From 7bb65f68b15312ad82729d1689d70eec616d74b7 Mon Sep 17 00:00:00 2001 From: Konrad Kleine Date: Tue, 28 May 2024 15:18:49 +0200 Subject: [PATCH] Fix use after free on ppc64le (rhbz#2283525) --- .llvm.metadata | 8 ++++ 93442.patch | 103 +++++++++++++++++++++++++++++++++++++++++++++++++ llvm.spec | 8 +++- 3 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 .llvm.metadata create mode 100644 93442.patch diff --git a/.llvm.metadata b/.llvm.metadata new file mode 100644 index 0000000..1fdf74e --- /dev/null +++ b/.llvm.metadata @@ -0,0 +1,8 @@ +eb5c08768e9445d3a9b9ac3b9ad17f1378e3805f llvm-18.1.6.src.tar.xz +5247fe6fb2a35388dd522cb6284ecb2b21f5ee88 llvm-18.1.6.src.tar.xz.sig +2d3d21c2847760692f323d4c334031a05ba5f541 cmake-18.1.6.src.tar.xz +39b7cceeced0203a1e8f6807335cfca806027795 cmake-18.1.6.src.tar.xz.sig +3e2171e588995d02e4d68e92274e97d86e02d49b third-party-18.1.6.src.tar.xz +adcf69e6a5a6aaedddeefeeed4838caceb04f632 third-party-18.1.6.src.tar.xz.sig +860a3605f08a0a56a8de4e073e26a259871623a6 llvm-17.0.6.src.tar.xz +2ad479ab00a6d5e61ecb953997cfeef6650a687a llvm-17.0.6.src.tar.xz.sig diff --git a/93442.patch b/93442.patch new file mode 100644 index 0000000..f2ff1d9 --- /dev/null +++ b/93442.patch @@ -0,0 +1,103 @@ +From 97ab1917845fa9426ba913139fc8a007cba1d7ce Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 27 May 2024 08:54:11 +0200 +Subject: [PATCH] [PPCMergeStringPool] Only replace constant once (#92996) + +In #88846 I changed this code to use RAUW to perform the replacement +instead of manual updates -- but kept the outer loop, which means we try +to perform RAUW once per user. However, some of the users might be freed +by the RAUW operation, resulting in use-after-free. + +The case where this happens is constant users where the replacement +might result in the destruction of the original constant. + +Fixes https://github.com/llvm/llvm-project/issues/92991. + +(cherry picked from commit 9f85bc834b07ebfec9e5e02deb9255a0f6ec5cc7) +--- + .../lib/Target/PowerPC/PPCMergeStringPool.cpp | 37 ++++--------------- + .../PowerPC/mergeable-string-pool-pr92991.ll | 20 ++++++++++ + 2 files changed, 27 insertions(+), 30 deletions(-) + create mode 100644 llvm/test/CodeGen/PowerPC/mergeable-string-pool-pr92991.ll + +diff --git a/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp b/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp +index ebd876d50c44e..0830b02370cd0 100644 +--- a/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp ++++ b/llvm/lib/Target/PowerPC/PPCMergeStringPool.cpp +@@ -290,13 +290,6 @@ bool PPCMergeStringPool::mergeModuleStringPool(Module &M) { + return true; + } + +-static bool userHasOperand(User *TheUser, GlobalVariable *GVOperand) { +- for (Value *Op : TheUser->operands()) +- if (Op == GVOperand) +- return true; +- return false; +-} +- + // For pooled strings we need to add the offset into the pool for each string. + // This is done by adding a Get Element Pointer (GEP) before each user. This + // function adds the GEP. +@@ -307,29 +300,13 @@ void PPCMergeStringPool::replaceUsesWithGEP(GlobalVariable *GlobalToReplace, + Indices.push_back(ConstantInt::get(Type::getInt32Ty(*Context), 0)); + Indices.push_back(ConstantInt::get(Type::getInt32Ty(*Context), ElementIndex)); + +- // Need to save a temporary copy of each user list because we remove uses +- // as we replace them. +- SmallVector Users; +- for (User *CurrentUser : GlobalToReplace->users()) +- Users.push_back(CurrentUser); +- +- for (User *CurrentUser : Users) { +- // The user was not found so it must have been replaced earlier. +- if (!userHasOperand(CurrentUser, GlobalToReplace)) +- continue; +- +- // We cannot replace operands in globals so we ignore those. +- if (isa(CurrentUser)) +- continue; +- +- Constant *ConstGEP = ConstantExpr::getInBoundsGetElementPtr( +- PooledStructType, GPool, Indices); +- LLVM_DEBUG(dbgs() << "Replacing this global:\n"); +- LLVM_DEBUG(GlobalToReplace->dump()); +- LLVM_DEBUG(dbgs() << "with this:\n"); +- LLVM_DEBUG(ConstGEP->dump()); +- GlobalToReplace->replaceAllUsesWith(ConstGEP); +- } ++ Constant *ConstGEP = ++ ConstantExpr::getInBoundsGetElementPtr(PooledStructType, GPool, Indices); ++ LLVM_DEBUG(dbgs() << "Replacing this global:\n"); ++ LLVM_DEBUG(GlobalToReplace->dump()); ++ LLVM_DEBUG(dbgs() << "with this:\n"); ++ LLVM_DEBUG(ConstGEP->dump()); ++ GlobalToReplace->replaceAllUsesWith(ConstGEP); + } + + } // namespace +diff --git a/llvm/test/CodeGen/PowerPC/mergeable-string-pool-pr92991.ll b/llvm/test/CodeGen/PowerPC/mergeable-string-pool-pr92991.ll +new file mode 100644 +index 0000000000000..4e9c69e5fe4cf +--- /dev/null ++++ b/llvm/test/CodeGen/PowerPC/mergeable-string-pool-pr92991.ll +@@ -0,0 +1,20 @@ ++; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py UTC_ARGS: --version 5 ++; RUN: llc -mtriple=powerpc64le-unknown-linux-gnu < %s | FileCheck %s ++ ++@g = private constant [4 x i32] [i32 122, i32 67, i32 35, i32 56] ++@g2 = private constant [1 x i64] [i64 1], align 8 ++ ++define void @test(ptr %p, ptr %p2) { ++; CHECK-LABEL: test: ++; CHECK: # %bb.0: ++; CHECK-NEXT: addis 5, 2, .L__ModuleStringPool@toc@ha ++; CHECK-NEXT: addi 5, 5, .L__ModuleStringPool@toc@l ++; CHECK-NEXT: addi 6, 5, 12 ++; CHECK-NEXT: std 6, 0(3) ++; CHECK-NEXT: addi 3, 5, 16 ++; CHECK-NEXT: std 3, 0(4) ++; CHECK-NEXT: blr ++ store ptr getelementptr inbounds ([4 x i32], ptr @g, i64 0, i64 1), ptr %p ++ store ptr getelementptr inbounds ([4 x i32], ptr @g, i64 0, i64 2), ptr %p2 ++ ret void ++} diff --git a/llvm.spec b/llvm.spec index 2e4eb9f..63a9332 100644 --- a/llvm.spec +++ b/llvm.spec @@ -101,7 +101,7 @@ Name: %{pkg_name} Version: %{maj_ver}.%{min_ver}.%{patch_ver}%{?rc_ver:~rc%{rc_ver}}%{?llvm_snapshot_version_suffix:~%{llvm_snapshot_version_suffix}} -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Low Level Virtual Machine License: Apache-2.0 WITH LLVM-exception OR NCSA @@ -129,6 +129,9 @@ Source8: https://github.com/llvm/llvm-project/releases/download/llvmorg-%{compat # RHEL-specific patch to avoid unwanted python3-myst-parser dep Patch101: 0101-Deactivate-markdown-doc.patch +# Backport of PPCMergeStringPool fix for rhbz#2283525. +Patch102: 93442.patch + BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: clang @@ -650,6 +653,9 @@ fi %license LICENSE.TXT %changelog +* Tue May 28 2024 Nikita Popov - 18.1.6-3 +- Fix use after free on ppc64le (rhbz#2283525) + * Wed May 22 2024 Konrad Kleine - 18.1.6-2 - Turn on build condition bundle_compat_lib by default