[PATCH] D58926: [libc++] Fix use-after-free when building with _LIBCPP_DEBUG=1

Tom Anderson via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Mar 4 15:04:35 PST 2019


thomasanderson created this revision.
thomasanderson added reviewers: EricWF, llvm-commits.
Herald added subscribers: libcxx-commits, ldionne.

The issue is the following code:

  __cn1->__add(*__ip);
  (*__ip)->__c_ = __cn1;

`__ip` points into the array of iterators for container `__cn2`.  This code adds
the iterator to the array of iterators for `__cn1`, and updates the iterator to
point to the new container.

This code works fine, except when `__cn1` and `__cn2` are the same container.
`__cn1->__add()` might need to grow the array of iterators, and when it does,
`__ip` becomes invalid, so the second line becomes a use-after-free error.

Simply swapping the order of the above two lines is not sufficient, because of
the memmove() below.  The easiest and most performant solution is just to skip
touching any iterators if the containers are the same.


Repository:
  rCXX libc++

https://reviews.llvm.org/D58926

Files:
  include/list

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D58926.189210.patch
Type: text/x-patch
Size: 4873 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20190304/11f3778b/attachment.bin>


More information about the llvm-commits mailing list