Fix out-of-bounds read in objdump reloc section handling#2691
Fix out-of-bounds read in objdump reloc section handling#2691sumleo wants to merge 1 commit intoWebAssembly:mainfrom
Conversation
sumleo
force-pushed
the
fix/objdump-reloc-oob-read
branch
from
46086b3 to
796adde
Compare
BinaryReaderObjdump::OnRelocCount ignored the error returned by BinaryReaderObjdumpBase::OnRelocCount when the section_index was invalid. This caused the function to proceed to GetSectionName which called GetSectionStart with BinarySection::Invalid (~0), resulting in an out-of-bounds read on the stack-allocated section_starts_ array of size kBinarySectionCount (14). Propagate the error via CHECK_RESULT so that the out-of-bounds access is never reached. Add a regression test with a crafted wasm binary containing a reloc custom section that references a non-existent section index.
sumleo
force-pushed
the
fix/objdump-reloc-oob-read
branch
from
796adde to
ee56af2
Compare
|
This patch looks valid. Binary tests usually uses this file format: |
|
|
||
| Custom: | ||
| - name: "reloc.BAD" | ||
| - relocations for section: 99 () [0] |
There was a problem hiding this comment.
It seems like this existing test should already have triggered the OOB access since there is no section 99 right?
Maybe a better fix would be to have GetSectionName check its argument and return the string <INVALID_SECTION>?
In any case, I would hope that it would be enough to modify this existing test which seems like it already covers the invalid section index case
There was a problem hiding this comment.
You're right — the existing bad-relocs.txt test already covers the invalid section index case. I've rebased onto main, dropped the C++ unit test, and simplified the fix to just the one-line CHECK_RESULT change plus updating the existing test expectation. The relocation details line is now suppressed for invalid indices since the error is properly propagated.
| magic | ||
| version | ||
| section("reloc.BAD") { | ||
| reloc_section[99] |
There was a problem hiding this comment.
Would changing the 99 to 0xff here not make this test basically the same as the new one added above?
3 participants
Summary
BinaryReaderObjdump::OnRelocCountignored the error returned byBinaryReaderObjdumpBase::OnRelocCountwhen thesection_indexwas invalid, causing it to proceed toGetSectionName→GetSectionStartwithBinarySection::Invalid(~0), resulting in an out-of-bounds read on the stack-allocatedsection_starts_array of sizekBinarySectionCount(14).CHECK_RESULTso the out-of-bounds access is never reached.Details
In
binary-reader-objdump.cc,BinaryReaderObjdump::OnRelocCountcalls the base class method but discards its return value:The base class returns
Result::Errorfor out-of-range indices and setsreloc_section_ = BinarySection::Invalid. Later,OnReloccallsGetSectionStart(reloc_section_)which indexessection_starts_[~0]— far past the 14-element array.Test plan
test/binary/bad-relocs.txtcovers the invalid section index case — updated expected output to reflect that the relocation details line is no longer printed