From 79e99400ca5fa31162d48688903aeb56d5eda37b Mon Sep 17 00:00:00 2001 From: TL Date: Wed, 20 Nov 2024 18:43:37 +0800 Subject: [PATCH 1/2] Check possible overflow in aot memory boundary check --- core/iwasm/compilation/aot_emit_memory.c | 40 +++++++++++++++++++++--- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/core/iwasm/compilation/aot_emit_memory.c b/core/iwasm/compilation/aot_emit_memory.c index 869a1dbb27..a89d0a652b 100644 --- a/core/iwasm/compilation/aot_emit_memory.c +++ b/core/iwasm/compilation/aot_emit_memory.c @@ -273,10 +273,24 @@ aot_check_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx, } /* offset1 = offset + addr; */ - /* TODO: check whether integer overflow occurs when memory is 64-bit - and boundary check is enabled */ BUILD_OP(Add, offset_const, addr, offset1, "offset1"); + if (is_target_64bit && comp_ctx->enable_bound_check) { + /* Check whether integer overflow occurs in offset + addr */ + LLVMBasicBlockRef check_integer_overflow_end; + ADD_BASIC_BLOCK(check_integer_overflow_end, + "check_integer_overflow_end"); + LLVMMoveBasicBlockAfter(check_integer_overflow_end, block_curr); + + BUILD_ICMP(LLVMIntULT, offset1, offset_const, cmp1, "cmp1"); + if (!aot_emit_exception(comp_ctx, func_ctx, + EXCE_OUT_OF_BOUNDS_MEMORY_ACCESS, true, cmp1, + check_integer_overflow_end)) { + goto fail; + } + SET_BUILD_POS(check_integer_overflow_end); + } + if (comp_ctx->enable_shared_heap /* TODO: && mem_idx == 0 */) { LLVMBasicBlockRef app_addr_in_shared_heap, app_addr_in_linear_mem; LLVMValueRef is_in_shared_heap, shared_heap_check_bound = NULL; @@ -303,7 +317,7 @@ aot_check_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx, LLVMPositionBuilderAtEnd(comp_ctx->builder, block_curr); if (!is_target_64bit) { - /* Check whether interger overflow occurs in addr + offset */ + /* Check whether integer overflow occurs in addr + offset */ LLVMBasicBlockRef check_integer_overflow_end; ADD_BASIC_BLOCK(check_integer_overflow_end, "check_integer_overflow_end"); @@ -1141,11 +1155,13 @@ check_bulk_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx, LLVMBasicBlockRef block_curr = LLVMGetInsertBlock(comp_ctx->builder); LLVMBasicBlockRef check_succ, block_maddr_phi = NULL; LLVMValueRef mem_size; + bool is_target_64bit; #if WASM_ENABLE_MEMORY64 == 0 bool is_memory64 = false; #else bool is_memory64 = IS_MEMORY64; #endif + is_target_64bit = (comp_ctx->pointer_size == sizeof(uint64)) ? true : false; /* Get memory base address and memory data size */ #if WASM_ENABLE_SHARED_MEMORY != 0 @@ -1215,10 +1231,24 @@ check_bulk_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx, goto fail; } - /* TODO: check whether integer overflow occurs when memory is 64-bit - and boundary check is enabled */ BUILD_OP(Add, offset, bytes, max_addr, "max_addr"); + if (is_target_64bit && comp_ctx->enable_bound_check) { + /* Check whether integer overflow occurs in offset + addr */ + LLVMBasicBlockRef check_integer_overflow_end; + ADD_BASIC_BLOCK(check_integer_overflow_end, + "check_integer_overflow_end"); + LLVMMoveBasicBlockAfter(check_integer_overflow_end, block_curr); + + BUILD_ICMP(LLVMIntULT, max_addr, offset, cmp, "cmp"); + if (!aot_emit_exception(comp_ctx, func_ctx, + EXCE_OUT_OF_BOUNDS_MEMORY_ACCESS, true, cmp, + check_integer_overflow_end)) { + goto fail; + } + SET_BUILD_POS(check_integer_overflow_end); + } + if (comp_ctx->enable_shared_heap /* TODO: && mem_idx == 0 */) { LLVMBasicBlockRef app_addr_in_shared_heap, app_addr_in_linear_mem; LLVMValueRef shared_heap_start_off, shared_heap_check_bound; From 6c1d3c821205701418c4288d786a96937c9793b6 Mon Sep 17 00:00:00 2001 From: TL Date: Fri, 22 Nov 2024 10:47:28 +0800 Subject: [PATCH 2/2] cr suggestions --- core/iwasm/compilation/aot_emit_memory.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/core/iwasm/compilation/aot_emit_memory.c b/core/iwasm/compilation/aot_emit_memory.c index a89d0a652b..9adf96ac52 100644 --- a/core/iwasm/compilation/aot_emit_memory.c +++ b/core/iwasm/compilation/aot_emit_memory.c @@ -275,7 +275,7 @@ aot_check_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx, /* offset1 = offset + addr; */ BUILD_OP(Add, offset_const, addr, offset1, "offset1"); - if (is_target_64bit && comp_ctx->enable_bound_check) { + if (is_memory64 && comp_ctx->enable_bound_check) { /* Check whether integer overflow occurs in offset + addr */ LLVMBasicBlockRef check_integer_overflow_end; ADD_BASIC_BLOCK(check_integer_overflow_end, @@ -1155,13 +1155,11 @@ check_bulk_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx, LLVMBasicBlockRef block_curr = LLVMGetInsertBlock(comp_ctx->builder); LLVMBasicBlockRef check_succ, block_maddr_phi = NULL; LLVMValueRef mem_size; - bool is_target_64bit; #if WASM_ENABLE_MEMORY64 == 0 bool is_memory64 = false; #else bool is_memory64 = IS_MEMORY64; #endif - is_target_64bit = (comp_ctx->pointer_size == sizeof(uint64)) ? true : false; /* Get memory base address and memory data size */ #if WASM_ENABLE_SHARED_MEMORY != 0 @@ -1233,7 +1231,7 @@ check_bulk_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx, BUILD_OP(Add, offset, bytes, max_addr, "max_addr"); - if (is_target_64bit && comp_ctx->enable_bound_check) { + if (is_memory64 && comp_ctx->enable_bound_check) { /* Check whether integer overflow occurs in offset + addr */ LLVMBasicBlockRef check_integer_overflow_end; ADD_BASIC_BLOCK(check_integer_overflow_end,