[readobj][ELF][AArch64] Handle misformed AArch64 build attribute section (#134888)

Report an error when the .ARM.attributes section for AArch64 is
malformed or violates expected format.

Author: sivan-shani

llvm/lib/Support/ELFAttrParserExtended.cpp

@@ -103,26 +103,48 @@ Error ELFExtendedAttrParser::parse(ArrayRef<uint8_t> Section,
 
   // Get format-version
   uint8_t FormatVersion = De.getU8(Cursor);
+  if (!Cursor)
+    return Cursor.takeError();
   if (ELFAttrs::Format_Version != FormatVersion)
     return createStringError(errc::invalid_argument,
                              "unrecognized format-version: 0x" +
                                  utohexstr(FormatVersion));
 
   while (!De.eof(Cursor)) {
     uint32_t ExtBASubsectionLength = De.getU32(Cursor);
-    // Minimal valid Extended Build Attributes subsection header size is at
+    if (!Cursor)
+      return Cursor.takeError();
+    // Minimal valid Extended Build Attributes subsection size is at
     // least 8: length(4) name(at least a single char + null) optionality(1) and
     // type(1)
-    if (ExtBASubsectionLength < 8)
+    // Extended Build Attributes subsection has to fit inside the section.
+    if (ExtBASubsectionLength < 8 ||
+        ExtBASubsectionLength > (Section.size() - Cursor.tell() + 4))
       return createStringError(
           errc::invalid_argument,
           "invalid Extended Build Attributes subsection size at offset: " +
               utohexstr(Cursor.tell() - 4));
 
     StringRef VendorName = De.getCStrRef(Cursor);
+    if (!Cursor)
+      return Cursor.takeError();
     uint8_t IsOptional = De.getU8(Cursor);
+    if (!Cursor)
+      return Cursor.takeError();
+    if (!(0 == IsOptional || 1 == IsOptional))
+      return createStringError(
+          errc::invalid_argument,
+          "\ninvalid Optionality at offset " + utohexstr(Cursor.tell() - 4) +
+              ": " + utohexstr(IsOptional) + " (Options are 1|0)");
     StringRef IsOptionalStr = IsOptional ? "optional" : "required";
     uint8_t Type = De.getU8(Cursor);
+    if (!Cursor)
+      return Cursor.takeError();
+    if (!(0 == Type || 1 == Type))
+      return createStringError(errc::invalid_argument,
+                               "\ninvalid Type at offset " +
+                                   utohexstr(Cursor.tell() - 4) + ": " +
+                                   utohexstr(Type) + " (Options are 1|0)");
     StringRef TypeStr = Type ? "ntbs" : "uleb128";
 
     BuildAttributeSubSection BASubSection;
@@ -144,23 +166,29 @@ Error ELFExtendedAttrParser::parse(ArrayRef<uint8_t> Section,
     // Offset in Section
     uint64_t OffsetInSection = Cursor.tell();
     // Size: 4 bytes, Vendor Name: VendorName.size() + 1 (null termination),
-    // optionality: 1, size: 1
+    // optionality: 1, type: 1
     uint32_t BytesAllButAttributes = 4 + (VendorName.size() + 1) + 1 + 1;
     while (Cursor.tell() <
            (OffsetInSection + ExtBASubsectionLength - BytesAllButAttributes)) {
 
       uint64_t Tag = De.getULEB128(Cursor);
+      if (!Cursor)
+        return Cursor.takeError();
 
       StringRef TagName = getTagName(VendorName, Tag);
 
       uint64_t ValueInt = 0;
       std::string ValueStr = "";
       if (Type) { // type==1 --> ntbs
         ValueStr = De.getCStrRef(Cursor);
+        if (!Cursor)
+          return Cursor.takeError();
         if (Sw)
           Sw->printString("" != TagName ? TagName : utostr(Tag), ValueStr);
       } else { // type==0 --> uleb128
         ValueInt = De.getULEB128(Cursor);
+        if (!Cursor)
+          return Cursor.takeError();
         if (Sw)
           Sw->printNumber("" != TagName ? TagName : utostr(Tag), ValueInt);
       }

llvm/test/tools/llvm-readobj/ELF/AArch64/build-attributes-melformed-long.s

@@ -0,0 +1,24 @@
+# RUN: yaml2obj %s -o %t.o
+# RUN: not llvm-readobj --arch-specific %t.o %null 2>&1 | FileCheck %s
+
+# CHECK: unable to dump attributes from the Unknown section with index 1: invalid Extended Build Attributes subsection size at offset: 1A
+
+# Indicated size is longer than actual size.
+# The size is indicated by the '99' in the sequence '...0101020199...' should be 23
+--- !ELF
+FileHeader:
+  Class: ELFCLASS64
+  Data: ELFDATA2LSB
+  OSABI: ELFOSABI_NONE
+  Type: ET_REL
+  Machine: EM_AARCH64
+  Entry: 0x0
+
+Sections:
+  - Name: .ARM.attributes
+    Type: 0x70000003  # SHT_LOPROC + 3
+    AddressAlign: 1
+    Offset: 0x40
+    Size: 0x3d
+    Content: "411900000061656162695f7061757468616269000000010102019900000061656162695f666561747572655f616e645f62697473000100000101010201"
+...

llvm/test/tools/llvm-readobj/ELF/AArch64/build-attributes-melformed-short.s

@@ -0,0 +1,24 @@
+# RUN: yaml2obj %s -o %t.o
+# RUN: not llvm-readobj --arch-specific %t.o %null 2>&1 | FileCheck %s
+
+# CHECK: unable to dump attributes from the Unknown section with index 1: invalid Extended Build Attributes subsection size at offset: 3B
+
+# Indicated size is shorter than actual size.
+# The size is indicated by the '20' in the sequence '...0101020120...' should be 23
+--- !ELF
+FileHeader:
+  Class: ELFCLASS64
+  Data: ELFDATA2LSB
+  OSABI: ELFOSABI_NONE
+  Type: ET_REL
+  Machine: EM_AARCH64
+  Entry: 0x0
+
+Sections:
+  - Name: .ARM.attributes
+    Type: 0x70000003  # SHT_LOPROC + 3
+    AddressAlign: 1
+    Offset: 0x40
+    Size: 0x41
+    Content: "411900000061656162695f7061757468616269000000010102012000000061656162695f666561747572655f616e645f6269747300010000010101020000"
+...

llvm/test/tools/llvm-readobj/ELF/AArch64/build-attributes-melformed-type.s

@@ -0,0 +1,27 @@
+# RUN: yaml2obj %s -o %t.o
+# RUN: not llvm-readobj --arch-specific %t.o %null 2>&1 | FileCheck %s
+
+# CHECK: BuildAttributes {
+# CHECK-NEXT: FormatVersion: 0x41
+# CHECK-NEXT: unable to dump attributes from the Unknown section with index 1: 
+# CHECK-NEXT: invalid Type at offset 12: 9 (Options are 1|0)
+
+# Type are not 0 or 1
+# Type is indicated by the '09' in the sequence '...69000109...' should be 00 or 01
+--- !ELF
+FileHeader:
+  Class: ELFCLASS64
+  Data: ELFDATA2LSB
+  OSABI: ELFOSABI_NONE
+  Type: ET_REL
+  Machine: EM_AARCH64
+  Entry: 0x0
+
+Sections:
+  - Name: .ARM.attributes
+    Type: 0x70000003  # SHT_LOPROC + 3
+    AddressAlign: 1
+    Offset: 0x40
+    Size: 0x3d
+    Content: "411900000061656162695f7061757468616269000109010102012300000061656162695f666561747572655f616e645f62697473000100000101010201"
+...

llvm/test/tools/llvm-readobj/ELF/AArch64/build-attributes-melformed-values.s

@@ -0,0 +1,24 @@
+# RUN: yaml2obj %s -o %t.o
+# RUN: not llvm-readobj --arch-specific %t.o %null 2>&1 | FileCheck %s
+
+# CHECK: unable to dump attributes from the Unknown section with index 1: invalid Extended Build Attributes subsection size at offset: 3D
+
+# ULEB values are overflowing.
+# Those are the trailing '000' in the sequence '...00010101020000' should be '...000101010201'
+--- !ELF
+FileHeader:
+  Class: ELFCLASS64
+  Data: ELFDATA2LSB
+  OSABI: ELFOSABI_NONE
+  Type: ET_REL
+  Machine: EM_AARCH64
+  Entry: 0x0
+
+Sections:
+  - Name: .ARM.attributes
+    Type: 0x70000003  # SHT_LOPROC + 3
+    AddressAlign: 1
+    Offset: 0x40
+    Size: 0x41
+    Content: "411900000061656162695f7061757468616269000000010102012300000061656162695f666561747572655f616e645f6269747300010000010101020000"
+...

llvm/test/tools/llvm-readobj/ELF/AArch64/build-attributes-melformed-ver.s

@@ -0,0 +1,23 @@
+# RUN: yaml2obj %s -o %t.o
+# RUN: not llvm-readobj --arch-specific %t.o %null 2>&1 | FileCheck %s
+
+# CHECK:  unable to dump attributes from the Unknown section with index 1: unrecognized format-version: 0x37
+
+# Version is 37 instead of 41, this is the first byte.
+--- !ELF
+FileHeader:
+  Class: ELFCLASS64
+  Data: ELFDATA2LSB
+  OSABI: ELFOSABI_NONE
+  Type: ET_REL
+  Machine: EM_AARCH64
+  Entry: 0x0
+
+Sections:
+  - Name: .ARM.attributes
+    Type: 0x70000003  # SHT_LOPROC + 3
+    AddressAlign: 1
+    Offset: 0x40
+    Size: 0x3d
+    Content: "371900000061656162695f7061757468616269000000010102012300000061656162695f666561747572655f616e645f62697473000100000101010201"
+...