[llvm-bugs] [Bug 42647] New: A denial of service vulnerability in function findBaseDefiningValue(llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp) via an bitcode file which has been overrided the module target triple.

via llvm-bugs llvm-bugs at lists.llvm.org
Wed Jul 17 01:25:46 PDT 2019 

https://bugs.llvm.org/show_bug.cgi?id=42647

            Bug ID: 42647
           Summary: A denial of service vulnerability in function
                    findBaseDefiningValue(llvm/lib/Transforms/Scalar/Rewri
                    teStatepointsForGC.cpp) via an bitcode file which has
                    been overrided the module target triple.
           Product: tools
           Version: 8.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: opt
          Assignee: unassignedbugs at nondot.org
          Reporter: zhangxianbu at gmail.com
                CC: llvm-bugs at lists.llvm.org

n llvm opt tools  8.0.0  and older version, an issue was discovered.The
findBaseDefiningValue  function in
llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp allows attackers to
cause a denial of service(assertion failure and opt tool crashed) via an
bitcode file which has been overrided the module target triple. 
The bitcode file which can cause denial of service has been in the attachment.

Reproduce steps:
# opt -mem2reg -rewrite-statepoints-for-gc -always-inline -o b0o_new.bc
b0_new.bc 


Please check the rewrite-statepoints-for-gc feature in the opt tool.

If you have confirmed the vulnerability, should i submit this issue for CVE?

The details crashed logs as bellow:

opt:
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:525:
{anonymous}::BaseDefiningValueResult findBaseDefiningValue(llvm::Value*):
Assertion `cast<PointerType>(Def->getType())->getAddressSpace() ==
cast<PointerType>(CI->getType())->getAddressSpace() && "unsupported
addrspacecast"' failed.
Stack dump:
0.      Program arguments: /usr/local/bin/opt -mem2reg
-rewrite-statepoints-for-gc -always-inline -o b0o_new.bc b02.bc 
1.      Running pass 'Make relocations explicit at statepoints' on module
'b02.bc'.
 #0 0x00000000043152b1 llvm::sys::PrintStackTrace(llvm::raw_ostream&)
/home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:494:0
 #1 0x0000000004315344 PrintStackTraceSignalHandler(void*)
/home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:558:0
 #2 0x0000000004313352 llvm::sys::RunSignalHandlers()
/home/wenzhuo/llvm-project/llvm/lib/Support/Signals.cpp:68:0
 #3 0x0000000004314d03 SignalHandler(int)
/home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:357:0
 #4 0x00007f553aaa1390 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
 #5 0x00007f55397b0428 raise
/build/glibc-LK5gWL/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
 #6 0x00007f55397b202a abort /build/glibc-LK5gWL/glibc-2.23/stdlib/abort.c:91:0
 #7 0x00007f55397a8bd7 __assert_fail_base
/build/glibc-LK5gWL/glibc-2.23/assert/assert.c:92:0
 #8 0x00007f55397a8c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
 #9 0x0000000004224460 findBaseDefiningValue(llvm::Value*)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:529:0
#10 0x00000000042247cb findBaseDefiningValueCached(llvm::Value*,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:614:0
#11 0x000000000422491c findBaseOrBDV(llvm::Value*,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:625:0
#12 0x0000000004225372 findBasePointer(llvm::Value*,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > >
>&)::'lambda0'(llvm::Value*)::operator()(llvm::Value*) const
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:815:0
#13 0x00000000042260d6 findBasePointer(llvm::Value*,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:826:0
#14 0x0000000004227d04 findBasePointers(llvm::SetVector<llvm::Value*,
std::vector<llvm::Value*, std::allocator<llvm::Value*> >,
llvm::DenseSet<llvm::Value*, llvm::DenseMapInfo<llvm::Value*> > > const&,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&,
llvm::DominatorTree*, llvm::MapVector<llvm::Value*, llvm::Value*,
llvm::DenseMap<llvm::Value*, unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:1163:0
#15 0x0000000004227e57 findBasePointers(llvm::DominatorTree&,
llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*,
unsigned int, llvm::DenseMapInfo<llvm::Value*>,
llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >,
std::vector<std::pair<llvm::Value*, llvm::Value*>,
std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&, llvm::CallBase*,
(anonymous namespace)::PartiallyConstructedSafepointRecord&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:1181:0
#16 0x000000000422cdfb insertParsePoints(llvm::Function&, llvm::DominatorTree&,
llvm::TargetTransformInfo&, llvm::SmallVectorImpl<llvm::CallBase*>&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:2230:0
#17 0x000000000422e984
llvm::RewriteStatepointsForGC::runOnFunction(llvm::Function&,
llvm::DominatorTree&, llvm::TargetTransformInfo&, llvm::TargetLibraryInfo
const&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:2626:0
#18 0x00000000042237d7 (anonymous
namespace)::RewriteStatepointsForGCLegacyPass::runOnModule(llvm::Module&)
/home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:191:0
#19 0x0000000003a69eb7 (anonymous
namespace)::MPPassManager::runOnModule(llvm::Module&)
/home/wenzhuo/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1752:0
#20 0x0000000003a6a659 llvm::legacy::PassManagerImpl::run(llvm::Module&)
/home/wenzhuo/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1865:0
#21 0x0000000003a6a85f llvm::legacy::PassManager::run(llvm::Module&)
/home/wenzhuo/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1897:0
#22 0x0000000001bc91c0 main
/home/wenzhuo/llvm-project/llvm/tools/opt/opt.cpp:899:0
#23 0x00007f553979b830 __libc_start_main
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:325:0
#24 0x0000000001b8b1e9 _start (/usr/local/bin/opt+0x1b8b1e9)
Aborted (core dumped)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20190717/8bfb7663/attachment-0001.html>

More information about the llvm-bugs mailing list