This is an archive of the discontinued LLVM Phabricator instance.

Differential D34554

[ELF] FIx use-after-return of archive path
ClosedPublic

Authored by ikudrin on Jun 23 2017, 6:05 AM.

Details

Reviewers
ruiu
rafael
evgeny777
Commits
rG943f62d9d71d: [ELF] Fix use after free in case of using --whole-archive.
rL325313: [ELF] Fix use after free in case of using --whole-archive.
rLLD325313: [ELF] Fix use after free in case of using --whole-archive.
Summary

There is a bug in lld which on some occasions causes InputFile::ArchiveName to store incorrect value. This happens because library name allocated on stack then converted to StringRef and assigned to member variable.

Diff Detail

Repository
rLLD LLVM Linker

Event Timeline

evgeny777 created this revision.Jun 23 2017, 6:05 AM
Herald added a subscriber: emaste. · View Herald TranscriptJun 23 2017, 6:05 AM
meadori added a subscriber: meadori.Jun 23 2017, 8:10 AM

Test case?

ruiu edited edge metadata.Jun 23 2017, 8:21 AM

I think a better approach would be to change the type of ArchiveName from StringRef to std::string. This patch may fix the issue, but I'm not 100% sure because it fixes only one path that can reach addFile function. There might be some other places at which we pass on-stack objects to the function.

evgeny777 added a comment.Jun 23 2017, 9:28 AM

Test case?

Any suggestions how to implement it?

ikudrin commandeered this revision.Feb 15 2018, 5:57 AM
ikudrin added a reviewer: evgeny777.

I asked @evgeny777 and he let me take this revision.

Herald added a subscriber: arichardson. · View Herald TranscriptFeb 15 2018, 5:57 AM
ikudrin updated this revision to Diff 134413.Feb 15 2018, 6:05 AM
  • Change type of ArchiveName to std::string.
  • Add a test.
ikudrin updated this revision to Diff 134415.Feb 15 2018, 6:08 AM
  • Remove "tee" in the test.
ruiu accepted this revision.Feb 15 2018, 10:31 AM

LGTM

test/ELF/whole-archive-name.s
9

I think you can remove test/ELF/Inputs/whole-archive-name.s because you only need single .s file. Since --whole-archive links everything, you don't need to pass any .o file. I.e. you can just pass an .a file.

This revision is now accepted and ready to land.Feb 15 2018, 10:31 AM
Closed by commit rLLD325313: [ELF] Fix use after free in case of using --whole-archive. (authored by ikudrin). · Explain WhyFeb 15 2018, 7:28 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
ELF/
2 lines
2 lines
2 lines
test/
ELF/
15 lines

Diff 134550

ELF/Driver.cpp

Show First 20 LinesShow All 978 Lines▼ Show 20 Linesstatic DenseSet<StringRef> getExcludeLibs(opt::InputArgList &Args) {
} }
return Ret; return Ret;
} }
static Optional<StringRef> getArchiveName(InputFile *File) { static Optional<StringRef> getArchiveName(InputFile *File) {
if (isa<ArchiveFile>(File)) if (isa<ArchiveFile>(File))
return File->getName(); return File->getName();
if (!File->ArchiveName.empty()) if (!File->ArchiveName.empty())
return File->ArchiveName; return StringRef(File->ArchiveName);
return None; return None;
} }
// Handles the -exclude-libs option. If a static library file is specified // Handles the -exclude-libs option. If a static library file is specified
// by the -exclude-libs option, all public symbols from the archive become // by the -exclude-libs option, all public symbols from the archive become
// private unless otherwise specified by version scripts or something. // private unless otherwise specified by version scripts or something.
// A special library name "ALL" means all archive files. // A special library name "ALL" means all archive files.
// //
▲ Show 20 LinesShow All 181 LinesShow Last 20 Lines

ELF/InputFiles.h

Show First 20 LinesShow All 92 Lines▼ Show 20 Lines ArrayRef<Symbol *> getSymbols() {
assert(FileKind == BinaryKind || FileKind == ObjKind || assert(FileKind == BinaryKind || FileKind == ObjKind ||
FileKind == BitcodeKind || FileKind == ArchiveKind); FileKind == BitcodeKind || FileKind == ArchiveKind);
return Symbols; return Symbols;
} }
// Filename of .a which contained this file. If this file was // Filename of .a which contained this file. If this file was
// not in an archive file, it is the empty string. We use this // not in an archive file, it is the empty string. We use this
// string for creating error messages. // string for creating error messages.
StringRef ArchiveName; std::string ArchiveName;
// If this is an architecture-specific file, the following members // If this is an architecture-specific file, the following members
// have ELF type (i.e. ELF{32,64}{LE,BE}) and target machine type. // have ELF type (i.e. ELF{32,64}{LE,BE}) and target machine type.
ELFKind EKind = ELFNoneKind; ELFKind EKind = ELFNoneKind;
uint16_t EMachine = llvm::ELF::EM_NONE; uint16_t EMachine = llvm::ELF::EM_NONE;
uint8_t OSABI = 0; uint8_t OSABI = 0;
// Cache for toString(). Only toString() should use this member. // Cache for toString(). Only toString() should use this member.
▲ Show 20 LinesShow All 239 LinesShow Last 20 Lines

ELF/InputSection.cpp

Show First 20 LinesShow All 271 Lines▼ Show 20 Lines
std::string InputSectionBase::getObjMsg(uint64_t Off) { std::string InputSectionBase::getObjMsg(uint64_t Off) {
// Synthetic sections don't have input files. // Synthetic sections don't have input files.
if (!File) if (!File)
return ("<internal>:(" + Name + "+0x" + utohexstr(Off) + ")").str(); return ("<internal>:(" + Name + "+0x" + utohexstr(Off) + ")").str();
std::string Filename = File->getName(); std::string Filename = File->getName();
std::string Archive; std::string Archive;
if (!File->ArchiveName.empty()) if (!File->ArchiveName.empty())
Archive = (" in archive " + File->ArchiveName).str(); Archive = " in archive " + File->ArchiveName;
// Find a symbol that encloses a given location. // Find a symbol that encloses a given location.
for (Symbol *B : File->getSymbols()) for (Symbol *B : File->getSymbols())
if (auto *D = dyn_cast<Defined>(B)) if (auto *D = dyn_cast<Defined>(B))
if (D->Section == this && D->Value <= Off && Off < D->Value + D->Size) if (D->Section == this && D->Value <= Off && Off < D->Value + D->Size)
return Filename + ":(" + toString(*D) + ")" + Archive; return Filename + ":(" + toString(*D) + ")" + Archive;
// If there's no symbol, print out the offset in the section. // If there's no symbol, print out the offset in the section.
▲ Show 20 LinesShow All 739 LinesShow Last 20 Lines

test/ELF/whole-archive-name.s

// REQUIRES: x86
// RUN: llvm-mc -filetype=obj -triple=x86_64-unknown-linux %s -o %t.o
// RUN: mkdir -p %t.dir
// RUN: rm -f %t.dir/liba.a
// RUN: llvm-ar rcs %t.dir/liba.a %t.o
// RUN: ld.lld -L%t.dir --whole-archive -la -o %t -Map=- | FileCheck %s
.globl _start
_start:
ruiuUnsubmitted
Not Done
ReplyInline Actions

I think you can remove test/ELF/Inputs/whole-archive-name.s because you only need single .s file. Since --whole-archive links everything, you don't need to pass any .o file. I.e. you can just pass an .a file.

ruiu: I think you can remove test/ELF/Inputs/whole-archive-name.s because you only need single .s…
nop
// There was a use after free of an archive name.
// Valgrind/asan would detect it.
// CHECK: liba.a(whole-archive-name.s.tmp.o):(.text)
// CHECK-NEXT: _start