From: Mark Wielaard <mark@klomp.org>
To: vvvvvv@google.com
Cc: elfutils-devel@sourceware.org, kernel-team@android.com,
maennich@google.com
Subject: Re: [PATCH] libdw: check memory access in get_(u|s)leb128
Date: Thu, 26 Jan 2023 22:05:39 +0100 [thread overview]
Message-ID: <20230126210539.GC2781@gnu.wildebeest.org> (raw)
In-Reply-To: <20230125160530.949622-1-vvvvvv@google.com>
Hi Aleksei,
On Wed, Jan 25, 2023 at 04:05:30PM +0000, Aleksei Vetrov via Elfutils-devel wrote:
> From: Aleksei Vetrov <vvvvvv@google.com>
>
> __libdw_get_uleb128 and __libdw_get_sleb128 should check if addrp has
> already reached the end before unrolling the first step. It is done by
> moving __libdw_max_len to the beginning of the function, which already
> has all the checks.
I understand why you might want to add these extra safeguards. But
when the bounds checking and unrolling for get_uleb128/get_sleb128 was
introduced the idea was that they should only be called with addrp <
endp. Precisely so at least one byte could be read without needing to
bounds check.
See the following commits:
commit 7a053473c7bedd22e3db39c444a4cd8f97eace25
Author: Mark Wielaard <mjw@redhat.com>
Date: Sun Dec 14 21:48:23 2014 +0100
libdw: Add get_uleb128 and get_sleb128 bounds checking.
Both get_uleb128 and get_sleb128 now take an end pointer to prevent
reading too much data. Adjust all callers to provide the end pointer.
There are still two exceptions. "Raw" dwarf_getabbrevattr and
read_encoded_valued don't have a end pointer associated yet.
They will have to be provided in the future.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
commit 54662f13d14d59d44943543c48bdb21d50dd008d
Author: Josh Stone <jistone@redhat.com>
Date: Mon Dec 15 12:18:25 2014 -0800
libdw: pre-compute leb128 loop limits
Signed-off-by: Josh Stone <jistone@redhat.com>
commit 1b5477ddf360af0f6262c6f15a590448b4e1a65a
Author: Mark Wielaard <mjw@redhat.com>
Date: Tue Dec 16 10:53:22 2014 +0100
libdw: Unroll the first get_sleb128 step to help the compiler optimize.
The common case is a single-byte. So no extra (max len) calculation is
necessary then.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
Now this was 8 years ago and might have been too optimistic. Maybe we
missed some checks? Did you actually find situations where these
functions were called with addrp >= endp?
It turns out that get_[su]leb128 dominates some operations and really
does have to be as fast as possible. So I do like to know what the
impact is of this change.
Thanks,
Mark
next prev parent reply other threads:[~2023-01-26 21:05 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-25 16:05 vvvvvv
2023-01-26 21:05 ` Mark Wielaard [this message]
2023-02-07 16:17 ` Aleksei Vetrov
2023-02-07 17:17 ` Mark Wielaard
2023-02-11 23:42 ` Mark Wielaard
2023-02-13 20:03 ` Aleksei Vetrov
2023-02-13 20:10 ` [PATCH v2] " vvvvvv
2023-02-14 15:44 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230126210539.GC2781@gnu.wildebeest.org \
--to=mark@klomp.org \
--cc=elfutils-devel@sourceware.org \
--cc=kernel-team@android.com \
--cc=maennich@google.com \
--cc=vvvvvv@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).