[wasm] Check segment bounds beforehand

src/wasm/wasm-module.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <memory>
 
 #include "src/assembler-inl.h"
 #include "src/base/adapters.h"
 #include "src/base/atomic-utils.h"
 #include "src/code-stubs.h"
@@ skipping 1256 matching lines @@
     //--------------------------------------------------------------------------
     int num_imported_functions = ProcessImports(code_table, instance);
     if (num_imported_functions < 0) return nothing;
 
     //--------------------------------------------------------------------------
     // Process the initialization for the module's globals.
     //--------------------------------------------------------------------------
     InitGlobals();
 
     //--------------------------------------------------------------------------
+    // Set up the indirect function tables for the new instance.
+    //--------------------------------------------------------------------------
+    if (function_table_count > 0) InitializeTables(code_table, instance);
+
+    //--------------------------------------------------------------------------
     // Set up the memory for the new instance.
     //--------------------------------------------------------------------------
     MaybeHandle<JSArrayBuffer> old_memory;
 
     uint32_t min_mem_pages = module_->min_mem_pages;
     isolate_->counters()->wasm_min_mem_pages_count()->AddSample(min_mem_pages);
 
     if (!memory_.is_null()) {
       // Set externally passed ArrayBuffer non neuterable.
       memory_->set_is_neuterable(false);
 
       DCHECK_IMPLIES(EnableGuardRegions(), module_->origin == kAsmJsOrigin ||
                                                memory_->has_guard_region());
     } else if (min_mem_pages > 0) {
       memory_ = AllocateMemory(min_mem_pages);
       if (memory_.is_null()) return nothing;  // failed to allocate memory
     }
 
+    //--------------------------------------------------------------------------
+    // Check that indirect function table segments are within bounds.
+    //--------------------------------------------------------------------------
+    for (WasmTableInit& table_init : module_->table_inits) {
+      DCHECK(table_init.table_index < table_instances_.size());
+      uint32_t base = EvalUint32InitExpr(table_init.offset);
+      uint32_t table_size =
+          table_instances_[table_init.table_index].function_table->length();
+      if (!in_bounds(base, static_cast<uint32_t>(table_init.entries.size()),
+                     table_size)) {
+        thrower_->LinkError("table initializer is out of bounds");
+        return nothing;
+      }
+    }
+
+    //--------------------------------------------------------------------------
+    // Check that memory segments are within bounds.
+    //--------------------------------------------------------------------------
+    for (WasmDataSegment& seg : module_->data_segments) {
+      uint32_t base = EvalUint32InitExpr(seg.dest_addr);
+      uint32_t mem_size = memory_.is_null()
+          ? 0 : static_cast<uint32_t>(memory_->byte_length()->Number());
+      if (!in_bounds(base, seg.source_size, mem_size)) {
+        thrower_->LinkError("data segment is out of bounds");
+        return nothing;
+      }
+    }
+
+    //--------------------------------------------------------------------------
+    // Initialize memory.
+    //--------------------------------------------------------------------------
     if (!memory_.is_null()) {
       instance->set_memory_buffer(*memory_);
       Address mem_start = static_cast<Address>(memory_->backing_store());
       uint32_t mem_size =
           static_cast<uint32_t>(memory_->byte_length()->Number());
-      if (!LoadDataSegments(mem_start, mem_size)) return nothing;
+      LoadDataSegments(mem_start, mem_size);
 
       uint32_t old_mem_size = compiled_module_->mem_size();
       Address old_mem_start =
           compiled_module_->has_memory()
               ? static_cast<Address>(
                     compiled_module_->memory()->backing_store())
               : nullptr;
       RelocateMemoryReferencesInCode(code_table, old_mem_start, mem_start,
                                      old_mem_size, mem_size);
       compiled_module_->set_memory(memory_);
-    } else {
-      if (!LoadDataSegments(nullptr, 0)) return nothing;
     }
 
     //--------------------------------------------------------------------------
     // Set up the runtime support for the new instance.
     //--------------------------------------------------------------------------
     Handle<WeakCell> weak_link = factory->NewWeakCell(instance);
 
     for (int i = num_imported_functions + FLAG_skip_compiling_wasm_funcs;
          i < code_table->length(); ++i) {
       Handle<Code> code = code_table->GetValueChecked<Code>(isolate_, i);
@@ skipping 13 matching lines @@
 
     //--------------------------------------------------------------------------
     // Add instance to Memory object
     //--------------------------------------------------------------------------
     DCHECK(wasm::IsWasmInstance(*instance));
     if (instance->has_memory_object()) {
       instance->memory_object()->AddInstance(isolate_, instance);
     }
 
     //--------------------------------------------------------------------------
-    // Set up the indirect function tables for the new instance.
+    // Initialize the indirect function tables.
     //--------------------------------------------------------------------------
-    if (function_table_count > 0) InitializeTables(code_table, instance);
+    if (function_table_count > 0) LoadTableSegments(code_table, instance);
 
     // Patch new call sites and the context.
     PatchDirectCallsAndContext(code_table, compiled_module_, module_,
                                num_imported_functions);
 
     FlushICache(isolate_, code_table);
 
     //--------------------------------------------------------------------------
     // Unpack and notify signal handler of protected instructions.
     //--------------------------------------------------------------------------
@@ skipping 182 matching lines @@
       case WasmInitExpr::kGlobalIndex: {
         uint32_t offset = module_->globals[expr.val.global_index].offset;
         return *reinterpret_cast<uint32_t*>(raw_buffer_ptr(globals_, offset));
       }
       default:
         UNREACHABLE();
         return 0;
     }
   }
 
+  bool in_bounds(uint32_t offset, uint32_t size, uint32_t upper) {
+    return offset + size <= upper && offset + size >= offset;
+  }
+
   // Load data segments into the memory.
-  bool LoadDataSegments(Address mem_addr, size_t mem_size) {
+  void LoadDataSegments(Address mem_addr, size_t mem_size) {
     Handle<SeqOneByteString> module_bytes(compiled_module_->module_bytes(),
                                           isolate_);
     for (const WasmDataSegment& segment : module_->data_segments) {
       uint32_t source_size = segment.source_size;
       // Segments of size == 0 are just nops.
       if (source_size == 0) continue;
       uint32_t dest_offset = EvalUint32InitExpr(segment.dest_addr);
-      if (dest_offset + source_size > mem_size ||
-          dest_offset + source_size < dest_offset) {
-        thrower_->LinkError("data segment (start = %" PRIu32 ", size = %" PRIu32
-                            ") does not fit into memory (size = %" PRIuS ")",
-                            dest_offset, source_size, mem_size);
-        return false;
-      }
+      DCHECK(in_bounds(dest_offset, source_size,
+                       static_cast<uint32_t>(mem_size)));
       byte* dest = mem_addr + dest_offset;
       const byte* src = reinterpret_cast<const byte*>(
           module_bytes->GetCharsAddress() + segment.source_offset);
       memcpy(dest, src, source_size);
     }
-    return true;
   }
 
   void WriteGlobalValue(WasmGlobal& global, Handle<Object> value) {
     double num = 0;
     if (value->IsSmi()) {
       num = Smi::cast(*value)->value();
     } else if (value->IsHeapNumber()) {
       num = HeapNumber::cast(*value)->value();
     } else {
       UNREACHABLE();
@@ skipping 443 matching lines @@
     if (module_->origin == kWasmOrigin) {
       v8::Maybe<bool> success = JSReceiver::SetIntegrityLevel(
           exports_object, FROZEN, Object::DONT_THROW);
       DCHECK(success.FromMaybe(false));
       USE(success);
     }
   }
 
   void InitializeTables(Handle<FixedArray> code_table,
                         Handle<WasmInstanceObject> instance) {
-    Handle<FixedArray> old_function_tables =
-        compiled_module_->function_tables();
-    Handle<FixedArray> old_signature_tables =
-        compiled_module_->signature_tables();
     int function_table_count =
         static_cast<int>(module_->function_tables.size());
     Handle<FixedArray> new_function_tables =
         isolate_->factory()->NewFixedArray(function_table_count);
     Handle<FixedArray> new_signature_tables =
         isolate_->factory()->NewFixedArray(function_table_count);
     for (int index = 0; index < function_table_count; ++index) {
       WasmIndirectFunctionTable& table = module_->function_tables[index];
       TableInstance& table_instance = table_instances_[index];
       int table_size = static_cast<int>(table.min_size);
 
       if (table_instance.function_table.is_null()) {
         // Create a new dispatch table if necessary.
         table_instance.function_table =
             isolate_->factory()->NewFixedArray(table_size);
         table_instance.signature_table =
             isolate_->factory()->NewFixedArray(table_size);
         for (int i = 0; i < table_size; ++i) {
           // Fill the table with invalid signature indexes so that
           // uninitialized entries will always fail the signature check.
           table_instance.signature_table->set(i,
                                               Smi::FromInt(kInvalidSigIndex));
         }
       }
 
       new_function_tables->set(static_cast<int>(index),
                                *table_instance.function_table);
       new_signature_tables->set(static_cast<int>(index),
                                 *table_instance.signature_table);
+    }
+
+    // Patch all code that has references to the old indirect tables.
+    Handle<FixedArray> old_function_tables =
+        compiled_module_->function_tables();
+    Handle<FixedArray> old_signature_tables =
+        compiled_module_->signature_tables();
+    for (int i = 0; i < code_table->length(); ++i) {
+      if (!code_table->get(i)->IsCode()) continue;
+      Handle<Code> code(Code::cast(code_table->get(i)), isolate_);
+      for (int j = 0; j < function_table_count; ++j) {
+        ReplaceReferenceInCode(
+            code, Handle<Object>(old_function_tables->get(j), isolate_),
+            Handle<Object>(new_function_tables->get(j), isolate_));
+        ReplaceReferenceInCode(
+            code, Handle<Object>(old_signature_tables->get(j), isolate_),
+            Handle<Object>(new_signature_tables->get(j), isolate_));
+      }
+    }
+    compiled_module_->set_function_tables(new_function_tables);
+    compiled_module_->set_signature_tables(new_signature_tables);
+  }
+
+  void LoadTableSegments(Handle<FixedArray> code_table,
+                         Handle<WasmInstanceObject> instance) {
+    int function_table_count =
+        static_cast<int>(module_->function_tables.size());
+    for (int index = 0; index < function_table_count; ++index) {
+      WasmIndirectFunctionTable& table = module_->function_tables[index];
+      TableInstance& table_instance = table_instances_[index];
 
       Handle<FixedArray> all_dispatch_tables;
       if (!table_instance.table_object.is_null()) {
         // Get the existing dispatch table(s) with the WebAssembly.Table object.
         all_dispatch_tables = WasmTableObject::AddDispatchTable(
             isolate_, table_instance.table_object,
             Handle<WasmInstanceObject>::null(), index,
             Handle<FixedArray>::null(), Handle<FixedArray>::null());
       }
 
       // TODO(titzer): this does redundant work if there are multiple tables,
       // since initializations are not sorted by table index.
       for (auto table_init : module_->table_inits) {
         uint32_t base = EvalUint32InitExpr(table_init.offset);
-        if (base > static_cast<uint32_t>(table_size) ||
-            (base + table_init.entries.size() >
-             static_cast<uint32_t>(table_size))) {
-          thrower_->LinkError("table initializer is out of bounds");
-          continue;
-        }
+        DCHECK(in_bounds(base, static_cast<uint32_t>(table_init.entries.size()),
+                         table_instance.function_table->length()));
         for (int i = 0; i < static_cast<int>(table_init.entries.size()); ++i) {
           uint32_t func_index = table_init.entries[i];
           WasmFunction* function = &module_->functions[func_index];
           int table_index = static_cast<int>(i + base);
           int32_t sig_index = table.map.Find(function->sig);
           DCHECK_GE(sig_index, 0);
           table_instance.signature_table->set(table_index,
                                               Smi::FromInt(sig_index));
           table_instance.function_table->set(table_index,
                                              code_table->get(func_index));
@@ skipping 42 matching lines @@
       // TODO(titzer): we add the new dispatch table at the end to avoid
       // redundant work and also because the new instance is not yet fully
       // initialized.
       if (!table_instance.table_object.is_null()) {
         // Add the new dispatch table to the WebAssembly.Table object.
         all_dispatch_tables = WasmTableObject::AddDispatchTable(
             isolate_, table_instance.table_object, instance, index,
             table_instance.function_table, table_instance.signature_table);
       }
     }
-    // Patch all code that has references to the old indirect tables.
-    for (int i = 0; i < code_table->length(); ++i) {
-      if (!code_table->get(i)->IsCode()) continue;
-      Handle<Code> code(Code::cast(code_table->get(i)), isolate_);
-      for (int j = 0; j < function_table_count; ++j) {
-        ReplaceReferenceInCode(
-            code, Handle<Object>(old_function_tables->get(j), isolate_),
-            Handle<Object>(new_function_tables->get(j), isolate_));
-        ReplaceReferenceInCode(
-            code, Handle<Object>(old_signature_tables->get(j), isolate_),
-            Handle<Object>(new_signature_tables->get(j), isolate_));
-      }
-    }
-    compiled_module_->set_function_tables(new_function_tables);
-    compiled_module_->set_signature_tables(new_signature_tables);
   }
 };
 
 // Instantiates a WASM module, creating a WebAssembly.Instance from a
 // WebAssembly.Module.
 MaybeHandle<WasmInstanceObject> WasmModule::Instantiate(
     Isolate* isolate, ErrorThrower* thrower,
     Handle<WasmModuleObject> wasm_module, Handle<JSReceiver> ffi,
     Handle<JSArrayBuffer> memory) {
   WasmInstanceBuilder builder(isolate, thrower, wasm_module, ffi, memory);
@@ skipping 466 matching lines @@
 
     JSObject::AddProperty(entry, name_string, export_name.ToHandleChecked(),
                           NONE);
     JSObject::AddProperty(entry, kind_string, export_kind, NONE);
 
     storage->set(index, *entry);
   }
 
   return array_object;
 }