Fix: bytecode linker: validate event and field array/sequence encoding

The bytecode linker should only allow linking filter expressions loading
fields which are string-encoded arrays and sequence for comparison
against a string, and reject arrays and sequences without encoding, so
the filter interpreter does not attempt to load non-NULL terminated
arrays/sequences as if they were strings.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Change-Id: I61213b736b2e41b55ad8d6b32a6db0f50494e316

diff --git a/lttng-filter.c b/lttng-filter.c
index 325ae7bbc0538c975ca00bcd305f9ba4cc4fd063..c33fa5f281c77be6714be9ecbfe85b2a2c0787cc 100644 (file)
--- a/lttng-filter.c
+++ b/lttng-filter.c
@@ -241,12 +241,29 @@ int apply_field_reloc(struct lttng_event *event,
                        op->op = FILTER_OP_LOAD_FIELD_REF_S64;
                        break;
                case atype_array:
+               {
+                       const struct lttng_basic_type *elem_type = &field->type.u.array.elem_type;
+
+                       if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+                               return -EINVAL;
+                       if (field->user)
+                               op->op = FILTER_OP_LOAD_FIELD_REF_USER_SEQUENCE;
+                       else
+                               op->op = FILTER_OP_LOAD_FIELD_REF_SEQUENCE;
+                       break;
+               }
                case atype_sequence:
+               {
+                       const struct lttng_basic_type *elem_type = &field->type.u.sequence.elem_type;
+
+                       if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+                               return -EINVAL;
                        if (field->user)
                                op->op = FILTER_OP_LOAD_FIELD_REF_USER_SEQUENCE;
                        else
                                op->op = FILTER_OP_LOAD_FIELD_REF_SEQUENCE;
                        break;
+               }
                case atype_string:
                        if (field->user)
                                op->op = FILTER_OP_LOAD_FIELD_REF_USER_STRING;
@@ -311,9 +328,27 @@ int apply_context_reloc(struct lttng_event *event,
                        op->op = FILTER_OP_GET_CONTEXT_REF_S64;
                        break;
                        /* Sequence and array supported as string */
-               case atype_string:
                case atype_array:
+               {
+                       const struct lttng_basic_type *elem_type = &ctx_field->event_field.type.u.array.elem_type;
+
+                       if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+                               return -EINVAL;
+                       BUG_ON(ctx_field->event_field.user);
+                       op->op = FILTER_OP_GET_CONTEXT_REF_STRING;
+                       break;
+               }
                case atype_sequence:
+               {
+                       const struct lttng_basic_type *elem_type = &ctx_field->event_field.type.u.sequence.elem_type;
+
+                       if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+                               return -EINVAL;
+                       BUG_ON(ctx_field->event_field.user);
+                       op->op = FILTER_OP_GET_CONTEXT_REF_STRING;
+                       break;
+               }
+               case atype_string:
                        BUG_ON(ctx_field->event_field.user);
                        op->op = FILTER_OP_GET_CONTEXT_REF_STRING;
                        break;