Mailing List Archive

JIT code generation on Windows x64 / MSVC
One of the recent bytecode signatures:

LibClamAV debug: Bytecode 0001444645.cbc(38) has logical signature:
BC.Exploit.CVE_2012_0165.{CVE_2012_0165};Engine:56-255,Target:0;0;0:01000000{36}20454d46

ends up calling the abort function defined in byte2code2llvm.cpp:

.Case("abort", (void*)(intptr_t)jit_exception_handler)

on certain input data.

jit_exception_handler calls longjmp, which tries to unwind the stack
using RtlUnwindEx. However, the JIT'd code generated by LLVM hasn't
generated the unwind information which RtlUnwindEx requires, so this
fails. From what I could figure out the JIT generator needs to call
RtlAddFunctionTable and ensure that function prolog/epilog is of the
appropriate form to make longjmp work. (I started poking this, but I
didn't get very far as I'm not very familiar with LLVM and have very
limited time to work on this).

I do have input that will reliably trigger this; however, it's somebody's
mail so unfortunately I can't share it -- just calling abort from some
bytecode would be enough to reproduce this though.

(I would have put this in bugzilla but it doesn't seem to be sending the
confirmation mail required to create an account which is required to add
a bug).

Thanks,

Mark
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
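As an added example (not code from this thread or from ClamAV), here is the missing piece the message describes: the UNWIND_INFO descriptor a Windows x64 JIT has to emit for each generated function before RtlUnwindEx can step through its frame. It assumes the frame prolog shape and instruction lengths given in the comments; the function name and the handling of larger frames (UWOP_ALLOC_LARGE) are the example's own.

```c
/* Encode x64 UNWIND_INFO for a JIT'd function with the canonical prolog
 *   push rbp / mov rbp,rsp / sub rsp,N
 * so that RtlUnwindEx (and hence longjmp) can walk through its frame.
 * Assumes little-endian (x64) and the prolog byte lengths noted below. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum { UWOP_PUSH_NONVOL = 0, UWOP_ALLOC_LARGE = 1, UWOP_ALLOC_SMALL = 2, UWOP_SET_FPREG = 3 };
enum { REG_RBP = 5 };   /* register numbering used by UNWIND_CODE: rax=0 ... rbp=5 ... r15=15 */

/* One UNWIND_CODE slot: byte 0 = offset just past the prolog instruction,
 * byte 1 = opcode in the low nibble, opcode-specific info in the high nibble. */
static size_t emit_code(uint8_t *out, uint8_t code_offset, uint8_t op, uint8_t info) {
    out[0] = code_offset;
    out[1] = (uint8_t)(op | (info << 4));
    return 2;
}

/* Writes UNWIND_INFO for a frame of frame_size bytes (multiple of 8) into out and returns
 * the byte count, or 0 on bad input or a too-small buffer. Assumed prolog encodings:
 * 55 (1 byte) | 48 89 E5 (3) | 48 83 EC ib (4) or, for N > 127, 48 81 EC id (7). */
size_t build_unwind_info(uint8_t *out, size_t cap, uint32_t frame_size) {
    const uint8_t push_end = 1, mov_end = 4;
    const uint8_t sub_end = (uint8_t)(mov_end + (frame_size <= 127 ? 4 : 7));
    uint8_t codes[16];
    size_t n = 0, count, padded, total;
    if (frame_size == 0 || frame_size % 8 != 0) return 0;
    /* Unwind codes are listed in reverse prolog order: last instruction first. */
    if (frame_size <= 128) {                   /* UWOP_ALLOC_SMALL: info = size/8 - 1 */
        n += emit_code(codes + n, sub_end, UWOP_ALLOC_SMALL, (uint8_t)(frame_size / 8 - 1));
    } else if (frame_size <= 512 * 1024 - 8) { /* UWOP_ALLOC_LARGE, info 0: next slot = size/8 */
        uint16_t slots = (uint16_t)(frame_size / 8);
        n += emit_code(codes + n, sub_end, UWOP_ALLOC_LARGE, 0);
        memcpy(codes + n, &slots, 2); n += 2;
    } else {                                   /* UWOP_ALLOC_LARGE, info 1: next two slots = size */
        n += emit_code(codes + n, sub_end, UWOP_ALLOC_LARGE, 1);
        memcpy(codes + n, &frame_size, 4); n += 4;
    }
    n += emit_code(codes + n, mov_end, UWOP_SET_FPREG, 0);          /* rbp = rsp + FrameOffset*16 */
    n += emit_code(codes + n, push_end, UWOP_PUSH_NONVOL, REG_RBP);
    count = n / 2;
    padded = (count + 1) & ~(size_t)1;         /* the code array is padded to an even slot count */
    total = 4 + padded * 2;
    if (cap < total) return 0;
    out[0] = 1;                                /* Version 1, Flags 0: no handler, not chained */
    out[1] = sub_end;                          /* SizeOfProlog */
    out[2] = (uint8_t)count;                   /* CountOfCodes counts slots, not instructions */
    out[3] = REG_RBP;                          /* FrameRegister = RBP, FrameOffset = 0 */
    memcpy(out + 4, codes, n);
    memset(out + 4 + n, 0, total - 4 - n);     /* zero the padding slot, if any */
    return total;
}
```

On Windows the JIT then fills a RUNTIME_FUNCTION with the base-relative offsets of the code range and of this blob and passes it to RtlAddFunctionTable(table, 1, base); without that registration the unwinder finds no descriptor for the JIT'd frame and longjmp out of jit_exception_handler fails as the message describes.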
Re: JIT code generation on Windows x64 / MSVC
On Jan 9, 2013, at 9:27 AM, Mark Weaver <mark-clist@npsl.co.uk> wrote:

> One of the recent bytecode signatures:
>
> LibClamAV debug: Bytecode 0001444645.cbc(38) has logical signature: BC.Exploit.CVE_2012_0165.{CVE_2012_0165};Engine:56-255,Target:0;0;0:01000000{36}20454d46
>
> ends up calling the abort function defined in byte2code2llvm.cpp:
>
> .Case("abort", (void*)(intptr_t)jit_exception_handler)
>
> on certain input data.
>
> jit_exception_handler calls longjmp, which tries to unwind the stack using RtlUnwindEx. However, the JIT'd code generated by LLVM hasn't generated the unwind information which RtlUnwindEx requires, so this fails. From what I could figure out the JIT generator needs to call RtlAddFunctionTable and ensure that function prolog/epilog is of the appropriate form to make longjmp work. (I started poking this, but I didn't get very far as I'm not very familiar with LLVM and have very limited time to work on this).
>
> I do have input that will reliably trigger this; however, it's somebody's mail so unfortunately I can't share it -- just calling abort from some bytecode would be enough to reproduce this though.
>
> (I would have put this in bugzilla but it doesn't seem to be sending the confirmation mail required to create an account which is required to add a bug).


Thanks Mark, I've forwarded your email on.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire