Check possible integer overflow in aot memory boundary check (#3920)

Check possible integer overflow in aot memory boundary check when the wasm memory is 64-bit.
2024-11-26 07:21:54 +00:00 · 2024-11-22 16:01:24 +08:00 · 2024-11-22 16:01:24 +08:00 · 62aca17279
commit 62aca17279
parent f1d03db8e5
1 changed files with 33 additions and 5 deletions
--- a/core/iwasm/compilation/aot_emit_memory.c
+++ b/core/iwasm/compilation/aot_emit_memory.c
@ -273,10 +273,24 @@ aot_check_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx,
    }

    /* offset1 = offset + addr; */
-    /* TODO: check whether integer overflow occurs when memory is 64-bit
-             and boundary check is enabled */
    BUILD_OP(Add, offset_const, addr, offset1, "offset1");

+    if (is_memory64 && comp_ctx->enable_bound_check) {
+        /* Check whether integer overflow occurs in offset + addr */
+        LLVMBasicBlockRef check_integer_overflow_end;
+        ADD_BASIC_BLOCK(check_integer_overflow_end,
+                        "check_integer_overflow_end");
+        LLVMMoveBasicBlockAfter(check_integer_overflow_end, block_curr);
+
+        BUILD_ICMP(LLVMIntULT, offset1, offset_const, cmp1, "cmp1");
+        if (!aot_emit_exception(comp_ctx, func_ctx,
+                                EXCE_OUT_OF_BOUNDS_MEMORY_ACCESS, true, cmp1,
+                                check_integer_overflow_end)) {
+            goto fail;
+        }
+        SET_BUILD_POS(check_integer_overflow_end);
+    }
+
    if (comp_ctx->enable_shared_heap /* TODO: && mem_idx == 0 */) {
        LLVMBasicBlockRef app_addr_in_shared_heap, app_addr_in_linear_mem;
        LLVMValueRef is_in_shared_heap, shared_heap_check_bound = NULL;
@ -303,7 +317,7 @@ aot_check_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx,
        LLVMPositionBuilderAtEnd(comp_ctx->builder, block_curr);

        if (!is_target_64bit) {
-            /* Check whether interger overflow occurs in addr + offset */
+            /* Check whether integer overflow occurs in addr + offset */
            LLVMBasicBlockRef check_integer_overflow_end;
            ADD_BASIC_BLOCK(check_integer_overflow_end,
                            "check_integer_overflow_end");
@ -1215,10 +1229,24 @@ check_bulk_memory_overflow(AOTCompContext *comp_ctx, AOTFuncContext *func_ctx,
        goto fail;
    }

-    /* TODO: check whether integer overflow occurs when memory is 64-bit
-             and boundary check is enabled */
    BUILD_OP(Add, offset, bytes, max_addr, "max_addr");

+    if (is_memory64 && comp_ctx->enable_bound_check) {
+        /* Check whether integer overflow occurs in offset + addr */
+        LLVMBasicBlockRef check_integer_overflow_end;
+        ADD_BASIC_BLOCK(check_integer_overflow_end,
+                        "check_integer_overflow_end");
+        LLVMMoveBasicBlockAfter(check_integer_overflow_end, block_curr);
+
+        BUILD_ICMP(LLVMIntULT, max_addr, offset, cmp, "cmp");
+        if (!aot_emit_exception(comp_ctx, func_ctx,
+                                EXCE_OUT_OF_BOUNDS_MEMORY_ACCESS, true, cmp,
+                                check_integer_overflow_end)) {
+            goto fail;
+        }
+        SET_BUILD_POS(check_integer_overflow_end);
+    }
+
    if (comp_ctx->enable_shared_heap /* TODO: && mem_idx == 0 */) {
        LLVMBasicBlockRef app_addr_in_shared_heap, app_addr_in_linear_mem;
        LLVMValueRef shared_heap_start_off, shared_heap_check_bound;