Commit
This fixes a UaF bug in llvm::GlobalObject::copyAttributesFrom, where a sanitizer metadata object is captured by reference and passed by reference to llvm::GlobalValue::setSanitizerMetadata. The reference comes from the same map that the new value is going to be inserted into, and the map insertion triggers iterator invalidation, leading to a use-after-free on the dangling reference. This patch fixes that bug by making setSanitizerMetadata's argument byval. This should also systematically prevent the problem from happening in the future, as it's a very easy pattern to have. This shouldn't be any performance problem, since the SanitizerMetadata struct is a bitfield POD.