Latx fix config edge cases#303
Open
LaurenIsACoder wants to merge 1 commit into
Open
Conversation
Fix two non-AOT edge cases in the latx-x86_64 option path. trim() used to walk before the start of an empty or all-whitespace value when parsing entries such as LATX_CLOSE_PARALLEL=. extract_filename() also relied on strncpy() without forcing NUL termination, so long program names could trigger an out-of-bounds read during extension scanning. Add a regression test covering both cases with LATX_AOT=0. Signed-off-by: Hanlu Li <heuleehanlu@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix two LATX string-handling boundary bugs and add a regression test.
Problem
Two boundary bugs can be triggered by ordinary runtime inputs.
target/i386/latx/latx-options.c:trim()skips leading whitespace andthen unconditionally evaluates
s + strlen(s) - 1. If the input isempty or contains only whitespace, this moves the pointer before the
start of the buffer and may cause an out-of-bounds access.
One practical trigger is a configuration entry with an empty value,
for example:
LATX_CLOSE_PARALLEL=or
LATX_CLOSE_PARALLEL=
long file name with strncpy(), but does not explicitly append '\0'.
If the source name is longer than the destination buffer, the later
strchr(buffer, '.') call may continue scanning past the end of the
buffer.
Root Cause
trim() assumes that at least one character remains after leading
whitespace is removed.
extract_filename() assumes that strncpy() always leaves a
NUL-terminated destination string, which is not true for truncated
copies.
Fix
Validation
Build
CC=cc CXX=c++ ./latxbuild/build64-dbg.sh
Build the regression test
cc
-DNEED_CPU_H
-DCONFIG_TARGET='"x86_64-linux-user-config-target.h"'
-DCONFIG_DEVICES='"x86_64-linux-user-config-devices.h"'
-fsanitize=address,undefined
-g -O1
-Ibuild64-dbg -I. -Iinclude -Itarget/i386/latx/include
$(pkg-config --cflags glib-2.0)
tests/latx-x86_64/latx-config-regression.c
-o build64-dbg/latx-config-regression
$(pkg-config --libs glib-2.0)
Run
LATX_AOT=0 ASAN_OPTIONS=detect_leaks=0
./build64-dbg/latx-config-regression
Result:
Before the fix
Running the same regression binary against the pre-fix tree reports an
AddressSanitizer stack-buffer-underflow in trim().
Note on LATX_AOT=0 and ASAN_OPTIONS
LATX_AOT=0 keeps the validation on the runtime LATX path touched by
this change, instead of mixing it with AOT behavior.
ASAN_OPTIONS=detect_leaks=0 only disables LeakSanitizer's leak check.
It does not disable AddressSanitizer's out-of-bounds detection.
This was added because LeakSanitizer may fail in some environments
with a runtime/tooling issue such as ptrace, which is unrelated to
the bugs fixed here. The actual boundary errors are still detected by
AddressSanitizer normally.