[all-commits] [llvm/llvm-project] ed5a34: Make setSanitizerMetadata byval.

Mitch Phillips via All-commits all-commits at lists.llvm.org
Thu Jun 16 14:47:59 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: ed5a349b89e9ccc1c3dbe427de27d28e145f8203
      https://github.com/llvm/llvm-project/commit/ed5a349b89e9ccc1c3dbe427de27d28e145f8203
  Author: Mitch Phillips <31459023+hctim at users.noreply.github.com>
  Date:   2022-06-16 (Thu, 16 Jun 2022)

  Changed paths:
    M llvm/include/llvm/IR/GlobalValue.h
    M llvm/lib/IR/Globals.cpp

  Log Message:
  -----------
  Make setSanitizerMetadata byval.

This fixes a UaF bug in llvm::GlobalObject::copyAttributesFrom, where a
sanitizer metadata object is captured by reference, and passed by
reference to llvm::GlobalValue::setSanitizerMetadata. The reference
comes from the same map that the new value is going to be inserted into,
and the map insertion triggers iterator invalidation - leading to a
use-after-free on the dangling reference.

This patch fixes that bug by making setSanitizerMetadata's argument
byval. This should also systematically prevent the problem from
happening in future, as it's a very easy pattern to have. This shouldn't
be any performance problem, as the SanitizerMetadata struct is a bitfield
POD.
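The pattern the commit message describes, reproduced as an added example that is not code from the LLVM project: `Meta`, `FlatMap`, `Context`, `Global` and `copyAttributesFrom` are constructed stand-ins. The map stores its entries in one contiguous buffer that moves on growth, which is the only property of llvm::DenseMap the bug depends on. `setMeta` has the fixed, by-value signature; the by-reference version it replaces is described in the comment rather than executed, since calling it through a reference into the same map is the use-after-free.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Constructed stand-in for llvm::GlobalValue::SanitizerMetadata: a small
// bitfield POD, so passing it by value costs no more than a pointer.
struct Meta {
  unsigned NoAddress : 1;
  unsigned NoHWAddress : 1;
  unsigned Memtag : 1;
  unsigned IsDynInit : 1;
  Meta() : NoAddress(0), NoHWAddress(0), Memtag(0), IsDynInit(0) {}
  bool operator==(const Meta &O) const {
    return NoAddress == O.NoAddress && NoHWAddress == O.NoHWAddress &&
           Memtag == O.Memtag && IsDynInit == O.IsDynInit;
  }
};

// Constructed map with the property that matters here (shared with
// llvm::DenseMap): entries live in one contiguous buffer, and an insertion
// that grows the buffer relocates every entry, invalidating all outstanding
// references into it.
class FlatMap {
  std::vector<std::pair<int, Meta>> Slots;

public:
  Meta &operator[](int Id) {
    for (auto &S : Slots)
      if (S.first == Id) return S.second;
    Slots.push_back({Id, Meta()}); // may reallocate: references now dangle
    return Slots.back().second;
  }
  const Meta *find(int Id) const {
    for (const auto &S : Slots)
      if (S.first == Id) return &S.second;
    return nullptr;
  }
};

// Hypothetical context owning the per-global metadata map.
struct Context { FlatMap SanitizerMetadata; };

// Hypothetical global value, keyed into the context's map by an integer id.
struct Global {
  Context &Ctx;
  int Id;
  bool hasMeta() const { return Ctx.SanitizerMetadata.find(Id) != nullptr; }
  // Returns a reference into the map; it is valid only until the next
  // insertion into that map.
  const Meta &getMeta() const { return *Ctx.SanitizerMetadata.find(Id); }
  // Before the fix the parameter was `const Meta &M`. When M aliased an
  // entry of the same map, operator[] could grow the buffer and M would be
  // dangling by the time the assignment read it. Taking M by value copies
  // it at the call site, before operator[] runs, so the insertion cannot
  // invalidate it.
  void setMeta(Meta M) { Ctx.SanitizerMetadata[Id] = M; }
};

// Mirrors the copyAttributesFrom call site: read through a reference into
// the map, then write a new entry into the same map.
void copyAttributesFrom(Global &Dst, const Global &Src) {
  if (Src.hasMeta())
    Dst.setMeta(Src.getMeta());
}

// The copy lands intact even though the write inserts a new entry.
bool copyPreservesMetadata() {
  Context Ctx;
  Global Src{Ctx, 1}, Dst{Ctx, 2};
  Meta M;
  M.NoAddress = 1;
  M.Memtag = 1;
  Src.setMeta(M);
  copyAttributesFrom(Dst, Src);
  return Dst.hasMeta() && Dst.getMeta() == M && Src.getMeta() == M;
}

// Why the by-reference version was unsafe: the insertion done by
// Dst.setMeta moves Src's entry, so a reference taken before the call no
// longer refers to live storage afterwards. Only addresses are compared;
// nothing stale is dereferenced.
bool insertionRelocatesSourceEntry() {
  Context Ctx;
  Global Src{Ctx, 1}, Dst{Ctx, 2};
  Src.setMeta(Meta()); // buffer holds one entry, capacity one
  std::uintptr_t Before = reinterpret_cast<std::uintptr_t>(&Src.getMeta());
  copyAttributesFrom(Dst, Src); // second entry forces the buffer to grow
  std::uintptr_t After = reinterpret_cast<std::uintptr_t>(&Src.getMeta());
  return Before != After;
}
```

`insertionRelocatesSourceEntry` is the check a reviewer would want alongside the fix: it confirms that the very call sequence in `copyAttributesFrom` does move the source entry, so a by-reference parameter would have been read after its storage was freed. The same hazard applies to any setter that takes a reference obtained from the container it is about to insert into, which is why copying the small POD by value is the systematic fix rather than a local one.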
