm-objdump/ELFDump.cpp (+13-4)
``````````diff
diff --git a/llvm/include/llvm/ObjectYAML/ELFYAML.h b/llvm/include/llvm/ObjectYAML/ELFYAML.h
index 8f045d6383623b..5383037582124c 100644
--- a/llvm/include/llvm/ObjectYAML/ELFYAML.h
+++ b/llvm/include/llvm/ObjectYAML/ELFYAML.h
@@ -582,6 +582,7 @@ struct VerdefEntry {
std::optional<uint16_t> Flags;
std::optional<uint16_t> VersionNdx;
std::optional<uint32_t> Hash;
+ std::optional<uint16_t> AuxVOffset;
std::vector<StringRef> VerNames;
};
diff --git a/llvm/lib/ObjectYAML/ELFEmitter.cpp b/llvm/lib/ObjectYAML/ELFEmitter.cpp
index fc234581a45a70..a379a3e0d4a596 100644
--- a/llvm/lib/ObjectYAML/ELFEmitter.cpp
+++ b/llvm/lib/ObjectYAML/ELFEmitter.cpp
@@ -1655,7 +1655,7 @@ void ELFState<ELFT>::writeSectionContent(Elf_Shdr &SHeader,
VerDef.vd_flags = E.Flags.value_or(0);
VerDef.vd_ndx = E.VersionNdx.value_or(0);
VerDef.vd_hash = E.Hash.value_or(0);
- VerDef.vd_aux = sizeof(Elf_Verdef);
+ VerDef.vd_aux = E.AuxVOffset.value_or(sizeof(Elf_Verdef));
VerDef.vd_cnt = E.VerNames.size();
if (I == Section.Entries->size() - 1)
VerDef.vd_next = 0;
@@ -1665,13 +1665,13 @@ void ELFState<ELFT>::writeSectionContent(Elf_Shdr &SHeader,
CBA.write((const char *)&VerDef, sizeof(Elf_Verdef));
for (size_t J = 0; J < E.VerNames.size(); ++J, ++AuxCnt) {
- Elf_Verdaux VernAux;
- VernAux.vda_name = DotDynstr.getOffset(E.VerNames[J]);
+ Elf_Verdaux VerdAux;
+ VerdAux.vda_name = DotDynstr.getOffset(E.VerNames[J]);
if (J == E.VerNames.size() - 1)
- VernAux.vda_next = 0;
+ VerdAux.vda_next = 0;
else
- VernAux.vda_next = sizeof(Elf_Verdaux);
- CBA.write((const char *)&VernAux, sizeof(Elf_Verdaux));
+ VerdAux.vda_next = sizeof(Elf_Verdaux);
+ CBA.write((const char *)&VerdAux, sizeof(Elf_Verdaux));
}
}
diff --git a/llvm/lib/ObjectYAML/ELFYAML.cpp b/llvm/lib/ObjectYAML/ELFYAML.cpp
index e97248cbcf5682..821f48723b35e5 100644
--- a/llvm/lib/ObjectYAML/ELFYAML.cpp
+++ b/llvm/lib/ObjectYAML/ELFYAML.cpp
@@ -1921,6 +1921,7 @@ void MappingTraits<ELFYAML::VerdefEntry>::mapping(IO &IO,
IO.mapOptional("Flags", E.Flags);
IO.mapOptional("VersionNdx", E.VersionNdx);
IO.mapOptional("Hash", E.Hash);
+ IO.mapOptional("AuxVOffset", E.AuxVOffset);
IO.mapRequired("Names", E.VerNames);
}
diff --git a/llvm/test/tools/llvm-objdump/ELF/invalid-verdef.test b/llvm/test/tools/llvm-objdump/ELF/invalid-verdef.test
new file mode 100644
index 00000000000000..abf9a2829f248c
--- /dev/null
+++ b/llvm/test/tools/llvm-objdump/ELF/invalid-verdef.test
@@ -0,0 +1,29 @@
+# RUN: yaml2obj %s -o %t
+# RUN: llvm-objdump -p %t 2>&1 | FileCheck --check-prefix=BROKEN-VERDEF -DFILE=%t %s
+
+# BROKEN-VERDEF: Version definitions:
+# BROKEN-VERDEF-NEXT: warning: '[[FILE]]': out-of-bound while parsing verdaux entries, corrupted verdef section
+
+--- !ELF
+FileHeader:
+ Class: ELFCLASS64
+ Data: ELFDATA2LSB
+ Type: ET_DYN
+ Machine: EM_X86_64
+ Entry: 0x0000000000001000
+Sections:
+ - Name: .gnu.version_d
+ Type: SHT_GNU_verdef
+ Flags: [ SHF_ALLOC ]
+ Address: 0x0000000000000230
+ AddressAlign: 0x0000000000000004
+ Entries:
+ - Version: 1
+ Flags: 44
+ VersionNdx: 0
+ Hash: 12345
+ AuxVOffset: 0x45
+ Names:
+ - VERSION_1
+DynamicSymbols: []
+...
diff --git a/llvm/tools/llvm-objdump/ELFDump.cpp b/llvm/tools/llvm-objdump/ELFDump.cpp
index 5ac13495662faf..3c5d11ef8ba751 100644
--- a/llvm/tools/llvm-objdump/ELFDump.cpp
+++ b/llvm/tools/llvm-objdump/ELFDump.cpp
@@ -39,6 +39,9 @@ template <typename ELFT> class ELFDumper : public Dumper {
void printProgramHeaders();
void printSymbolVersion();
void printSymbolVersionDependency(const typename ELFT::Shdr &Sec);
+ void printSymbolVersionDefinition(const typename ELFT::Shdr &Shdr,
+ ArrayRef<uint8_t> Contents,
+ StringRef StrTab);
};
} // namespace
@@ -380,9 +383,9 @@ void ELFDumper<ELFT>::printSymbolVersionDependency(
}
template <class ELFT>
-static void printSymbolVersionDefinition(const typename ELFT::Shdr &Shdr,
- ArrayRef<uint8_t> Contents,
- StringRef StrTab) {
+void ELFDumper<ELFT>::printSymbolVersionDefinition(
+ const typename ELFT::Shdr &Shdr, ArrayRef<uint8_t> Contents,
+ StringRef StrTab) {
outs() << "\nVersion definitions:\n";
const uint8_t *Buf = Contents.data();
@@ -398,6 +401,12 @@ static void printSymbolVersionDefinition(const typename ELFT::Shdr &Shdr,
<< format("0x%08" PRIx32 " ", (uint32_t)Verdef->vd_hash);
const uint8_t *BufAux = Buf + Verdef->vd_aux;
+ if (BufAux > Contents.end()) {
+ reportWarning("out-of-bound while parsing verdaux entries, corrupted "
+ "verdef section",
+ Obj.getFileName());
+ break;
+ }
uint16_t VerdauxIndex = 0;
while (BufAux) {
auto *Verdaux = reinterpret_cast<const typename ELFT::Verdaux *>(BufAux);
@@ -430,7 +439,7 @@ template <class ELFT> void ELFDumper<ELFT>::printSymbolVersion() {
if (Shdr.sh_type == ELF::SHT_GNU_verneed)
printSymbolVersionDependency(Shdr);
else
- printSymbolVersionDefinition<ELFT>(Shdr, Contents, StrTab);
+ printSymbolVersionDefinition(Shdr, Contents, StrTab);
}
}
``````````
</details>
https://github.com/llvm/llvm-project/pull/115284
More information about the llvm-commits
mailing list