Skip to content

[llvm-nm] Fix heap-use-after-free while executing 'llvm-nm -n --export-symbols' #65668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 13, 2023
Merged

[llvm-nm] Fix heap-use-after-free while executing 'llvm-nm -n --export-symbols' #65668

merged 1 commit into from
Sep 13, 2023

Conversation

chbessonova
Copy link
Contributor

Use symbol's flags saved in NMSymbol::SymFlags inside NMSymbol::isDefined() since BasicSymbolRef::getFlags() requires the symbol's containing entity object to exist (which doesn't, causing llvm-nm to crash).

Here is the AddressSanitizer report:

==3324663==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000000200 READ of size 8 at 0x60e000000200 thread T0
    #0 0x55c6536785d8 in llvm::object::BasicSymbolRef::getFlags() const llvm-project/llvm/include/llvm/Object/SymbolicFile.h:207:24
    #1 0x55c6536785d8 in (anonymous namespace)::NMSymbol::isDefined() const llvm-project/llvm/tools/llvm-nm/llvm-nm.cpp:241:37

@MaskRay
Copy link
Member

MaskRay commented Sep 7, 2023

Is there a test covering this case?

@MaskRay
Copy link
Member

MaskRay commented Sep 7, 2023

@tstellar It seems that https://github.com/orgs/llvm/teams/pr-subscribers-llvm-binary-utilities cannot be added as a reviewer. Perhaps the team hasn't been properly set?

@chbessonova
Copy link
Contributor Author

chbessonova commented Sep 8, 2023
edited
Loading

@MaskRay

Is there a test covering this case?

No. I'm not sure what would be a good test for this. I can add a test that just run llvm-nm -n --export-symbols to ensure it works fine, but it'd only check that this command line run w/o issues, and it wouldn't help to catch bugs where some properties of BasicSymbolRef requested when there is no valid OwningObject set.

@llvmbot
Copy link
Member

llvmbot commented Sep 12, 2023

@llvm/pr-subscribers-llvm-binary-utilities

Changes

Use symbol's flags saved in NMSymbol::SymFlags inside NMSymbol::isDefined() since BasicSymbolRef::getFlags() requires the symbol's containing entity object to exist (which doesn't, causing llvm-nm to crash).

Here is the AddressSanitizer report:

==3324663==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000000200 READ of size 8 at 0x60e000000200 thread T0
    #0 0x55c6536785d8 in llvm::object::BasicSymbolRef::getFlags() const llvm-project/llvm/include/llvm/Object/SymbolicFile.h:207:24
    #1 0x55c6536785d8 in (anonymous namespace)::NMSymbol::isDefined() const llvm-project/llvm/tools/llvm-nm/llvm-nm.cpp:241:37

--
Full diff: https://github.com/llvm/llvm-project/pull/65668.diff

1 Files Affected:

  • (modified) llvm/tools/llvm-nm/llvm-nm.cpp (+2-4)
diff --git a/llvm/tools/llvm-nm/llvm-nm.cpp b/llvm/tools/llvm-nm/llvm-nm.cpp
index 79213b3b2c27e31..8ac7eb2a825b57e 100644
--- a/llvm/tools/llvm-nm/llvm-nm.cpp
+++ b/llvm/tools/llvm-nm/llvm-nm.cpp
@@ -237,10 +237,8 @@ struct NMSymbol {
   std::string IndirectName;
 
   bool isDefined() const {
-    if (Sym.getRawDataRefImpl().p) {
-      uint32_t Flags = cantFail(Sym.getFlags());
-      return !(Flags & SymbolRef::SF_Undefined);
-    }
+    if (Sym.getRawDataRefImpl().p)
+      return !(SymFlags & SymbolRef::SF_Undefined);
     return TypeChar != 'U';
   }

MaskRay
MaskRay approved these changes Sep 12, 2023
View reviewed changes
Copy link
Member

@MaskRay MaskRay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is purely code simplification, I think this is fine.

@chbessonova
[llvm-nm] Fix heap-use-after-free while executing 'llvm-nm -n --expor…
0f12a7a 
…t-symbols'

Use symbol's flags saved in NMSymbol::SymFlags inside NMSymbol::isDefined()
since BasicSymbolRef::getFlags() requires the symbol's containing entity object
to exist (which doesn't, causing llvm-nm to crash).

Here is the AddressSanitizer report:

==3324663==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000000200
READ of size 8 at 0x60e000000200 thread T0
    #0 0x55c6536785d8 in llvm::object::BasicSymbolRef::getFlags() const llvm-project/llvm/include/llvm/Object/SymbolicFile.h:207:24
    llvm#1 0x55c6536785d8 in (anonymous namespace)::NMSymbol::isDefined() const llvm-project/llvm/tools/llvm-nm/llvm-nm.cpp:241:37
@chbessonova chbessonova merged commit 7457228 into llvm:main Sep 13, 2023
ZijunZhaoCCK pushed a commit to ZijunZhaoCCK/llvm-project that referenced this pull request Sep 19, 2023
@chbessonova @ZijunZhaoCCK
[llvm-nm] Fix heap-use-after-free while executing 'llvm-nm -n --expor…
023bbe4 
…t-symbols' (llvm#65668)

Use symbol's flags saved in `NMSymbol::SymFlags` inside
`NMSymbol::isDefined()` since `BasicSymbolRef::getFlags()` requires the
symbol's containing entity object to exist (which doesn't, causing
llvm-nm to crash).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@compnerd compnerd compnerd approved these changes

@MaskRay MaskRay MaskRay approved these changes

@diggerlin diggerlin Awaiting requested review from diggerlin

Assignees
No one assigned
Labels
llvm:binary-utilities tools:llvm-nm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@chbessonova @MaskRay @llvmbot @compnerd @tstellar