[llvm] 6f43255 - Fix buffer-overflow in llvm-mt's notify_update feature.

Mitch Phillips via llvm-commits llvm-commits at lists.llvm.org
Tue Dec 6 13:46:13 PST 2022 

Author: Mitch Phillips
Date: 2022-12-06T13:45:57-08:00
New Revision: 6f43255edb9eadd6e7b0fba61165a5fd352a0b6d

URL: https://github.com/llvm/llvm-project/commit/6f43255edb9eadd6e7b0fba61165a5fd352a0b6d
DIFF: https://github.com/llvm/llvm-project/commit/6f43255edb9eadd6e7b0fba61165a5fd352a0b6d.diff

LOG: Fix buffer-overflow in llvm-mt's notify_update feature.

The 3-parameter std::equal used in this code access FileBuffer from [0,
OutputBuffer->getBufferEnd() - OutputBuffer->getBufferStart()). If the
size of FileBuffer is shorter than OutputBuffer, this ends up
overflowing.

This wasn't found on the sanitizer buildbots as they use an instrumented
libcxx, and libcxx implements std::equal using a loop. libstdc++ on my
local macine finds the bug, as it implements std::equal using bcmp(),
which ASan intercepts and does a range check.

The existing test doesn't technically do a buffer-overflow, but the code
definitely can. If OutputBuffer was "AAABBB" and FileBuffer was "AAA",
then the code would overflow.

Reviewed By: abrachet

Differential Revision: https://reviews.llvm.org/D139457

Added: 
    

Modified: 
    llvm/tools/llvm-mt/llvm-mt.cpp

Removed: 
    


################################################################################
diff  --git a/llvm/tools/llvm-mt/llvm-mt.cpp b/llvm/tools/llvm-mt/llvm-mt.cpp
index aa7582b5d9967..051a09fd3f8b9 100644
--- a/llvm/tools/llvm-mt/llvm-mt.cpp
+++ b/llvm/tools/llvm-mt/llvm-mt.cpp
@@ -150,9 +150,9 @@ int llvm_mt_main(int Argc, char **Argv) {
     bool Same = false;
     if (OutBuffOrErr) {
       const std::unique_ptr<MemoryBuffer> &FileBuffer = *OutBuffOrErr;
-      Same = std::equal(OutputBuffer->getBufferStart(),
-                        OutputBuffer->getBufferEnd(),
-                        FileBuffer->getBufferStart());
+      Same = std::equal(
+          OutputBuffer->getBufferStart(), OutputBuffer->getBufferEnd(),
+          FileBuffer->getBufferStart(), FileBuffer->getBufferEnd());
     }
     if (!Same) {
 #if LLVM_ON_UNIX

More information about the llvm-commits mailing list