From c7ef2e7d2442e0620e439ddaa71c596437a5804c Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers
Date: Thu, 29 Sep 2022 15:37:47 -0400
Subject: [PATCH] Fix: bytecode validator: reject specialized load instructions
Reject specialized load instructions so a bytecode crafted with nefarious intent cannot read a memory area larger than the memory targeted by the instrumentation. This prevents bytecode received from the session daemon from performing out of bound memory accesses and from disclosing the content of application memory beyond what has been targeted by the instrumentation.
Signed-off-by: Mathieu Desnoyers
Change-Id: I1f90379455699cf0ad09159c11a12dcd53070f6a
---
 src/lib/lttng-ust/lttng-bytecode-validator.c | 52 ++++----------------
 1 file changed, 10 insertions(+), 42 deletions(-)
diff --git a/src/lib/lttng-ust/lttng-bytecode-validator.c b/src/lib/lttng-ust/lttng-bytecode-validator.c
index 1a3649c1..d727270a 100644
--- a/src/lib/lttng-ust/lttng-bytecode-validator.c
+++ b/src/lib/lttng-ust/lttng-bytecode-validator.c
@@ -1104,60 +1104,28 @@ int validate_instruction_context(
 dbg_printf("Validate load field\n");
 break;
 }
+
+ /*
+ * Disallow already specialized bytecode op load field instructions to
+ * ensure that the received bytecode does not read a memory area larger
+ * than the memory targeted by the instrumentation.
+ */
 case BYTECODE_OP_LOAD_FIELD_S8:
- {
- dbg_printf("Validate load field s8\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_S16:
- {
- dbg_printf("Validate load field s16\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_S32:
- {
- dbg_printf("Validate load field s32\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_S64:
- {
- dbg_printf("Validate load field s64\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_U8:
- {
- dbg_printf("Validate load field u8\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_U16:
- {
- dbg_printf("Validate load field u16\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_U32:
- {
- dbg_printf("Validate load field u32\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_U64:
- {
- dbg_printf("Validate load field u64\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_STRING:
- {
- dbg_printf("Validate load field string\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_SEQUENCE:
- {
- dbg_printf("Validate load field sequence\n");
- break;
- }
 case BYTECODE_OP_LOAD_FIELD_DOUBLE:
 {
- dbg_printf("Validate load field double\n");
- break;
+ dbg_printf("Validate load field, reject specialized load instruction (%d)\n",
+ (int) opcode);
+ ret = -EINVAL;
+ goto end;
 }
 case BYTECODE_OP_GET_SYMBOL:
-- 
2.34.1
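Review bot: The rejection in the shared block under `BYTECODE_OP_LOAD_FIELD_DOUBLE` is reported only through `dbg_printf`, so in a non-debug build a bytecode that the session daemon should never have produced is refused without any trace in the application's logs; since this is a validation failure rather than a normal validation step, it deserves the file's error-level logger if one is in scope here (the rest of validate_instruction_context is outside the hunk, so I cannot confirm which one its other rejection paths use). The `ret = -EINVAL; goto end;` path relies on the function's existing `ret` variable and `end` label, both outside the hunk; confirm that `end` returns `ret` and that the caller treats a negative value as rejecting the whole bytecode rather than skipping the instruction. The new comment says what is disallowed but not why these opcodes can only come from a hostile or broken peer; if, as the commit message suggests, they are produced solely by the local specialization pass that runs after validation, a line such as `* These opcodes are only emitted by the local specialization pass, after validation, so they must never appear in received bytecode.` would make the invariant explicit for the next maintainer.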