[compiler-rt] 21a39df - [XRay][compiler-rt] Fix oob memory access in FDR BufferQueue iterator (#90940)

via llvm-commits llvm-commits at lists.llvm.org
Mon May 27 16:33:00 PDT 2024


Author: Ricky Zhou
Date: 2024-05-27T16:32:57-07:00
New Revision: 21a39dfb17a4931d99d9a6d561d596c841d9197a

URL: https://github.com/llvm/llvm-project/commit/21a39dfb17a4931d99d9a6d561d596c841d9197a
DIFF: https://github.com/llvm/llvm-project/commit/21a39dfb17a4931d99d9a6d561d596c841d9197a.diff

LOG: [XRay][compiler-rt] Fix oob memory access in FDR BufferQueue iterator (#90940)

Before this change, the FDR BufferQueue iterator could access oob memory
due to checks of the form `!Buffers[Offset].Used && Offset != Max`. This
allows access to `Buffers[Max]`, which is past the end of the `Buffers`
array. This can lead to crashes when that memory is not mapped. Fix this
by testing `Offset != Max` first.

Added: 
    

Modified: 
    compiler-rt/lib/xray/xray_buffer_queue.h

Removed: 
    


################################################################################
diff  --git a/compiler-rt/lib/xray/xray_buffer_queue.h b/compiler-rt/lib/xray/xray_buffer_queue.h
index e1739d050f3d0..8d33f73576b5e 100644
--- a/compiler-rt/lib/xray/xray_buffer_queue.h
+++ b/compiler-rt/lib/xray/xray_buffer_queue.h
@@ -87,7 +87,7 @@ class BufferQueue {
       DCHECK_NE(Offset, Max);
       do {
         ++Offset;
-      } while (!Buffers[Offset].Used && Offset != Max);
+      } while (Offset != Max && !Buffers[Offset].Used);
       return *this;
     }
 
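Review bot: In the `do { ++Offset; } while (Offset != Max && ...)` loop, the bound is still an inequality test, so the fix holds only while `Offset` can never pass `Max`. The one guard for that is `DCHECK_NE(Offset, Max)` above the loop; if that check is compiled out in a given build, incrementing an end iterator moves `Offset` to `Max + 1`, the `Offset != Max` test passes, and `Buffers[Offset].Used` is read past the array again. Consider `Offset < Max` as the loop condition so the walk stops at the end regardless of the starting value.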
@@ -107,7 +107,7 @@ class BufferQueue {
           Max(M) {
       // We want to advance to the first Offset where the 'Used' property is
       // true, or to the end of the list/queue.
-      while (!Buffers[Offset].Used && Offset != Max) {
+      while (Offset != Max && !Buffers[Offset].Used) {
         ++Offset;
       }
     }
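Review bot: The reordered `while (Offset != Max && !Buffers[Offset].Used)` in the constructor ships without a regression test; the commit lists `xray_buffer_queue.h` as the only modified file. A unit test that iterates a queue in which no buffer, or only the leading buffers, has `Used` set would force both this loop and `operator++` to stop at `Max`, and running it under a sanitizer would catch a return to the old operand order. A short addition to the existing comment saying that the bounds test must come first would also help, since the two operands look interchangeable to a later reader.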


        

