Next set of additional error checks for invalid Mach-O files for bad load commands

that use the Mach::linkedit_data_command type for the load commands that are currently used in the MachOObjectFile constructor. This contains the missing checks for LC_DATA_IN_CODE and LC_LINKER_OPTIMIZATION_HINT load commands and the fields for the Mach::linkedit_data_command type. Checking for other load commands that use this type will be added later. Also fixed a couple of places that was using sizeof(MachOObjectFile::LoadCommandInfo) that should have been using sizeof(MachO::load_command). llvm-svn: 280267
author: Kevin Enderby <enderby@apple.com> 2016-08-31 17:57:46 +0000
committer: Kevin Enderby <enderby@apple.com> 2016-08-31 17:57:46 +0000
commit: 9d0c945ad6de0aa94d40e48f9cd6a5622fa814f9 (patch)
tree: 846d79930947bd6b0083a59a8eae2b2027d7d9db /llvm
parent: 2700bd831ac56a3fc8212968d37f210021264e51 (diff)
download: bcm5719-llvm-9d0c945ad6de0aa94d40e48f9cd6a5622fa814f9.tar.gz
bcm5719-llvm-9d0c945ad6de0aa94d40e48f9cd6a5622fa814f9.zip
7 files changed, 52 insertions, 12 deletions
diff --git a/llvm/lib/Object/MachOObjectFile.cpp b/llvm/lib/Object/MachOObjectFile.cpp
index b5ca95add73..2435340b66e 100644
--- a/llvm/lib/Object/MachOObjectFile.cpp
+++ b/llvm/lib/Object/MachOObjectFile.cpp
@@ -184,7 +184,7 @@ static Expected<MachOObjectFile::LoadCommandInfo>
 getFirstLoadCommandInfo(const MachOObjectFile *Obj) {
   unsigned HeaderSize = Obj->is64Bit() ? sizeof(MachO::mach_header_64)
                                        : sizeof(MachO::mach_header);
-  if (sizeof(MachOObjectFile::LoadCommandInfo) > Obj->getHeader().sizeofcmds)
+  if (sizeof(MachO::load_command) > Obj->getHeader().sizeofcmds)
     return malformedError("load command 0 extends past the end all load "
                           "commands in the file");
   return getLoadCommandInfo(Obj, getPtr(Obj, HeaderSize), 0);
@@ -195,7 +195,7 @@ getNextLoadCommandInfo(const MachOObjectFile *Obj, uint32_t LoadCommandIndex,
                        const MachOObjectFile::LoadCommandInfo &L) {
   unsigned HeaderSize = Obj->is64Bit() ? sizeof(MachO::mach_header_64)
                                        : sizeof(MachO::mach_header);
-  if (L.Ptr + L.C.cmdsize + sizeof(MachOObjectFile::LoadCommandInfo) >
+  if (L.Ptr + L.C.cmdsize + sizeof(MachO::load_command) >
       Obj->getData().data() + HeaderSize + Obj->getHeader().sizeofcmds)
     return malformedError("load command " + Twine(LoadCommandIndex + 1) +
                           " extends past the end all load commands in the file");
@@ -474,6 +474,36 @@ static Error checkDysymtabCommand(const MachOObjectFile *Obj,
   return Error::success();
 }
 
+static Error checkLinkeditDataCommand(const MachOObjectFile *Obj,
+                                 const MachOObjectFile::LoadCommandInfo &Load,
+                                 uint32_t LoadCommandIndex,
+                                 const char **LoadCmd, const char *CmdName) {
+  if (Load.C.cmdsize < sizeof(MachO::linkedit_data_command))
+    return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+                          CmdName + " cmdsize too small");
+  if (*LoadCmd != nullptr)
+    return malformedError("more than one " + Twine(CmdName) + " command");
+  MachO::linkedit_data_command LinkData =
+    getStruct<MachO::linkedit_data_command>(Obj, Load.Ptr);
+  if (LinkData.cmdsize != sizeof(MachO::linkedit_data_command))
+    return malformedError(Twine(CmdName) + " command " +
+                          Twine(LoadCommandIndex) + " has incorrect cmdsize");
+  uint64_t FileSize = Obj->getData().size();
+  if (LinkData.dataoff > FileSize)
+    return malformedError("dataoff field of " + Twine(CmdName) + " command " +
+                          Twine(LoadCommandIndex) + " extends past the end of "
+                          "the file");
+  uint64_t BigSize = LinkData.dataoff;
+  BigSize += LinkData.datasize;
+  if (BigSize > FileSize)
+    return malformedError("dataoff field plus datasize field of " +
+                          Twine(CmdName) + " command " +
+                          Twine(LoadCommandIndex) + " extends past the end of "
+                          "the file");
+  *LoadCmd = Load.Ptr;
+  return Error::success();
+}
+
 Expected<std::unique_ptr<MachOObjectFile>>
 MachOObjectFile::create(MemoryBufferRef Object, bool IsLittleEndian,
                         bool Is64Bits) {
@@ -550,19 +580,13 @@ MachOObjectFile::MachOObjectFile(MemoryBufferRef Object, bool IsLittleEndian,
       if ((Err = checkDysymtabCommand(this, Load, I, &DysymtabLoadCmd)))
         return;
     } else if (Load.C.cmd == MachO::LC_DATA_IN_CODE) {
-      // Multiple data in code tables
-      if (DataInCodeLoadCmd) {
-        Err = malformedError("Multiple data-in-code tables");
+      if ((Err = checkLinkeditDataCommand(this, Load, I, &DataInCodeLoadCmd,
+                                          "LC_DATA_IN_CODE")))
         return;
-      }
-      DataInCodeLoadCmd = Load.Ptr;
     } else if (Load.C.cmd == MachO::LC_LINKER_OPTIMIZATION_HINT) {
-      // Multiple linker optimization hint tables
-      if (LinkOptHintsLoadCmd) {
-        Err = malformedError("Multiple linker optimization hint tables");
+      if ((Err = checkLinkeditDataCommand(this, Load, I, &LinkOptHintsLoadCmd,
+                                          "LC_LINKER_OPTIMIZATION_HINT")))
         return;
-      }
-      LinkOptHintsLoadCmd = Load.Ptr;
     } else if (Load.C.cmd == MachO::LC_DYLD_INFO ||
                Load.C.cmd == MachO::LC_DYLD_INFO_ONLY) {
       // Multiple dyldinfo load commands
diff --git a/llvm/test/Object/Inputs/macho-invalid-dataincode-bad-size b/llvm/test/Object/Inputs/macho-invalid-dataincode-bad-size
new file mode 100644
index 00000000000..c0ea110bc6e
--- /dev/null
+++ b/llvm/test/Object/Inputs/macho-invalid-dataincode-bad-size
diff --git a/llvm/test/Object/Inputs/macho-invalid-dataincode-dataoff-datasize b/llvm/test/Object/Inputs/macho-invalid-dataincode-dataoff-datasize
new file mode 100644
index 00000000000..fd3ab6dc5dc
--- /dev/null
+++ b/llvm/test/Object/Inputs/macho-invalid-dataincode-dataoff-datasize
diff --git a/llvm/test/Object/Inputs/macho-invalid-dataincode-more-than-one b/llvm/test/Object/Inputs/macho-invalid-dataincode-more-than-one
new file mode 100644
index 00000000000..383d0ec2a09
--- /dev/null
+++ b/llvm/test/Object/Inputs/macho-invalid-dataincode-more-than-one
diff --git a/llvm/test/Object/Inputs/macho-invalid-linkopthint-dataoff b/llvm/test/Object/Inputs/macho-invalid-linkopthint-dataoff
new file mode 100644
index 00000000000..1b2b3d84f9a
--- /dev/null
+++ b/llvm/test/Object/Inputs/macho-invalid-linkopthint-dataoff
diff --git a/llvm/test/Object/Inputs/macho-invalid-linkopthint-small b/llvm/test/Object/Inputs/macho-invalid-linkopthint-small
new file mode 100644
index 00000000000..5fe69198246
--- /dev/null
+++ b/llvm/test/Object/Inputs/macho-invalid-linkopthint-small
diff --git a/llvm/test/Object/macho-invalid.test b/llvm/test/Object/macho-invalid.test
index 2162a88a52f..91a325ad7d1 100644
--- a/llvm/test/Object/macho-invalid.test
+++ b/llvm/test/Object/macho-invalid.test
@@ -208,3 +208,19 @@ INVALID-DYSYMTAB-TOCOFF-LOCRELOFF: macho-invalid-dysymtab-locreloff': truncated
 
 RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dysymtab-locreloff-nlocrel 2>&1 | FileCheck -check-prefix INVALID-DYSYMTAB-TOCOFF-LOCRELOFF-NLOCREL %s
 INVALID-DYSYMTAB-TOCOFF-LOCRELOFF-NLOCREL: macho-invalid-dysymtab-locreloff-nlocrel': truncated or malformed object (locreloff field plus nlocrel field times sizeof(struct relocation_info) of LC_DYSYMTAB command 0 extends past the end of the file)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dataincode-more-than-one 2>&1 | FileCheck -check-prefix INVALID-DATAINCODE-MORE-THAN-ONE %s
+INVALID-DATAINCODE-MORE-THAN-ONE: macho-invalid-dataincode-more-than-one': truncated or malformed object (more than one LC_DATA_IN_CODE command)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-linkopthint-small 2>&1 | FileCheck -check-prefix INVALID-LINKOPTHINT-SMALL %s
+INVALID-LINKOPTHINT-SMALL: macho-invalid-linkopthint-small': truncated or malformed object (load command 0 LC_LINKER_OPTIMIZATION_HINT cmdsize too small)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dataincode-bad-size 2>&1 | FileCheck -check-prefix INVALID-DATAINCODE-BAD-SIZE %s
+INVALID-DATAINCODE-BAD-SIZE: macho-invalid-dataincode-bad-size': truncated or malformed object (LC_DATA_IN_CODE command 0 has incorrect cmdsize)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-linkopthint-dataoff 2>&1 | FileCheck -check-prefix INVALID-LINKOPTHINT-DATAOFF %s
+INVALID-LINKOPTHINT-DATAOFF: macho-invalid-linkopthint-dataoff': truncated or malformed object (dataoff field of LC_LINKER_OPTIMIZATION_HINT command 0 extends past the end of the file)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dataincode-dataoff-datasize 2>&1 | FileCheck -check-prefix INVALID-DATAINCODE-DATAOFF-DATASIZE %s
+INVALID-DATAINCODE-DATAOFF-DATASIZE: macho-invalid-dataincode-dataoff-datasize': truncated or malformed object (dataoff field plus datasize field of LC_DATA_IN_CODE command 0 extends past the end of the file)
+
author	Kevin Enderby <enderby@apple.com>	2016-08-31 17:57:46 +0000
committer	Kevin Enderby <enderby@apple.com>	2016-08-31 17:57:46 +0000
commit	9d0c945ad6de0aa94d40e48f9cd6a5622fa814f9 (patch)
tree	846d79930947bd6b0083a59a8eae2b2027d7d9db /llvm
parent	2700bd831ac56a3fc8212968d37f210021264e51 (diff)
download	bcm5719-llvm-9d0c945ad6de0aa94d40e48f9cd6a5622fa814f9.tar.gz bcm5719-llvm-9d0c945ad6de0aa94d40e48f9cd6a5622fa814f9.zip