-
Notifications
You must be signed in to change notification settings - Fork 15k
[clang] Fix a use-after free in ASTContext::getSubstBuiltinTemplatePack #160970
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
ASTContext::getSubstBuiltinTemplatePack finds InsertPos and then calls itself recursively, which may lead to rehashing and invalidation of all pointers to buckets. The function then proceeds with using the potentially invalid InsertPos, leading to use-after-free. I didn't manage to produce a reasonably-sized test case yet.
@llvm/pr-subscribers-clang Author: Alexander Kornienko (alexfh) ChangesASTContext::getSubstBuiltinTemplatePack finds InsertPos and then calls itself I didn't manage to produce a reasonably-sized test case yet. Full diff: https://github.com/llvm/llvm-project/pull/160970.diff 1 Files Affected:
diff --git a/clang/lib/AST/ASTContext.cpp b/clang/lib/AST/ASTContext.cpp
index 07d42e7e2f3b3..e9d3e58f81cf2 100644
--- a/clang/lib/AST/ASTContext.cpp
+++ b/clang/lib/AST/ASTContext.cpp
@@ -5873,8 +5873,14 @@ ASTContext::getSubstBuiltinTemplatePack(const TemplateArgument &ArgPack) {
QualType Canon;
TemplateArgument CanonArgPack = getCanonicalTemplateArgument(ArgPack);
- if (!CanonArgPack.structurallyEquals(ArgPack))
+ if (!CanonArgPack.structurallyEquals(ArgPack)) {
Canon = getSubstBuiltinTemplatePack(CanonArgPack);
+ // Refresh InsertPos, in case the recursive call above caused rehashing,
+ // which would invalidate the bucket pointer.
+ if (auto *T =
+ SubstBuiltinTemplatePackTypes.FindNodeOrInsertPos(ID, InsertPos))
+ return QualType(T, 0);
+ }
auto *PackType = new (*this, alignof(SubstBuiltinTemplatePackType))
SubstBuiltinTemplatePackType(Canon, ArgPack);
|
Assert that a node is not found when refreshing InsertPos.
LLVM Buildbot has detected a new failure on builder Full details are available at: https://lab.llvm.org/buildbot/#/builders/59/builds/24848 Here is the relevant piece of the build log for the reference
|
…ck (llvm#160970) ASTContext::getSubstBuiltinTemplatePack finds InsertPos and then calls itself recursively, which may lead to rehashing and invalidation of all pointers to buckets. The function then proceeds with using the potentially invalid InsertPos, leading to use-after-free. The issue goes back to llvm#157662. I didn't manage to produce a reasonably-sized test case yet.
ASTContext::getSubstBuiltinTemplatePack finds InsertPos and then calls itself
recursively, which may lead to rehashing and invalidation of all pointers to
buckets. The function then proceeds with using the potentially invalid
InsertPos, leading to use-after-free.
The issue goes back to #157662.
I didn't manage to produce a reasonably-sized test case yet.