From: Mathieu Desnoyers
Date: Mon, 22 Mar 2021 18:23:44 +0000 (-0400)
Subject: Fix: bytecode linker: validate event and field array/sequence encoding
X-Git-Tag: v2.11.4~7
X-Git-Url: https://git.lttng.org./?a=commitdiff_plain;h=1d7f24e135f4e7442b4aec60db8e9d17a651b8db;p=lttng-ust.git
Fix: bytecode linker: validate event and field array/sequence encoding
The bytecode linker should only allow linking filter expressions loading fields which are string-encoded arrays and sequence for comparison against a string, and reject arrays and sequences without encoding, so the filter interpreter does not attempt to load non-NULL terminated arrays/sequences as if they were strings.
Signed-off-by: Mathieu Desnoyers
Change-Id: Ic13fbbb0d601eddbb7d98f4a5e13fe3f45612fd8
---
diff --git a/liblttng-ust/lttng-filter.c b/liblttng-ust/lttng-filter.c
index d52658ae..2db388dc 100644
--- a/liblttng-ust/lttng-filter.c
+++ b/liblttng-ust/lttng-filter.c
@@ -254,9 +254,23 @@ int apply_field_reloc(struct lttng_event *event,
 op->op = FILTER_OP_LOAD_FIELD_REF_S64;
 break;
 case atype_array:
+ {
+ const struct lttng_basic_type *elem_type = &field->type.u.array.elem_type;
+
+ if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+ return -EINVAL;
+ op->op = FILTER_OP_LOAD_FIELD_REF_SEQUENCE;
+ break;
+ }
 case atype_sequence:
+ {
+ const struct lttng_basic_type *elem_type = &field->type.u.sequence.elem_type;
+
+ if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+ return -EINVAL;
 op->op = FILTER_OP_LOAD_FIELD_REF_SEQUENCE;
 break;
+ }
 case atype_string:
 op->op = FILTER_OP_LOAD_FIELD_REF_STRING;
 break;
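Review bot: The new guard in both the `atype_array` and `atype_sequence` cases compares `elem_type`, a `const struct lttng_basic_type *`, directly against the `atype_integer` enumerator instead of against the element type's tag, so it tests a pointer against an integer: that is a compile warning (an error under -Werror) and, since the operand is the address of a struct member, almost certainly always true, which would reject every array and sequence field with -EINVAL — including the string-encoded ones the commit message intends to keep linking. The tag field of struct lttng_basic_type is not visible in this hunk, but it is presumably `atype`, so both checks should read `if (elem_type->atype != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)`. With the tag checked first, the short-circuit also keeps `u.basic.integer.encoding` from being read through a non-integer element type. apply_field_reloc's signature and the rest of its switch lie outside this hunk.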
@@ -329,9 +343,25 @@ int apply_context_reloc(struct lttng_event *event,
 op->op = FILTER_OP_GET_CONTEXT_REF_S64;
 break;
 /* Sequence and array supported as string */
- case atype_string:
 case atype_array:
+ {
+ const struct lttng_basic_type *elem_type = &ctx_field->event_field.type.u.array.elem_type;
+
+ if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+ return -EINVAL;
+ op->op = FILTER_OP_GET_CONTEXT_REF_STRING;
+ break;
+ }
 case atype_sequence:
+ {
+ const struct lttng_basic_type *elem_type = &ctx_field->event_field.type.u.sequence.elem_type;
+
+ if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+ return -EINVAL;
+ op->op = FILTER_OP_GET_CONTEXT_REF_STRING;
+ break;
+ }
+ case atype_string:
 op->op = FILTER_OP_GET_CONTEXT_REF_STRING;
 break;
 case atype_float:
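Review bot: Same defect as in apply_field_reloc: `elem_type` is a pointer but is compared directly to `atype_integer`, so the check never inspects the element type's tag and will either fail to compile under -Werror or reject every array and sequence context field rather than only the unencoded ones; both checks should read `if (elem_type->atype != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)` (assuming the tag field is named `atype`, which the hunk does not show). The retained comment `/* Sequence and array supported as string */` now understates the rule; I would change it to `/* Arrays and sequences of encoded integers are loaded as strings; anything else is rejected */`. apply_context_reloc starts before this hunk and its remaining cases follow it.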