Fixed buffer overflow in demangler #3624
Conversation
|
💥 @swift-ci please test and merge. |
|
It feels to me that this could and should be done without manually counting the characters in the literal. |
|
@rjmccall There's an overload of |
|
@CodaFi Does that test what we want here; I could just fixup this test to use |
|
Or just make a local helper (or expose a static inline C++ function alongside it?) to call the function with an llvm::StringRef. |
|
@rjmccall There are only 2 callers, and I believe the function needs to be exported to C (so no std::string). I have updated the callers to use |
| swift_typeref_t ErrorTR | ||
| = swift_reflection_typeRefForMangledTypeName(RC, | ||
| "_TtPs5Error_", 21); | ||
| ErrorName, strlen(ErrorName)); |
There was a problem hiding this comment.
@joewillsher strlen is an O(n) operation. Since the string is constant, you can do this to make it a compile-time constant:
static const char ErrorName[] = "_TtPs5Error_";
blahBlah(ErrorName, sizeof(ErrorName) - 1);
There was a problem hiding this comment.
It's a test, it's not a big deal. Also, C compilers generally know how to fold strlen of a constant string.
There was a problem hiding this comment.
I’ve implemented it as Joe suggested, should I keep it or use strlen?
There was a problem hiding this comment.
Using StringRef and passing the string literal as @rjmccall suggested would also do the right thing.
There was a problem hiding this comment.
@jckarter this is a c file, isn't StringRef an llvm/c++ type?
Changing the name of ErrorProtocol to Error broke this runtime test — causing a buffer overflow. The mangled name changed from _TtPs13ErrorProtocol_->_TtPs5Error_ but the strlen didn’t change from 21 to 12; I update the callers to use static string length instead of a literal string & length. Error reported is: ================================================================= ==88865==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001028ba40d at pc 0x000103291a1f bp 0x7fff5d3492c0 sp 0x7fff5d348a80 READ of size 9 at 0x0001028ba40d thread T0 (libclang_rt.asan_osx_dynamic.dylib+0x42a1e) std::__1::char_traits<char>, std::__1::allocator<char> >::__init(char const*, unsigned long) (libc++.1.dylib+0x3f224) swift::Demangle::NodeFactory::create(swift::Demangle::Node::Kind, llvm::StringRef) string:2044 namespace)::Demangler::demangleTopLevel() Demangle.cpp:358 unsigned long, swift::Demangle::DemangleOptions const&) Demangle.cpp:2288 MetadataReader.h:772 0x0001028ba40d is located 51 bytes to the left of global variable '<string literal>' defined in '/Users/buildslave/jenkins/workspace/swift-incremental-asan-RDA/swift/to ols/swift-reflection-test/swift-reflection-test.c:458:19' (0x1028ba440) of size 41 '<string literal>' is ascii string 'swift-reflection-test <binary filename> ' 0x0001028ba40d is located 0 bytes to the right of global variable '<string literal>' defined in '/Users/buildslave/jenkins/workspace/swift-incremental-asan-RDA/swift/to ols/swift-reflection-test/swift-reflection-test.c:435:15' (0x1028ba400) of size 13 '<string literal>' is ascii string '_TtPs5Error_' SUMMARY: AddressSanitizer: global-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x42a1e) in wrap_memmove
|
@swift-ci please test and merge. |
What's in this pull request?
Changing the name of ErrorProtocol to Error broke this runtime test — causing a buffer overflow.
The mangled name changed from
_TtPs13ErrorProtocol_->_TtPs5Error_but the strlen didn’t change from 21 to 12.Error reported is:
Before merging this pull request to apple/swift repository:
Triggering Swift CI
The swift-ci is triggered by writing a comment on this PR addressed to the GitHub user @swift-ci. Different tests will run depending on the specific comment that you use. The currently available comments are:
Smoke Testing
A smoke test on macOS does the following:
device standard libraries are not built.
version of these tests are not run.
A smoke test on Linux does the following:
tests are not run.
Validation Testing
Lint Testing
Note: Only members of the Apple organization can trigger swift-ci.