[PATCH] D129840: Avoid UAF in WinCOFFObjectWriter with weak symbols.

Tim Besard via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Jul 15 01:46:12 PDT 2022


maleadt created this revision.
Herald added subscribers: jsji, pengfei, hiraditya.
Herald added a project: All.
maleadt requested review of this revision.
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.

When using weak symbols, the WinCOFFObjectWriter keeps a list (`WeakDefaults`)
that's used to make names unique. This list should be reset when the object
writer is reset, because otherwise reuse of the object writer can result in
freed symbols being accessed. With some added output, this becomes clear when
using `llc` in `--run-twice` mode:

  $ ./llc --compile-twice -mtriple=x86_64-pc-win32 trivial.ll -filetype=obj
  
  DefineSymbol::WeakDefaults
   - .weak.foo.default
   - .weak.bar.default
  
  DefineSymbol::WeakDefaults
   - .weak.foo.default
   - áÑJij⌂  p§┼Ø┐☺
   - .debug_macinfo.dw
   - .weak.bar.default

This does not seem to leak into the output object file though, so I couldn't
come up with a test. I added one that just does `--run-twice` (and verified
that it does access freed memory), which should result in detecting the
invalid memory accesses when running under ASAN.

Observed in a Julia PR where we started using weak symbols:
https://github.com/JuliaLang/julia/pull/45649
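As an added illustration (it is not the patch author's code nor anything in LLVM), the following reduced C++ model shows why a per-object cache of symbol pointers must be cleared in `reset()` when the writer is reused. `Symbol`, `Context`, `WeakDefaultWriter` and `compileTwice` are hypothetical stand-ins for MCSymbol, MCContext, the object writer and `llc --compile-twice`; the name-uniquing logic is a simplification, and symbols are kept in a never-freed arena and marked dead instead of actually being freed, so the model runs deterministically without a sanitizer.

```cpp
// Added illustration, not LLVM code: a reduced model of the reset bug.
// Symbol, Context and WeakDefaultWriter are hypothetical stand-ins for
// MCSymbol, MCContext and WinCOFFObjectWriter.
#include <cstdio>
#include <deque>
#include <set>
#include <string>
#include <vector>

struct Symbol {
  std::string Name;
  bool Alive;  // models "not yet freed"
};

// Program-wide arena so that a pointer kept past its Context's lifetime can
// still be inspected safely. In real MC the same pointer would read freed
// memory (the garbage names in the patch description).
static std::deque<Symbol> &arena() {
  static std::deque<Symbol> A;
  return A;
}

// Owns the symbols of one compilation, like MCContext. When it goes away its
// symbols are marked dead, standing in for being freed.
struct Context {
  std::vector<Symbol *> Owned;
  Symbol *create(const std::string &Name) {
    arena().push_back(Symbol{Name, true});
    Owned.push_back(&arena().back());
    return Owned.back();
  }
  ~Context() {
    for (Symbol *S : Owned) S->Alive = false;
  }
};

// Keeps raw pointers to the ".weak.<name>.default" symbols it has defined,
// like the writer's WeakDefaults set, to detect and rename collisions.
class WeakDefaultWriter {
  std::set<const Symbol *> WeakDefaults;
  bool ClearOnReset;

public:
  explicit WeakDefaultWriter(bool Fixed) : ClearOnReset(Fixed) {}

  // Pick a default name no remembered weak default already uses, create the
  // symbol in Ctx and remember it.
  std::string defineWeak(Context &Ctx, const std::string &Name) {
    std::string Base = ".weak." + Name + ".default";
    std::string Candidate = Base;
    for (unsigned Suffix = 1; isTaken(Candidate); ++Suffix)
      Candidate = Base + "." + std::to_string(Suffix);
    WeakDefaults.insert(Ctx.create(Candidate));
    return Candidate;
  }

  // Per-object state must be dropped here; the patch adds the clear().
  void reset() {
    if (ClearOnReset) WeakDefaults.clear();
  }

  // Cached pointers whose symbol no longer belongs to a live context.
  size_t staleEntries() const {
    size_t N = 0;
    for (const Symbol *S : WeakDefaults)
      if (!S->Alive) ++N;
    return N;
  }

private:
  // Dereferences every cached pointer; in the real writer this read of a
  // symbol from a destroyed context is the use-after-free.
  bool isTaken(const std::string &Candidate) const {
    for (const Symbol *S : WeakDefaults)
      if (S->Name == Candidate) return true;
    return false;
  }
};

struct TwoRunResult {
  size_t Stale;                    // dangling entries after the second run
  std::vector<std::string> Names;  // weak default names of the second run
};

// Compile the same two weak symbols twice through one writer, resetting it
// in between, the way llc --compile-twice reuses the object writer.
TwoRunResult compileTwice(bool Fixed) {
  WeakDefaultWriter W(Fixed);
  {
    Context First;
    W.defineWeak(First, "foo");
    W.defineWeak(First, "bar");
  }  // First's symbols are now "freed"
  W.reset();
  Context Second;
  TwoRunResult R;
  R.Names.push_back(W.defineWeak(Second, "foo"));
  R.Names.push_back(W.defineWeak(Second, "bar"));
  R.Stale = W.staleEntries();
  return R;
}

int main() {
  for (bool Fixed : {false, true}) {
    TwoRunResult R = compileTwice(Fixed);
    std::printf("%s reset: %zu stale entries, second run named %s and %s\n",
                Fixed ? "fixed" : "buggy", R.Stale, R.Names[0].c_str(),
                R.Names[1].c_str());
  }
  return 0;
}
```

With the buggy writer the second run still sees the two entries from the first compilation, so it reports two stale pointers and renames its own defaults to avoid a collision with dead symbols; with the clear in `reset()` it sees none and reproduces the first run's names. The model keeps dead names readable only so the hazard is deterministic; in the real writer those entries point at freed MCContext memory, which is why the second `DefineSymbol::WeakDefaults` dump in the description shows garbage and why ASan, rather than the object file, is where the regression is visible.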


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D129840

Files:
  llvm/lib/MC/WinCOFFObjectWriter.cpp
  llvm/test/MC/COFF/weak-uaf.ll


Index: llvm/test/MC/COFF/weak-uaf.ll
===================================================================
--- /dev/null
+++ llvm/test/MC/COFF/weak-uaf.ll
@@ -0,0 +1,12 @@
+; llc --compile-twice -mtriple=x86_64-pc-win32 trivial.ll -filetype=obj
+
+; UAF when re-using the MCObjectWriter. does not leak into the output,
+; but should be detectable with --compile-twice under ASAN or so.
+
+define weak void @foo() nounwind {
+  ret void
+}
+
+define weak void @bar() nounwind {
+  ret void
+}
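Review bot: the test has no `; RUN:` line, so lit will never execute it; the llc invocation on the first line is only a comment, and it names `trivial.ll` rather than the test file itself. Turn it into a RUN line that uses `%s`, for example `; RUN: llc --compile-twice -mtriple=x86_64-pc-win32 -filetype=obj %s -o /dev/null`, so `check-llvm` actually exercises the writer twice and an ASan build trips on the stale entries. The comment should also state plainly that the test only fails under a sanitizer, since the description notes the stale entries never reach the object file, so a plain build passes with or without the fix. Finally, the description calls the option `--run-twice` while the test uses `--compile-twice`; align the wording on the option llc accepts.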
Index: llvm/lib/MC/WinCOFFObjectWriter.cpp
===================================================================
--- llvm/lib/MC/WinCOFFObjectWriter.cpp
+++ llvm/lib/MC/WinCOFFObjectWriter.cpp
@@ -169,6 +169,7 @@
     Strings.clear();
     SectionMap.clear();
     SymbolMap.clear();
+    WeakDefaults.clear();
     MCObjectWriter::reset();
   }
 
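Review bot: the clear sits in the right place, before `MCObjectWriter::reset()` and alongside the other per-object maps, but nothing in `reset()` records why it is needed. Add a one-line comment next to `WeakDefaults.clear();` saying that the set refers to symbols owned by the previous compilation and that leaving it populated makes the next `DefineSymbol` read freed symbols; a non-sanitized build never fails on the stale entries, so that comment is the only durable guard against a later refactor dropping the line.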


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D129840.444916.patch
Type: text/x-patch
Size: 836 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20220715/03675229/attachment.bin>


More information about the llvm-commits mailing list