Skip to content

[Runtime][4.2] In various enumTagSinglePayload functions, don't read getExtraInhabitantIndex or storeExtraInhabitant unless it actually has extra inhabitants. #17880

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 11, 2018
Merged

[Runtime][4.2] In various enumTagSinglePayload functions, don't read getExtraInhabitantIndex or storeExtraInhabitant unless it actually has extra inhabitants. #17880

merged 1 commit into from
Jul 11, 2018

Conversation

mikeash
Copy link
Contributor

@mikeash mikeash commented Jul 11, 2018

Cherry-pick #17879 to 4.2.

This code would previously read off the end of the allocated metadata to fetch these values. This was usually harmless, as the value was never used in that case. However, on rare occasions the metadata would be right before unmapped memory, and this read would crash trying to access that unmapped memory.

rdar://problem/39866044

@mikeash
[Runtime] In various enumTagSinglePayload functions, don't read getEx…
1a7ff9a 
…traInhabitantIndex or storeExtraInhabitant unless it actually has extra inhabitants.

This code would previously read off the end of the allocated metadata to fetch these values. This was usually harmless, as the value was never used in that case. However, on rare occasions the metadata would be right before unmapped memory, and this read would crash trying to access that unmapped memory.

rdar://problem/39866044
@mikeash
Copy link
Contributor Author

mikeash commented Jul 11, 2018

@swift-ci please test

@mikeash
Copy link
Contributor Author

mikeash commented Jul 11, 2018

@swift-ci please nominate

Explanation: A rare crash was caused by reading past the end of some metadata records. Most of the time it was harmless as the value was ignored, but if the read extended into unmapped memory, the program would crash.
Scope of Issue: Lots of Swift code is potentially affected. It's hard to tell exactly since the crash is so rare.
Origination: It appears that this problem comes from the changes in #12606, merged at the end of October 2017.
Risk: Low. A bunch of unchecked casts are replaced with checked casts that fail gracefully.
Reviewed by: The concept for the fix was discussed with Joe Groff, Slava Pestov, and Arnold Schwaighofer. The actual fix is not yet reviewed.
Testing: Tested with the Swift test suite and one of the affected apps. Also tested with a hack to the metadata allocator that makes this crash happen reliably.

aschwaighofer
aschwaighofer approved these changes Jul 11, 2018
View reviewed changes
Copy link
Contributor

@aschwaighofer aschwaighofer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@mikeash mikeash merged commit 104c96a into swiftlang:swift-4.2-branch Jul 11, 2018
@tinder-garricnahapetian
Copy link

Thank you!

This was referenced Aug 30, 2018
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschwaighofer aschwaighofer aschwaighofer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mikeash @tinder-garricnahapetian @aschwaighofer