[GR-33183] Improve wasm memory bounds check.

PullRequest: graal/9564

Author: woess

wasm/src/org.graalvm.wasm/src/org/graalvm/wasm/BinaryParser.java

@@ -1333,8 +1333,8 @@ private void readDataSection(WasmContext linkedContext, WasmInstance linkedInsta
                 // directly.
                 final WasmMemory memory = linkedInstance.memory();
 
-                Assert.assertUnsignedIntLessOrEqual(offsetAddress, memory.byteSize(), Failure.DATA_SEGMENT_DOES_NOT_FIT);
-                Assert.assertUnsignedIntLessOrEqual(offsetAddress + byteLength, memory.byteSize(), Failure.DATA_SEGMENT_DOES_NOT_FIT);
+                Assert.assertUnsignedIntLessOrEqual(offsetAddress, WasmMath.toUnsignedIntExact(memory.byteSize()), Failure.DATA_SEGMENT_DOES_NOT_FIT);
+                Assert.assertUnsignedIntLessOrEqual(offsetAddress + byteLength, WasmMath.toUnsignedIntExact(memory.byteSize()), Failure.DATA_SEGMENT_DOES_NOT_FIT);
 
                 for (int writeOffset = 0; writeOffset != byteLength; ++writeOffset) {
                     final byte b = read1();

wasm/src/org.graalvm.wasm/src/org/graalvm/wasm/Linker.java

@@ -364,8 +364,8 @@ void resolveDataSegment(WasmContext context, WasmInstance instance, int dataSegm
                 baseAddress = offsetAddress;
             }
 
-            Assert.assertUnsignedIntLessOrEqual(baseAddress, memory.byteSize(), Failure.DATA_SEGMENT_DOES_NOT_FIT);
-            Assert.assertUnsignedIntLessOrEqual(baseAddress + byteLength, memory.byteSize(), Failure.DATA_SEGMENT_DOES_NOT_FIT);
+            Assert.assertUnsignedIntLessOrEqual(baseAddress, WasmMath.toUnsignedIntExact(memory.byteSize()), Failure.DATA_SEGMENT_DOES_NOT_FIT);
+            Assert.assertUnsignedIntLessOrEqual(baseAddress + byteLength, WasmMath.toUnsignedIntExact(memory.byteSize()), Failure.DATA_SEGMENT_DOES_NOT_FIT);
 
             for (int writeOffset = 0; writeOffset != byteLength; ++writeOffset) {
                 byte b = data[writeOffset];

wasm/src/org.graalvm.wasm/src/org/graalvm/wasm/WasmMath.java

@@ -108,6 +108,20 @@ public static int maxUnsigned(int a, int b) {
         return compareUnsigned(a, b) > 0 ? a : b;
     }
 
+    /**
+     * Returns the value of the {@code long} argument as an {@code int}; throwing an exception if
+     * the value overflows an unsigned {@code int}.
+     *
+     * @throws ArithmeticException if the argument is outside of the unsigned int32 range
+     * @since 1.8
+     */
+    public static int toUnsignedIntExact(long value) {
+        if (value < 0 || value > 0xffff_ffffL) {
+            throw new ArithmeticException("unsigned int overflow");
+        }
+        return (int) value;
+    }
+
     /**
      * Converts the given unsigned {@code int} to the closest {@code float} value.
      */

wasm/src/org.graalvm.wasm/src/org/graalvm/wasm/memory/ByteArrayWasmMemory.java

@@ -103,11 +103,13 @@ public ByteArrayWasmMemory(int declaredMinSize, int declaredMaxSize, int maxAllo
         this(declaredMinSize, declaredMaxSize, declaredMinSize, maxAllowedSize);
     }
 
-    @TruffleBoundary
-    private WasmException trapOutOfBounds(Node node, int address, long size) {
-        final String message = String.format("%d-byte memory access at address 0x%016X (%d) is out-of-bounds (memory size %d bytes).",
-                        size, address, address, byteSize());
-        return WasmException.create(Failure.OUT_OF_BOUNDS_MEMORY_ACCESS, node, message);
+    private int validateAddress(Node node, long address, int length) {
+        assert length >= 1;
+        if (address < 0 || address > Integer.MAX_VALUE) {
+            CompilerDirectives.transferToInterpreterAndInvalidate();
+            throw trapOutOfBounds(node, address, length);
+        }
+        return (int) address;
     }
 
     @Override
@@ -126,7 +128,7 @@ public int size() {
     }
 
     @Override
-    public int byteSize() {
+    public long byteSize() {
         return buffer.length;
     }
 
@@ -168,208 +170,231 @@ public void reset() {
     }
 
     @Override
-    public int load_i32(Node node, int address) {
+    public int load_i32(Node node, long address) {
+        int intAddress = validateAddress(node, address, 4);
         try {
-            return ByteArraySupport.littleEndian().getInt(buffer, address);
+            return ByteArraySupport.littleEndian().getInt(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 4);
         }
     }
 
     @Override
-    public long load_i64(Node node, int address) {
+    public long load_i64(Node node, long address) {
+        int intAddress = validateAddress(node, address, 8);
         try {
-            return ByteArraySupport.littleEndian().getLong(buffer, address);
+            return ByteArraySupport.littleEndian().getLong(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 8);
         }
     }
 
     @Override
-    public float load_f32(Node node, int address) {
+    public float load_f32(Node node, long address) {
+        int intAddress = validateAddress(node, address, 4);
         try {
-            return ByteArraySupport.littleEndian().getFloat(buffer, address);
+            return ByteArraySupport.littleEndian().getFloat(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 4);
         }
     }
 
     @Override
-    public double load_f64(Node node, int address) {
+    public double load_f64(Node node, long address) {
+        int intAddress = validateAddress(node, address, 8);
         try {
-            return ByteArraySupport.littleEndian().getDouble(buffer, address);
+            return ByteArraySupport.littleEndian().getDouble(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 8);
         }
     }
 
     @Override
-    public int load_i32_8s(Node node, int address) {
+    public int load_i32_8s(Node node, long address) {
+        int intAddress = validateAddress(node, address, 1);
         try {
-            return ByteArraySupport.littleEndian().getByte(buffer, address);
+            return ByteArraySupport.littleEndian().getByte(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 1);
         }
     }
 
     @Override
-    public int load_i32_8u(Node node, int address) {
+    public int load_i32_8u(Node node, long address) {
+        int intAddress = validateAddress(node, address, 1);
         try {
-            return 0x0000_00ff & ByteArraySupport.littleEndian().getByte(buffer, address);
+            return 0x0000_00ff & ByteArraySupport.littleEndian().getByte(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 1);
         }
     }
 
     @Override
-    public int load_i32_16s(Node node, int address) {
+    public int load_i32_16s(Node node, long address) {
+        int intAddress = validateAddress(node, address, 2);
         try {
-            return ByteArraySupport.littleEndian().getShort(buffer, address);
+            return ByteArraySupport.littleEndian().getShort(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 2);
         }
     }
 
     @Override
-    public int load_i32_16u(Node node, int address) {
+    public int load_i32_16u(Node node, long address) {
+        int intAddress = validateAddress(node, address, 2);
         try {
-            return 0x0000_ffff & ByteArraySupport.littleEndian().getShort(buffer, address);
+            return 0x0000_ffff & ByteArraySupport.littleEndian().getShort(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 2);
         }
     }
 
     @Override
-    public long load_i64_8s(Node node, int address) {
+    public long load_i64_8s(Node node, long address) {
+        int intAddress = validateAddress(node, address, 1);
         try {
-            return ByteArraySupport.littleEndian().getByte(buffer, address);
+            return ByteArraySupport.littleEndian().getByte(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 1);
         }
     }
 
     @Override
-    public long load_i64_8u(Node node, int address) {
+    public long load_i64_8u(Node node, long address) {
+        int intAddress = validateAddress(node, address, 1);
         try {
-            return 0x0000_0000_0000_00ffL & ByteArraySupport.littleEndian().getByte(buffer, address);
+            return 0x0000_0000_0000_00ffL & ByteArraySupport.littleEndian().getByte(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 1);
         }
     }
 
     @Override
-    public long load_i64_16s(Node node, int address) {
+    public long load_i64_16s(Node node, long address) {
+        int intAddress = validateAddress(node, address, 2);
         try {
-            return ByteArraySupport.littleEndian().getShort(buffer, address);
+            return ByteArraySupport.littleEndian().getShort(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 2);
         }
     }
 
     @Override
-    public long load_i64_16u(Node node, int address) {
+    public long load_i64_16u(Node node, long address) {
+        int intAddress = validateAddress(node, address, 2);
         try {
-            return 0x0000_0000_0000_ffffL & ByteArraySupport.littleEndian().getShort(buffer, address);
+            return 0x0000_0000_0000_ffffL & ByteArraySupport.littleEndian().getShort(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 2);
         }
     }
 
     @Override
-    public long load_i64_32s(Node node, int address) {
+    public long load_i64_32s(Node node, long address) {
+        int intAddress = validateAddress(node, address, 4);
         try {
-            return ByteArraySupport.littleEndian().getInt(buffer, address);
+            return ByteArraySupport.littleEndian().getInt(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 4);
         }
     }
 
     @Override
-    public long load_i64_32u(Node node, int address) {
+    public long load_i64_32u(Node node, long address) {
+        int intAddress = validateAddress(node, address, 4);
         try {
-            return 0x0000_0000_ffff_ffffL & ByteArraySupport.littleEndian().getInt(buffer, address);
+            return 0x0000_0000_ffff_ffffL & ByteArraySupport.littleEndian().getInt(buffer, intAddress);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 4);
         }
     }
 
     @Override
-    public void store_i32(Node node, int address, int value) {
+    public void store_i32(Node node, long address, int value) {
+        int intAddress = validateAddress(node, address, 4);
         try {
-            ByteArraySupport.littleEndian().putInt(buffer, address, value);
+            ByteArraySupport.littleEndian().putInt(buffer, intAddress, value);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 4);
         }
     }
 
     @Override
-    public void store_i64(Node node, int address, long value) {
+    public void store_i64(Node node, long address, long value) {
+        int intAddress = validateAddress(node, address, 8);
         try {
-            ByteArraySupport.littleEndian().putLong(buffer, address, value);
+            ByteArraySupport.littleEndian().putLong(buffer, intAddress, value);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 8);
         }
 
     }
 
     @Override
-    public void store_f32(Node node, int address, float value) {
+    public void store_f32(Node node, long address, float value) {
+        int intAddress = validateAddress(node, address, 4);
         try {
-            ByteArraySupport.littleEndian().putFloat(buffer, address, value);
+            ByteArraySupport.littleEndian().putFloat(buffer, intAddress, value);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 4);
         }
     }
 
     @Override
-    public void store_f64(Node node, int address, double value) {
+    public void store_f64(Node node, long address, double value) {
+        int intAddress = validateAddress(node, address, 8);
         try {
-            ByteArraySupport.littleEndian().putDouble(buffer, address, value);
+            ByteArraySupport.littleEndian().putDouble(buffer, intAddress, value);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 8);
         }
     }
 
     @Override
-    public void store_i32_8(Node node, int address, byte value) {
+    public void store_i32_8(Node node, long address, byte value) {
+        int intAddress = validateAddress(node, address, 1);
         try {
-            ByteArraySupport.littleEndian().putByte(buffer, address, value);
+            ByteArraySupport.littleEndian().putByte(buffer, intAddress, value);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 1);
         }
     }
 
     @Override
-    public void store_i32_16(Node node, int address, short value) {
+    public void store_i32_16(Node node, long address, short value) {
+        int intAddress = validateAddress(node, address, 2);
         try {
-            ByteArraySupport.littleEndian().putShort(buffer, address, value);
+            ByteArraySupport.littleEndian().putShort(buffer, intAddress, value);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 2);
         }
     }
 
     @Override
-    public void store_i64_8(Node node, int address, byte value) {
+    public void store_i64_8(Node node, long address, byte value) {
+        int intAddress = validateAddress(node, address, 1);
         try {
-            ByteArraySupport.littleEndian().putByte(buffer, address, value);
+            ByteArraySupport.littleEndian().putByte(buffer, intAddress, value);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 1);
         }
     }
 
     @Override
-    public void store_i64_16(Node node, int address, short value) {
+    public void store_i64_16(Node node, long address, short value) {
+        int intAddress = validateAddress(node, address, 2);
         try {
-            ByteArraySupport.littleEndian().putShort(buffer, address, value);
+            ByteArraySupport.littleEndian().putShort(buffer, intAddress, value);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 2);
         }
     }
 
     @Override
-    public void store_i64_32(Node node, int address, int value) {
+    public void store_i64_32(Node node, long address, int value) {
+        int intAddress = validateAddress(node, address, 4);
         try {
-            ByteArraySupport.littleEndian().putInt(buffer, address, value);
+            ByteArraySupport.littleEndian().putInt(buffer, intAddress, value);
         } catch (final IndexOutOfBoundsException e) {
             throw trapOutOfBounds(node, address, 4);
         }