[llvm] [GlobalIsel] zero out State.DL to fix use-after-free (PR #76693)

via llvm-commits llvm-commits at lists.llvm.org
Mon Jan 1 15:57:49 PST 2024


https://github.com/DavidKorczynski created https://github.com/llvm/llvm-project/pull/76693

llvm-isel-fuzzer--aarch64-gisel is running into a UAF and this fixes it. I'm not familiar in detail with this part of the codebase, however, it seems that `State.DL` may carry data that causes a UAF.

The UAF details:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64761

The problem occurs over two iterations of the
[llvm-isel-fuzzer](https://github.com/llvm/llvm-project/blob/main/llvm/tools/llvm-isel-fuzzer/llvm-isel-fuzzer.cpp#L81) and it's due to the DILocation embedded in the `State.DL`. The problem is that the `DILocation` pointer is freed when the fuzzer destructs the `LLVMContext Context`, however, it seems some memory is reused in the next iteration of the fuzzer, which causes the UAF. Ensuring the memory is zeroed and emptying the `DistinctMDNodes` fixes the UAF.

From 817c4718da33dd673c02182c5c812a5fd6d08dd0 Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Mon, 1 Jan 2024 15:52:37 -0800
Subject: [PATCH] [GlobalIsel] zero out State.DL to fix UAF

llvm-isel-fuzzer--aarch64-gisel is running into a UAF and this fixes it.
I'm not familiar in detail with this part of the codebase, however, it
seems that `State.DL` may carry data that causes a UAF.

The UAF details:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64761

The problem occurs over two iterations of the
[llvm-isel-fuzzer](https://github.com/llvm/llvm-project/blob/main/llvm/tools/llvm-isel-fuzzer/llvm-isel-fuzzer.cpp#L81)
and it's due to the DILocation embedded in the `State.DL`. The problem
is that the `DILocation` pointer is freed when the fuzzer destructs the
`LLVMContext Context`, however, it seems some memory is reused in the
next iteration of the fuzzer, which causes the UAF. Ensuring the memory
is zeroed and emptying the `DistinctMDNodes` fixes the UAF.

Signed-off-by: David Korczynski <david at adalogics.com>
---
 llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp | 2 ++
 llvm/lib/IR/LLVMContextImpl.cpp                  | 1 +
 2 files changed, 3 insertions(+)

diff --git a/llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp b/llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp
index a5827c26c04f48..bf292de6b5a99b 100644
--- a/llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp
+++ b/llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp
@@ -26,6 +26,8 @@ void MachineIRBuilder::setMF(MachineFunction &MF) {
   State.MBB = nullptr;
   State.MRI = &MF.getRegInfo();
   State.TII = MF.getSubtarget().getInstrInfo();
+  // Ensure State.DL is zeroed to avoid potential UAF
+  memset(&(State.DL), 0, sizeof(DebugLoc));
   State.DL = DebugLoc();
   State.PCSections = nullptr;
   State.II = MachineBasicBlock::iterator();
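Review bot: `memset(&(State.DL), 0, sizeof(DebugLoc))` is undefined behaviour in C++ because DebugLoc is not trivially copyable (it wraps a TrackingMDNodeRef whose destructor and assignment operator are meant to run), and it bypasses exactly the invariants the next line `State.DL = DebugLoc();` relies on. If that assignment currently faults, it is because State.DL still holds a pointer to a DILocation that was freed together with its LLVMContext; zeroing the bytes hides the dangling reference rather than removing it. The fix belongs with the owner of the MachineIRBuilder, which must not keep State alive across the destruction of the LLVMContext (for the fuzzer, reset or recreate the builder per iteration), or at minimum the comment should name that lifetime hazard instead of "potential UAF". Also, `memset` needs `<cstring>` and this hunk adds no include; please confirm one is already present in this file.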
diff --git a/llvm/lib/IR/LLVMContextImpl.cpp b/llvm/lib/IR/LLVMContextImpl.cpp
index 15c90a4fe7b2ec..928bd26d35aef9 100644
--- a/llvm/lib/IR/LLVMContextImpl.cpp
+++ b/llvm/lib/IR/LLVMContextImpl.cpp
@@ -74,6 +74,7 @@ LLVMContextImpl::~LLVMContextImpl() {
   for (auto *I : CLASS##s)                                                     \
     I->dropAllReferences();
 #include "llvm/IR/Metadata.def"
+  DistinctMDNodes.clear();
 
   // Also drop references that come from the Value bridges.
   for (auto &Pair : ValuesAsMetadata)
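Review bot: `DistinctMDNodes.clear()` only empties the vector of pointers; it does not free the nodes. If the remainder of this destructor (outside the hunk) still deletes the distinct nodes by iterating DistinctMDNodes, clearing the list here means those nodes are never deleted, and the reported UAF disappears only because the DILocation the MachineIRBuilder still points at is leaked instead of freed. That changes behaviour for every LLVMContext, not just the fuzzer. Please either drop this line or state in the commit message why discarding the list after dropping references is correct; running the reproducer with LeakSanitizer enabled would show whether this trades the use-after-free for a leak.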
