ARCHIVE/xahaud
3
0
Fork 0
mirror of https://github.com/Xahau/xahaud.git synced 2025-11-20 10:35:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix for #31 and #32

Browse Source
This commit is contained in:
Richard Holland
2023-02-28 08:31:28 +00:00
parent e5840f67e5
commit 8a62a613ec
1 changed files with 57 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
src/ripple/app/hook/Guard.h
View File

@@ -95,7 +95,7 @@ parseSignedLeb128(
// this macro will return temMALFORMED if i ever exceeds the end of the hook // this macro will return temMALFORMED if i ever exceeds the end of the hook
#define CHECK_SHORT_HOOK()\ #define CHECK_SHORT_HOOK()\
{\ {\
if (i >= hook.size())\ if (i >= wasm.size())\
{\ {\
\ \
GUARDLOG(hook::log::SHORT_HOOK) \ GUARDLOG(hook::log::SHORT_HOOK) \
@@ -108,7 +108,7 @@ parseSignedLeb128(
#define REQUIRE(x)\ #define REQUIRE(x)\
{\ {\
if (i + (x) > hook.size())\ if (i + (x) > wasm.size())\
{\ {\
\ \
GUARDLOG(hook::log::SHORT_HOOK) \ GUARDLOG(hook::log::SHORT_HOOK) \
@@ -124,10 +124,10 @@ parseSignedLeb128(
} }
#define LEB()\ #define LEB()\
parseLeb128(hook, i, &i) parseLeb128(wasm, i, &i)
#define SIGNED_LEB()\ #define SIGNED_LEB()\
parseSignedLeb128(hook, i, &i) parseSignedLeb128(wasm, i, &i)
#define GUARD_ERROR(msg)\ #define GUARD_ERROR(msg)\
{\ {\
@@ -177,20 +177,10 @@ struct WasmBlkInf
return child; return child;
} }
void free_children(WasmBlkInf* blk)
{
for (WasmBlkInf* child : blk->children)
free_children(child);
delete blk;
}
~WasmBlkInf() ~WasmBlkInf()
{ {
// only the root is responsible for freeing for (WasmBlkInf* child : children)
if (is_root) delete child;
for (WasmBlkInf* child : children)
free_children(child);
} }
}; };
@@ -272,7 +262,7 @@ uint64_t compute_wce (const WasmBlkInf* blk, int level, bool* recursion_limit_re
inline inline
std::optional<uint64_t> std::optional<uint64_t>
check_guard( check_guard(
std::vector<uint8_t> const& hook, std::vector<uint8_t> const& wasm,
int codesec, int codesec,
int start_offset, int start_offset,
int end_offset, int end_offset,
@@ -290,7 +280,7 @@ check_guard(
"codesec=%d start_offset=%d end_offset=%d guard_func_idx=%d last_import_idx=%d\n", "codesec=%d start_offset=%d end_offset=%d guard_func_idx=%d last_import_idx=%d\n",
codesec, start_offset, end_offset, guard_func_idx, last_import_idx); codesec, start_offset, end_offset, guard_func_idx, last_import_idx);
if (end_offset <= 0) end_offset = hook.size(); if (end_offset <= 0) end_offset = wasm.size();
int block_depth = 0; int block_depth = 0;
// the root node is constructed in a unique ptr, which will cause its destructor to be called // the root node is constructed in a unique ptr, which will cause its destructor to be called
@@ -311,12 +301,12 @@ check_guard(
{ {
printf("->"); printf("->");
for (int z = i; z < 16 + i && z < end_offset; ++z) for (int z = i; z < 16 + i && z < end_offset; ++z)
printf("%02X", hook[z]); printf("%02X", wasm[z]);
printf("\n"); printf("\n");
} }
REQUIRE(1); REQUIRE(1);
uint8_t instr = hook[i]; uint8_t instr = wasm[i];
ADVANCE(1); ADVANCE(1);
current->instruction_count++; current->instruction_count++;
@@ -339,7 +329,7 @@ check_guard(
REQUIRE(1); REQUIRE(1);
// discard the block return type // discard the block return type
uint8_t block_type = hook[i]; uint8_t block_type = wasm[i];
if ((block_type >= 0x7CU && block_type <= 0x7FU) || if ((block_type >= 0x7CU && block_type <= 0x7FU) ||
block_type == 0x7BU || block_type == 0x70U || block_type == 0x7BU || block_type == 0x70U ||
block_type == 0x7BU || block_type == 0x40U) block_type == 0x7BU || block_type == 0x40U)
@@ -362,21 +352,21 @@ check_guard(
// first i32 // first i32
REQUIRE(1); REQUIRE(1);
if (hook[i] != 0x41U) if (wasm[i] != 0x41U)
GUARD_ERROR("Missing first i32.const after loop instruction"); GUARD_ERROR("Missing first i32.const after loop instruction");
ADVANCE(1); ADVANCE(1);
SIGNED_LEB(); // this is the ID, we don't need it here SIGNED_LEB(); // this is the ID, we don't need it here
// second i32 // second i32
REQUIRE(1); REQUIRE(1);
if (hook[i] != 0x41U) if (wasm[i] != 0x41U)
GUARD_ERROR("Missing second i32.const after loop instruction"); GUARD_ERROR("Missing second i32.const after loop instruction");
ADVANCE(1); ADVANCE(1);
iteration_bound = LEB(); // second param is the iteration bound, which is important here iteration_bound = LEB(); // second param is the iteration bound, which is important here
// guard call // guard call
REQUIRE(1); REQUIRE(1);
if (hook[i] != 0x10U) if (wasm[i] != 0x10U)
GUARD_ERROR("Missing call to _g after first and second i32.const at loop start"); GUARD_ERROR("Missing call to _g after first and second i32.const at loop start");
ADVANCE(1); ADVANCE(1);
uint64_t call_func_idx = LEB(); // the function being called *must* be the _g function uint64_t call_func_idx = LEB(); // the function being called *must* be the _g function
@@ -501,7 +491,7 @@ check_guard(
{ {
REQUIRE(1); REQUIRE(1);
// if it's a ref type it's a single byte // if it's a ref type it's a single byte
if (!(hook[i] == 0x70U || hook[i] == 0x6FU)) if (!(wasm[i] == 0x70U || wasm[i] == 0x6FU))
GUARD_ERROR("Invalid reftype in 0xD0 instruction"); GUARD_ERROR("Invalid reftype in 0xD0 instruction");
ADVANCE(1); ADVANCE(1);
} }
@@ -530,7 +520,7 @@ check_guard(
for (uint64_t n = 0; n < vec_count; ++n) for (uint64_t n = 0; n < vec_count; ++n)
{ {
REQUIRE(1); REQUIRE(1);
uint8_t v = hook[i]; uint8_t v = wasm[i];
if ((v >= 0x7BU && v <= 0x7FU) || v == 0x70U || v == 0x6FU) if ((v >= 0x7BU && v <= 0x7FU) || v == 0x70U || v == 0x6FU)
{ {
// fine // fine
@@ -766,11 +756,11 @@ std::pair<
uint64_t // max instruction count for cbak() uint64_t // max instruction count for cbak()
>> >>
validateGuards( validateGuards(
std::vector<uint8_t> const& hook, std::vector<uint8_t> const& wasm,
GuardLog guardLog, GuardLog guardLog,
std::string guardLogAccStr) std::string guardLogAccStr)
{ {
uint64_t byteCount = hook.size(); uint64_t byteCount = wasm.size();
// 63 bytes is the smallest possible valid hook wasm // 63 bytes is the smallest possible valid hook wasm
if (byteCount < 63U) if (byteCount < 63U)
@@ -784,7 +774,7 @@ validateGuards(
unsigned char header[8] = { 0x00U, 0x61U, 0x73U, 0x6DU, 0x01U, 0x00U, 0x00U, 0x00U }; unsigned char header[8] = { 0x00U, 0x61U, 0x73U, 0x6DU, 0x01U, 0x00U, 0x00U, 0x00U };
for (int i = 0; i < 8; ++i) for (int i = 0; i < 8; ++i)
{ {
if (hook[i] != header[i]) if (wasm[i] != header[i])
{ {
GUARDLOG(hook::log::WASM_BAD_MAGIC) GUARDLOG(hook::log::WASM_BAD_MAGIC)
<< "Malformed transaction: Hook was not valid webassembly binary. " << "Malformed transaction: Hook was not valid webassembly binary. "
@@ -808,7 +798,7 @@ validateGuards(
int last_import_number = -1; int last_import_number = -1;
int import_count = 0; int import_count = 0;
int last_section_type = 0; int last_section_type = 0;
for (int i = 8, j = 0; i < hook.size();) for (int i = 8, j = 0; i < wasm.size();)
{ {
if (j == i) if (j == i)
@@ -823,7 +813,7 @@ validateGuards(
j = i; j = i;
// each web assembly section begins with a single byte section type followed by an leb128 length // each web assembly section begins with a single byte section type followed by an leb128 length
int section_type = hook[i++]; int section_type = wasm[i++];
if (section_type == 0) if (section_type == 0)
{ {
@@ -843,7 +833,7 @@ validateGuards(
int section_length = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int section_length = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
//int section_start = i; //int section_start = i;
if (DEBUG_GUARD_VERBOSE) if (DEBUG_GUARD_VERBOSE)
@@ -855,7 +845,7 @@ validateGuards(
if (section_type == 2) // import section if (section_type == 2) // import section
{ {
// we are interested in the import section... we need to know if _g is imported and which import# it is // we are interested in the import section... we need to know if _g is imported and which import# it is
import_count = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); import_count = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (import_count <= 0) if (import_count <= 0)
{ {
GUARDLOG(hook::log::IMPORTS_MISSING) GUARDLOG(hook::log::IMPORTS_MISSING)
@@ -870,8 +860,8 @@ validateGuards(
for (int j = 0; j < import_count; ++j) for (int j = 0; j < import_count; ++j)
{ {
// first check module name // first check module name
int mod_length = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int mod_length = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (mod_length < 1 || mod_length > (hook.size() - i)) if (mod_length < 1 || mod_length > (wasm.size() - i))
{ {
GUARDLOG(hook::log::IMPORT_MODULE_BAD) GUARDLOG(hook::log::IMPORT_MODULE_BAD)
<< "Malformed transaction. " << "Malformed transaction. "
@@ -879,7 +869,7 @@ validateGuards(
return {}; return {};
} }
if (std::string_view( (const char*)(hook.data() + i), (size_t)mod_length ) != "env") if (std::string_view( (const char*)(wasm.data() + i), (size_t)mod_length ) != "env")
{ {
GUARDLOG(hook::log::IMPORT_MODULE_ENV) GUARDLOG(hook::log::IMPORT_MODULE_ENV)
<< "Malformed transaction. " << "Malformed transaction. "
@@ -890,8 +880,8 @@ validateGuards(
i += mod_length; CHECK_SHORT_HOOK(); i += mod_length; CHECK_SHORT_HOOK();
// next get import name // next get import name
int name_length = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int name_length = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (name_length < 1 || name_length > (hook.size() - i)) if (name_length < 1 || name_length > (wasm.size() - i))
{ {
GUARDLOG(hook::log::IMPORT_NAME_BAD) GUARDLOG(hook::log::IMPORT_NAME_BAD)
<< "Malformed transaction. " << "Malformed transaction. "
@@ -899,12 +889,12 @@ validateGuards(
return {}; return {};
} }
std::string import_name { (const char*)(hook.data() + i), (size_t)name_length }; std::string import_name { (const char*)(wasm.data() + i), (size_t)name_length };
i += name_length; CHECK_SHORT_HOOK(); i += name_length; CHECK_SHORT_HOOK();
// next get import type // next get import type
if (hook[i] > 0x00) if (wasm[i] > 0x00)
{ {
// not a function import // not a function import
GUARDLOG(hook::log::IMPORT_ILLEGAL) GUARDLOG(hook::log::IMPORT_ILLEGAL)
@@ -916,7 +906,7 @@ validateGuards(
// execution to here means it's a function import // execution to here means it's a function import
i++; CHECK_SHORT_HOOK(); i++; CHECK_SHORT_HOOK();
int type_idx = int type_idx =
parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (import_name == "_g") if (import_name == "_g")
{ {
@@ -958,7 +948,7 @@ validateGuards(
} else } else
if (section_type == 7) // export section if (section_type == 7) // export section
{ {
int export_count = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int export_count = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (export_count <= 0) if (export_count <= 0)
{ {
GUARDLOG(hook::log::EXPORTS_MISSING) GUARDLOG(hook::log::EXPORTS_MISSING)
@@ -970,14 +960,14 @@ validateGuards(
for (int j = 0; j < export_count; ++j) for (int j = 0; j < export_count; ++j)
{ {
int name_len = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int name_len = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (name_len == 4) if (name_len == 4)
{ {
if (hook[i] == 'h' && hook[i+1] == 'o' && hook[i+2] == 'o' && hook[i+3] == 'k') if (wasm[i] == 'h' && wasm[i+1] == 'o' && wasm[i+2] == 'o' && wasm[i+3] == 'k')
{ {
i += name_len; CHECK_SHORT_HOOK(); i += name_len; CHECK_SHORT_HOOK();
if (hook[i] != 0) if (wasm[i] != 0)
{ {
GUARDLOG(hook::log::EXPORT_HOOK_FUNC) GUARDLOG(hook::log::EXPORT_HOOK_FUNC)
<< "Malformed transaction. " << "Malformed transaction. "
@@ -986,14 +976,14 @@ validateGuards(
} }
i++; CHECK_SHORT_HOOK(); i++; CHECK_SHORT_HOOK();
hook_func_idx = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); hook_func_idx = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
continue; continue;
} }
if (hook[i] == 'c' && hook[i+1] == 'b' && hook[i+2] == 'a' && hook[i+3] == 'k') if (wasm[i] == 'c' && wasm[i+1] == 'b' && wasm[i+2] == 'a' && wasm[i+3] == 'k')
{ {
i += name_len; CHECK_SHORT_HOOK(); i += name_len; CHECK_SHORT_HOOK();
if (hook[i] != 0) if (wasm[i] != 0)
{ {
GUARDLOG(hook::log::EXPORT_CBAK_FUNC) GUARDLOG(hook::log::EXPORT_CBAK_FUNC)
<< "Malformed transaction. " << "Malformed transaction. "
@@ -1001,13 +991,13 @@ validateGuards(
return {}; return {};
} }
i++; CHECK_SHORT_HOOK(); i++; CHECK_SHORT_HOOK();
cbak_func_idx = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); cbak_func_idx = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
continue; continue;
} }
} }
i += name_len + 1; i += name_len + 1;
parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
} }
// execution to here means export section was parsed // execution to here means export section was parsed
@@ -1022,7 +1012,7 @@ validateGuards(
} }
else if (section_type == 3) // function section else if (section_type == 3) // function section
{ {
int function_count = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int function_count = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (function_count <= 0) if (function_count <= 0)
{ {
GUARDLOG(hook::log::FUNCS_MISSING) GUARDLOG(hook::log::FUNCS_MISSING)
@@ -1034,7 +1024,7 @@ validateGuards(
for (int j = 0; j < function_count; ++j) for (int j = 0; j < function_count; ++j)
{ {
int type_idx = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int type_idx = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (DEBUG_GUARD) if (DEBUG_GUARD)
printf("Function map: func %d -> type %d\n", j, type_idx); printf("Function map: func %d -> type %d\n", j, type_idx);
func_type_map[j] = type_idx; func_type_map[j] = type_idx;
@@ -1078,20 +1068,20 @@ validateGuards(
// second pass... where we check all the guard function calls follow the guard rules // second pass... where we check all the guard function calls follow the guard rules
// minimal other validation in this pass because first pass caught most of it // minimal other validation in this pass because first pass caught most of it
for (int i = 8; i < hook.size();) for (int i = 8; i < wasm.size();)
{ {
int section_type = hook[i++]; int section_type = wasm[i++];
int section_length = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int section_length = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
//int section_start = i; //int section_start = i;
int next_section = i + section_length; int next_section = i + section_length;
if (section_type == 1) // type section if (section_type == 1) // type section
{ {
int type_count = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int type_count = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
for (int j = 0; j < type_count; ++j) for (int j = 0; j < type_count; ++j)
{ {
if (hook[i++] != 0x60) if (wasm[i++] != 0x60)
{ {
GUARDLOG(hook::log::FUNC_TYPE_INVALID) GUARDLOG(hook::log::FUNC_TYPE_INVALID)
<< "Invalid function type. " << "Invalid function type. "
@@ -1147,7 +1137,7 @@ validateGuards(
return {}; return {};
} }
int param_count = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int param_count = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (j == hook_type_idx) if (j == hook_type_idx)
{ {
if (param_count != 1) if (param_count != 1)
@@ -1169,7 +1159,7 @@ validateGuards(
for (int k = 0; k < param_count; ++k) for (int k = 0; k < param_count; ++k)
{ {
int param_type = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int param_type = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (param_type == 0x7FU || param_type == 0x7EU || if (param_type == 0x7FU || param_type == 0x7EU ||
param_type == 0x7DU || param_type == 0x7CU) param_type == 0x7DU || param_type == 0x7CU)
{ {
@@ -1211,7 +1201,7 @@ validateGuards(
} }
} }
int result_count = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int result_count = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
// this needs a reliable hook cleaner otherwise it will catch most compilers out // this needs a reliable hook cleaner otherwise it will catch most compilers out
if (result_count != 1) if (result_count != 1)
@@ -1226,7 +1216,7 @@ validateGuards(
// so for completeness this loop is here but can be taken out in prod // so for completeness this loop is here but can be taken out in prod
for (int k = 0; k < result_count; ++k) for (int k = 0; k < result_count; ++k)
{ {
int result_type = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int result_type = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (result_type == 0x7F || result_type == 0x7E || if (result_type == 0x7F || result_type == 0x7E ||
result_type == 0x7D || result_type == 0x7C) result_type == 0x7D || result_type == 0x7C)
{ {
@@ -1278,19 +1268,19 @@ validateGuards(
{ {
// RH TODO: parse anywhere else an expr is allowed in wasm and enforce rules there too // RH TODO: parse anywhere else an expr is allowed in wasm and enforce rules there too
// these are the functions // these are the functions
int func_count = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int func_count = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
for (int j = 0; j < func_count; ++j) for (int j = 0; j < func_count; ++j)
{ {
// parse locals // parse locals
int code_size = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int code_size = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
int code_end = i + code_size; int code_end = i + code_size;
int local_count = parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); int local_count = parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
for (int k = 0; k < local_count; ++k) for (int k = 0; k < local_count; ++k)
{ {
/*int array_size = */ /*int array_size = */
parseLeb128(hook, i, &i); CHECK_SHORT_HOOK(); parseLeb128(wasm, i, &i); CHECK_SHORT_HOOK();
if (!(hook[i] >= 0x7C && hook[i] <= 0x7F)) if (!(wasm[i] >= 0x7C && wasm[i] <= 0x7F))
{ {
GUARDLOG(hook::log::TYPE_INVALID) GUARDLOG(hook::log::TYPE_INVALID)
<< "Invalid local type. " << "Invalid local type. "
@@ -1309,7 +1299,7 @@ validateGuards(
auto valid = auto valid =
check_guard( check_guard(
hook, wasm,
j, j,
i, i,
code_end, code_end,