llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

A denial of service vulnerability in function findBaseDefiningValue (llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp) via a bitcode file whose module target triple has been overridden. #41992

Open llvmbot opened 5 years ago

llvmbot commented 5 years ago
Bugzilla Link 42647
Version 8.0
OS Linux
Reporter LLVM Bugzilla Contributor
CC @TNorthover

Extended Description

In the llvm opt tool 8.0.0 and older versions, an issue was discovered. The findBaseDefiningValue function in llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp allows attackers to cause a denial of service (assertion failure and opt tool crash) via a bitcode file whose module target triple has been overridden. The bitcode file that causes the denial of service is in the attachment.

Reproduce steps:

opt -mem2reg -rewrite-statepoints-for-gc -always-inline -o b0o_new.bc b0_new.bc

Please check the rewrite-statepoints-for-gc feature in the opt tool.

If you have confirmed the vulnerability, should I submit this issue for a CVE?

The detailed crash log is as below:

```text
opt: /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:525: {anonymous}::BaseDefiningValueResult findBaseDefiningValue(llvm::Value*): Assertion `cast<PointerType>(Def->getType())->getAddressSpace() == cast<PointerType>(CI->getType())->getAddressSpace() && "unsupported addrspacecast"' failed.
Stack dump:
1.	Program arguments: /usr/local/bin/opt -mem2reg -rewrite-statepoints-for-gc -always-inline -o b0o_new.bc b02.bc
2.	Running pass 'Make relocations explicit at statepoints' on module 'b02.bc'.
#0 0x00000000043152b1 llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:494:0
#1 0x0000000004315344 PrintStackTraceSignalHandler(void*) /home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:558:0
#2 0x0000000004313352 llvm::sys::RunSignalHandlers() /home/wenzhuo/llvm-project/llvm/lib/Support/Signals.cpp:68:0
#3 0x0000000004314d03 SignalHandler(int) /home/wenzhuo/llvm-project/llvm/lib/Support/Unix/Signals.inc:357:0
#4 0x00007f553aaa1390 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#5 0x00007f55397b0428 raise /build/glibc-LK5gWL/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
#6 0x00007f55397b202a abort /build/glibc-LK5gWL/glibc-2.23/stdlib/abort.c:91:0
#7 0x00007f55397a8bd7 __assert_fail_base /build/glibc-LK5gWL/glibc-2.23/assert/assert.c:92:0
#8 0x00007f55397a8c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
#9 0x0000000004224460 findBaseDefiningValue(llvm::Value*) /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:529:0
#10 0x00000000042247cb findBaseDefiningValueCached(llvm::Value*, llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*, unsigned int, llvm::DenseMapInfo<llvm::Value*>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, std::vector<std::pair<llvm::Value*, llvm::Value*>, std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&) /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:614:0
#11 0x000000000422491c findBaseOrBDV(llvm::Value*, llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*, unsigned int, llvm::DenseMapInfo<llvm::Value*>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, std::vector<std::pair<llvm::Value*, llvm::Value*>, std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&) /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:625:0
#12 0x0000000004225372 findBasePointer(llvm::Value*, llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*, unsigned int, llvm::DenseMapInfo<llvm::Value*>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, std::vector<std::pair<llvm::Value*, llvm::Value*>, std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&)::'lambda0'(llvm::Value*)::operator()(llvm::Value*) const /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:815:0
#13 0x00000000042260d6 findBasePointer(llvm::Value*, llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*, unsigned int, llvm::DenseMapInfo<llvm::Value*>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, std::vector<std::pair<llvm::Value*, llvm::Value*>, std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&) /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:826:0
#14 0x0000000004227d04 findBasePointers(llvm::SetVector<llvm::Value*, std::vector<llvm::Value*, std::allocator<llvm::Value*> >, llvm::DenseSet<llvm::Value*, llvm::DenseMapInfo<llvm::Value*> > > const&, llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*, unsigned int, llvm::DenseMapInfo<llvm::Value*>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, std::vector<std::pair<llvm::Value*, llvm::Value*>, std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&, llvm::DominatorTree*, llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*, unsigned int, llvm::DenseMapInfo<llvm::Value*>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, std::vector<std::pair<llvm::Value*, llvm::Value*>, std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&) /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:1163:0
#15 0x0000000004227e57 findBasePointers(llvm::DominatorTree&, llvm::MapVector<llvm::Value*, llvm::Value*, llvm::DenseMap<llvm::Value*, unsigned int, llvm::DenseMapInfo<llvm::Value*>, llvm::detail::DenseMapPair<llvm::Value*, unsigned int> >, std::vector<std::pair<llvm::Value*, llvm::Value*>, std::allocator<std::pair<llvm::Value*, llvm::Value*> > > >&, llvm::CallBase*, (anonymous namespace)::PartiallyConstructedSafepointRecord&) /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:1181:0
#16 0x000000000422cdfb insertParsePoints(llvm::Function&, llvm::DominatorTree&, llvm::TargetTransformInfo&, llvm::SmallVectorImpl<llvm::CallBase*>&) /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:2230:0
#17 0x000000000422e984 llvm::RewriteStatepointsForGC::runOnFunction(llvm::Function&, llvm::DominatorTree&, llvm::TargetTransformInfo&, llvm::TargetLibraryInfo const&) /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:2626:0
#18 0x00000000042237d7 (anonymous namespace)::RewriteStatepointsForGCLegacyPass::runOnModule(llvm::Module&) /home/wenzhuo/llvm-project/llvm/lib/Transforms/Scalar/RewriteStatepointsForGC.cpp:191:0
#19 0x0000000003a69eb7 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/wenzhuo/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1752:0
#20 0x0000000003a6a659 llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/wenzhuo/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1865:0
#21 0x0000000003a6a85f llvm::legacy::PassManager::run(llvm::Module&) /home/wenzhuo/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1897:0
#22 0x0000000001bc91c0 main /home/wenzhuo/llvm-project/llvm/tools/opt/opt.cpp:899:0
#23 0x00007f553979b830 __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:325:0
#24 0x0000000001b8b1e9 _start (/usr/local/bin/opt+0x1b8b1e9)
Aborted (core dumped)
```
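The attached bitcode is not on this page, but the assertion text above is enough to reconstruct the shape of input that reaches it. The following module is an added example written for this page, not the reporter's attachment and not part of the LLVM source; the names `@callee`, `@leak_cast`, `%raw` and `%gcptr` are made up. It relies on three facts about the pass in LLVM 8: it only rewrites functions whose `gc` attribute names the `statepoint-example` strategy, it only treats pointers in address space 1 as GC pointers, and for every such pointer live across a call it looks up a base via `findBaseDefiningValue`, which asserts when the pointer's defining cast changes the address space.

```llvm
; Added example, not the reporter's attachment: a minimal IR module that drives
; RewriteStatepointsForGC into the "unsupported addrspacecast" assertion.
; Names (@callee, @leak_cast, %raw, %gcptr) are made up for illustration.

; Any call to a non-leaf function becomes a parse point (gc.statepoint) in a
; function using the statepoint-example GC strategy.
declare void @callee()

define i8 addrspace(1)* @leak_cast(i8* %raw) gc "statepoint-example" {
entry:
  ; Address space 1 is what the pass treats as the GC-managed heap, so %gcptr
  ; is a GC pointer whose base must be found. Its defining instruction is an
  ; addrspacecast that changes address space, which the pass does not support:
  ; stripPointerCasts() on %gcptr yields %raw in addrspace(0), and the
  ; assertion comparing the two address spaces fails. In a build without
  ; assertions the check is compiled out and the pass proceeds with %raw as
  ; the base, so the same input is silently accepted there.
  %gcptr = addrspacecast i8* %raw to i8 addrspace(1)*

  ; %gcptr is live across this call, so it lands in the statepoint's live set
  ; and is run through findBasePointer -> findBaseOrBDV -> findBaseDefiningValue.
  call void @callee()

  ret i8 addrspace(1)* %gcptr
}
```

Run it with `opt -rewrite-statepoints-for-gc -S repro.ll` against an LLVM 8 `opt` built with `LLVM_ENABLE_ASSERTIONS=ON` (the reporter's build is such a tree, which is why the failure surfaces as `abort()` from `__assert_fail`). The caveat for anyone triaging reports like this one: an assertion is an internal consistency check on IR the pass was never specified to handle, not input validation, so a release build does not crash here and a consumer that feeds untrusted bitcode into `opt` is relying on process isolation either way.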

TNorthover commented 5 years ago

It's a genuine bug, but not particularly different from many others that are already known and we don't generally consider them vulnerabilities.

I think the general attitude (certainly mine) is that LLVM is not intended to be hardened against adversarial input. If someone wants to use it in that context they need to achieve isolation by other means.