<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/74732>74732</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            LLVM disassembler (llvm-dis) fails to handle Unknown attributes
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          CarlosAndresRamirez
      </td>
    </tr>
</table>

<pre>
    
**Details**
Multiple versions of the LLVM disassembler (llvm-dis) fail to handle unknown attributes when printing metadata identifiers in the opaque pointers module. As a result, an invalid memory read and crash of the disassembler occurs. The issue occurs at function printMetadataIdentifier() in file llvm/lib/IR/AsmWriter.cpp.

**Vulnerable versions**
The LLVM Compiler Project from versions 16, 17 up to 18 (dev current) are known to be vulnerable.

**Impact**
Currently, the biggest known threat is availability of the disassembler (crash) due to an invalid memory read.
Not considered to have security impact.

**llvm-dis-16 Trace**
llvm-dis-16 [llvm-dis_crash-01.bc](https://github.com/CarlosAndresRamirez/PoCs/blob/main/llvm-dis_2023-12-08/llvm-dis_crash-01.bc)

```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: llvm-dis-16 llvm-dis_2023-12-08/llvm-dis_crash-01.bc
 #0 0x00007f13545d139a llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfd139a)
 #1 0x00007f13545cf5d4 llvm::sys::RunSignalHandlers() (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfcf5d4)
 #2 0x00007f13545d1b6b (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfd1b6b)
 #3 0x00007f135305a510 (/lib/x86_64-linux-gnu/libc.so.6+0x3c510)
 #4 0x00007f13545e6265 (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfe6265)
 #5 0x00007f13545da32e (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfda32e)
 #6 0x00007f13545d9dfb llvm::Module::print(llvm::raw_ostream&, llvm::AssemblyAnnotationWriter*, bool, bool) const (/usr/lib/llvm-16/bin/../lib/libLLVM-16.so.1+0xfd9dfb)
 #7 0x000055604ae02097 (/usr/lib/llvm-16/bin/llvm-dis+0x6097)
 #8 0x00007f13530456ca __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:74:3
 #9 0x00007f1353045785 call_init ./csu/../csu/libc-start.c:128:20
#10 0x00007f1353045785 __libc_start_main ./csu/../csu/libc-start.c:347:5
#11 0x000055604adffbf1 (/usr/lib/llvm-16/bin/llvm-dis+0x3bf1)
zsh: segmentation fault llvm-dis-16 llvm-dis_2023-12-08/llvm-dis_crash-01.bc

```

**Valgrind output**
```
...
==45302== 
llvm-dis-16: warning: ignoring debug info with an invalid version (0) in llvm-dis_2023-12-08/llvm-dis_crash-01.bc
==45302== Invalid read of size 1
==45302==    at 0x5837265: ??? (in /usr/lib/x86_64-linux-gnu/libLLVM-16.so.1)
==45302==    by 0x582B32D: ??? (in /usr/lib/x86_64-linux-gnu/libLLVM-16.so.1)
==45302==    by 0x582ADFA: llvm::Module::print(llvm::raw_ostream&, llvm::AssemblyAnnotationWriter*, bool, bool) const (in /usr/lib/x86_64-linux-gnu/libLLVM-16.so.1)
==45302==    by 0x10E096: ??? (in /usr/lib/llvm-16/bin/llvm-dis)
==45302==    by 0xC2A06C9: (below main) (libc_start_call_main.h:58)
==45302==  Address 0x108b095eb is not stack'd, malloc'd or (recently) free'd
==45302== 
...
```

**PoC**
[llvm-dis_crash-01.bc](https://github.com/CarlosAndresRamirez/PoCs/blob/main/llvm-dis_2023-12-08/llvm-dis_crash-01.bc)

**Credits**
These findings come from a research effort on software quality and security based on a Human Error-Driven Framework for software defect prediction.

--
Carlos Andres Ramirez
[Cybersecurity Researcher](https://carlos.engineer/)
</pre>