From b82404da072680a71f4dfca66a24325304151643 Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers
Date: Mon, 22 Mar 2021 14:23:44 -0400
Subject: [PATCH] Fix: bytecode linker: validate event and field array/sequence encoding

The bytecode linker should only allow linking filter expressions loading fields which are string-encoded arrays and sequence for comparison against a string, and reject arrays and sequences without encoding, so the filter interpreter does not attempt to load non-NULL terminated arrays/sequences as if they were strings.

Signed-off-by: Mathieu Desnoyers
Change-Id: Ic13fbbb0d601eddbb7d98f4a5e13fe3f45612fd8
---
 liblttng-ust/lttng-filter.c | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/liblttng-ust/lttng-filter.c b/liblttng-ust/lttng-filter.c
index d52658ae..2db388dc 100644
--- a/liblttng-ust/lttng-filter.c
+++ b/liblttng-ust/lttng-filter.c
@@ -254,9 +254,23 @@ int apply_field_reloc(struct lttng_event *event,
 		op->op = FILTER_OP_LOAD_FIELD_REF_S64;
 		break;
 	case atype_array:
+	{
+		const struct lttng_basic_type *elem_type = &field->type.u.array.elem_type;
+
+		if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+			return -EINVAL;
+		op->op = FILTER_OP_LOAD_FIELD_REF_SEQUENCE;
+		break;
+	}
 	case atype_sequence:
+	{
+		const struct lttng_basic_type *elem_type = &field->type.u.sequence.elem_type;
+
+		if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+			return -EINVAL;
 		op->op = FILTER_OP_LOAD_FIELD_REF_SEQUENCE;
 		break;
+	}
 	case atype_string:
 		op->op = FILTER_OP_LOAD_FIELD_REF_STRING;
 		break;
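Review bot: `elem_type != atype_integer` in the added `if` compares the `const struct lttng_basic_type *` itself with an enumerator, so the element-type check the commit message describes is never made: the comparison is always true (and draws a pointer/integer comparison diagnostic), so every array or sequence field is now rejected with -EINVAL instead of only the ones without a string encoding. The member to compare is the struct's `atype`, keeping the short-circuit so `u.basic.integer` is only read once the element is known to be an integer: `if (elem_type->atype != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)`. The same line appears in the atype_sequence case of this hunk and in both the atype_array and atype_sequence cases of the apply_context_reloc hunk below. apply_field_reloc continues outside the hunk.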
@@ -329,9 +343,25 @@ int apply_context_reloc(struct lttng_event *event,
 		op->op = FILTER_OP_GET_CONTEXT_REF_S64;
 		break;
 		/* Sequence and array supported as string */
-	case atype_string:
 	case atype_array:
+	{
+		const struct lttng_basic_type *elem_type = &ctx_field->event_field.type.u.array.elem_type;
+
+		if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+			return -EINVAL;
+		op->op = FILTER_OP_GET_CONTEXT_REF_STRING;
+		break;
+	}
 	case atype_sequence:
+	{
+		const struct lttng_basic_type *elem_type = &ctx_field->event_field.type.u.sequence.elem_type;
+
+		if (elem_type != atype_integer || elem_type->u.basic.integer.encoding == lttng_encode_none)
+			return -EINVAL;
+		op->op = FILTER_OP_GET_CONTEXT_REF_STRING;
+		break;
+	}
+	case atype_string:
 		op->op = FILTER_OP_GET_CONTEXT_REF_STRING;
 		break;
 	case atype_float:
-- 
2.34.1