From 9d0c945ad6de0aa94d40e48f9cd6a5622fa814f9 Mon Sep 17 00:00:00 2001 From: Kevin Enderby Date: Wed, 31 Aug 2016 17:57:46 +0000 Subject: [PATCH] Next set of additional error checks for invalid Mach-O files for bad load commands that use the Mach::linkedit_data_command type for the load commands that are currently used in the MachOObjectFile constructor. This contains the missing checks for LC_DATA_IN_CODE and LC_LINKER_OPTIMIZATION_HINT load commands and the fields for the Mach::linkedit_data_command type. Checking for other load commands that use this type will be added later. Also fixed a couple of places that was using sizeof(MachOObjectFile::LoadCommandInfo) that should have been using sizeof(MachO::load_command). llvm-svn: 280267 --- llvm/lib/Object/MachOObjectFile.cpp | 48 +++++++++++++++------ .../Inputs/macho-invalid-dataincode-bad-size | Bin 0 -> 48 bytes .../macho-invalid-dataincode-dataoff-datasize | Bin 0 -> 44 bytes .../Inputs/macho-invalid-dataincode-more-than-one | Bin 0 -> 60 bytes .../Inputs/macho-invalid-linkopthint-dataoff | Bin 0 -> 44 bytes .../Object/Inputs/macho-invalid-linkopthint-small | Bin 0 -> 44 bytes llvm/test/Object/macho-invalid.test | 16 +++++++ 7 files changed, 52 insertions(+), 12 deletions(-) create mode 100644 llvm/test/Object/Inputs/macho-invalid-dataincode-bad-size create mode 100644 llvm/test/Object/Inputs/macho-invalid-dataincode-dataoff-datasize create mode 100644 llvm/test/Object/Inputs/macho-invalid-dataincode-more-than-one create mode 100644 llvm/test/Object/Inputs/macho-invalid-linkopthint-dataoff create mode 100644 llvm/test/Object/Inputs/macho-invalid-linkopthint-small diff --git a/llvm/lib/Object/MachOObjectFile.cpp b/llvm/lib/Object/MachOObjectFile.cpp index b5ca95a..2435340 100644 --- a/llvm/lib/Object/MachOObjectFile.cpp +++ b/llvm/lib/Object/MachOObjectFile.cpp @@ -184,7 +184,7 @@ static Expected getFirstLoadCommandInfo(const MachOObjectFile *Obj) { unsigned HeaderSize = Obj->is64Bit() ? sizeof(MachO::mach_header_64) : sizeof(MachO::mach_header); - if (sizeof(MachOObjectFile::LoadCommandInfo) > Obj->getHeader().sizeofcmds) + if (sizeof(MachO::load_command) > Obj->getHeader().sizeofcmds) return malformedError("load command 0 extends past the end all load " "commands in the file"); return getLoadCommandInfo(Obj, getPtr(Obj, HeaderSize), 0); @@ -195,7 +195,7 @@ getNextLoadCommandInfo(const MachOObjectFile *Obj, uint32_t LoadCommandIndex, const MachOObjectFile::LoadCommandInfo &L) { unsigned HeaderSize = Obj->is64Bit() ? sizeof(MachO::mach_header_64) : sizeof(MachO::mach_header); - if (L.Ptr + L.C.cmdsize + sizeof(MachOObjectFile::LoadCommandInfo) > + if (L.Ptr + L.C.cmdsize + sizeof(MachO::load_command) > Obj->getData().data() + HeaderSize + Obj->getHeader().sizeofcmds) return malformedError("load command " + Twine(LoadCommandIndex + 1) + " extends past the end all load commands in the file"); @@ -474,6 +474,36 @@ static Error checkDysymtabCommand(const MachOObjectFile *Obj, return Error::success(); } +static Error checkLinkeditDataCommand(const MachOObjectFile *Obj, + const MachOObjectFile::LoadCommandInfo &Load, + uint32_t LoadCommandIndex, + const char **LoadCmd, const char *CmdName) { + if (Load.C.cmdsize < sizeof(MachO::linkedit_data_command)) + return malformedError("load command " + Twine(LoadCommandIndex) + " " + + CmdName + " cmdsize too small"); + if (*LoadCmd != nullptr) + return malformedError("more than one " + Twine(CmdName) + " command"); + MachO::linkedit_data_command LinkData = + getStruct(Obj, Load.Ptr); + if (LinkData.cmdsize != sizeof(MachO::linkedit_data_command)) + return malformedError(Twine(CmdName) + " command " + + Twine(LoadCommandIndex) + " has incorrect cmdsize"); + uint64_t FileSize = Obj->getData().size(); + if (LinkData.dataoff > FileSize) + return malformedError("dataoff field of " + Twine(CmdName) + " command " + + Twine(LoadCommandIndex) + " extends past the end of " + "the file"); + uint64_t BigSize = LinkData.dataoff; + BigSize += LinkData.datasize; + if (BigSize > FileSize) + return malformedError("dataoff field plus datasize field of " + + Twine(CmdName) + " command " + + Twine(LoadCommandIndex) + " extends past the end of " + "the file"); + *LoadCmd = Load.Ptr; + return Error::success(); +} + Expected> MachOObjectFile::create(MemoryBufferRef Object, bool IsLittleEndian, bool Is64Bits) { @@ -550,19 +580,13 @@ MachOObjectFile::MachOObjectFile(MemoryBufferRef Object, bool IsLittleEndian, if ((Err = checkDysymtabCommand(this, Load, I, &DysymtabLoadCmd))) return; } else if (Load.C.cmd == MachO::LC_DATA_IN_CODE) { - // Multiple data in code tables - if (DataInCodeLoadCmd) { - Err = malformedError("Multiple data-in-code tables"); + if ((Err = checkLinkeditDataCommand(this, Load, I, &DataInCodeLoadCmd, + "LC_DATA_IN_CODE"))) return; - } - DataInCodeLoadCmd = Load.Ptr; } else if (Load.C.cmd == MachO::LC_LINKER_OPTIMIZATION_HINT) { - // Multiple linker optimization hint tables - if (LinkOptHintsLoadCmd) { - Err = malformedError("Multiple linker optimization hint tables"); + if ((Err = checkLinkeditDataCommand(this, Load, I, &LinkOptHintsLoadCmd, + "LC_LINKER_OPTIMIZATION_HINT"))) return; - } - LinkOptHintsLoadCmd = Load.Ptr; } else if (Load.C.cmd == MachO::LC_DYLD_INFO || Load.C.cmd == MachO::LC_DYLD_INFO_ONLY) { // Multiple dyldinfo load commands diff --git a/llvm/test/Object/Inputs/macho-invalid-dataincode-bad-size b/llvm/test/Object/Inputs/macho-invalid-dataincode-bad-size new file mode 100644 index 0000000000000000000000000000000000000000..c0ea110bc6eed0be9bdd426d87fdd18893e4639a GIT binary patch literal 48 gcmX^2>+L^w1_lOZAZCPO5g-i$nm`O=g9U&D0JMe#5dZ)H literal 0 HcmV?d00001 diff --git a/llvm/test/Object/Inputs/macho-invalid-dataincode-dataoff-datasize b/llvm/test/Object/Inputs/macho-invalid-dataincode-dataoff-datasize new file mode 100644 index 0000000000000000000000000000000000000000..fd3ab6dc5dc4382efe3526b91bdb7452f8360f92 GIT binary patch literal 44 icmX^2>+L^w1_lOZAZCPO0U!+mnm`O<>i{te5CZ_EA_O@A literal 0 HcmV?d00001 diff --git a/llvm/test/Object/Inputs/macho-invalid-dataincode-more-than-one b/llvm/test/Object/Inputs/macho-invalid-dataincode-more-than-one new file mode 100644 index 0000000000000000000000000000000000000000..383d0ec2a096e9620a8af0406be59956c31d065a GIT binary patch literal 60 jcmX^2>+L^w1_lOZAZ7$&CLmS-Vi3>-VgWDOKTh literal 0 HcmV?d00001 diff --git a/llvm/test/Object/Inputs/macho-invalid-linkopthint-dataoff b/llvm/test/Object/Inputs/macho-invalid-linkopthint-dataoff new file mode 100644 index 0000000000000000000000000000000000000000..1b2b3d84f9aedaa420c0cfdd3c9e0d30b841bd63 GIT binary patch literal 44 hcmX^2>+L^w1_lOZAZCPO0U!+mdO!?f8-O@K005)& literal 0 HcmV?d00001 diff --git a/llvm/test/Object/Inputs/macho-invalid-linkopthint-small b/llvm/test/Object/Inputs/macho-invalid-linkopthint-small new file mode 100644 index 0000000000000000000000000000000000000000..5fe691982461ce0100863811cdf27239bdac4850 GIT binary patch literal 44 ecmX^2>+L^w1_lOZAZCPO9v}?@dO!?ggZKcWas&nd literal 0 HcmV?d00001 diff --git a/llvm/test/Object/macho-invalid.test b/llvm/test/Object/macho-invalid.test index 2162a88a5..91a325a 100644 --- a/llvm/test/Object/macho-invalid.test +++ b/llvm/test/Object/macho-invalid.test @@ -208,3 +208,19 @@ INVALID-DYSYMTAB-TOCOFF-LOCRELOFF: macho-invalid-dysymtab-locreloff': truncated RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dysymtab-locreloff-nlocrel 2>&1 | FileCheck -check-prefix INVALID-DYSYMTAB-TOCOFF-LOCRELOFF-NLOCREL %s INVALID-DYSYMTAB-TOCOFF-LOCRELOFF-NLOCREL: macho-invalid-dysymtab-locreloff-nlocrel': truncated or malformed object (locreloff field plus nlocrel field times sizeof(struct relocation_info) of LC_DYSYMTAB command 0 extends past the end of the file) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dataincode-more-than-one 2>&1 | FileCheck -check-prefix INVALID-DATAINCODE-MORE-THAN-ONE %s +INVALID-DATAINCODE-MORE-THAN-ONE: macho-invalid-dataincode-more-than-one': truncated or malformed object (more than one LC_DATA_IN_CODE command) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-linkopthint-small 2>&1 | FileCheck -check-prefix INVALID-LINKOPTHINT-SMALL %s +INVALID-LINKOPTHINT-SMALL: macho-invalid-linkopthint-small': truncated or malformed object (load command 0 LC_LINKER_OPTIMIZATION_HINT cmdsize too small) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dataincode-bad-size 2>&1 | FileCheck -check-prefix INVALID-DATAINCODE-BAD-SIZE %s +INVALID-DATAINCODE-BAD-SIZE: macho-invalid-dataincode-bad-size': truncated or malformed object (LC_DATA_IN_CODE command 0 has incorrect cmdsize) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-linkopthint-dataoff 2>&1 | FileCheck -check-prefix INVALID-LINKOPTHINT-DATAOFF %s +INVALID-LINKOPTHINT-DATAOFF: macho-invalid-linkopthint-dataoff': truncated or malformed object (dataoff field of LC_LINKER_OPTIMIZATION_HINT command 0 extends past the end of the file) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dataincode-dataoff-datasize 2>&1 | FileCheck -check-prefix INVALID-DATAINCODE-DATAOFF-DATASIZE %s +INVALID-DATAINCODE-DATAOFF-DATASIZE: macho-invalid-dataincode-dataoff-datasize': truncated or malformed object (dataoff field plus datasize field of LC_DATA_IN_CODE command 0 extends past the end of the file) + -- 2.7.4