[compiler-rt] [scudo] Fix stack depot validation. (PR #87024)
Christopher Ferris via llvm-commits
llvm-commits at lists.llvm.org
Thu Mar 28 16:58:03 PDT 2024
https://github.com/cferris1000 created https://github.com/llvm/llvm-project/pull/87024
In the StackDepot::isValid function, there is work to validate the TabMask variable. Unfortunately, if TabMask is set to the maximum allowed value, TabSize = TabMask + 1 becomes zero and validation passes.
Disallow that case to prevent invalid reads into the Tab structure.
>From 69f3dd0e88070c00ff95f18f4d5d206ff453dbc2 Mon Sep 17 00:00:00 2001
From: Christopher Ferris <cferris at google.com>
Date: Thu, 28 Mar 2024 16:53:39 -0700
Subject: [PATCH] [scudo] Fix stack depot validation.
In the StackDepot::isValid function, there is work to validate the
TabMask variable. Unfortunately, if TabMask is set to the maximum
allowed value, TabSize = TabMask + 1 becomes zero and validation
passes.
Disallow that case to prevent invalid reads into the Tab structure.
---
compiler-rt/lib/scudo/standalone/stack_depot.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/compiler-rt/lib/scudo/standalone/stack_depot.h b/compiler-rt/lib/scudo/standalone/stack_depot.h
index cf3cabf7085b60..98cd9707a64613 100644
--- a/compiler-rt/lib/scudo/standalone/stack_depot.h
+++ b/compiler-rt/lib/scudo/standalone/stack_depot.h
@@ -112,7 +112,7 @@ class alignas(atomic_u64) StackDepot {
if (TabMask == 0)
return false;
uptr TabSize = TabMask + 1;
- if (!isPowerOfTwo(TabSize))
+ if (TabSize == 0 || !isPowerOfTwo(TabSize))
return false;
uptr TabBytes = sizeof(atomic_u32) * TabSize;
More information about the llvm-commits
mailing list