12786 fix CTF pointer overrun
Reviewed by: Toomas Soome <tsoome@me.com>
Reviewed by: Robert Mustacchi <rm@fingolfin.org>
Approved by: Dan McDonald <danmcd@joyent.com>
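--- a/usr/src/common/ctf/ctf_lookup.c
+++ b/usr/src/common/ctf/ctf_lookup.c
@@ -1,362 +1,363 @@
 /*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
 
 /*
 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
 
 /*
 * Copyright 2019, Joyent, Inc.
 */
 
 #include <sys/sysmacros.h>
 #include <ctf_impl.h>
 
 /*
 * Compare the given input string and length against a table of known C storage
 * qualifier keywords. We just ignore these in ctf_lookup_by_name, below. To
 * do this quickly, we use a pre-computed Perfect Hash Function similar to the
 * technique originally described in the classic paper:
 *
 * R.J. Cichelli, "Minimal Perfect Hash Functions Made Simple",
 * Communications of the ACM, Volume 23, Issue 1, January 1980, pp. 17-19.
 *
 * For an input string S of length N, we use hash H = S[N - 1] + N - 105, which
 * for the current set of qualifiers yields a unique H in the range [0 .. 20].
 * The hash can be modified when the keyword set changes as necessary. We also
 * store the length of each keyword and check it prior to the final strcmp().
 */
 static int
 isqualifier(const char *s, size_t len)
 {
 static const struct qual {
 const char *q_name;
 size_t q_len;
 } qhash[] = {
 { "static", 6 }, { "", 0 }, { "", 0 }, { "", 0 },
 { "volatile", 8 }, { "", 0 }, { "", 0 }, { "", 0 }, { "", 0 },
 { "", 0 }, { "auto", 4 }, { "extern", 6 }, { "", 0 }, { "", 0 },
 { "", 0 }, { "", 0 }, { "const", 5 }, { "register", 8 },
 { "", 0 }, { "restrict", 8 }, { "_Restrict", 9 }
 };
 
 int h = s[len - 1] + (int)len - 105;
 const struct qual *qp = &qhash[h];
 
 return (h >= 0 && h < sizeof (qhash) / sizeof (qhash[0]) &&
 len == qp->q_len && strncmp(qp->q_name, s, qp->q_len) == 0);
 }
 
 /*
 * Attempt to convert the given C type name into the corresponding CTF type ID.
 * It is not possible to do complete and proper conversion of type names
 * without implementing a more full-fledged parser, which is necessary to
 * handle things like types that are function pointers to functions that
 * have arguments that are function pointers, and fun stuff like that.
 * Instead, this function implements a very simple conversion algorithm that
 * finds the things that we actually care about: structs, unions, enums,
 * integers, floats, typedefs, and pointers to any of these named types.
 */
 ctf_id_t
 ctf_lookup_by_name(ctf_file_t *fp, const char *name)
 {
 static const char delimiters[] = " \t\n\r\v\f*";
 
 const ctf_lookup_t *lp;
 const ctf_helem_t *hp;
 const char *p, *q, *end;
 ctf_id_t type = 0;
 ctf_id_t ntype, ptype;
 
 if (name == NULL)
 return (ctf_set_errno(fp, EINVAL));
 
 for (p = name, end = name + strlen(name); *p != '\0'; p = q) {
 while (isspace(*p))
 p++; /* skip leading ws */
 
 if (p == end)
 break;
 
 if ((q = strpbrk(p + 1, delimiters)) == NULL)
 q = end; /* compare until end */
 
 if (*p == '*') {
 /*
 * Find a pointer to type by looking in fp->ctf_ptrtab.
 * If we can't find a pointer to the given type, see if
 * we can compute a pointer to the type resulting from
 * resolving the type down to its base type and use
 * that instead. This helps with cases where the CTF
 * data includes "struct foo *" but not "foo_t *" and
 * the user tries to access "foo_t *" in the debugger.
 */
 ntype = fp->ctf_ptrtab[CTF_TYPE_TO_INDEX(type)];
 if (ntype == 0) {
 ntype = ctf_type_resolve(fp, type);
 if (ntype == CTF_ERR || (ntype = fp->ctf_ptrtab[
 CTF_TYPE_TO_INDEX(ntype)]) == 0) {
 (void) ctf_set_errno(fp, ECTF_NOTYPE);
 goto err;
 }
 }
 
 type = CTF_INDEX_TO_TYPE(ntype,
 (fp->ctf_flags & LCTF_CHILD));
 
 q = p + 1;
 continue;
 }
 
 if (isqualifier(p, (size_t)(q - p)))
 continue; /* skip qualifier keyword */
 
 for (lp = fp->ctf_lookups; lp->ctl_prefix != NULL; lp++) {
 if (lp->ctl_prefix[0] == '\0' ||
-strncmp(p, lp->ctl_prefix, (size_t)(q - p)) == 0) {
+((size_t)(q - p) >= lp->ctl_len && strncmp(p,
+lp->ctl_prefix, (size_t)(q - p)) == 0)) {
 for (p += lp->ctl_len; isspace(*p); p++)
 continue; /* skip prefix and next ws */
 
 if ((q = strchr(p, '*')) == NULL)
 q = end; /* compare until end */
 
 while (isspace(q[-1]))
 q--; /* exclude trailing ws */
 
 if ((hp = ctf_hash_lookup(lp->ctl_hash, fp, p,
 (size_t)(q - p))) == NULL) {
 (void) ctf_set_errno(fp, ECTF_NOTYPE);
 goto err;
 }
 
 type = hp->h_type;
 break;
 }
 }
 
 if (lp->ctl_prefix == NULL) {
 (void) ctf_set_errno(fp, ECTF_NOTYPE);
 goto err;
 }
 }
 
 if (*p != '\0' || type == 0)
 return (ctf_set_errno(fp, ECTF_SYNTAX));
 
 return (type);
 
 err:
 if (fp->ctf_parent != NULL &&
 (ptype = ctf_lookup_by_name(fp->ctf_parent, name)) != CTF_ERR)
 return (ptype);
 
 return (CTF_ERR);
 }
 
 /*
 * Given a symbol table index, return the type of the data object described
 * by the corresponding entry in the symbol table.
 */
 ctf_id_t
 ctf_lookup_by_symbol(ctf_file_t *fp, ulong_t symidx)
 {
 const ctf_sect_t *sp = &fp->ctf_symtab;
 ctf_id_t type;
 
 if (sp->cts_data == NULL)
 return (ctf_set_errno(fp, ECTF_NOSYMTAB));
 
 if (symidx >= fp->ctf_nsyms)
 return (ctf_set_errno(fp, EINVAL));
 
 if (sp->cts_entsize == sizeof (Elf32_Sym)) {
 const Elf32_Sym *symp = (Elf32_Sym *)sp->cts_data + symidx;
 if (ELF32_ST_TYPE(symp->st_info) != STT_OBJECT)
 return (ctf_set_errno(fp, ECTF_NOTDATA));
 } else {
 const Elf64_Sym *symp = (Elf64_Sym *)sp->cts_data + symidx;
 if (ELF64_ST_TYPE(symp->st_info) != STT_OBJECT)
 return (ctf_set_errno(fp, ECTF_NOTDATA));
 }
 
 if (fp->ctf_sxlate[symidx] == -1u)
 return (ctf_set_errno(fp, ECTF_NOTYPEDAT));
 
 type = *(ushort_t *)((uintptr_t)fp->ctf_buf + fp->ctf_sxlate[symidx]);
 if (type == 0)
 return (ctf_set_errno(fp, ECTF_NOTYPEDAT));
 
 return (type);
 }
 
 /*
 * Return the pointer to the internal CTF type data corresponding to the
 * given type ID. If the ID is invalid, the function returns NULL.
 * This function is not exported outside of the library.
 */
 const ctf_type_t *
 ctf_lookup_by_id(ctf_file_t **fpp, ctf_id_t type)
 {
 ctf_file_t *fp = *fpp; /* caller passes in starting CTF container */
 
 if ((fp->ctf_flags & LCTF_CHILD) && CTF_TYPE_ISPARENT(type) &&
 (fp = fp->ctf_parent) == NULL) {
 (void) ctf_set_errno(*fpp, ECTF_NOPARENT);
 return (NULL);
 }
 
 type = CTF_TYPE_TO_INDEX(type);
 if (type > 0 && type <= fp->ctf_typemax) {
 *fpp = fp; /* function returns ending CTF container */
 return (LCTF_INDEX_TO_TYPEPTR(fp, type));
 }
 
 (void) ctf_set_errno(fp, ECTF_BADID);
 return (NULL);
 }
 
 /*
 * Given a symbol table index, return the info for the function described
 * by the corresponding entry in the symbol table.
 */
 int
 ctf_func_info(ctf_file_t *fp, ulong_t symidx, ctf_funcinfo_t *fip)
 {
 const ctf_sect_t *sp = &fp->ctf_symtab;
 const ushort_t *dp;
 ushort_t info, kind, n;
 
 if (sp->cts_data == NULL)
 return (ctf_set_errno(fp, ECTF_NOSYMTAB));
 
 if (symidx >= fp->ctf_nsyms)
 return (ctf_set_errno(fp, EINVAL));
 
 if (sp->cts_entsize == sizeof (Elf32_Sym)) {
 const Elf32_Sym *symp = (Elf32_Sym *)sp->cts_data + symidx;
 if (ELF32_ST_TYPE(symp->st_info) != STT_FUNC)
 return (ctf_set_errno(fp, ECTF_NOTFUNC));
 } else {
 const Elf64_Sym *symp = (Elf64_Sym *)sp->cts_data + symidx;
 if (ELF64_ST_TYPE(symp->st_info) != STT_FUNC)
 return (ctf_set_errno(fp, ECTF_NOTFUNC));
 }
 
 if (fp->ctf_sxlate[symidx] == -1u)
 return (ctf_set_errno(fp, ECTF_NOFUNCDAT));
 
 dp = (ushort_t *)((uintptr_t)fp->ctf_buf + fp->ctf_sxlate[symidx]);
 
 info = *dp++;
 kind = LCTF_INFO_KIND(fp, info);
 n = LCTF_INFO_VLEN(fp, info);
 
 if (kind == CTF_K_UNKNOWN && n == 0)
 return (ctf_set_errno(fp, ECTF_NOFUNCDAT));
 
 if (kind != CTF_K_FUNCTION)
 return (ctf_set_errno(fp, ECTF_CORRUPT));
 
 fip->ctc_return = *dp++;
 fip->ctc_argc = n;
 fip->ctc_flags = 0;
 
 if (n != 0 && dp[n - 1] == 0) {
 fip->ctc_flags |= CTF_FUNC_VARARG;
 fip->ctc_argc--;
 }
 
 return (0);
 }
 
 /*
 * Given a symbol table index, return the arguments for the function described
 * by the corresponding entry in the symbol table.
 */
 int
 ctf_func_args(ctf_file_t *fp, ulong_t symidx, uint_t argc, ctf_id_t *argv)
 {
 const ushort_t *dp;
 ctf_funcinfo_t f;
 
 if (ctf_func_info(fp, symidx, &f) == CTF_ERR)
 return (CTF_ERR); /* errno is set for us */
 
 /*
 * The argument data is two ushort_t's past the translation table
 * offset: one for the function info, and one for the return type.
 */
 dp = (ushort_t *)((uintptr_t)fp->ctf_buf + fp->ctf_sxlate[symidx]) + 2;
 
 for (argc = MIN(argc, f.ctc_argc); argc != 0; argc--)
 *argv++ = *dp++;
 
 return (0);
 }
 
 /*
 * Unlike the normal lookup routines, ctf_dyn_*() variants consult both the
 * processed CTF contents of a ctf_file_t as well as the dynamic types in the
 * dtdef list.
 */
 
 const ctf_type_t *
 ctf_dyn_lookup_by_id(ctf_file_t *fp, ctf_id_t id)
 {
 ctf_file_t **fpp = &fp;
 const ctf_type_t *t;
 ctf_dtdef_t *dtd;
 
 if ((t = ctf_lookup_by_id(fpp, id)) != NULL)
 return (t);
 
 if ((dtd = ctf_dtd_lookup(fp, id)) == NULL)
 return (NULL);
 
 return (&dtd->dtd_data);
 }
 
 int
 ctf_dyn_array_info(ctf_file_t *infp, ctf_id_t id, ctf_arinfo_t *arinfop)
 {
 ctf_file_t *fp = infp;
 const ctf_type_t *t;
 ctf_dtdef_t *dtd;
 
 if ((t = ctf_lookup_by_id(&fp, id)) != NULL) {
 
 if (LCTF_INFO_KIND(fp, t->ctt_info) != CTF_K_ARRAY)
 return (ctf_set_errno(infp, ECTF_NOTARRAY));
 
 return (ctf_array_info(fp, id, arinfop));
 }
 
 if ((dtd = ctf_dtd_lookup(fp, id)) == NULL)
 return (ctf_set_errno(infp, ENOENT));
 
 if (LCTF_INFO_KIND(fp, dtd->dtd_data.ctt_info) != CTF_K_ARRAY)
 return (ctf_set_errno(infp, ECTF_NOTARRAY));
 
 bcopy(&dtd->dtd_u.dtu_arr, arinfop, sizeof (*arinfop));
 return (0);
 }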
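Review bot: The trailing-whitespace loop `while (isspace(q[-1]))` a few lines below the new length guard in ctf_lookup_by_name still has no lower bound, so when the token after the prefix is empty (p already at the `*` that strchr returns, giving q == p) it appears to step q below p and `(size_t)(q - p)` then wraps before reaching ctf_hash_lookup; bounding it as `while (q > p && isspace(q[-1]))` would close that companion case of the same overrun. The added `(size_t)(q - p) >= lp->ctl_len` check deserves a comment on why it exists, since the reason is not visible from the condition itself, e.g. `/* A token shorter than the prefix can match only its leading bytes; require at least ctl_len bytes so p += ctl_len cannot step past q. */`. The same comment should note that strncmp deliberately compares the full token length rather than ctl_len, so an identifier that merely begins with the prefix does not match it.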