[PATCH] D155110: [memprof] Fix use-after-free in peekBuildIds.
Snehasish Kumar via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Wed Jul 12 12:59:18 PDT 2023
snehasish created this revision.
snehasish added a reviewer: tejohnson.
Herald added a subscriber: hiraditya.
Herald added a project: All.
snehasish requested review of this revision.
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.
To check the uniqueness of buildids, we held on to a StringRef of the build id string pushed into the vector. If the number of build ids was large enough to trigger a realloc in the vector then these references were invalidated, resulting in a use-after-free. This was exposed in downstream usage.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D155110
Files:
llvm/lib/ProfileData/RawMemProfReader.cpp
Index: llvm/lib/ProfileData/RawMemProfReader.cpp
===================================================================
--- llvm/lib/ProfileData/RawMemProfReader.cpp
+++ llvm/lib/ProfileData/RawMemProfReader.cpp
@@ -552,7 +552,7 @@
// callback is the main program."
// https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html
std::vector<std::string> BuildIds;
- llvm::SmallSet<StringRef, 4> BuildIdsSet;
+ llvm::SmallSet<std::string, 10> BuildIdsSet;
while (Next < DataBuffer->getBufferEnd()) {
auto *Header = reinterpret_cast<const memprof::Header *>(Next);
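Review bot: the inline capacity bump from 4 to 10 on the `BuildIdsSet` line is unrelated to the dangling-reference fix and is not explained in the commit message; either keep `4` or state the motivation, so the functional change (owning `std::string` keys instead of `StringRef` views into `BuildIds`) stays the only thing this line changes. Switching to owning keys is the right fix, since `StringRef` elements pointed at storage that `BuildIds.push_back` can reallocate; `llvm::StringSet<>` would be the more idiomatic LLVM container for an owning set of string keys if the small-vector behaviour of `SmallSet` is not specifically wanted here.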
@@ -564,7 +564,7 @@
if (BuildIdsSet.contains(Id))
continue;
BuildIds.push_back(Id);
- BuildIdsSet.insert(BuildIds.back());
+ BuildIdsSet.insert(Id);
}
Next += Header->TotalSize;
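Review bot: with the set now owning its own copy, `BuildIdsSet.insert(Id)` no longer depends on `BuildIds`' storage, which removes the use-after-free; the remaining `contains(Id)` / `push_back(Id)` / `insert(Id)` sequence still does two lookups and two copies per build id, and could be collapsed to `if (BuildIdsSet.insert(Id).second) BuildIds.push_back(Id);`. Since the commit message says the bug only surfaced downstream once the vector reallocated, a unit test that feeds more distinct build ids than the vector's initial capacity (and runs under ASan) would keep this from regressing.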