This is an archive of the discontinued LLVM Phabricator instance.

Differential D129840

Avoid UAF in WinCOFFObjectWriter with weak symbols.
ClosedPublic

Authored by maleadt on Jul 15 2022, 1:46 AM.

Details

Reviewers
mstorsjo
Commits
rGc71d77876f52: [MC] Avoid UAF in WinCOFFObjectWriter with weak symbols.
Summary

When using weak symbols, the WinCOFFObjectWriter keeps a list (WeakDefaults)
that's used to make names unique. This list should be reset when the object
writer is reset, because otherwise reuse of the object writer can result in
freed symbols being accessed. With some added output, this becomes clear when
using llc in --run-twice mode:

$ ./llc --compile-twice -mtriple=x86_64-pc-win32 trivial.ll -filetype=obj

DefineSymbol::WeakDefaults
 - .weak.foo.default
 - .weak.bar.default

DefineSymbol::WeakDefaults
 - .weak.foo.default
 - áÑJij⌂  p§┼Ø┐☺
 - .debug_macinfo.dw
 - .weak.bar.default

This does not seem to leak into the output object file though, so I couldn't
come up with a test. I added one that just does --run-twice (and verified
that it does access freed memory), which should result in detecting the
invalid memory accesses when running under ASAN.

Observed in a Julia PR where we started using weak symbols:
https://github.com/JuliaLang/julia/pull/45649

Diff Detail

Event Timeline

maleadt created this revision.Jul 15 2022, 1:46 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 15 2022, 1:46 AM
Herald added subscribers: jsji, pengfei, hiraditya. · View Herald Transcript
maleadt requested review of this revision.Jul 15 2022, 1:46 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 15 2022, 1:46 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
maleadt added a project: Restricted Project.Jul 15 2022, 1:47 AM
maleadt added a reviewer: mstorsjo.
Harbormaster completed remote builds in B175592: Diff 444916.Jul 15 2022, 3:44 AM
mstorsjo accepted this revision.Jul 15 2022, 6:18 AM

LGTM, thanks! Do you have commit access, or do you want me to push it for you? In that case, can you provide your preferred git author line (Real Name <email@address>)?

This revision is now accepted and ready to land.Jul 15 2022, 6:18 AM
maleadt planned changes to this revision.Jul 15 2022, 7:08 AM

Looks like I botched the test here (missing a RUN directive), so let me update that first.

I don't have commit access; you can use Tim Besard <tim.besard@gmail.com>.

maleadt updated this revision to Diff 444974.Jul 15 2022, 7:11 AM

Fix test.

This revision is now accepted and ready to land.Jul 15 2022, 7:11 AM
Harbormaster completed remote builds in B175632: Diff 444974.Jul 15 2022, 8:02 AM
maleadt updated this revision to Diff 445017.Jul 15 2022, 9:22 AM

Fix tests again.

Harbormaster completed remote builds in B175668: Diff 445017.Jul 15 2022, 11:45 AM
Closed by commit rGc71d77876f52: [MC] Avoid UAF in WinCOFFObjectWriter with weak symbols. (authored by maleadt, committed by mstorsjo). · Explain WhyJul 16 2022, 3:26 AM
This revision was automatically updated to reflect the committed changes.
mstorsjo added a commit: rGc71d77876f52: [MC] Avoid UAF in WinCOFFObjectWriter with weak symbols..

Revision Contents

PathSize
llvm/
lib/
MC/
1 line
test/
MC/
COFF/
12 lines

Diff 445219

llvm/lib/MC/WinCOFFObjectWriter.cpp

Show First 20 LinesShow All 163 Lines▼ Show 20 Linespublic:
void reset() override { void reset() override {
memset(&Header, 0, sizeof(Header)); memset(&Header, 0, sizeof(Header));
Header.Machine = TargetObjectWriter->getMachine(); Header.Machine = TargetObjectWriter->getMachine();
Sections.clear(); Sections.clear();
Symbols.clear(); Symbols.clear();
Strings.clear(); Strings.clear();
SectionMap.clear(); SectionMap.clear();
SymbolMap.clear(); SymbolMap.clear();
WeakDefaults.clear();
MCObjectWriter::reset(); MCObjectWriter::reset();
} }
COFFSymbol *createSymbol(StringRef Name); COFFSymbol *createSymbol(StringRef Name);
COFFSymbol *GetOrCreateCOFFSymbol(const MCSymbol *Symbol); COFFSymbol *GetOrCreateCOFFSymbol(const MCSymbol *Symbol);
COFFSection *createSection(StringRef Name); COFFSection *createSection(StringRef Name);
void defineSection(MCSectionCOFF const &Sec, const MCAsmLayout &Layout); void defineSection(MCSectionCOFF const &Sec, const MCAsmLayout &Layout);
▲ Show 20 LinesShow All 997 LinesShow Last 20 Lines

llvm/test/MC/COFF/weak-uaf.ll

  • This file was added.
; RUN: llc --compile-twice -mtriple=x86_64-pc-win32 -filetype=obj < %s
; UAF when re-using the MCObjectWriter. does not leak into the output,
; but should be detectable with --compile-twice under ASAN or so.
define weak void @foo() nounwind {
ret void
}
define weak void @bar() nounwind {
ret void
}