test,security: added example code for invalid branch hints

Signed-off-by: Stephen Berard <[email protected]>

Author: srberard

tests/invalid-branch-hints/CMakeLists.txt

@@ -0,0 +1,45 @@
+cmake_minimum_required (VERSION 3.14)
+
+set (EXE_NAME invalid-branch-hints)
+project (${EXE_NAME})
+
+################  runtime settings  ################
+string (TOLOWER ${CMAKE_HOST_SYSTEM_NAME} WAMR_BUILD_PLATFORM)
+
+# Reset default linker flags
+set (CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
+set (CMAKE_SHARED_LIBRARY_LINK_CXX_FLAGS "")
+
+# WAMR features switch
+set (CMAKE_BUILD_TYPE Debug)
+
+set (WAMR_BUILD_INTERP 1)
+set (WAMR_BUILD_AOT 1)
+set (WAMR_BUILD_JIT 0)
+set (WAMR_BUILD_LIBC_BUILTIN 1)
+set (WAMR_BUILD_LIBC_WASI 1)
+
+# Explicitly enable branch hints
+add_definitions(-DWASM_ENABLE_BRANCH_HINTS=1)
+
+  # linker flags
+if (NOT (CMAKE_C_COMPILER MATCHES ".*clang.*" OR CMAKE_C_COMPILER_ID MATCHES ".*Clang"))
+  set (CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--gc-sections")
+endif ()
+if (WAMR_BUILD_TARGET MATCHES "X86_.*" OR WAMR_BUILD_TARGET STREQUAL "AMD_64")
+  if (NOT (CMAKE_C_COMPILER MATCHES ".*clang.*" OR CMAKE_C_COMPILER_ID MATCHES ".*Clang"))
+    set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mindirect-branch-register")
+  endif ()
+endif ()
+
+# build out vmlib
+set (WAMR_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
+include (${WAMR_ROOT_DIR}/build-scripts/runtime_lib.cmake)
+
+add_library(vmlib ${WAMR_RUNTIME_LIB_SOURCE})
+
+################  application related  ################
+add_executable (${EXE_NAME} main.c )
+target_link_libraries (${EXE_NAME} vmlib -lm )
+
+

tests/invalid-branch-hints/branch_hint_invalid_free.wasm

@@ -0,0 +1,48 @@
+from pathlib import Path
+
+def u32leb(n):
+    out = bytearray()
+    while True:
+        b = n & 0x7f
+        n >>= 7
+        if n:
+            b |= 0x80
+        out.append(b)
+        if not n:
+            break
+    return bytes(out)
+name = b"metadata.code.branch_hint"
+assert len(name) == 25
+def build_module(payload_tail, out_path):
+    payload = b"".join([
+        u32leb(len(name)),
+        name,
+        payload_tail
+    ])
+    custom_section = b"\x00" + u32leb(len(payload)) + payload
+    payload_type = u32leb(1) + b"\x60" + u32leb(0) + u32leb(0)
+    sec_type = b"\x01" + u32leb(len(payload_type)) + payload_type
+    payload_func = u32leb(1) + u32leb(0)
+    sec_func = b"\x03" + u32leb(len(payload_func)) + payload_func
+    body = u32leb(0) + b"\x0b"
+    payload_code = u32leb(1) + u32leb(len(body)) + body
+    sec_code = b"\x0a" + u32leb(len(payload_code)) + payload_code
+    module = b"\x00asm" + b"\x01\x00\x00\x00" + sec_type + sec_func + sec_code + custom_section
+    Path(out_path).write_bytes(module)
+payload_invalid_free = b"".join([
+    b"\x01",            # numFunctionHints
+    b"\x00",            # func_idx
+    b"\x02",            # num_hints
+    b"\x00",            # hint0 offset
+    b"\x01",            # hint0 size
+    b"\x00",            # hint0 data
+    b"\x00",            # hint1 offset
+    b"\x02",            # hint1 size (invalid)
+])
+build_module(payload_invalid_free, "branch_hint_invalid_free.wasm")
+payload_dos = b"".join([
+    b"\x01",            
+    b"\x00",
+    b"\xff\xff\xff\xff\x0f",
+])
+build_module(payload_dos, "branch_hint_null_deref.wasm")

tests/invalid-branch-hints/branch_hint_null_deref.wasm

@@ -0,0 +1,96 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "wasm_export.h"
+
+static uint8_t *
+read_file(const char *path, uint32_t *out_size)
+{
+    FILE *fp = fopen(path, "rb");
+    long size;
+    uint8_t *buf;
+
+    if (!fp) {
+        return NULL;
+    }
+
+    if (fseek(fp, 0, SEEK_END) != 0) {
+        fclose(fp);
+        return NULL;
+    }
+
+    size = ftell(fp);
+    if (size < 0) {
+        fclose(fp);
+        return NULL;
+    }
+
+    if (fseek(fp, 0, SEEK_SET) != 0) {
+        fclose(fp);
+        return NULL;
+    }
+
+    if (size == 0) {
+        fclose(fp);
+        return NULL;
+    }
+
+    buf = (uint8_t *)malloc((size_t)size);
+    if (!buf) {
+        fclose(fp);
+        return NULL;
+    }
+
+    if (fread(buf, 1, (size_t)size, fp) != (size_t)size) {
+        free(buf);
+        fclose(fp);
+        return NULL;
+    }
+
+    fclose(fp);
+    *out_size = (uint32_t)size;
+    return buf;
+}
+
+int
+main(int argc, char **argv)
+{
+    RuntimeInitArgs init_args;
+    wasm_module_t module = NULL;
+    uint8_t *buffer = NULL;
+    uint32_t size = 0;
+    char error_buf[128];
+
+    if (argc != 2) {
+        fprintf(stderr, "usage: %s <wasm-file>\n", argv[0]);
+        return 1;
+    }
+
+    memset(&init_args, 0, sizeof(init_args));
+    init_args.mem_alloc_type = Alloc_With_System_Allocator;
+
+    if (!wasm_runtime_full_init(&init_args)) {
+        fprintf(stderr, "wasm_runtime_full_init failed\n");
+        return 1;
+    }
+
+    buffer = read_file(argv[1], &size);
+    if (!buffer) {
+        fprintf(stderr, "read_file failed\n");
+        wasm_runtime_destroy();
+        return 1;
+    }
+
+    module = wasm_runtime_load(buffer, size, error_buf, sizeof(error_buf));
+    if (!module) {
+        fprintf(stderr, "wasm_runtime_load failed: %s\n", error_buf);
+    }
+    else {
+        wasm_runtime_unload(module);
+    }
+
+    free(buffer);
+    wasm_runtime_destroy();
+    return 0;
+}