[all-commits] [llvm/llvm-project] ed5a34: Make setSanitizerMetadata byval.
Mitch Phillips via All-commits
all-commits at lists.llvm.org
Thu Jun 16 14:47:59 PDT 2022
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: ed5a349b89e9ccc1c3dbe427de27d28e145f8203
https://github.com/llvm/llvm-project/commit/ed5a349b89e9ccc1c3dbe427de27d28e145f8203
Author: Mitch Phillips <31459023+hctim at users.noreply.github.com>
Date: 2022-06-16 (Thu, 16 Jun 2022)
Changed paths:
M llvm/include/llvm/IR/GlobalValue.h
M llvm/lib/IR/Globals.cpp
Log Message:
-----------
Make setSanitizerMetadata byval.
This fixes a UaF bug in llvm::GlobalObject::copyAttributesFrom, where a
sanitizer metadata object is captured by reference, and passed by
reference to llvm::GlobalValue::setSanitizerMetadata. The reference
comes from the same map that the new value is going to be inserted to,
and the map insertion triggers iterator invalidation - leading to a
use-after-free on the dangling reference.
This patch fixes that bug by making setSanitizerMetadata's argument
byval. This should also systematically prevent the problem from
happening in future, as it's a very easy pattern to have. This shouldn't
be any performance problem, the SanitizerMetadata struct is a bitfield
POD.
More information about the All-commits
mailing list