This is an archive of the discontinued LLVM Phabricator instance.

Differential D139457

Fix buffer-overflow in llvm-mt's notify_update feature.
ClosedPublic

Authored by hctim on Dec 6 2022, 1:37 PM.

Details

Reviewers
abrachet
phosek
Commits
rG6f43255edb9e: Fix buffer-overflow in llvm-mt's notify_update feature.
Summary

The 3-parameter std::equal used in this code access FileBuffer from [0,
OutputBuffer->getBufferEnd() - OutputBuffer->getBufferStart()). If the
size of FileBuffer is shorter than OutputBuffer, this ends up
overflowing.

This wasn't found on the sanitizer buildbots as they use an instrumented
libcxx, and libcxx implements std::equal using a loop. libstdc++ on my
local macine finds the bug, as it implements std::equal using bcmp(),
which ASan intercepts and does a range check.

The existing test doesn't technically do a buffer-overflow, but the code
definitely can. If OutputBuffer was "AAABBB" and FileBuffer was "AAA",
then the code would overflow.

Diff Detail

Event Timeline

hctim created this revision.Dec 6 2022, 1:37 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 6 2022, 1:37 PM
hctim requested review of this revision.Dec 6 2022, 1:37 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 6 2022, 1:37 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
abrachet accepted this revision.Dec 6 2022, 1:44 PM

Thanks for catching it, there is already D139315 which should address this too. But this is good to go if you want to submit it now

This revision is now accepted and ready to land.Dec 6 2022, 1:44 PM
This revision was landed with ongoing or failed builds.Dec 6 2022, 1:46 PM
Closed by commit rG6f43255edb9e: Fix buffer-overflow in llvm-mt's notify_update feature. (authored by hctim). · Explain Why
This revision was automatically updated to reflect the committed changes.
hctim added a commit: rG6f43255edb9e: Fix buffer-overflow in llvm-mt's notify_update feature..
Harbormaster completed remote builds in B201478: Diff 480604.Dec 6 2022, 10:57 PM
jmmartinez mentioned this in D139315: [NFC][LLVM-MT] Fix buffer-overflow when comparing buffers.Dec 12 2022, 1:10 AM

Revision Contents

PathSize
llvm/
tools/
llvm-mt/
6 lines

Diff 480611

llvm/tools/llvm-mt/llvm-mt.cpp

Show First 20 LinesShow All 144 Lines▼ Show 20 Linesint llvm_mt_main(int Argc, char **Argv) {
if (InputArgs.hasArg(OPT_notify_update)) { if (InputArgs.hasArg(OPT_notify_update)) {
ErrorOr<std::unique_ptr<MemoryBuffer>> OutBuffOrErr = ErrorOr<std::unique_ptr<MemoryBuffer>> OutBuffOrErr =
MemoryBuffer::getFile(OutputFile); MemoryBuffer::getFile(OutputFile);
// Assume if we couldn't open the output file then it doesn't exist meaning // Assume if we couldn't open the output file then it doesn't exist meaning
// there was a change. // there was a change.
bool Same = false; bool Same = false;
if (OutBuffOrErr) { if (OutBuffOrErr) {
const std::unique_ptr<MemoryBuffer> &FileBuffer = *OutBuffOrErr; const std::unique_ptr<MemoryBuffer> &FileBuffer = *OutBuffOrErr;
Same = std::equal(OutputBuffer->getBufferStart(), Same = std::equal(
OutputBuffer->getBufferEnd(), OutputBuffer->getBufferStart(), OutputBuffer->getBufferEnd(),
FileBuffer->getBufferStart()); FileBuffer->getBufferStart(), FileBuffer->getBufferEnd());
} }
if (!Same) { if (!Same) {
#if LLVM_ON_UNIX #if LLVM_ON_UNIX
ExitCode = 0xbb; ExitCode = 0xbb;
#elif defined(_WIN32) #elif defined(_WIN32)
ExitCode = 0x41020001; ExitCode = 0x41020001;
#endif #endif
} }
Show All 12 Lines