From bfcc34bc8a06339e2f5c1a38e23ce8453679a5cd Mon Sep 17 00:00:00 2001 From: Kevin Enderby Date: Tue, 27 Sep 2016 23:24:13 +0000 Subject: [PATCH] Next set of additional error checks for invalid Mach-O files for the other load commands that use the MachO::dylinker_command type but not used in llvm libObject code but used in llvm tool code. This includes LC_ID_DYLINKER, LC_LOAD_DYLINKER and LC_DYLD_ENVIRONMENT load commands. llvm-svn: 282553
--- lib/Object/MachOObjectFile.cpp | 38 ++++++++++++++++++ .../macho-invalid-dyld-name_offset-toobig | Bin 0 -> 40 bytes .../Inputs/macho-invalid-dyld-name_toobig | Bin 0 -> 44 bytes test/Object/Inputs/macho-invalid-dyld-small | Bin 0 -> 44 bytes test/Object/macho-invalid.test | 9 +++++ 5 files changed, 47 insertions(+) create mode 100644 test/Object/Inputs/macho-invalid-dyld-name_offset-toobig create mode 100644 test/Object/Inputs/macho-invalid-dyld-name_toobig create mode 100644 test/Object/Inputs/macho-invalid-dyld-small
diff --git a/lib/Object/MachOObjectFile.cpp b/lib/Object/MachOObjectFile.cpp
index 8fa4cd4fe27..fa00561a65c 100644
--- a/lib/Object/MachOObjectFile.cpp
+++ b/lib/Object/MachOObjectFile.cpp
@@ -625,6 +625,35 @@ static Error checkDylibIdCommand(const MachOObjectFile *Obj, return Error::success(); }
+static Error checkDyldCommand(const MachOObjectFile *Obj,
+ const MachOObjectFile::LoadCommandInfo &Load,
+ uint32_t LoadCommandIndex, const char *CmdName) {
+ if (Load.C.cmdsize < sizeof(MachO::dylinker_command))
+ return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+ CmdName + " cmdsize too small");
+ MachO::dylinker_command D = getStruct(Obj, Load.Ptr);
+ if (D.name < sizeof(MachO::dylinker_command))
+ return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+ CmdName + " name.offset field too small, not past "
+ "the end of the dylinker_command struct");
+ if (D.name >= D.cmdsize)
+ return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+ CmdName + " name.offset field extends past the end "
+ "of the load command");
+ // Make sure there is a null between the starting offset of the name and
+ // the end of the load command.
+ uint32_t i;
+ const char *P = (const char *)Load.Ptr;
+ for (i = D.name; i < D.cmdsize; i++)
+ if (P[i] == '\0')
+ break;
+ if (i >= D.cmdsize)
+ return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+ CmdName + " dyld name extends past the end of the "
+ "load command");
+ return Error::success();
+}
+
 Expected> MachOObjectFile::create(MemoryBufferRef Object, bool IsLittleEndian, bool Is64Bits) {
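Review bot: The null-terminator scan at the end of checkDyldCommand reads `P[i]` for every byte from `D.name` up to `D.cmdsize`, so its memory safety rests entirely on the caller having already verified that `cmdsize` bytes starting at `Load.Ptr` lie inside the object buffer; that guarantee is not visible in this hunk, so a precondition comment above the loop would help the next reader: `// Precondition: the caller has verified that cmdsize bytes at Load.Ptr lie within the file.` Once that is stated, the hand-rolled loop and the pre-declared `uint32_t i` can be replaced by one library call, `if (!memchr(P + D.name, '\0', D.cmdsize - D.name))`, whose length is guaranteed positive by the `D.name >= D.cmdsize` rejection immediately above (requires `<cstring>` in scope). The C-style `(const char *)` cast on `Load.Ptr` also looks redundant if `LoadCommandInfo::Ptr` is already a `const char *`, which the uncast `getStruct(Obj, Load.Ptr)` call a few lines earlier suggests; dropping it, or using `static_cast`, would match the surrounding style.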
@@ -777,6 +806,15 @@ MachOObjectFile::MachOObjectFile(MemoryBufferRef Object, bool IsLittleEndian, if ((Err = checkDylibCommand(this, Load, I, "LC_LOAD_UPWARD_DYLIB"))) return; Libraries.push_back(Load.Ptr);
+ } else if (Load.C.cmd == MachO::LC_ID_DYLINKER) {
+ if ((Err = checkDyldCommand(this, Load, I, "LC_ID_DYLINKER")))
+ return;
+ } else if (Load.C.cmd == MachO::LC_LOAD_DYLINKER) {
+ if ((Err = checkDyldCommand(this, Load, I, "LC_LOAD_DYLINKER")))
+ return;
+ } else if (Load.C.cmd == MachO::LC_DYLD_ENVIRONMENT) {
+ if ((Err = checkDyldCommand(this, Load, I, "LC_DYLD_ENVIRONMENT")))
+ return;
 } if (I < LoadCommandCount - 1) { if (auto LoadOrErr = getNextLoadCommandInfo(this, I, Load))
diff --git a/test/Object/Inputs/macho-invalid-dyld-name_offset-toobig b/test/Object/Inputs/macho-invalid-dyld-name_offset-toobig new file mode 100644
index 0000000000000000000000000000000000000000..531e00e67525478fd2ab38a5a988eb237182c627 GIT binary patch literal 40 fcmX^2>+L^w1_lOZAZCPO9v}?@d_W9hO93$el0pOk literal 0 HcmV?d00001
diff --git a/test/Object/Inputs/macho-invalid-dyld-name_toobig b/test/Object/Inputs/macho-invalid-dyld-name_toobig new file mode 100644
index 0000000000000000000000000000000000000000..1a8382dd5242950f595a1db8615b75f14d95b77d GIT binary patch literal 44 jcmX^2>+L^w1_lOZAZCPO9v}?@>Od?2#2|iRQgR9ar)CA2 literal 0 HcmV?d00001
diff --git a/test/Object/Inputs/macho-invalid-dyld-small b/test/Object/Inputs/macho-invalid-dyld-small new file mode 100644
index 0000000000000000000000000000000000000000..2dc80892af901048abca8279c326b0666f7ae615 GIT binary patch literal 44 hcmX^2>+L^w1_lOZAZCPO4j>Hz{6Gw1vw%22005y91LFVy literal 0 HcmV?d00001
diff --git a/test/Object/macho-invalid.test b/test/Object/macho-invalid.test
index b1689b6b12d..09928a143ab 100644
--- a/test/Object/macho-invalid.test
+++ b/test/Object/macho-invalid.test
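Review bot: The three new arms validate each dylinker-type command in isolation but record nothing about having seen it, so an object carrying two LC_LOAD_DYLINKER or two LC_ID_DYLINKER commands still passes this constructor, even though as far as I recall dyld and the kernel loader accept at most one of each. If the tool code that consumes these commands assumes a single dylinker, a seen-flag per command type with a `"more than one LC_LOAD_DYLINKER command"` malformedError would be better placed here than in each consumer; I believe this file already uses that pattern for other singleton load commands, but that code is outside the hunk. The three arms are identical apart from the name string, which mirrors how the LC_*_DYLIB arms just above are written, so that repetition is consistent with file style rather than a defect. The enclosing MachOObjectFile constructor starts and ends outside this hunk.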
@@ -298,3 +298,12 @@ INVALID-SPLITINFO-DATAOFF-DATASIZE: macho-invalid-splitinfo-dataoff-datasize': t RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib_code_sign_drs-bad-size 2>&1 | FileCheck -check-prefix INVALID-DYLIB_CODE_SIGN_DRS-BAD-SIZE %s INVALID-DYLIB_CODE_SIGN_DRS-BAD-SIZE: macho-invalid-dylib_code_sign_drs-bad-size': truncated or malformed object (LC_DYLIB_CODE_SIGN_DRS command 0 has incorrect cmdsize)
+
+ RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dyld-small 2>&1 | FileCheck -check-prefix INVALID-DYLD-SMALL %s
+ INVALID-DYLD-SMALL: macho-invalid-dyld-small': truncated or malformed object (load command 0 LC_ID_DYLINKER cmdsize too small)
+
+ RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dyld-name_offset-toobig 2>&1 | FileCheck -check-prefix INVALID-DYLD-NAME_OFFSET-TOOBIG %s
+ INVALID-DYLD-NAME_OFFSET-TOOBIG: macho-invalid-dyld-name_offset-toobig': truncated or malformed object (load command 0 LC_LOAD_DYLINKER name.offset field extends past the end of the load command)
+
+ RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dyld-name_toobig 2>&1 | FileCheck -check-prefix INVALID-DYLD-NAME_TOOBIG %s
+ INVALID-DYLD-NAME_TOOBIG: macho-invalid-dyld-name_toobig': truncated or malformed object (load command 0 LC_DYLD_ENVIRONMENT dyld name extends past the end of the load command)
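Review bot: The new RUN lines exercise three of the four error paths added to checkDyldCommand — cmdsize too small, name.offset past the end of the command, and an unterminated name — but no input triggers the `name.offset field too small, not past the end of the dylinker_command struct` message (a `name` offset below sizeof(dylinker_command)), so that branch ships untested. A fourth fixture, e.g. `macho-invalid-dyld-name_offset-toosmall` with `name.offset = 0`, and a matching `INVALID-DYLD-NAME_OFFSET-TOOSMALL` check line would close the gap. Each existing input also pairs one check with one command type (LC_ID_DYLINKER, LC_LOAD_DYLINKER, LC_DYLD_ENVIRONMENT), which covers the dispatch but means each message is only ever observed under a single command name; that is acceptable, but worth a one-line comment in the test so a later reader does not assume the pairing is significant.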