[clang] [clang] Fix a use-after-free in ASTContext::getSubstBuiltinTemplatePack (PR #160970)
via cfe-commits
cfe-commits at lists.llvm.org
Fri Sep 26 19:03:46 PDT 2025
llvmbot wrote:
@llvm/pr-subscribers-clang
Author: Alexander Kornienko (alexfh)
<details>
<summary>Changes</summary>
ASTContext::getSubstBuiltinTemplatePack finds InsertPos and then calls itself
recursively, which may lead to rehashing and invalidation of all pointers to
buckets. The function then proceeds with using the potentially invalid
InsertPos, leading to use-after-free.
I didn't manage to produce a reasonably-sized test case yet.
---
Full diff: https://github.com/llvm/llvm-project/pull/160970.diff
1 file affected:
- (modified) clang/lib/AST/ASTContext.cpp (+7-1)
``````````diff
diff --git a/clang/lib/AST/ASTContext.cpp b/clang/lib/AST/ASTContext.cpp
index 07d42e7e2f3b3..e9d3e58f81cf2 100644
--- a/clang/lib/AST/ASTContext.cpp
+++ b/clang/lib/AST/ASTContext.cpp
@@ -5873,8 +5873,14 @@ ASTContext::getSubstBuiltinTemplatePack(const TemplateArgument &ArgPack) {
QualType Canon;
TemplateArgument CanonArgPack = getCanonicalTemplateArgument(ArgPack);
- if (!CanonArgPack.structurallyEquals(ArgPack))
+ if (!CanonArgPack.structurallyEquals(ArgPack)) {
Canon = getSubstBuiltinTemplatePack(CanonArgPack);
+ // Refresh InsertPos, in case the recursive call above caused rehashing,
+ // which would invalidate the bucket pointer.
+ if (auto *T =
+ SubstBuiltinTemplatePackTypes.FindNodeOrInsertPos(ID, InsertPos))
+ return QualType(T, 0);
+ }
auto *PackType = new (*this, alignof(SubstBuiltinTemplatePackType))
SubstBuiltinTemplatePackType(Canon, ArgPack);
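Review bot: the early return after the refreshed lookup (`if (auto *T = SubstBuiltinTemplatePackTypes.FindNodeOrInsertPos(ID, InsertPos)) return QualType(T, 0);`) is only reachable if the recursive call inserted a node whose profile equals `ID`; assuming `ID` was profiled from `ArgPack` above the hunk, the `!CanonArgPack.structurallyEquals(ArgPack)` guard means the recursion inserts a node for a different argument pack, so `T` should always be null here. Either extend the comment to say when a hit is expected, or turn it into `assert(!T && "...")` so a future reader does not mistake it for a real path, while still keeping the repeated `FindNodeOrInsertPos` call, which is what actually refreshes `InsertPos` after a possible rehash. The description also notes that no test case was found; even a comment in the code pointing out that the recursion can grow the FoldingSet would help the next person who touches this function.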
``````````
</details>
https://github.com/llvm/llvm-project/pull/160970
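The pattern the patch fixes, as an added example that is not code from the PR or from llvm::FoldingSet: a hypothetical `PackTable` that mimics the `FindNodeOrInsertPos` / `InsertNode` API, but stamps every insert position with a table generation so that a write through a position computed before a rehash is refused instead of dereferencing freed bucket memory. `getPackBuggy` has the shape of the function before the patch (compute the position, recurse on the canonical key, insert with the old position) and `getPackFixed` the shape after it (look the key up again after the recursion). The lowercase canonicalisation, the bucket count of 4 and the names `Node`, `PackTable`, `canonical` and `insertsAfterRehash` are all assumptions made for the example.

```cpp
// Added example, not code from the LLVM PR or from llvm::FoldingSet.
// PackTable is a hypothetical, minimal stand-in for the FoldingSet API used by
// ASTContext (FindNodeOrInsertPos / InsertNode). Unlike the real FoldingSet it
// stamps each InsertPos with a table generation so that a write through a
// position computed before a rehash is reported instead of corrupting memory.
#include <cctype>
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Node {
  std::string Key;    // stands in for the TemplateArgument pack
  std::string Canon;  // key of the canonical node (== Key when canonical)
};

struct InsertPos {
  std::size_t Bucket = 0;
  unsigned Generation = 0;  // table generation when this position was computed
};

class PackTable {
  std::vector<std::vector<std::unique_ptr<Node>>> Buckets;
  std::size_t Size = 0;
  unsigned Generation = 0;  // bumped on every rehash

  std::size_t bucketFor(const std::string &Key) const {
    return std::hash<std::string>{}(Key) % Buckets.size();
  }
  void rehash() {
    std::vector<std::vector<std::unique_ptr<Node>>> Old;
    Old.swap(Buckets);
    Buckets.resize(Old.size() * 2);
    ++Generation;  // every previously computed InsertPos is now stale
    for (auto &Chain : Old)
      for (auto &N : Chain)
        Buckets[bucketFor(N->Key)].push_back(std::move(N));
  }

public:
  PackTable() : Buckets(4) {}  // deliberately small so a rehash comes quickly
  unsigned generation() const { return Generation; }

  // Like FoldingSet::FindNodeOrInsertPos: returns the node if present,
  // otherwise nullptr and fills Pos with where it would be inserted.
  Node *FindNodeOrInsertPos(const std::string &Key, InsertPos &Pos) {
    std::size_t B = bucketFor(Key);
    for (auto &N : Buckets[B])
      if (N->Key == Key) return N.get();
    Pos = {B, Generation};
    return nullptr;
  }

  // Like FoldingSet::InsertNode, except that a stale Pos is refused. The real
  // FoldingSet would write through the stale bucket pointer: the use-after-free.
  bool InsertNode(std::unique_ptr<Node> N, const InsertPos &Pos) {
    if (Pos.Generation != Generation) return false;
    Buckets[Pos.Bucket].push_back(std::move(N));
    if (++Size > Buckets.size()) rehash();
    return true;
  }
};

// Hypothetical canonicalisation: the canonical form of a key is its lowercase
// spelling, so "Foo" is non-canonical and "foo" is canonical.
std::string canonical(const std::string &Key) {
  std::string C = Key;
  for (char &Ch : C)
    Ch = static_cast<char>(std::tolower(static_cast<unsigned char>(Ch)));
  return C;
}

// Shape of getSubstBuiltinTemplatePack before the patch: compute InsertPos,
// recurse on the canonical key (which may insert and therefore rehash), then
// insert through the original, possibly stale, InsertPos.
Node *getPackBuggy(PackTable &T, const std::string &Key) {
  InsertPos Pos;
  if (Node *N = T.FindNodeOrInsertPos(Key, Pos)) return N;
  std::string CanonKey = canonical(Key);
  if (CanonKey != Key) getPackBuggy(T, CanonKey);
  auto N = std::make_unique<Node>(Node{Key, CanonKey});
  Node *Raw = N.get();
  return T.InsertNode(std::move(N), Pos) ? Raw : nullptr;  // nullptr: stale Pos
}

// Shape after the patch: look the key up again after the recursive call so
// InsertPos refers to the current bucket array.
Node *getPackFixed(PackTable &T, const std::string &Key) {
  InsertPos Pos;
  if (Node *N = T.FindNodeOrInsertPos(Key, Pos)) return N;
  std::string CanonKey = canonical(Key);
  if (CanonKey != Key) {
    getPackFixed(T, CanonKey);
    if (Node *N = T.FindNodeOrInsertPos(Key, Pos)) return N;  // refresh Pos
  }
  auto N = std::make_unique<Node>(Node{Key, CanonKey});
  Node *Raw = N.get();
  return T.InsertNode(std::move(N), Pos) ? Raw : nullptr;
}

// Fills a fresh table to the brink of a rehash, then requests a non-canonical
// key: the recursion inserts "foo", which triggers the rehash, before the outer
// call inserts "Foo". Returns true if the outer insertion went through.
bool insertsAfterRehash(Node *(*Get)(PackTable &, const std::string &)) {
  PackTable T;
  for (const char *K : {"a", "b", "c", "d"}) Get(T, K);  // Size == bucket count
  unsigned Before = T.generation();
  Node *N = Get(T, "Foo");
  return T.generation() == Before + 1 && N != nullptr && N->Canon == "foo";
}
```

Calling `insertsAfterRehash(getPackBuggy)` returns false because the generation check in `InsertNode` catches the stale position; with the real `FoldingSet` there is no such check and the same sequence is a write into a freed bucket array, which is why the PR author could only observe it as a use-after-free rather than an error. `insertsAfterRehash(getPackFixed)` returns true.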