[PATCH] D101175: [lld-macho] Fix use-after-free in loadDylib()
Jez Ng via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Fri Apr 23 09:12:31 PDT 2021
int3 created this revision.
int3 added a reviewer: lld-macho.
Herald added a project: lld-macho.
int3 requested review of this revision.
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.
We were taking a reference to a value in `loadedDylibs`, which in turn
called `make<DylibFile>()`, which could then recursively call
`loadDylibs`, which would then potentially resize `loadedDylibs` and
invalidate that reference.
Fixes PR50101.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D101175
Files:
lld/MachO/DriverUtils.cpp
Index: lld/MachO/DriverUtils.cpp
===================================================================
--- lld/MachO/DriverUtils.cpp
+++ lld/MachO/DriverUtils.cpp
@@ -185,8 +185,8 @@
Optional<DylibFile *> macho::loadDylib(MemoryBufferRef mbref,
DylibFile *umbrella,
bool isBundleLoader) {
- StringRef path = mbref.getBufferIdentifier();
- DylibFile *&file = loadedDylibs[CachedHashStringRef(path)];
+ CachedHashStringRef path(mbref.getBufferIdentifier());
+ DylibFile *file = loadedDylibs[path];
if (file)
return file;
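Review bot: The switch from `DylibFile *&file` to a by-value `DylibFile *file` is the actual fix, since the reference pointed into `loadedDylibs` storage that the recursive `loadDylib()` call could reallocate; the cache-hit early return (`if (file) return file;`) still works with the copy. One remaining point in this hunk: `loadedDylibs[path]` uses `operator[]`, which inserts a null entry on a miss, so any path that returns without reaching the final store leaves a `nullptr` value keyed on `path`. If that is not intended, consider `loadedDylibs.lookup(path)` here so the map is only written in the success path at the end of the function.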
@@ -206,6 +206,11 @@
magic == file_magic::macho_bundle);
file = make<DylibFile>(mbref, umbrella, isBundleLoader);
}
+ // Note that DylibFile's ctor may recursively invoke loadDylib(), which can
+ // cause loadedDylibs to get resized and its iterators invalidated. As such,
+ // we redo the key lookup here instead of caching an iterator from our earlier
+ // lookup at the start of the function.
+ loadedDylibs[path] = file;
return file;
}
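Review bot: The new comment says "its iterators invalidated", but the code that was removed held a reference (`DylibFile *&`), not an iterator; suggest "references and iterators invalidated" so the comment matches the bug being fixed. It would also help to spell out the consequence of the recursion for cyclic dylib dependencies: if the `DylibFile` ctor re-enters `loadDylib()` with the same `path` before `loadedDylibs[path] = file;` runs, the nested call sees the null placeholder and constructs a second `DylibFile`, and the unconditional store at the end then overwrites whatever the nested call cached. If a cycle is possible, a `DylibFile *&` re-fetched after construction, or an `insert()` whose result is checked, would make that case explicit rather than silently replacing the entry.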