[llvm] 787a5ef - [memprof] Fix use-after-free in peekBuildIds.

[Snehasish Kumar via llvm-commits]

Author: Snehasish Kumar
Date: 2023-07-12T21:21:35Z
New Revision: 787a5efb020f6020bc9b7610074cbdd55ea824f1

URL: https://github.com/llvm/llvm-project/commit/787a5efb020f6020bc9b7610074cbdd55ea824f1
DIFF: https://github.com/llvm/llvm-project/commit/787a5efb020f6020bc9b7610074cbdd55ea824f1.diff

LOG: [memprof] Fix use-after-free in peekBuildIds.

To check the uniqueness of buildids, we held on to a StringRef of the build id string pushed into the vector. If the number of build ids were large enough to trigger a realloc in the vector then these references where invalidated resulting in a use-after free. This was exposed in downstream usage.

Reviewed By: tejohnson

Differential Revision: https://reviews.llvm.org/D155110

Added: 
    

Modified: 
    llvm/lib/ProfileData/RawMemProfReader.cpp

Removed: 
    


################################################################################
diff  --git a/llvm/lib/ProfileData/RawMemProfReader.cpp b/llvm/lib/ProfileData/RawMemProfReader.cpp
index d247a0fd6f6911..bccb205fb24335 100644
--- a/llvm/lib/ProfileData/RawMemProfReader.cpp
+++ b/llvm/lib/ProfileData/RawMemProfReader.cpp
@@ -552,7 +552,7 @@ RawMemProfReader::peekBuildIds(MemoryBuffer *DataBuffer) {
   // callback is the main program."
   // https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html
   std::vector<std::string> BuildIds;
-  llvm::SmallSet<StringRef, 4> BuildIdsSet;
+  llvm::SmallSet<std::string, 10> BuildIdsSet;
   while (Next < DataBuffer->getBufferEnd()) {
     auto *Header = reinterpret_cast<const memprof::Header *>(Next);
 
@@ -564,7 +564,7 @@ RawMemProfReader::peekBuildIds(MemoryBuffer *DataBuffer) {
       if (BuildIdsSet.contains(Id))
         continue;
       BuildIds.push_back(Id);
-      BuildIdsSet.insert(BuildIds.back());
+      BuildIdsSet.insert(Id);
     }
 
     Next += Header->TotalSize;