[llvm] [GlobalIsel] zero out State.DL to fix use-after-free (PR #76693)

via llvm-commits llvm-commits at lists.llvm.org
Mon Jan 1 15:58:17 PST 2024 

llvmbot wrote:


<!--LLVM PR SUMMARY COMMENT-->

@llvm/pr-subscribers-llvm-globalisel

Author: None (DavidKorczynski)

<details>
<summary>Changes</summary>

llvm-isel-fuzzer--aarch64-gisel is running into a UAF and this fixes it. I'm not familiar in detail with this part of the codebase, however, it seems that `State.DL` may carry data that causes a UAF.

The UAF details:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64761

The problem occurs over two iterations of the
[llvm-isel-fuzzer](https://github.com/llvm/llvm-project/blob/main/llvm/tools/llvm-isel-fuzzer/llvm-isel-fuzzer.cpp#L81) and it's due to the DILocation embedded in the `State.DL`. The problem is that the `DILocation` pointer is freed when the fuzzer destructs the `LLVMContext Context`, however, it seems some memory is reused in the next iteration of the fuzzer, which causes the UAF. Ensuring the memory is zerod and emptying the `DistinctMDNodes` fixes the UAF.

---
Full diff: https://github.com/llvm/llvm-project/pull/76693.diff


2 Files Affected:

- (modified) llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp (+2) 
- (modified) llvm/lib/IR/LLVMContextImpl.cpp (+1) 


``````````diff
diff --git a/llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp b/llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp
index a5827c26c04f48..bf292de6b5a99b 100644
--- a/llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp
+++ b/llvm/lib/CodeGen/GlobalISel/MachineIRBuilder.cpp
@@ -26,6 +26,8 @@ void MachineIRBuilder::setMF(MachineFunction &MF) {
   State.MBB = nullptr;
   State.MRI = &MF.getRegInfo();
   State.TII = MF.getSubtarget().getInstrInfo();
+  // Ensure State.DL is zeroed to avoid potential UAF
+  memset(&(State.DL), 0, sizeof(DebugLoc));
   State.DL = DebugLoc();
   State.PCSections = nullptr;
   State.II = MachineBasicBlock::iterator();
diff --git a/llvm/lib/IR/LLVMContextImpl.cpp b/llvm/lib/IR/LLVMContextImpl.cpp
index 15c90a4fe7b2ec..928bd26d35aef9 100644
--- a/llvm/lib/IR/LLVMContextImpl.cpp
+++ b/llvm/lib/IR/LLVMContextImpl.cpp
@@ -74,6 +74,7 @@ LLVMContextImpl::~LLVMContextImpl() {
   for (auto *I : CLASS##s)                                                     \
     I->dropAllReferences();
 #include "llvm/IR/Metadata.def"
+  DistinctMDNodes.clear();
 
   // Also drop references that come from the Value bridges.
   for (auto &Pair : ValuesAsMetadata)

``````````

</details>


https://github.com/llvm/llvm-project/pull/76693

More information about the llvm-commits mailing list