languages/dart-sdk
languages/dart-sdk
1
0
Fork 0
mirror of https://github.com/dart-lang/sdk synced 2024-10-14 15:47:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

[vm] Guard against bad brand strings in CPUID

Browse source 
Brand string is supposed to be NULL-terminated.

However we are seeing cases in the wild where
this string is not null-terminated which
causes buffer overrun when trying to print it.

Add trailing '\0' to the brand string to guard
against such cases.

Fixes https://github.com/flutter/flutter/issues/114346

TEST=manually

Change-Id: I21e545bd2fb52336a1fcd7edacb0b867740e8d61
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/269720
Reviewed-by: Martin Kustermann <kustermann@google.com>
Commit-Queue: Slava Egorov <vegorov@google.com>
This commit is contained in:
Vyacheslav Egorov 2022-11-14 15:42:52 +00:00 committed by Commit Queue
parent 3e00be7c1c
commit c55f2924fe
2 changed files with 11 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
runtime/vm/cpuid.cc
View file

@ -27,7 +27,7 @@ const char* CpuId::brand_string_ = nullptr;
#if defined(HOST_ARCH_IA32) || defined(HOST_ARCH_X64)
void CpuId::GetCpuId(int32_t level, uint32_t info[4]) {
static void GetCpuId(int32_t level, uint32_t info[4]) {
#if defined(DART_HOST_OS_WINDOWS)
// The documentation for __cpuid is at:
// http://msdn.microsoft.com/en-us/library/hskdteyh(v=vs.90).aspx
@ -57,15 +57,16 @@ void CpuId::Init() {
GetCpuId(0x80000001, info);
CpuId::abm_ = (info[2] & (1 << 5)) != 0;
char* brand_string =
reinterpret_cast<char*>(malloc(3 * 4 * sizeof(uint32_t)));
for (uint32_t i = 0x80000002; i <= 0x80000004; i++) {
uint32_t off = (i - 0x80000002U) * 4 * sizeof(uint32_t);
GetCpuId(i, info);
*reinterpret_cast<int32_t*>(brand_string + off) = info[0];
*reinterpret_cast<int32_t*>(brand_string + off + 4) = info[1];
*reinterpret_cast<int32_t*>(brand_string + off + 8) = info[2];
*reinterpret_cast<int32_t*>(brand_string + off + 12) = info[3];
// Brand string returned by CPUID is expected to be NULL-terminated,
// however we have seen cases in the wild which violate this assumption.
// To avoid going out of bounds when trying to print this string
// we add null-terminator ourselves, just in case.
//
// See https://github.com/flutter/flutter/issues/114346
char* brand_string = reinterpret_cast<char*>(calloc(3 * sizeof(info) + 1, 1));
for (uint32_t i = 0; i < 2; i++) {
GetCpuId(0x80000002U + i, info);
memmove(&brand_string[i * sizeof(info)], &info, sizeof(info));
}
CpuId::brand_string_ = brand_string;
}

2
runtime/vm/cpuid.h
View file

@ -42,8 +42,6 @@ class CpuId : public AllStatic {
static bool abm_;
static const char* id_string_;
static const char* brand_string_;
static void GetCpuId(int32_t level, uint32_t info[4]);
};
} // namespace dart