Next set of additional error checks for invalid Mach-O files for bad load commands
authorKevin Enderby <enderby@apple.com>
Tue, 20 Sep 2016 20:14:14 +0000 (20:14 +0000)
committerKevin Enderby <enderby@apple.com>
Tue, 20 Sep 2016 20:14:14 +0000 (20:14 +0000)
that use the Mach::dylib_command type for the load commands that are
currently used in the MachOObjectFile constructor.

This contains the missing checks for LC_ID_DYLIB, LC_ID_DYLIB, etc.
load commands and the fields for the Mach::dylib_command type.

Also checks that only an MH_DYLIB or MH_STUB_DYLIB has an
LC_ID_DYLIB load command (and other file types don't) and that there
is not more than one of these load commands.

llvm-svn: 282008

llvm/lib/Object/MachOObjectFile.cpp
llvm/test/Object/Inputs/macho-invalid-dylib-id-more-than-one [new file with mode: 0644]
llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toobig [new file with mode: 0644]
llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toosmall [new file with mode: 0644]
llvm/test/Object/Inputs/macho-invalid-dylib-name_toobig [new file with mode: 0644]
llvm/test/Object/Inputs/macho-invalid-dylib-no-id [new file with mode: 0644]
llvm/test/Object/Inputs/macho-invalid-dylib-small [new file with mode: 0644]
llvm/test/Object/Inputs/macho-invalid-dylib-wrong-filetype [new file with mode: 0644]
llvm/test/Object/macho-invalid.test

index b57955b..1592e49 100644 (file)
@@ -579,6 +579,52 @@ static Error checkDyldInfoCommand(const MachOObjectFile *Obj,
   return Error::success();
 }
 
+static Error checkDylibCommand(const MachOObjectFile *Obj,
+                               const MachOObjectFile::LoadCommandInfo &Load,
+                               uint32_t LoadCommandIndex, const char *CmdName) {
+  if (Load.C.cmdsize < sizeof(MachO::dylib_command))
+    return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+                          CmdName + " cmdsize too small");
+  MachO::dylib_command D = getStruct<MachO::dylib_command>(Obj, Load.Ptr);
+  if (D.dylib.name < sizeof(MachO::dylib_command))
+    return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+                          CmdName + " name.offset field too small, not past "
+                          "the end of the dylib_command struct");
+  if (D.dylib.name >= D.cmdsize)
+    return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+                          CmdName + " name.offset field extends past the end "
+                          "of the load command");
+  // Make sure there is a null between the starting offset of the name and
+  // the end of the load command.
+  uint32_t i;
+  const char *P = (const char *)Load.Ptr;
+  for (i = D.dylib.name; i < D.cmdsize; i++)
+    if (P[i] == '\0')
+      break;
+  if (i >= D.cmdsize)
+    return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+                          CmdName + " library name extends past the end of the "
+                          "load command");
+  return Error::success();
+}
+
+static Error checkDylibIdCommand(const MachOObjectFile *Obj,
+                                 const MachOObjectFile::LoadCommandInfo &Load,
+                                 uint32_t LoadCommandIndex,
+                                 const char **LoadCmd) {
+  if (Error Err = checkDylibCommand(Obj, Load, LoadCommandIndex,
+                                     "LC_ID_DYLIB"))
+    return Err;
+  if (*LoadCmd != nullptr)
+    return malformedError("more than one LC_ID_DYLIB command");
+  if (Obj->getHeader().filetype != MachO::MH_DYLIB &&
+      Obj->getHeader().filetype != MachO::MH_DYLIB_STUB)
+    return malformedError("LC_ID_DYLIB load command in non-dynamic library "
+                          "file type");
+  *LoadCmd = Load.Ptr;
+  return Error::success();
+}
+
 Expected<std::unique_ptr<MachOObjectFile>>
 MachOObjectFile::create(MemoryBufferRef Object, bool IsLittleEndian,
                         bool Is64Bits) {
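Review bot: checkDylibCommand bounds the name against the load command but not, visibly, the load command against the file: the NUL scan at `for (i = D.dylib.name; i < D.cmdsize; i++)` reads `P[i]` up to `D.cmdsize` bytes past `Load.Ptr`, so it relies on the caller having already verified that `cmdsize` bytes lie inside the object's buffer (presumably done when the LoadCommandInfo is produced, which is outside this hunk). A one-line precondition comment above the loop would save the next reader from re-deriving that: `// Caller guarantees [Load.Ptr, Load.Ptr + cmdsize) lies within the object's buffer.` Two smaller points: the first check compares against `Load.C.cmdsize` while the later ones use `D.cmdsize` — the same header field read twice — so pick one and use it throughout. And `(const char *)Load.Ptr` is a redundant C-style cast, since `*LoadCmd = Load.Ptr` with `const char **LoadCmd` shows Ptr is already `const char *`; `const char *P = Load.Ptr;` suffices, or the scan can become `memchr(P + D.dylib.name, '\0', D.cmdsize - D.dylib.name)`.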
@@ -616,17 +662,17 @@ MachOObjectFile::MachOObjectFile(MemoryBufferRef Object, bool IsLittleEndian,
   }
 
   uint32_t LoadCommandCount = getHeader().ncmds;
-  if (LoadCommandCount == 0)
-    return;
-
   LoadCommandInfo Load;
-  if (auto LoadOrErr = getFirstLoadCommandInfo(this))
-    Load = *LoadOrErr;
-  else {
-    Err = LoadOrErr.takeError();
-    return;
+  if (LoadCommandCount != 0) {
+    if (auto LoadOrErr = getFirstLoadCommandInfo(this))
+      Load = *LoadOrErr;
+    else {
+      Err = LoadOrErr.takeError();
+      return;
+    }
   }
 
+  const char *DyldIdLoadCmd = nullptr;
   for (unsigned I = 0; I < LoadCommandCount; ++I) {
     if (is64Bit()) {
       if (Load.C.cmdsize % 8 != 0) {
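Review bot: `DyldIdLoadCmd` names the LC_ID_DYLIB command after dyld (the dynamic loader) rather than the dylib it identifies; `DylibIdLoadCmd` would match the command name and the checkDylibIdCommand helper it is passed to (the same name recurs in the post-loop check later in this file). The restructured block also leaves `Load` default-initialized when `ncmds` is zero; the loop below does not run in that case, so nothing reads it, but a short comment such as `// With ncmds == 0 there is no first load command; fall through so the post-loop filetype checks still run.` would explain why the early return was dropped. The enclosing constructor begins and ends outside this hunk.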
@@ -689,11 +735,28 @@ MachOObjectFile::MachOObjectFile(MemoryBufferRef Object, bool IsLittleEndian,
                    this, Load, Sections, HasPageZeroSegment, I,
                    "LC_SEGMENT", SizeOfHeaders)))
         return;
-    } else if (Load.C.cmd == MachO::LC_LOAD_DYLIB ||
-               Load.C.cmd == MachO::LC_LOAD_WEAK_DYLIB ||
-               Load.C.cmd == MachO::LC_LAZY_LOAD_DYLIB ||
-               Load.C.cmd == MachO::LC_REEXPORT_DYLIB ||
-               Load.C.cmd == MachO::LC_LOAD_UPWARD_DYLIB) {
+    } else if (Load.C.cmd == MachO::LC_ID_DYLIB) {
+      if ((Err = checkDylibIdCommand(this, Load, I, &DyldIdLoadCmd)))
+        return;
+    } else if (Load.C.cmd == MachO::LC_LOAD_DYLIB) {
+      if ((Err = checkDylibCommand(this, Load, I, "LC_LOAD_DYLIB")))
+        return;
+      Libraries.push_back(Load.Ptr);
+    } else if (Load.C.cmd == MachO::LC_LOAD_WEAK_DYLIB) {
+      if ((Err = checkDylibCommand(this, Load, I, "LC_LOAD_WEAK_DYLIB")))
+        return;
+      Libraries.push_back(Load.Ptr);
+    } else if (Load.C.cmd == MachO::LC_LAZY_LOAD_DYLIB) {
+      if ((Err = checkDylibCommand(this, Load, I, "LC_LAZY_LOAD_DYLIB")))
+        return;
+      Libraries.push_back(Load.Ptr);
+    } else if (Load.C.cmd == MachO::LC_REEXPORT_DYLIB) {
+      if ((Err = checkDylibCommand(this, Load, I, "LC_REEXPORT_DYLIB")))
+        return;
+      Libraries.push_back(Load.Ptr);
+    } else if (Load.C.cmd == MachO::LC_LOAD_UPWARD_DYLIB) {
+      if ((Err = checkDylibCommand(this, Load, I, "LC_LOAD_UPWARD_DYLIB")))
+        return;
       Libraries.push_back(Load.Ptr);
     }
     if (I < LoadCommandCount - 1) {
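Review bot: The five `LC_*_DYLIB` branches are identical apart from the command-name string, each calling checkDylibCommand and then `Libraries.push_back(Load.Ptr)`; the previous combined condition (the removed lines) can be kept if the name is derived from `Load.C.cmd` by a small switch, leaving one copy of the check-and-push logic. Behaviour is unchanged: the same commands are validated with the same names and pushed in the same order. The helper would live next to checkDylibCommand; the constructor this branch belongs to starts and ends outside the hunk.
```cpp
// next to checkDylibCommand:
static const char *getDylibLoadCommandName(uint32_t Cmd) {
  switch (Cmd) {
  case MachO::LC_LOAD_DYLIB:        return "LC_LOAD_DYLIB";
  case MachO::LC_LOAD_WEAK_DYLIB:   return "LC_LOAD_WEAK_DYLIB";
  case MachO::LC_LAZY_LOAD_DYLIB:   return "LC_LAZY_LOAD_DYLIB";
  case MachO::LC_REEXPORT_DYLIB:    return "LC_REEXPORT_DYLIB";
  case MachO::LC_LOAD_UPWARD_DYLIB: return "LC_LOAD_UPWARD_DYLIB";
  }
  llvm_unreachable("not a dylib load command");
}

// … unchanged: LC_SEGMENT and LC_ID_DYLIB branches …
    } else if (Load.C.cmd == MachO::LC_LOAD_DYLIB ||
               Load.C.cmd == MachO::LC_LOAD_WEAK_DYLIB ||
               Load.C.cmd == MachO::LC_LAZY_LOAD_DYLIB ||
               Load.C.cmd == MachO::LC_REEXPORT_DYLIB ||
               Load.C.cmd == MachO::LC_LOAD_UPWARD_DYLIB) {
      if ((Err = checkDylibCommand(this, Load, I,
                                   getDylibLoadCommandName(Load.C.cmd))))
        return;
      Libraries.push_back(Load.Ptr);
    }
```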
@@ -754,6 +817,13 @@ MachOObjectFile::MachOObjectFile(MemoryBufferRef Object, bool IsLittleEndian,
       return;
     }
   }
+  if ((getHeader().filetype == MachO::MH_DYLIB ||
+       getHeader().filetype == MachO::MH_DYLIB_STUB) &&
+       DyldIdLoadCmd == nullptr) {
+    Err = malformedError("no LC_ID_DYLIB load command in dynamic library "
+                         "filetype");
+    return;
+  }
   assert(LoadCommands.size() == LoadCommandCount);
 
   Err = Error::success();
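Review bot: The trailing filetype check reads `getHeader().filetype` twice, and its placement after the loop is only correct because the `ncmds == 0` early return was removed earlier in the constructor; a comment makes that dependency explicit: `// Checked after the loop (and even when ncmds == 0) so a dylib missing LC_ID_DYLIB entirely is reported.` Storing the value once, `uint32_t FileType = getHeader().filetype;`, would also keep the condition to one line per case. The constructor begins outside this hunk.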
diff --git a/llvm/test/Object/Inputs/macho-invalid-dylib-id-more-than-one b/llvm/test/Object/Inputs/macho-invalid-dylib-id-more-than-one
new file mode 100644 (file)
index 0000000..3fcefdb
Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dylib-id-more-than-one differ
diff --git a/llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toobig b/llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toobig
new file mode 100644 (file)
index 0000000..3a5f0c7
Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toobig differ
diff --git a/llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toosmall b/llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toosmall
new file mode 100644 (file)
index 0000000..fb3aa3b
Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toosmall differ
diff --git a/llvm/test/Object/Inputs/macho-invalid-dylib-name_toobig b/llvm/test/Object/Inputs/macho-invalid-dylib-name_toobig
new file mode 100644 (file)
index 0000000..11ef928
Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dylib-name_toobig differ
diff --git a/llvm/test/Object/Inputs/macho-invalid-dylib-no-id b/llvm/test/Object/Inputs/macho-invalid-dylib-no-id
new file mode 100644 (file)
index 0000000..3715e8c
Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dylib-no-id differ
diff --git a/llvm/test/Object/Inputs/macho-invalid-dylib-small b/llvm/test/Object/Inputs/macho-invalid-dylib-small
new file mode 100644 (file)
index 0000000..6aca91e
Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dylib-small differ
diff --git a/llvm/test/Object/Inputs/macho-invalid-dylib-wrong-filetype b/llvm/test/Object/Inputs/macho-invalid-dylib-wrong-filetype
new file mode 100644 (file)
index 0000000..c9c862c
Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dylib-wrong-filetype differ
index 8868b88..b8a1e10 100644 (file)
@@ -262,3 +262,24 @@ INVALID-DYLDINFO-EXPORT_OFF-EXPORT_SIZE: macho-invalid-dyldinfo-export_off-expor
 
 RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dyldinfo-more-than-one  2>&1 | FileCheck -check-prefix INVALID-DYLDINFO-MORE-THAN-ONE %s
 INVALID-DYLDINFO-MORE-THAN-ONE: macho-invalid-dyldinfo-more-than-one': truncated or malformed object (more than one LC_DYLD_INFO and or LC_DYLD_INFO_ONLY command)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-small  2>&1 | FileCheck -check-prefix INVALID-DYLIB-SMALL %s
+INVALID-DYLIB-SMALL: macho-invalid-dylib-small': truncated or malformed object (load command 0 LC_LOAD_DYLIB cmdsize too small)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-name_offset-toobig  2>&1 | FileCheck -check-prefix INVALID-DYLIB-NAME_OFFSET-TOOBIG %s
+INVALID-DYLIB-NAME_OFFSET-TOOBIG: macho-invalid-dylib-name_offset-toobig': truncated or malformed object (load command 0 LC_LOAD_WEAK_DYLIB name.offset field extends past the end of the load command)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-name_toobig  2>&1 | FileCheck -check-prefix INVALID-DYLIB-NAME_TOOBIG %s
+INVALID-DYLIB-NAME_TOOBIG: macho-invalid-dylib-name_toobig': truncated or malformed object (load command 0 LC_LAZY_LOAD_DYLIB library name extends past the end of the load command)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-name_offset-toosmall  2>&1 | FileCheck -check-prefix INVALID-DYLIB-NAME_OFFSET-TOOSMALL %s
+INVALID-DYLIB-NAME_OFFSET-TOOSMALL: macho-invalid-dylib-name_offset-toosmall': truncated or malformed object (load command 0 LC_LOAD_UPWARD_DYLIB name.offset field too small, not past the end of the dylib_command struct)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-id-more-than-one  2>&1 | FileCheck -check-prefix INVALID-DYLIB-ID-MORE-THAN-ONE %s
+INVALID-DYLIB-ID-MORE-THAN-ONE: macho-invalid-dylib-id-more-than-one': truncated or malformed object (more than one LC_ID_DYLIB command)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-wrong-filetype  2>&1 | FileCheck -check-prefix INVALID-DYLIB-WRONG-FILETYPE %s
+INVALID-DYLIB-WRONG-FILETYPE: macho-invalid-dylib-wrong-filetype': truncated or malformed object (LC_ID_DYLIB load command in non-dynamic library file type)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-no-id  2>&1 | FileCheck -check-prefix INVALID-DYLIB-NO-ID %s
+INVALID-DYLIB-NO-ID: macho-invalid-dylib-no-id': truncated or malformed object (no LC_ID_DYLIB load command in dynamic library filetype)
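Review bot: The new tests exercise the cmdsize, name.offset and NUL-terminator checks only through the LC_LOAD_* commands; for LC_ID_DYLIB the covered cases are the duplicate, wrong-filetype and missing-command paths, so a malformed LC_ID_DYLIB (for example one whose cmdsize is too small) goes through checkDylibCommand without a FileCheck line pinning the `load command 0 LC_ID_DYLIB cmdsize too small` message. One more input for that case would cover the first branch of checkDylibIdCommand. The CHECK lines otherwise match the messages added in MachOObjectFile.cpp.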