This is an archive of the discontinued LLVM Phabricator instance.

[libc++] Fix use-after-free when building with _LIBCPP_DEBUG=1
ClosedPublic

Authored by thomasanderson on Mar 4 2019, 3:04 PM.

Details

Summary

The issue is the following code:

__cn1->__add(*__ip);
(*__ip)->__c_ = __cn1;

__ip points into the array of iterators for container __cn2. This code adds
the iterator to the array of iterators for __cn1, and updates the iterator to
point to the new container.

This code works fine, except when __cn1 and __cn2 are the same container.
__cn1->__add() might need to grow the array of iterators, and when it does,
__ip becomes invalid, so the second line becomes a use-after-free error.

Simply swapping the order of the above two lines is not sufficient, because of
the memmove() below. The easiest and most performant solution is just to skip
touching any iterators if the containers are the same.
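The following is an added, self-contained C++ model of the mechanism the summary describes; it is not libc++'s code, and every name in it (DebugContainer, DebugIter, add, live, transfer_buggy, transfer_fixed) is an assumption made for this example. Each debug iterator records its owning container, each container keeps a growable array of pointers to its iterators, and growing that array relocates it. Walking one container's array while appending to the same container's array is exactly the self-aliasing case from the summary. To keep the example well-defined, relocated arrays are parked rather than freed, and the write through the stale pointer is counted instead of performed; in real code that write lands in freed memory.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <vector>

// Constructed toy model of debug-mode iterator bookkeeping; names and
// layout are assumptions for this example, not libc++'s own.
struct DebugIter;

struct DebugContainer {
    DebugIter** iters_ = nullptr;   // live array of iterator pointers
    std::size_t size_ = 0;
    std::size_t cap_ = 0;
    // Relocated arrays are parked here instead of freed so that the
    // pointer checks below stay well-defined. A real implementation frees
    // them, which is what turns a stale __ip into a use-after-free.
    std::vector<std::unique_ptr<DebugIter*[]>> retired_;

    // Append an iterator pointer; relocates the array when it is full.
    void add(DebugIter* it) {
        if (size_ == cap_) {
            std::size_t ncap = cap_ ? cap_ * 2 : 1;
            DebugIter** n = new DebugIter*[ncap];
            if (size_) std::memcpy(n, iters_, size_ * sizeof(DebugIter*));
            retired_.emplace_back(iters_);   // would be delete[] in real code
            iters_ = n;
            cap_ = ncap;
        }
        iters_[size_++] = it;
    }
    // Does p point into the array that is currently alive?
    bool live(DebugIter** p) const { return p >= iters_ && p < iters_ + size_; }
    ~DebugContainer() { delete[] iters_; }
};

struct DebugIter { DebugContainer* c_ = nullptr; };

// The summary's loop: walk cn2's iterator array and re-home each iterator
// to cn1. Returns how many steps found __ip pointing at a retired array
// after add(), i.e. steps where the real code writes into freed memory.
// (Removal from cn2, the memmove the summary mentions, is omitted here.)
std::size_t transfer_buggy(DebugContainer* cn1, DebugContainer* cn2) {
    std::size_t stale = 0;
    DebugIter** ip  = cn2->iters_;
    DebugIter** end = cn2->iters_ + cn2->size_;
    for (; ip != end; ++ip) {
        cn1->add(*ip);              // may relocate cn1's array ...
        if (!cn2->live(ip)) {       // ... which is cn2's array when cn1 == cn2
            ++stale;
            continue;               // real code would write here: UAF
        }
        (*ip)->c_ = cn1;
    }
    return stale;
}

// The fix the summary describes: when both sides are the same container
// there is nothing to re-home, so leave the iterator array untouched.
std::size_t transfer_fixed(DebugContainer* cn1, DebugContainer* cn2) {
    if (cn1 == cn2) return 0;
    return transfer_buggy(cn1, cn2);
}

// Scenario: a container whose array is exactly full, transferred to itself.
// Returns the number of stale steps (1 for the buggy loop, 0 with the fix).
std::size_t self_transfer_stale_steps(bool fixed) {
    DebugContainer c;
    DebugIter it;
    it.c_ = &c;
    c.add(&it);                     // size_ == cap_ == 1: the next add relocates
    return fixed ? transfer_fixed(&c, &c) : transfer_buggy(&c, &c);
}

// Sanity check that the fixed path still re-homes across distinct containers.
bool cross_transfer_rehomes() {
    DebugContainer a, b;
    DebugIter it;
    it.c_ = &b;
    b.add(&it);
    std::size_t stale = transfer_fixed(&a, &b);
    return stale == 0 && it.c_ == &a && a.size_ == 1;
}
```

The self-transfer scenario is the minimal trigger: with size_ equal to cap_, the very first add() relocates the array that the loop is still walking, so the pointer the loop holds refers to storage the real code has already freed. The fixed version never enters the loop for that case and behaves identically to the buggy one for distinct containers.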

Diff Detail

Repository
rCXX libc++

Event Timeline

thomasanderson created this revision. Mar 4 2019, 3:04 PM
EricWF requested changes to this revision. Mar 4 2019, 6:17 PM

Can you add a test in test/libcxx/debug/containers/db_sequence_container_iterators.pass.cpp?

This revision now requires changes to proceed. Mar 4 2019, 6:17 PM

Added test: crashes before change, passes after

EricWF accepted this revision. Mar 6 2019, 1:06 PM
This revision is now accepted and ready to land. Mar 6 2019, 1:06 PM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. Mar 6 2019, 1:09 PM