[llvm] [Windows] Avoid loading shared libraries from load directory (PR #90520)

Daniel Paoliello via llvm-commits llvm-commits at lists.llvm.org
Mon Apr 29 16:27:04 PDT 2024


================
@@ -43,6 +43,10 @@ InitLLVM::InitLLVM(int &Argc, const char **&Argv,
   assert(!Initialized && "InitLLVM was already initialized!");
   Initialized = true;
 #endif
+#ifdef _WIN32
+  // Avoid searching the directory from which the application is loaded.
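Review bot: The comment added under `#ifdef _WIN32` says what is avoided but not why, and it does not say which loads are covered. Because this code runs inside the `InitLLVM` constructor, it can only affect libraries loaded after that point, so the comment should name the threat being addressed and state that dependencies resolved at process start are outside its reach.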
----------------
dpaoliello wrote:

Loading DLLs from the directory where the application is loaded is not a security vulnerability: the attacker hasn't gained anything.

If the attacker has the ability to write to the directory where the application is loaded then they don't have to play games with dropping binaries with names that collide with the system - they can modify the application's binary instead.

Furthermore, changing the behavior of `LoadLibrary` doesn't help with the system libraries that are loaded statically; for that you need the `/DEPENDENTLOADFLAG` linker flag.

https://github.com/llvm/llvm-project/pull/90520
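
An added example, not part of the original message or of LLVM's code: a Python check that reads the `DependentLoadFlags` field which `/DEPENDENTLOADFLAG` sets in a PE image's load configuration, so a build output can be audited for it. The function names and the sample image are constructed for illustration; the field offsets (54 for PE32, 78 for PE32+) are taken from the Windows SDK `IMAGE_LOAD_CONFIG_DIRECTORY` layouts.

```python
import struct

LOAD_CONFIG_DIR = 10                   # index of the load-config data directory
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x0800  # value passed as /DEPENDENTLOADFLAG:0x800

def dependent_load_flags(pe: bytes):
    """Return the image's DependentLoadFlags, or None if it has no such field."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header")
    plus = magic == 0x20B                                  # PE32+ (64-bit)
    dirs = opt + (112 if plus else 96)
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]      # NumberOfRvaAndSizes
    if ndirs <= LOAD_CONFIG_DIR:
        return None
    rva = struct.unpack_from("<I", pe, dirs + 8 * LOAD_CONFIG_DIR)[0]
    if rva == 0:                                           # no load config at all
        return None
    for i in range(nsect):                                 # map RVA to file offset
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            cfg = rptr + rva - vaddr
            field = 78 if plus else 54                     # DependentLoadFlags offset
            if struct.unpack_from("<I", pe, cfg)[0] < field + 2:
                return None                                # older, shorter structure
            return struct.unpack_from("<H", pe, cfg + field)[0]
    return None

def sample_image(flags: int) -> bytes:
    """Constructed minimal PE32+ skeleton carrying only what the parser reads."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x8664, 1)          # machine, 1 section
    struct.pack_into("<H", img, 0x54, 240)                 # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x20B)
    struct.pack_into("<I", img, 0x58 + 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 112 + 80, 0x1000, 0x100)
    struct.pack_into("<4I", img, 0x148 + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x200, 0x100)              # load-config Size
    struct.pack_into("<H", img, 0x200 + 78, flags)
    return bytes(img)
```

A result of `None` or `0` means the image's import-table dependencies are resolved with the default search order, whatever the program later does at run time.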