Preserve pointer provenance during string table offset arithmetic#641
Merged
Conversation
When calculating the address of the section header string table, the previous implementation cast the base data pointer to a size_t to perform integer arithmetic, and then cast the resulting integer back to a const char *. This breaks standard C/C++ pointer provenance rules. Compilers rely on pointer arithmetic to track object origins, bounds, and aliasing. Losing this provenance chain by laundering the pointer through an integer type can lead to undefined behavior, as the compiler may no longer recognize the resulting pointer as safely pointing within the original allocation. Fix the issue by using standard pointer arithmetic instead of integer arithmetic. By adding the offset directly to the base pointer (fileContents->data() + shstrtabOffset) and only casting the final, derived pointer to the target type, the provenance chain remains perfectly intact. Adhering to these provenance rules is strictly required on capability-based architectures like CHERI (e.g., CHERI RISC-V). On these systems, pointers are hardware capabilities containing bounds and validity tags. The integer cast stripped this metadata, resulting in an untagged, invalid pointer that caused a hardware trap (SIGSEGV) when reading the string table. This fix allows the compiler use correctly derived and valid capabilities. Additionally, replace the __builtin_add_overflow() check on the absolute memory address with a more straightforward bounds check against the total file size.
Flowdalic
force-pushed
the
shstrtab-ptr-provenance
branch
from
18ec58c to
f999432
Compare
edolstra
approved these changes
Jun 24, 2026
Contributor
Author
|
Not sure what the workflow here is. Anything to do in my end? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When calculating the address of the section header string table, the previous implementation cast the base data pointer to a size_t to perform integer arithmetic, and then cast the resulting integer back to a const char *.
This breaks standard C/C++ pointer provenance rules. Compilers rely on pointer arithmetic to track object origins, bounds, and aliasing. Losing this provenance chain by laundering the pointer through an integer type can lead to undefined behavior, as the compiler may no longer recognize the resulting pointer as safely pointing within the original allocation.
This patch resolves the issue by using standard pointer arithmetic instead of integer arithmetic. By adding the offset directly to the base pointer (fileContents->data() + shstrtabOffset) and only casting the final, derived pointer to the target type, the provenance chain remains perfectly intact.
Adhering to these provenance rules is strictly required on capability-based architectures like CHERI (e.g., CHERI RISC-V). On these systems, pointers are hardware capabilities containing bounds and validity tags. The integer cast stripped this metadata, resulting in an untagged, invalid pointer that caused a hardware trap (SIGSEGV) when reading the string table. This fix allows the compiler use correctly derived and valid capabilities.
Additionally, replace the
__builtin_add_overflowcheck on the absolute memory address with a more straightforward bounds check against the total file size.