This is an archive of the discontinued LLVM Phabricator instance.

Differential D42346

Fix use after free in DiskFilesOrDirectories
ClosedPublic

Authored by teemperor on Jan 20 2018, 11:35 PM.

Details

Reviewers
zturner
Commits
rG17843885676e: Fix use after free in DiskFilesOrDirectories
rLLDB323082: Fix use after free in DiskFilesOrDirectories
rL323082: Fix use after free in DiskFilesOrDirectories
Summary

We copy the local variable Resolved into Storage to keep it around. However, we then still let the SearchDir ref point to Resolved which then is used to access the already freed memory later on. With this patch we point to Storage which doesn't get deleted after the current scope exits.

Discovered by memory sanitizer in the CompletionTest.DirCompletionUsername test.

Diff Detail

Repository
rL LLVM

Event Timeline

teemperor created this revision.Jan 20 2018, 11:35 PM
teemperor mentioned this in D42348: Prevent unaligned memory read in parseMinidumpString.Jan 22 2018, 12:16 AM
This revision was not accepted when it landed; it landed in state Needs Review.Jan 22 2018, 1:19 AM
Closed by commit rL323082: Fix use after free in DiskFilesOrDirectories (authored by teemperor). · Explain Why
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptJan 22 2018, 1:19 AM

Revision Contents

PathSize
lldb/
trunk/
source/
Commands/
2 lines

Diff 130841

lldb/trunk/source/Commands/CommandCompletions.cpp

Show First 20 LinesShow All 159 Lines▼ Show 20 Lines if (FirstSep == llvm::StringRef::npos) {
matches.AppendString(CompletionBuffer); matches.AppendString(CompletionBuffer);
return 1; return 1;
} }
// We want to keep the form the user typed, so we special case this to // We want to keep the form the user typed, so we special case this to
// search in the fully resolved directory, but CompletionBuffer keeps the // search in the fully resolved directory, but CompletionBuffer keeps the
// unmodified form that the user typed. // unmodified form that the user typed.
Storage = Resolved; Storage = Resolved;
SearchDir = Resolved; SearchDir = Storage;
} else { } else {
SearchDir = path::parent_path(CompletionBuffer); SearchDir = path::parent_path(CompletionBuffer);
} }
size_t FullPrefixLen = CompletionBuffer.size(); size_t FullPrefixLen = CompletionBuffer.size();
PartialItem = path::filename(CompletionBuffer); PartialItem = path::filename(CompletionBuffer);
if (PartialItem == ".") if (PartialItem == ".")
▲ Show 20 LinesShow All 393 LinesShow Last 20 Lines