<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/74726">74726</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
LLVM assembler (llvm-as) opaque pointers missing required field 'name'
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
CarlosAndresRamirez
</td>
</tr>
</table>
<pre>
**Details**
Multiple versions of the LLVM assembler (llvm-as) do not properly handle named values in the opaque pointers module. As a result, an invalid memory read and crash of the assembler occurs. The issue occurs at function llvm::Value::getName() in file /llvm/lib/IR/Value.cpp.
**Vulnerable versions**
LLVM Compiler Project versions 15, 16 and 17, up to 18 (dev current), are known to be vulnerable.
**Impact**
Currently, the biggest known threat is availability of the assembler (crash) due to an invalid memory read.
Not considered to have security impact.
**llvm-as-16 Trace**
llvm-as-16 [llvm-as_crash-01.llvm](https://github.com/CarlosAndresRamirez/PoCs/blob/main/llvm-as_2023-12-08/llvm-as_crash-01.llvm)
```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0. Program arguments: llvm-as-16 llvm-as_crash-01.llvm
#0 0x00007ff3ec3d139a llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfd139a)
#1 0x00007ff3ec3cf5d4 llvm::sys::RunSignalHandlers() (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfcf5d4)
#2 0x00007ff3ec3d1b6b (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfd1b6b)
#3 0x00007ff3eae5a510 (/lib/x86_64-linux-gnu/libc.so.6+0x3c510)
#4 0x00007ff3ec563334 llvm::Value::getName() const (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x1163334)
#5 0x00007ff3ec4d6fc6 llvm::GlobalValue::getGlobalIdentifier[abi:cxx11]() const (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x10d6fc6)
#6 0x00007ff3ed7c6493 (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x23c6493)
#7 0x00007ff3ef06b8c3 llvm::LLParser::addGlobalValueToIndex(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, unsigned long, llvm::GlobalValue::LinkageTypes, unsigned int, std::unique_ptr<llvm::GlobalValueSummary, std::default_delete<llvm::GlobalValueSummary>>) (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c6b8c3)
#8 0x00007ff3ef06c5b8 llvm::LLParser::parseVariableSummary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, unsigned long, unsigned int) (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c6c5b8)
#9 0x00007ff3ef04673d llvm::LLParser::parseGVEntry(unsigned int) (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c4673d)
#10 0x00007ff3ef03f57a llvm::LLParser::parseSummaryEntry() (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c3f57a)
#11 0x00007ff3ef03d8a5 llvm::LLParser::parseTopLevelEntities() (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c3d8a5)
#12 0x00007ff3ef03d38a llvm::LLParser::Run(bool, llvm::function_ref<std::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>> (llvm::StringRef, llvm::StringRef)>) (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c3d38a)
#13 0x00007ff3ef07cddc (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c7cddc)
#14 0x00007ff3ef07d669 (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c7d669)
#15 0x00007ff3ef07d81a (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c7d81a)
#16 0x00007ff3ef07d6d2 llvm::parseAssemblyFileWithIndex(llvm::StringRef, llvm::SMDiagnostic&, llvm::LLVMContext&, llvm::SlotMapping*, llvm::function_ref<std::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>> (llvm::StringRef, llvm::StringRef)>) (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c7d6d2)
#17 0x00005570677a008d (/usr/lib/llvm-16/bin/llvm-as+0x408d)
#18 0x00007ff3eae456ca __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#19 0x00007ff3eae45785 call_init ./csu/../csu/libc-start.c:128:20
#20 0x00007ff3eae45785 __libc_start_main ./csu/../csu/libc-start.c:347:5
#21 0x000055706779ee41 (/usr/lib/llvm-16/bin/llvm-as+0x2e41)
zsh: segmentation fault llvm-as-16 llvm-as_crash-01.llvm
```
**Valgrind output**
```
...
==42002== Invalid read of size 1
==42002== at 0x59B4334: llvm::Value::getName() const (in /usr/lib/x86_64-linux-gnu/libLLVM-16.so.1)
...
```
**PoC**
[llvm-as_crash-01.llvm](https://github.com/CarlosAndresRamirez/PoCs/blob/main/llvm-as_2023-12-08/llvm-as_crash-01.llvm)
**Credits**
These findings come from a research effort on software quality and security based on a Human Error-Driven Framework for software defect prediction.
--
Carlos Andres Ramirez
[Cybersecurity Researcher](https://carlos.engineer/)
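
**Added example: triaging the stack dump**
The report locates the fault at llvm::Value::getName() by reading the stack dump. The Python below is an added example, not part of the original report or of LLVM: it parses that dump format, skips the crash-reporting frames, and derives the crash site plus a de-duplication key. `parse_frames`, `bucket`, `crash_site` and `HANDLER_FRAMES` are names chosen for this example, and the sample input is frames #0 to #7 of the llvm-as-16 trace above.

```python
import re

# One frame of an LLVM "Stack dump": "#N 0xPC [symbol] (module+0xOFFSET)".
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+(?:(?P<sym>.*\S)\s+)?"
    r"\((?P<mod>[^()]+)\+0x(?P<off>[0-9a-fA-F]+)\)\s*$"
)
# Frames that belong to crash reporting, not to the fault itself (example list).
HANDLER_FRAMES = ("llvm::sys::PrintStackTrace", "llvm::sys::RunSignalHandlers")

# Sample input: frames #0-#7 excerpted from the trace in this report.
SAMPLE_TRACE = """\
#0 0x00007ff3ec3d139a llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfd139a)
#1 0x00007ff3ec3cf5d4 llvm::sys::RunSignalHandlers() (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfcf5d4)
#2 0x00007ff3ec3d1b6b (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfd1b6b)
#3 0x00007ff3eae5a510 (/lib/x86_64-linux-gnu/libc.so.6+0x3c510)
#4 0x00007ff3ec563334 llvm::Value::getName() const (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x1163334)
#5 0x00007ff3ec4d6fc6 llvm::GlobalValue::getGlobalIdentifier[abi:cxx11]() const (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x10d6fc6)
#6 0x00007ff3ed7c6493 (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x23c6493)
#7 0x00007ff3ef06b8c3 llvm::LLParser::addGlobalValueToIndex(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, unsigned long, llvm::GlobalValue::LinkageTypes, unsigned int, std::unique_ptr<llvm::GlobalValueSummary, std::default_delete<llvm::GlobalValueSummary>>) (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0x3c6b8c3)
"""

def parse_frames(trace):
    """Return (index, function, module, offset) for each frame with a (module+0xoff) suffix."""
    frames = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if m:
            # Drop the argument list so overloads and templates do not split buckets.
            sym = (m["sym"] or "").replace("(anonymous namespace)", "{anon}")
            func = sym.split("(", 1)[0] or None
            frames.append((int(m["idx"]), func, m["mod"].rsplit("/", 1)[-1], int(m["off"], 16)))
    return frames

def bucket(trace, depth=3):
    """Top `depth` named, non-handler frames: a key that is stable across ASLR runs."""
    named = [f[1] for f in parse_frames(trace) if f[1] and f[1] not in HANDLER_FRAMES]
    return tuple(named[:depth])

def crash_site(trace):
    """Innermost named frame that is not crash-reporting machinery."""
    key = bucket(trace, depth=1)
    return key[0] if key else None

if __name__ == "__main__":
    print(crash_site(SAMPLE_TRACE), bucket(SAMPLE_TRACE))
```

Unsymbolized frames (#2, #3, #6) are kept by `parse_frames` with their module-relative offsets, which stay comparable between runs, but they are left out of the bucket key.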
</pre>
IxQH3bm2c8Nmxsna6fTYDEmvovQqI3FM-kf4cmizhOaYrsGKPxGSH80GAOogfsnnl5m_JB2u9j97MxMKTuQ8fz8cp8r81ImzwgTvb_VqJMPftJEzYLwyyH3RGjf6LEItFBdqa4HpBvsWX2hvIjVsB1jX2jjQCqyu3TM1CN87GvprVPG3VlhFLXI_jcLvXUMVXBujzeTKiCdUsDa0wWdtvkGtzZsljjUyB62nFsr1qJU2mRy6f0Ej6EWCo0pH3Vf7Cs0rjbsDb38Pfi89C5amqLZCIZoweJDqgi9SPk_n9AIXySxO5gXJ0_Jit5ixlJU1ifOU0rim86RkRcrL-TzntKxpeSEWPiIJiWdJTkiSTVmeFZRnlGfzglRsFmUxNlTIEJupNtuL0AJbzLIZKS4krVDa0BQnROFz3xGOCInyqwuzCAGuuq2NslgK6-ybFSecxMWH7e53LWxhrVBbMPi9EwY51AKlr_szFbJodtEZufjPW3rBpX8FAAD___Q_KBc">