This is an archive of the discontinued LLVM Phabricator instance.

Differential D158725

[NFC][AMDGPU] Guard the custom fixups kind array from invalid access
ClosedPublic

Authored by gmirazchiyski on Aug 24 2023, 4:43 AM.

Details

Reviewers
arsenm
Commits
rG05637256005b: [NFC][AMDGPU] Guard the custom fixups kind array from invalid access
Summary

Verify the possibility of accidental passing of an invalid MCFixupKind value which can cause an invalid access in the array, and guard from it via assert.

Diff Detail

Unit TestsFailed

TimeTest
60,030 msx64 debian > MLIR.Examples/standalone::test.toy

Event Timeline

gmirazchiyski created this revision.Aug 24 2023, 4:43 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 24 2023, 4:43 AM
Herald added subscribers: foad, kerbowa, hiraditya and 6 others. · View Herald Transcript
gmirazchiyski requested review of this revision.Aug 24 2023, 4:43 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 24 2023, 4:43 AM
Herald added subscribers: llvm-commits, wdng. · View Herald Transcript
gmirazchiyski edited the summary of this revision. (Show Details)Aug 24 2023, 4:45 AM
arsenm added inline comments.Aug 24 2023, 5:21 AM
llvm/lib/Target/AMDGPU/MCTargetDesc/AMDGPUAsmBackend.cpp
188

Isn’t this equivalent to the previous bounds check?

Harbormaster completed remote builds in B254600: Diff 553076.Aug 24 2023, 5:26 AM
gmirazchiyski added inline comments.Aug 24 2023, 7:07 AM
llvm/lib/Target/AMDGPU/MCTargetDesc/AMDGPUAsmBackend.cpp
188

Thank you for checking this @arsenm ! I don't think it is or at least see it as exactly the same check.

Kind < 128 (FirstTargetFixupKind) -> returns FK_NONE which I think it's no-op here
Kind >= 256 (FirstLiteralRelocationKind) -> returns the base getFixupKindInfo(Kind)
Those bounds checks are fair and needed, but for anything in the range of [128;255], Kind is allowed, and anything above 128 will be invalid.

Yes, obviously only the AMDGPU::fixup_si_sopp_br fixup kind which is valid will be used for AMDGPU but the assert is here as a security guard to the Infos array in case of misuse.

I can agree to the point this can do and is safe without the assert, but from the outside it looks like a security concern, which we will only know it will not occur after we dig into the logic.
Moreover, other backends seem to similarly assert too.

gmirazchiyski added a comment.Aug 25 2023, 3:30 AM

A friendly ping. Thanks! :)

gmirazchiyski added a reviewer: arsenm.Aug 25 2023, 3:45 AM
arsenm accepted this revision.Aug 29 2023, 2:52 PM
This revision is now accepted and ready to land.Aug 29 2023, 2:52 PM
This revision was landed with ongoing or failed builds.Aug 30 2023, 3:13 AM
Closed by commit rG05637256005b: [NFC][AMDGPU] Guard the custom fixups kind array from invalid access (authored by gmirazchiyski, committed by ldrumm). · Explain Why
This revision was automatically updated to reflect the committed changes.
ldrumm added a commit: rG05637256005b: [NFC][AMDGPU] Guard the custom fixups kind array from invalid access.

Revision Contents

PathSize
llvm/
lib/
Target/
AMDGPU/
MCTargetDesc/
2 lines

Diff 553076

llvm/lib/Target/AMDGPU/MCTargetDesc/AMDGPUAsmBackend.cpp

Show First 20 LinesShow All 179 Lines▼ Show 20 Linesconst MCFixupKindInfo &AMDGPUAsmBackend::getFixupKindInfo(
}; };
if (Kind >= FirstLiteralRelocationKind) if (Kind >= FirstLiteralRelocationKind)
return MCAsmBackend::getFixupKindInfo(FK_NONE); return MCAsmBackend::getFixupKindInfo(FK_NONE);
if (Kind < FirstTargetFixupKind) if (Kind < FirstTargetFixupKind)
return MCAsmBackend::getFixupKindInfo(Kind); return MCAsmBackend::getFixupKindInfo(Kind);
assert(unsigned(Kind - FirstTargetFixupKind) < getNumFixupKinds() &&
arsenmUnsubmitted
Not Done
ReplyInline Actions

Isn’t this equivalent to the previous bounds check?

arsenm: Isn’t this equivalent to the previous bounds check?
gmirazchiyskiAuthorUnsubmitted
Done
ReplyInline Actions

Thank you for checking this @arsenm ! I don't think it is or at least see it as exactly the same check.

Kind < 128 (FirstTargetFixupKind) -> returns FK_NONE which I think it's no-op here
Kind >= 256 (FirstLiteralRelocationKind) -> returns the base getFixupKindInfo(Kind)
Those bounds checks are fair and needed, but for anything in the range of [128;255], Kind is allowed, and anything above 128 will be invalid.

Yes, obviously only the AMDGPU::fixup_si_sopp_br fixup kind which is valid will be used for AMDGPU but the assert is here as a security guard to the Infos array in case of misuse.

I can agree to the point this can do and is safe without the assert, but from the outside it looks like a security concern, which we will only know it will not occur after we dig into the logic.
Moreover, other backends seem to similarly assert too.

gmirazchiyski: Thank you for checking this @arsenm ! I don't think it is or at least see it as exactly the…
"Invalid kind!");
return Infos[Kind - FirstTargetFixupKind]; return Infos[Kind - FirstTargetFixupKind];
} }
bool AMDGPUAsmBackend::shouldForceRelocation(const MCAssembler &, bool AMDGPUAsmBackend::shouldForceRelocation(const MCAssembler &,
const MCFixup &Fixup, const MCFixup &Fixup,
const MCValue &) { const MCValue &) {
return Fixup.getKind() >= FirstLiteralRelocationKind; return Fixup.getKind() >= FirstLiteralRelocationKind;
} }
▲ Show 20 LinesShow All 73 LinesShow Last 20 Lines