Skip to content

Commit

Permalink
tools: address possible non-null terminated filenames
Browse files Browse the repository at this point in the history
If a filename is a multiple of 18 characters, there will be no null-terminator.
This will result in an invalid access by the constructed StringRef.  Add a test
case to exercise this and fix that handling.  Address this same vulnerability in
llvm-readobj as well.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@206145 91177308-0d34-0410-b5e6-96231b3b80d8
  • Loading branch information
compnerd committed Apr 14, 2014
1 parent aa827a5 commit 67635a7
Show file tree
Hide file tree
Showing 6 changed files with 78 additions and 16 deletions.
21 changes: 21 additions & 0 deletions test/tools/llvm-objdump/Inputs/file-aux-record.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
header: !Header
Machine: IMAGE_FILE_MACHINE_I386 # (0x14c)
Characteristics: [ IMAGE_FILE_DEBUG_STRIPPED ]
sections:
symbols:
- !Symbol
Name: .file
Value: 0
SectionNumber: 65534
SimpleType: IMAGE_SYM_TYPE_NULL
ComplexType: IMAGE_SYM_DTYPE_NULL
StorageClass: IMAGE_SYM_CLASS_FILE
File: eighteen-chars.obj
- !Symbol
Name: '@comp.id'
Value: 13485607
SectionNumber: 65535
SimpleType: IMAGE_SYM_TYPE_NULL
ComplexType: IMAGE_SYM_DTYPE_NULL
StorageClass: IMAGE_SYM_CLASS_STATIC

5 changes: 5 additions & 0 deletions test/tools/llvm-objdump/coff-non-null-terminated-file.test
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
RUN: yaml2obj %p/Inputs/file-aux-record.yaml | llvm-objdump -t - | FileCheck %s

CHECK: .file
CHECK: AUX eighteen-chars.obj{{$}}

21 changes: 21 additions & 0 deletions test/tools/llvm-readobj/Inputs/file-aux-record.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
header: !Header
Machine: IMAGE_FILE_MACHINE_I386 # (0x14c)
Characteristics: [ IMAGE_FILE_DEBUG_STRIPPED ]
sections:
symbols:
- !Symbol
Name: .file
Value: 0
SectionNumber: 65534
SimpleType: IMAGE_SYM_TYPE_NULL
ComplexType: IMAGE_SYM_DTYPE_NULL
StorageClass: IMAGE_SYM_CLASS_FILE
File: eighteen-chars.obj
- !Symbol
Name: '@comp.id'
Value: 13485607
SectionNumber: 65535
SimpleType: IMAGE_SYM_TYPE_NULL
ComplexType: IMAGE_SYM_DTYPE_NULL
StorageClass: IMAGE_SYM_CLASS_STATIC

20 changes: 20 additions & 0 deletions test/tools/llvm-readobj/coff-non-null-terminated-file.test
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
RUN: yaml2obj %p/Inputs/file-aux-record.yaml | llvm-readobj -t - | FileCheck %s

CHECK: Symbols [
CHECK: Symbol {
CHECK: Name: .file
CHECK: Value: 0
CHECK: StorageClass: File
CHECK: AuxSymbolCount: 1
CHECK: AuxFileRecord {
CHECK: FileName: eighteen-chars.obj{{$}}
CHECK: }
CHECK: }
CHECK: Symbol {
CHECK: Name: @comp.id
CHECK: Value: 13485607
CHECK: StorageClass: Static
CHECK: AuxSymbolCount: 0
CHECK: }
CHECK: ]

22 changes: 7 additions & 15 deletions tools/llvm-objdump/llvm-objdump.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -669,17 +669,7 @@ static void PrintCOFFSymbolTable(const COFFObjectFile *coff) {
const coff_symbol *symbol = 0;
for (int i = 0, e = header->NumberOfSymbols; i != e; ++i) {
if (aux_count--) {
switch (symbol->StorageClass) {
default: outs() << "AUX Unknown\n";
case COFF::IMAGE_SYM_CLASS_STATIC:
// Section definition. Follows a symbol-table record that defines a
// section. Such a record has a symbol name that is the name of a
// section and has storage class STATIC (3).
if (symbol->Value) {
errs() << "invalid entry in Symbol Table";
break;
}

if (symbol->isSectionDefinition()) {
const coff_aux_section_definition *asd;
if (error(coff->getAuxSymbol<coff_aux_section_definition>(i, asd)))
return;
Expand All @@ -693,15 +683,17 @@ static void PrintCOFFSymbolTable(const COFFObjectFile *coff) {
<< format("assoc %d comdat %d\n"
, unsigned(asd->Number)
, unsigned(asd->Selection));
break;
case COFF::IMAGE_SYM_CLASS_FILE:
} else if (symbol->isFileRecord()) {
const coff_aux_file *AF;
if (error(coff->getAuxSymbol<coff_aux_file>(i, AF)))
return;
outs() << "AUX " << StringRef(AF->FileName) << '\n';

StringRef Name(AF->FileName, (aux_count + 1) * COFF::SymbolSize);
outs() << "AUX " << Name.rtrim(StringRef("\0", 1)) << '\n';
i = i + aux_count;
aux_count = 0;
break;
} else {
outs() << "AUX Unknown\n";
}
} else {
StringRef name;
Expand Down
5 changes: 4 additions & 1 deletion tools/llvm-readobj/COFFDumper.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -977,7 +977,10 @@ void COFFDumper::printSymbol(const SymbolRef &Sym) {
break;

DictScope AS(W, "AuxFileRecord");
W.printString("FileName", StringRef(Aux->FileName));

StringRef Name(Aux->FileName,
Symbol->NumberOfAuxSymbols * COFF::SymbolSize);
W.printString("FileName", Name.rtrim(StringRef("\0", 1)));
} else if (Symbol->isSectionDefinition()) {
const coff_aux_section_definition *Aux;
if (error(getSymbolAuxData(Obj, Symbol + I, Aux)))
Expand Down

0 comments on commit 67635a7

Please sign in to comment.