From bbe775b260014d456e329092be19d332224e1f4c Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Mon, 16 Jul 2012 11:15:02 -0400
Subject: [PATCH 1/1] Filter: validate range overflow with end of insn

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
---
 liblttng-ust/lttng-filter.c | 182 +++++++++++++++++++++++++++++++++++-
 1 file changed, 181 insertions(+), 1 deletion(-)

diff --git a/liblttng-ust/lttng-filter.c b/liblttng-ust/lttng-filter.c
index 19775c30..f9d512c9 100644
--- a/liblttng-ust/lttng-filter.c
+++ b/liblttng-ust/lttng-filter.c
@@ -881,6 +881,186 @@ error_mismatch:
 	return -EINVAL;
 }
 
+/*
+ * Validate bytecode range overflow within the validation pass.
+ * Called for each instruction encountered.
+ */
+static
+int bytecode_validate_overflow(struct bytecode_runtime *bytecode,
+			void *start_pc, void *pc)
+{
+	int ret = 0;
+
+	switch (*(filter_opcode_t *) pc) {
+	case FILTER_OP_UNKNOWN:
+	default:
+	{
+		ERR("unknown bytecode op %u\n",
+			(unsigned int) *(filter_opcode_t *) pc);
+		ret = -EINVAL;
+		break;
+	}
+
+	case FILTER_OP_RETURN:
+	{
+		if (unlikely(pc + sizeof(struct return_op)
+				> start_pc + bytecode->len)) {
+			ret = -EINVAL;
+		}
+		break;
+	}
+
+	/* binary */
+	case FILTER_OP_MUL:
+	case FILTER_OP_DIV:
+	case FILTER_OP_MOD:
+	case FILTER_OP_PLUS:
+	case FILTER_OP_MINUS:
+	case FILTER_OP_RSHIFT:
+	case FILTER_OP_LSHIFT:
+	case FILTER_OP_BIN_AND:
+	case FILTER_OP_BIN_OR:
+	case FILTER_OP_BIN_XOR:
+	{
+		ERR("unsupported bytecode op %u\n",
+			(unsigned int) *(filter_opcode_t *) pc);
+		ret = -EINVAL;
+		break;
+	}
+
+	case FILTER_OP_EQ:
+	case FILTER_OP_NE:
+	case FILTER_OP_GT:
+	case FILTER_OP_LT:
+	case FILTER_OP_GE:
+	case FILTER_OP_LE:
+	case FILTER_OP_EQ_STRING:
+	case FILTER_OP_NE_STRING:
+	case FILTER_OP_GT_STRING:
+	case FILTER_OP_LT_STRING:
+	case FILTER_OP_GE_STRING:
+	case FILTER_OP_LE_STRING:
+	case FILTER_OP_EQ_S64:
+	case FILTER_OP_NE_S64:
+	case FILTER_OP_GT_S64:
+	case FILTER_OP_LT_S64:
+	case FILTER_OP_GE_S64:
+	case FILTER_OP_LE_S64:
+	case FILTER_OP_EQ_DOUBLE:
+	case FILTER_OP_NE_DOUBLE:
+	case FILTER_OP_GT_DOUBLE:
+	case FILTER_OP_LT_DOUBLE:
+	case FILTER_OP_GE_DOUBLE:
+	case FILTER_OP_LE_DOUBLE:
+	{
+		if (unlikely(pc + sizeof(struct binary_op)
+				> start_pc + bytecode->len)) {
+			ret = -EINVAL;
+		}
+		break;
+	}
+
+	/* unary */
+	case FILTER_OP_UNARY_PLUS:
+	case FILTER_OP_UNARY_MINUS:
+	case FILTER_OP_UNARY_NOT:
+	case FILTER_OP_UNARY_PLUS_S64:
+	case FILTER_OP_UNARY_MINUS_S64:
+	case FILTER_OP_UNARY_NOT_S64:
+	case FILTER_OP_UNARY_PLUS_DOUBLE:
+	case FILTER_OP_UNARY_MINUS_DOUBLE:
+	case FILTER_OP_UNARY_NOT_DOUBLE:
+	{
+		if (unlikely(pc + sizeof(struct unary_op)
+				> start_pc + bytecode->len)) {
+			ret = -EINVAL;
+		}
+		break;
+	}
+
+	/* logical */
+	case FILTER_OP_AND:
+	case FILTER_OP_OR:
+	{
+		if (unlikely(pc + sizeof(struct logical_op)
+				> start_pc + bytecode->len)) {
+			ret = -EINVAL;
+		}
+		break;
+	}
+
+	/* load */
+	case FILTER_OP_LOAD_FIELD_REF:
+	{
+		ERR("Unknown field ref type\n");
+		ret = -EINVAL;
+		break;
+	}
+	case FILTER_OP_LOAD_FIELD_REF_STRING:
+	case FILTER_OP_LOAD_FIELD_REF_SEQUENCE:
+	case FILTER_OP_LOAD_FIELD_REF_S64:
+	case FILTER_OP_LOAD_FIELD_REF_DOUBLE:
+	{
+		if (unlikely(pc + sizeof(struct load_op) + sizeof(struct field_ref)
+				> start_pc + bytecode->len)) {
+			ret = -EINVAL;
+		}
+		break;
+	}
+
+	case FILTER_OP_LOAD_STRING:
+	{
+		struct load_op *insn = (struct load_op *) pc;
+		uint32_t str_len, maxlen;
+
+		if (unlikely(pc + sizeof(struct load_op)
+				> start_pc + bytecode->len)) {
+			ret = -EINVAL;
+			break;
+		}
+
+		maxlen = start_pc + bytecode->len - pc - sizeof(struct load_op);
+		str_len = strnlen(insn->data, maxlen);
+		if (unlikely(str_len >= maxlen)) {
+			/* Final '\0' not found within range */
+			ret = -EINVAL;
+		}
+		break;
+	}
+
+	case FILTER_OP_LOAD_S64:
+	{
+		if (unlikely(pc + sizeof(struct load_op) + sizeof(struct literal_numeric)
+				> start_pc + bytecode->len)) {
+			ret = -EINVAL;
+		}
+		break;
+	}
+
+	case FILTER_OP_LOAD_DOUBLE:
+	{
+		if (unlikely(pc + sizeof(struct load_op) + sizeof(struct literal_double)
+				> start_pc + bytecode->len)) {
+			ret = -EINVAL;
+		}
+		break;
+	}
+
+	case FILTER_OP_CAST_TO_S64:
+	case FILTER_OP_CAST_DOUBLE_TO_S64:
+	case FILTER_OP_CAST_NOP:
+	{
+		if (unlikely(pc + sizeof(struct cast_op)
+				> start_pc + bytecode->len)) {
+			ret = -EINVAL;
+		}
+		break;
+	}
+	}
+
+	return ret;
+}
+
 static
 int lttng_filter_validate_bytecode(struct bytecode_runtime *bytecode)
 {
@@ -897,7 +1077,7 @@ int lttng_filter_validate_bytecode(struct bytecode_runtime *bytecode)
 	start_pc = &bytecode->data[0];
 	for (pc = next_pc = start_pc; pc - start_pc < bytecode->len;
 			pc = next_pc) {
-		if (unlikely(pc >= start_pc + bytecode->len)) {
+		if (bytecode_validate_overflow(bytecode, start_pc, pc) != 0) {
 			ERR("filter bytecode overflow\n");
 			ret = -EINVAL;
 			goto end;
-- 
2.34.1