[lld] r326345 - Fix use after free in PDB linker.

Zachary Turner via llvm-commits llvm-commits at lists.llvm.org
Wed Feb 28 10:09:18 PST 2018

Author: zturner
Date: Wed Feb 28 10:09:18 2018
New Revision: 326345

URL: http://llvm.org/viewvc/llvm-project?rev=326345&view=rev
Fix use after free in PDB linker.

When merging in types from a type server PDB, we would use a
pointer into the type server PDB's mapped file buffer directly
to avoid copying data.  However, we would close the type server
PDB after we finished merging in its types, which would unmap
all of its memory.  This would lead to a use after free.

We fix this by making a strong reference in the PDBLinker class
to all referenced type server PDBs, thereby making it safe to
hold pointers into its memory mapped contents.

This fixes llvm.org/pr36455

Differential Revision: https://reviews.llvm.org/D43834
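The ownership fix described in the commit message, as an added stand-alone illustration (not lld's code; FakeSession, FakeLinker and the record contents are constructed stand-ins for pdb::NativeSession, PDBLinker and a mapped PDB buffer):

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <string_view>
#include <vector>

// Stand-in for pdb::NativeSession: owns a buffer that plays the role of the
// memory-mapped PDB file and is released when the session is destroyed.
struct FakeSession {
  std::vector<char> Mapped;
  explicit FakeSession(std::string_view Contents)
      : Mapped(Contents.begin(), Contents.end()) {}
  // Hands out a view into the mapped buffer without copying, like the type
  // record pointers the linker keeps after merging.
  std::string_view record(size_t Off, size_t Len) const {
    return std::string_view(Mapped.data() + Off, Len);
  }
};

struct FakeLinker {
  // Mirrors LoadedPDBs in the patch: sessions live as long as the linker, so
  // views into their buffers stay valid for the whole link.
  std::vector<std::unique_ptr<FakeSession>> LoadedPDBs;
  std::vector<std::string_view> MergedRecords;

  // The bug shape (deliberately not called): a unique_ptr local to the merge
  // function is destroyed on return, so every view in MergedRecords dangles.
  //   auto Session = std::make_unique<FakeSession>(Contents);
  //   MergedRecords.push_back(Session->record(Off, Len));  // dangles on return

  // The fixed shape from the patch: grab the raw pointer first, then move
  // ownership into LoadedPDBs before taking views into the buffer.
  void mergeTypeServer(std::string_view Contents, size_t Off, size_t Len) {
    auto Expected = std::make_unique<FakeSession>(Contents);
    FakeSession *Session = Expected.get();
    LoadedPDBs.push_back(std::move(Expected));
    MergedRecords.push_back(Session->record(Off, Len));
  }
};

// Merges two constructed "type servers" and copies the first record out only
// after both merges; valid because the linker still owns every session.
std::string firstRecordAfterMerge() {
  FakeLinker Linker;
  Linker.mergeTypeServer("LF_STRUCTURE Foo", 13, 3);
  Linker.mergeTypeServer("LF_ENUM Bar", 8, 3);
  return std::string(Linker.MergedRecords[0]);
}
```

Building the same code with the commented-out local-unique_ptr shape under AddressSanitizer is the quickest way to see the heap-use-after-free the commit describes.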


Modified: lld/trunk/COFF/PDB.cpp
URL: http://llvm.org/viewvc/llvm-project/lld/trunk/COFF/PDB.cpp?rev=326345&r1=326344&r2=326345&view=diff
--- lld/trunk/COFF/PDB.cpp (original)
+++ lld/trunk/COFF/PDB.cpp Wed Feb 28 10:09:18 2018
@@ -148,6 +148,11 @@ private:
   llvm::SmallString<128> NativePath;
+  /// A list of other PDBs which are loaded during the linking process and which
+  /// we need to keep around since the linking operation may reference pointers
+  /// inside of these PDBs.
+  llvm::SmallVector<std::unique_ptr<pdb::NativeSession>, 2> LoadedPDBs;
   std::vector<pdb::SecMapEntry> SectionMap;
   /// Type index mappings of type server PDBs that we've loaded so far.
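Review bot: Members are destroyed in reverse declaration order, so the sessions in LoadedPDBs (new lines after line 148) will be freed before any member declared above it, such as NativePath; if one of those earlier members holds pointers into the mapped PDB memory and touches them in its destructor, the use-after-free would reappear at PDBLinker teardown. Either declare LoadedPDBs ahead of any member that may hold such pointers, or extend the new comment to state that LoadedPDBs must outlive them, so the invariant the fix relies on is explicit.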
@@ -361,10 +366,16 @@ Expected<const CVIndexMap&> PDBLinker::m
     return std::move(E);
-  auto ExpectedTpi = (*ExpectedSession)->getPDBFile().getPDBTpiStream();
+  pdb::NativeSession *Session = ExpectedSession->get();
+  // Keep a strong reference to this PDB, so that it's safe to hold pointers
+  // into the file.
+  LoadedPDBs.push_back(std::move(*ExpectedSession));
+  auto ExpectedTpi = Session->getPDBFile().getPDBTpiStream();
   if (auto E = ExpectedTpi.takeError())
     fatal("Type server does not have TPI stream: " + toString(std::move(E)));
-  auto ExpectedIpi = (*ExpectedSession)->getPDBFile().getPDBIpiStream();
+  auto ExpectedIpi = Session->getPDBFile().getPDBIpiStream();
   if (auto E = ExpectedIpi.takeError())
     fatal("Type server does not have TPI stream: " + toString(std::move(E)));
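Review bot: The unchanged context line right after the new `ExpectedIpi` call still reports "Type server does not have TPI stream" for the IPI stream; since this hunk already touches the line above it, changing that message to say "IPI stream" would be a cheap fix to fold in. On the new lines, taking `Session = ExpectedSession->get()` before `LoadedPDBs.push_back(std::move(*ExpectedSession))` is correct, because the move only transfers the unique_ptr and the object's address does not change, but a short comment that `*ExpectedSession` must not be touched after the push_back would help future edits avoid reintroducing a use of the moved-from pointer.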
