PE Loader improvement

[Segfaultd]

Fix Critical Security Issues and Improve Robustness in PE Loader

Summary

This PR addresses multiple critical security vulnerabilities and missing features in the PE loader (exe_ldr.cpp), significantly improving its robustness and security
posture.

Critical Security Fixes

• Buffer Overflow Fix: Replaced static 4KB buffer with thread-local 64-byte buffer in ordinal name formatting, eliminating race conditions
• Bounds Validation: Added comprehensive bounds checking for all RVA operations and section loading
• Input Validation: Implemented thorough PE header validation (DOS/NT signatures, machine types, section counts)
• Memory Protection: Fixed timing issues where sections were temporarily executable+writable

New Features

• TLS Callback Support: Added proper execution of TLS callbacks during process attachment
• Extended Relocation Types: Support for IMAGE_REL_BASED_HIGH/IMAGE_REL_BASED_LOW relocations
• Resource Cleanup: Added destructor and cleanup mechanisms for proper error recovery

Robustness Improvements

• Error Handling: Changed void functions to return bool with detailed error logging
• Thread Safety: Eliminated static variables causing race conditions
• Bounds Safety: All memory operations are now bounds-checked with overflow protection
• RAII: Added automatic resource cleanup on failures

Breaking Changes

• LoadIntoModule() now returns bool instead of void - calling code updated accordingly

Files Modified

• code/framework/src/launcher/loaders/exe_ldr.h - Added new methods and improved templates
• code/framework/src/launcher/loaders/exe_ldr.cpp - Complete security overhaul
• code/framework/src/launcher/project.cpp - Updated error handling for new return values

Resolves security vulnerabilities that could lead to arbitrary code execution or memory corruption during PE loading.

Summary by CodeRabbit

• Bug Fixes
  • Enhanced validation and error handling during module loading with improved boundary checks.
  • Implemented proper resource cleanup when loading operations fail.
  • Added comprehensive validation checks to prevent invalid memory operations.
  • Extended error logging and reporting for better diagnostics of loading failures.

[coderabbitai]

Walkthrough

The executable loader module is enhanced with comprehensive error handling and validation. Methods are refactored to return bool instead of void, enabling failure detection. A destructor and cleanup routine manage allocated memory. PE header validation, bounds checking, relocation error handling, and TLS callback execution are added throughout the loading pipeline.

Changes

Cohort / File(s)	Summary
Executable Loader Implementation code/framework/src/launcher/loaders/exe_ldr.cpp	Adds destructor and CleanupOnError() for memory management. Introduces ValidatePEHeaders() with signature/machine/section validation. Refactors LoadImports, LoadSection, LoadSections, LoadDelayImports, and LoadIntoModule to return bool with early-return error handling. Extends section loading with comprehensive bounds, overflow, and protection checks. Enhances ApplyRelocations with per-type relocation handling and protection state restoration. Adds ExecuteTLSCallbacks() and per-section protection calculation. Includes detailed error logging at failure paths.
Executable Loader Header code/framework/src/launcher/loaders/exe_ldr.h	Adds public TLSCallbackProc alias. Introduces private members _imageSize and _allocatedMemory. Changes return types from void to bool for LoadSection, LoadSections, LoadImports, LoadDelayImports, and LoadIntoModule. Adds public methods ValidatePEHeaders(), ExecuteTLSCallbacks(), and CleanupOnError(). Adds destructor ~ExecutableLoader(). Enhances GetRVA() and GetTargetRVA() template helpers with bounds checks.
Loader Integration code/framework/src/launcher/project.cpp	Updates LoadIntoModule call to check bool return value; on failure, unmaps view, closes handles, displays error, and returns false.

Sequence Diagram(s)

sequenceDiagram
    participant App as Application
    participant Loader as ExecutableLoader
    participant Mem as Memory
    participant PE as PE Image

    App->>Loader: LoadIntoModule(module)
    activate Loader
    
    Loader->>PE: ValidatePEHeaders()
    alt Invalid Headers
        Loader-->>App: return false
        Loader->>Mem: CleanupOnError()
    else Valid Headers
        Note over Loader: Set _imageSize
        Loader->>Loader: LoadSections()
        alt Section Load Failed
            Loader->>Mem: CleanupOnError()
            Loader-->>App: return false
        else Success
            Loader->>Loader: LoadImports()
            alt Import Load Failed
                Loader->>Mem: CleanupOnError()
                Loader-->>App: return false
            else Success
                Loader->>Loader: ApplyRelocations()
                alt Relocation Failed
                    Loader->>Mem: CleanupOnError()
                    Loader-->>App: return false
                else Success
                    Loader->>Loader: ExecuteTLSCallbacks()
                    Loader-->>App: return true
                end
            end
        end
    end
    
    deactivate Loader

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Key focus areas:
  • Signature changes across multiple methods in exe_ldr.h and exe_ldr.cpp; verify bool propagation is correct at each call site
  • ValidatePEHeaders() logic; ensure all PE validation checks are correct and complete
  • ApplyRelocations() extended logic with multiple relocation type handlers; verify each type's offset calculation and protection state restoration
  • Memory lifecycle: _allocatedMemory vector management and CleanupOnError() thoroughness; ensure no leaks on error paths
  • LoadIntoModule integration in project.cpp; verify error handling flow and resource cleanup sequence

Poem

🐰 In frameworks deep where modules load,
A shepherd now keeps steadfast goal—
With bounds that check and hearts that mend,
No crash shall breach from end to end!
Errors caught, malloc friends,
The loader's tale now safely trends. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check	❓ Inconclusive	The title 'PE Loader improvement' is too vague and generic; it does not convey the specific nature of the changes (security fixes, bounds checking, TLS support, thread safety improvements).	Consider a more descriptive title such as 'Fix PE loader security issues and add bounds checking' or 'Add PE header validation and TLS callback support to exe_ldr' to better communicate the main improvements.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/pe-loader-improvements

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

code/framework/src/launcher/loaders/exe_ldr.cpp (2)

323-328: Fix return type mismatch.

Line 328 has a bare return; statement, but LoadDelayImports returns bool. This should be return true; to indicate successful handling of the no-delay-imports case.

Apply this diff:

         if (delayImportDirectory->VirtualAddress == 0 || delayImportDirectory->Size == 0) {
-            return;
+            return true;
         }

---

361-368: Critical: Race condition in LoadDelayImports - static buffer not fixed.

Lines 366-368 still use a static char ordinalNameBuf[32] buffer for ordinal formatting, creating the same race condition that was fixed in LoadImports (lines 150-152) using thread_local. This is inconsistent and defeats the purpose of the security fix.

Apply this diff to match the fix in LoadImports:

                 if (IMAGE_SNAP_BY_ORDINAL(nameArray[i].u1.Ordinal)) {
                     WORD ordinal = IMAGE_ORDINAL(nameArray[i].u1.Ordinal);
                     function = GetProcAddress(module, (LPCSTR)(ULONG_PTR)ordinal);
                     
-                    static char ordinalNameBuf[32];
-                    sprintf_s(ordinalNameBuf, "#%u", ordinal);
+                    thread_local char ordinalNameBuf[64];
+                    ::snprintf(ordinalNameBuf, sizeof(ordinalNameBuf), "#%u", ordinal);
                     functionName = ordinalNameBuf;

🧹 Nitpick comments (2)

code/framework/src/launcher/loaders/exe_ldr.cpp (1)

408-415: Simplify redundant platform-specific typedefs.

The TLS_CALLBACK_PROC typedef is identical for both _M_AMD64 and _M_IX86 platforms. This can be simplified by removing the conditional compilation.

Apply this diff:

         // Execute TLS callbacks if they exist
         if (tlsData->AddressOfCallBacks) {
-#ifdef _M_AMD64
             typedef void (NTAPI *TLS_CALLBACK_PROC)(PVOID, DWORD, PVOID);
             TLS_CALLBACK_PROC *callbacks = reinterpret_cast<TLS_CALLBACK_PROC *>(tlsData->AddressOfCallBacks);
-#else
-            typedef void (NTAPI *TLS_CALLBACK_PROC)(PVOID, DWORD, PVOID);
-            TLS_CALLBACK_PROC *callbacks = reinterpret_cast<TLS_CALLBACK_PROC *>(tlsData->AddressOfCallBacks);
-#endif

code/framework/src/launcher/loaders/exe_ldr.h (1)

28-28: Remove unused TLSCallbackProc typedef or consolidate with local definition in ExecuteTLSCallbacks.

Verification confirms TLSCallbackProc is never used. The ExecuteTLSCallbacks function (exe_ldr.cpp:410, 413) defines its own local typedef with identical signature instead. Remove the public typedef at exe_ldr.h:28, or refactor ExecuteTLSCallbacks to use it for consistency.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f879e71 and 4ba0bd9.

📒 Files selected for processing (3)

• code/framework/src/launcher/loaders/exe_ldr.cpp (10 hunks)
• code/framework/src/launcher/loaders/exe_ldr.h (3 hunks)
• code/framework/src/launcher/project.cpp (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

code/framework/src/launcher/loaders/exe_ldr.h (1)

code/framework/src/launcher/loaders/exe_ldr.cpp (24)

• LoadSection (179-287)
• LoadSection (179-179)
• LoadSections (289-300)
• LoadSections (289-289)
• ApplyRelocations (545-646)
• ApplyRelocations (545-545)
• LoadExceptionTable (310-320)
• LoadExceptionTable (310-310)
• LoadImports (101-177)
• LoadImports (101-101)
• LoadDelayImports (323-392)
• LoadDelayImports (323-323)
• ValidatePEHeaders (53-99)
• ValidatePEHeaders (53-53)
• ExecuteTLSCallbacks (394-426)
• ExecuteTLSCallbacks (394-394)
• CleanupOnError (44-51)
• CleanupOnError (44-44)
• ResolveLibrary (648-650)
• ResolveLibrary (648-648)
• LoadIntoModule (428-543)
• LoadIntoModule (428-428)
• ExecutableLoader (23-38)
• ExecutableLoader (40-42)

code/framework/src/launcher/loaders/exe_ldr.cpp (1)

code/framework/src/launcher/loaders/exe_ldr.h (1)

• ExecutableLoader (24-78)

🔇 Additional comments (9)

code/framework/src/launcher/loaders/exe_ldr.h (2)

64-78: Excellent bounds checking additions.

The bounds checks in both GetRVA and GetTargetRVA properly prevent out-of-bounds memory access by validating RVAs against their respective size limits before dereferencing.

---

47-48: LGTM - Strong API improvements for error handling.

The changes to return bool from loader methods and the addition of ValidatePEHeaders, ExecuteTLSCallbacks, CleanupOnError, and the destructor significantly improve error handling and resource management.

Also applies to: 56-60, 104-105

code/framework/src/launcher/project.cpp (1)

721-727: LGTM - Proper error handling for LoadIntoModule.

The error handling correctly checks the boolean return value from LoadIntoModule and performs proper cleanup by unmapping the file view and closing handles before returning failure.

code/framework/src/launcher/loaders/exe_ldr.cpp (6)

23-42: LGTM - Proper RAII implementation.

The constructor correctly initializes _imageSize, and the destructor ensures cleanup by calling CleanupOnError(), providing proper resource management.

---

53-99: Excellent PE header validation.

The comprehensive validation of PE headers including signatures, machine types, section counts, and data directory limits effectively prevents malformed PE files from being processed.

---

101-177: LGTM - Race condition fixed with thread_local.

The use of thread_local for ordinalNameBuf (lines 150-152) properly eliminates the race condition from the previous static buffer implementation. Error handling is comprehensive with proper validation and early returns.

---

179-287: Excellent security improvements in LoadSection.

The comprehensive validation including bounds checking (lines 181-185, 204-208), integer overflow protection (lines 211-219), and deferred protection application (lines 281-284) significantly improves security and eliminates race conditions.

---

428-543: LGTM - Comprehensive error handling in LoadIntoModule.

The refactored LoadIntoModule method now includes:

• Proper validation at each step with early returns
• Consistent cleanup via CleanupOnError() on failures
• Detailed error logging
• TLS callback execution

This significantly improves robustness and security.

---

545-646: Excellent relocation handling improvements.

The enhanced ApplyRelocations method now includes:

• Validation of relocation target RVAs (lines 582-585)
• Support for additional relocation types (HIGH and LOW at lines 595-611)
• Per-relocation protection changes with proper restoration (lines 635-638)
• Detailed error logging for all failure cases

This significantly improves both functionality and security.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify that _allocatedMemory is being populated.

The _allocatedMemory vector is declared and freed in CleanupOnError(), but no code appears to populate it via push_back(). If this is intended for tracking allocations for cleanup, ensure all relevant allocations are being tracked.

---

🏁 Script executed:

#!/bin/bash
# Search for push_back operations on _allocatedMemory
rg -n "_allocatedMemory\.push_back" --type=cpp

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Search for all references to _allocatedMemory
rg -n "_allocatedMemory" --type=cpp -C 3

Length of output: 1548

---

🏁 Script executed:

#!/bin/bash
# Search for CleanupOnError function to see how _allocatedMemory is used
rg -n "CleanupOnError" --type=cpp -A 15

Length of output: 5737

---

🏁 Script executed:

#!/bin/bash
# Check if there are any memory allocation or tracking patterns in the exe_ldr files
fd -e h -e cpp "exe_ldr" --exec cat {}

Length of output: 31348

---

The review comment is accurate and should be addressed.

After verification, _allocatedMemory is indeed declared but never populated. No push_back() calls exist anywhere in the codebase, and none of the memory allocation operations (in LoadSections(), LoadImports(), LoadDelayImports(), ApplyRelocations(), or LoadIntoModule()) add entries to this vector.

Either remove the unused vector, or if allocation tracking is required, implement the tracking by adding push_back() calls wherever memory is allocated during the executable loading process.

🤖 Prompt for AI Agents

In code/framework/src/launcher/loaders/exe_ldr.h around line 44, the member
std::vector<void *> _allocatedMemory is declared but never populated; either
remove this unused member or implement allocation tracking. If removing: delete
the member declaration and any references (if any) to it. If keeping: update all
allocation sites in LoadSections(), LoadImports(), LoadDelayImports(),
ApplyRelocations(), and LoadIntoModule() to push_back the allocated pointers
into _allocatedMemory immediately after each successful allocation and ensure
they are freed/cleared from this vector during cleanup to avoid leaks. Ensure
thread-safety if allocations can occur concurrently (use mutex or document
single-threaded usage).