From 05f403d70515741afdc6c82243f8fc8351f213ac Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers
Date: Mon, 22 Mar 2021 13:33:54 -0400
Subject: [PATCH] Fix: bytecode linker: validate event and field array/sequence encoding
The bytecode linker should only allow linking filter expressions loading fields which are string-encoded arrays and sequence for comparison against a string, and reject arrays and sequences without encoding, so the filter interpreter does not attempt to load non-NULL terminated arrays/sequences as if they were strings.
Signed-off-by: Mathieu Desnoyers
Change-Id: Ia5f33ed036e310d66aee6b682ef0a17eb5b99982
---
 src/lttng-bytecode.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/lttng-bytecode.c b/src/lttng-bytecode.c
index 343e5380..38c2d183 100644
--- a/src/lttng-bytecode.c
+++ b/src/lttng-bytecode.c
@@ -244,12 +244,29 @@ int apply_field_reloc(const struct lttng_event_desc *event_desc,
 op->op = BYTECODE_OP_LOAD_FIELD_REF_S64;
 break;
 case atype_array_nestable:
+ {
+ const struct lttng_type *elem_type = field->type.u.array_nestable.elem_type;
+
+ if (!lttng_is_bytewise_integer(elem_type) || elem_type->u.integer.encoding == lttng_encode_none)
+ return -EINVAL;
+ if (field->user)
+ op->op = BYTECODE_OP_LOAD_FIELD_REF_USER_SEQUENCE;
+ else
+ op->op = BYTECODE_OP_LOAD_FIELD_REF_SEQUENCE;
+ break;
+ }
 case atype_sequence_nestable:
+ {
+ const struct lttng_type *elem_type = field->type.u.sequence_nestable.elem_type;
+
+ if (!lttng_is_bytewise_integer(elem_type) || elem_type->u.integer.encoding == lttng_encode_none)
+ return -EINVAL;
 if (field->user)
 op->op = BYTECODE_OP_LOAD_FIELD_REF_USER_SEQUENCE;
 else
 op->op = BYTECODE_OP_LOAD_FIELD_REF_SEQUENCE;
 break;
+ }
 case atype_string:
 if (field->user)
 op->op = BYTECODE_OP_LOAD_FIELD_REF_USER_STRING;
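Review bot: The element-type test `!lttng_is_bytewise_integer(elem_type) || elem_type->u.integer.encoding == lttng_encode_none` is written out twice in this hunk and twice more in the apply_context_reloc hunk, so the two linkers can silently drift apart the next time the rule changes; a single static helper keeps the policy in one place. The expression also relies on short-circuit evaluation, since `u.integer` is only meaningful once the bytewise-integer test has passed, and that deserves a comment where the helper is defined. The array case now emits the SEQUENCE opcodes rather than an array-specific one; presumably the interpreter's sequence path is length-bounded, which is what makes a text-encoded fixed array safe to compare, but a one-line comment at the case would save the next reader the trip. apply_field_reloc's body begins and ends outside the hunk.
```c
/* Text-encoded byte arrays/sequences may be loaded and compared as strings;
 * u.integer is only valid once the bytewise-integer test has passed. */
static bool lttng_is_string_encoded_array(const struct lttng_type *elem_type)
{
	return lttng_is_bytewise_integer(elem_type) &&
		elem_type->u.integer.encoding != lttng_encode_none;
}

/* … unchanged: apply_field_reloc up to the array case … */
	case atype_array_nestable:
		if (!lttng_is_string_encoded_array(field->type.u.array_nestable.elem_type))
			return -EINVAL;
		/* Fixed-length arrays share the sequence load path. */
		if (field->user)
			op->op = BYTECODE_OP_LOAD_FIELD_REF_USER_SEQUENCE;
		else
			op->op = BYTECODE_OP_LOAD_FIELD_REF_SEQUENCE;
		break;
	case atype_sequence_nestable:
		if (!lttng_is_string_encoded_array(field->type.u.sequence_nestable.elem_type))
			return -EINVAL;
/* … unchanged: sequence opcode selection, string case … */
```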
@@ -314,17 +331,25 @@ int apply_context_reloc(struct bytecode_runtime *runtime,
 op->op = BYTECODE_OP_GET_CONTEXT_REF_STRING;
 break;
 case atype_array_nestable:
- if (!lttng_is_bytewise_integer(ctx_field->event_field.type.u.array_nestable.elem_type))
+ {
+ const struct lttng_type *elem_type = ctx_field->event_field.type.u.array_nestable.elem_type;
+
+ if (!lttng_is_bytewise_integer(elem_type) || elem_type->u.integer.encoding == lttng_encode_none)
 return -EINVAL;
 BUG_ON(ctx_field->event_field.user);
 op->op = BYTECODE_OP_GET_CONTEXT_REF_STRING;
 break;
+ }
 case atype_sequence_nestable:
- if (!lttng_is_bytewise_integer(ctx_field->event_field.type.u.sequence_nestable.elem_type))
+ {
+ const struct lttng_type *elem_type = ctx_field->event_field.type.u.sequence_nestable.elem_type;
+
+ if (!lttng_is_bytewise_integer(elem_type) || elem_type->u.integer.encoding == lttng_encode_none)
 return -EINVAL;
 BUG_ON(ctx_field->event_field.user);
 op->op = BYTECODE_OP_GET_CONTEXT_REF_STRING;
 break;
+ }
 case atype_struct_nestable: /* Unsupported. */
 case atype_variant_nestable: /* Unsupported. */
 default:
-- 
2.34.1
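Review bot: Both the array and the sequence case in this hunk still emit BYTECODE_OP_GET_CONTEXT_REF_STRING, so unlike the field linker, which selects SEQUENCE opcodes, the new encoding test is the only thing standing between a non-text context byte buffer and a NUL-terminated string read; that should be stated where the opcode is chosen, e.g. `/* Text-encoded arrays are read as strings; the encoding was validated above. */`. A fixed-length array with a string encoding is not guaranteed to carry a terminator within its bounds, so whether the string opcode's interpreter path is bounded by the array length should be confirmed — presumably it is, but this hunk does not show it. The `BUG_ON(ctx_field->event_field.user)` lines are pre-existing; if a user-space context array could ever reach this path, returning -EINVAL like the lines just above would be the safer link-time failure than a panic, but that depends on callers outside the hunk. apply_context_reloc's body starts and ends outside the hunk.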