llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

Undefined `delete` due to unsafe unique_ptr conversions #96991

Open leni536 opened 2 months ago

leni536 commented 2 months ago

https://github.com/llvm/llvm-project/blob/eec9d0b6816e815fbe009941c1fda3b39c38adeb/lldb/source/Plugins/SymbolFile/CTF/SymbolFileCTF.cpp#L610-L638

`CTFType` is not polymorphic. The function `ParseType` creates a `unique_ptr` of a derived type and converts it to a `unique_ptr` of `CTFType` on return. When the returned object is destroyed, the invoked `delete` expression is undefined.

It manifests at least in leaks for some of the derived types that contain non-trivial data members. If/when sized deallocation functions are enabled, it also causes the wrong size to be passed to it, which can manifest in more surprising ways, possibly corrupting the heap.

This bug was found by a reference implementation of https://wg21.link/P2413R1.
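As an added example (not lldb's code and not the P2413R1 reference implementation), the pattern reduced to hypothetical stand-in types `Base`/`Derived`, next to a polymorphic pair where the same conversion is well defined, plus a small `checked_ptr` wrapper whose `safe_unique_ptr_conversion_v` constraint rejects the unsafe upcast at compile time, in the spirit of the paper. Requires C++17.

```cpp
#include <memory>
#include <string>
#include <type_traits>
#include <utility>

// Hypothetical stand-ins for CTFType and one of its derived record types
// (constructed for this example; not lldb's definitions).
struct Base { int id = 0; };                 // no virtual destructor
struct Derived : Base { std::string name; }; // non-trivial member that leaks

// Giving the base a virtual destructor makes `delete` through Base* well defined.
struct PolyBase { virtual ~PolyBase() = default; };
struct PolyDerived : PolyBase { std::string name; };

// Sketch of the P2413R1 idea (an assumption, not the paper's reference implementation):
// allow unique_ptr<D> -> unique_ptr<B> only if deleting a D through a B* is well defined.
template <class B, class D>
constexpr bool safe_unique_ptr_conversion_v =
    std::is_same_v<std::remove_cv_t<B>, std::remove_cv_t<D>> ||
    (std::is_base_of_v<B, D> && std::has_virtual_destructor_v<B>);

// Owning pointer that rejects the unsafe upcast at compile time.
template <class T>
class checked_ptr {
  std::unique_ptr<T> p_;
  template <class> friend class checked_ptr;
public:
  checked_ptr() = default;
  explicit checked_ptr(T *p) : p_(p) {}
  template <class U,
            std::enable_if_t<safe_unique_ptr_conversion_v<T, U>, int> = 0>
  checked_ptr(checked_ptr<U> &&other) : p_(std::move(other.p_)) {}
  T *get() const { return p_.get(); }
};

// Analogue of ParseType returning through the base, but with a polymorphic base.
checked_ptr<PolyBase> make_poly(std::string name) {
  checked_ptr<PolyDerived> d(new PolyDerived);
  d.get()->name = std::move(name);
  return std::move(d); // accepted: PolyBase has a virtual destructor
}

// std::unique_ptr performs the conversion from the issue silently...
constexpr bool std_allows_unsafe =
    std::is_convertible_v<std::unique_ptr<Derived>, std::unique_ptr<Base>>;
// ...whereas the checked wrapper only accepts the well-defined cases.
constexpr bool checked_rejects_unsafe =
    !std::is_convertible_v<checked_ptr<Derived>, checked_ptr<Base>>;
constexpr bool checked_allows_poly =
    std::is_convertible_v<checked_ptr<PolyDerived>, checked_ptr<PolyBase>>;
```

The `Derived` object is never actually deleted through `Base*` here, since that is exactly the undefined `delete` the issue describes; the three constants show which conversions each owning type admits.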

llvmbot commented 2 months ago

@llvm/issue-subscribers-lldb

Author: Lénárd Szolnoki (leni536)
