This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lld/MachO/
-
MachO/
-
DriverUtils.cpp

Differential D101175

[lld-macho] Fix use-after-free in loadDylib()
ClosedPublic

Authored by int3 on Apr 23 2021, 9:12 AM.

Download Raw Diff

Details

Reviewers

oontvoo

Group Reviewers

Restricted Project

Commits

rG3fe5c3b0189f: [lld-macho] Fix use-after-free in loadDylib()

Summary

We were taking a reference to a value in loadedDylibs, which in turn
called make<DylibFile>(), which could then recursively call
loadDylibs, which would then potentially resize loadedDylibs and
invalidate that reference.

Fixes PR50101.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

int3 created this revision.Apr 23 2021, 9:12 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 23 2021, 9:12 AM

int3 requested review of this revision.Apr 23 2021, 9:12 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 23 2021, 9:12 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

LGTM - good catch! Is there not any sanitizers build that would've caught this?

This revision is now accepted and ready to land.Apr 23 2021, 9:18 AM

Harbormaster completed remote builds in B100595: Diff 340067.Apr 23 2021, 11:47 AM

Is there not any sanitizers build that would've caught this?

It *was* caught by a sanitizer in PR50101. The tricky bit here is that our tests don't trigger a hashmap resize (since the inputs are small), so the ASAN contbuilds didn't catch it.

(Maybe there's value in having a test mode where hashmaps are aggressively resized/rehashed, e.g. on every write. Much like how llvm::sort forces std::sort to be unstable to catch nondeterminism...)

Closed by commit rG3fe5c3b0189f: [lld-macho] Fix use-after-free in loadDylib() (authored by int3). · Explain WhyApr 23 2021, 3:06 PM

This revision was automatically updated to reflect the committed changes.

int3 added a commit: rG3fe5c3b0189f: [lld-macho] Fix use-after-free in loadDylib().

Thanks :)

Revision Contents

Path

Size

lld/

MachO/

DriverUtils.cpp

9 lines

Diff 340067

lld/MachO/DriverUtils.cpp

	Show First 20 Lines • Show All 179 Lines • ▼ Show 20 Lines

	// It's not uncommon to have multiple attempts to load a single dylib,			// It's not uncommon to have multiple attempts to load a single dylib,
	// especially if it's a commonly re-exported core library.			// especially if it's a commonly re-exported core library.
	static DenseMap<CachedHashStringRef, DylibFile *> loadedDylibs;			static DenseMap<CachedHashStringRef, DylibFile *> loadedDylibs;

	Optional<DylibFile *> macho::loadDylib(MemoryBufferRef mbref,			Optional<DylibFile *> macho::loadDylib(MemoryBufferRef mbref,
	DylibFile *umbrella,			DylibFile *umbrella,
	bool isBundleLoader) {			bool isBundleLoader) {
	StringRef path = mbref.getBufferIdentifier();			CachedHashStringRef path(mbref.getBufferIdentifier());
	DylibFile *&file = loadedDylibs[CachedHashStringRef(path)];			DylibFile *file = loadedDylibs[path];
	if (file)			if (file)
	return file;			return file;

	file_magic magic = identify_magic(mbref.getBuffer());			file_magic magic = identify_magic(mbref.getBuffer());
	if (magic == file_magic::tapi_file) {			if (magic == file_magic::tapi_file) {
	Expected<std::unique_ptr<InterfaceFile>> result = TextAPIReader::get(mbref);			Expected<std::unique_ptr<InterfaceFile>> result = TextAPIReader::get(mbref);
	if (!result) {			if (!result) {
	error("could not load TAPI file at " + mbref.getBufferIdentifier() +			error("could not load TAPI file at " + mbref.getBufferIdentifier() +
	": " + toString(result.takeError()));			": " + toString(result.takeError()));
	return {};			return {};
	}			}
	file = make<DylibFile>(**result, umbrella, isBundleLoader);			file = make<DylibFile>(**result, umbrella, isBundleLoader);
	} else {			} else {
	assert(magic == file_magic::macho_dynamically_linked_shared_lib \|\|			assert(magic == file_magic::macho_dynamically_linked_shared_lib \|\|
	magic == file_magic::macho_dynamically_linked_shared_lib_stub \|\|			magic == file_magic::macho_dynamically_linked_shared_lib_stub \|\|
	magic == file_magic::macho_executable \|\|			magic == file_magic::macho_executable \|\|
	magic == file_magic::macho_bundle);			magic == file_magic::macho_bundle);
	file = make<DylibFile>(mbref, umbrella, isBundleLoader);			file = make<DylibFile>(mbref, umbrella, isBundleLoader);
	}			}
				// Note that DylibFile's ctor may recursively invoke loadDylib(), which can
				// cause loadedDylibs to get resized and its iterators invalidated. As such,
				// we redo the key lookup here instead of caching an iterator from our earlier
				// lookup at the start of the function.
				loadedDylibs[path] = file;
	return file;			return file;
	}			}

	Optional<InputFile *> macho::loadArchiveMember(MemoryBufferRef mb,			Optional<InputFile *> macho::loadArchiveMember(MemoryBufferRef mb,
	uint32_t modTime,			uint32_t modTime,
	StringRef archiveName,			StringRef archiveName,
	bool objCOnly) {			bool objCOnly) {
	switch (identify_magic(mb.getBuffer())) {			switch (identify_magic(mb.getBuffer())) {
	▲ Show 20 Lines • Show All 81 Lines • Show Last 20 Lines