
Possible SEGV (null pointer) in MetadataLoader::MetadataLoaderImpl::parseOneMetadata() #67388

Closed

Description

@GJDuck

There seems to be a possible NULL pointer dereference in parseOneMetadata(). The problem occurs here:

    unsigned TyID = Record[0];
    Type *Ty = Callbacks.GetTypeByID(TyID);     // <--- GetTypeByID() may return NULL
    if (Ty->isMetadataTy() || Ty->isVoidTy())   // <--- No NULL check = SEGV
      return error("Invalid record");

According to GDB, the GetTypeByID() callback routes to BitcodeReader::getTypeByID() (here). This method will return nullptr on unexpected input, leading to a crash.

To reproduce, decompress bug.o.gz then run:

    $ llvm-lto bug.o

Tested with latest LLVM head and LLVM-15. Other LLVM tools also seem to crash on this file.

Crash report:

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.  Program arguments: debug/llvm-project/llvm/build/bin/llvm-lto bug.o
 #0 0x0000558dac706f32 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) ./debug/llvm-project/llvm/lib/Support/Unix/Signals.inc:723:22
 #1 0x0000558dac70734e PrintStackTraceSignalHandler(void*) ./debug/llvm-project/llvm/lib/Support/Unix/Signals.inc:798:1
 #2 0x0000558dac70471b llvm::sys::RunSignalHandlers() ./debug/llvm-project/llvm/lib/Support/Signals.cpp:105:20
 #3 0x0000558dac7067d6 SignalHandler(int) ./debug/llvm-project/llvm/lib/Support/Unix/Signals.inc:413:1
 #4 0x00007f6eece3c4b0 (/lib/x86_64-linux-gnu/libc.so.6+0x3c4b0)
 #5 0x0000558da93a248e llvm::Type::getTypeID() const ./debug/llvm-project/llvm/include/llvm/IR/Type.h:137:37
 #6 0x0000558dab3cbb56 llvm::Type::isMetadataTy() const ./debug/llvm-project/llvm/include/llvm/IR/Type.h:222:53
 #7 0x0000558dab427c56 llvm::MetadataLoader::MetadataLoaderImpl::parseOneMetadata(llvm::SmallVectorImpl<unsigned long>&, unsigned int, (anonymous namespace)::(anonymous namespace)::PlaceholderQueue&, llvm::StringRef, unsigned int&) ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1369:28
 #8 0x0000558dab426580 llvm::MetadataLoader::MetadataLoaderImpl::parseMetadata(bool) ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1133:60
 #9 0x0000558dab431624 llvm::MetadataLoader::parseMetadata(bool) ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:2464:1
#10 0x0000558dab3cbf2f llvm::MetadataLoader::parseModuleMetadata() ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.h:61:61
#11 0x0000558dab3add37 (anonymous namespace)::BitcodeReader::parseModule(unsigned long, bool, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4300:56
#12 0x0000558dab3af098 (anonymous namespace)::BitcodeReader::parseBitcodeInto(llvm::Module*, bool, bool, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4500:58
#13 0x0000558dab3c5b62 llvm::BitcodeModule::getModuleImpl(llvm::LLVMContext&, bool, bool, bool, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:7941:61
#14 0x0000558dab3c73eb llvm::BitcodeModule::parseModule(llvm::LLVMContext&, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8141:62
#15 0x0000558dab3c7529 llvm::parseBitcodeFile(llvm::MemoryBufferRef, llvm::LLVMContext&, llvm::ParserCallbacks) ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8153:44
#16 0x0000558dac265bbf parseBitcodeFileImpl(llvm::MemoryBufferRef, llvm::LLVMContext&, bool) ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:185:59
#17 0x0000558dac265d7c llvm::LTOModule::makeLTOModule(llvm::MemoryBufferRef, llvm::TargetOptions const&, llvm::LLVMContext&, bool) ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:198:57
#18 0x0000558dac2654d5 llvm::LTOModule::createFromFile(llvm::LLVMContext&, llvm::StringRef, llvm::TargetOptions const&) ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:121:47
#19 0x0000558da9017a75 main ./debug/llvm-project/llvm/tools/llvm-lto/llvm-lto.cpp:1031:43
#20 0x00007f6eece23a90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#21 0x00007f6eece23b49 call_init ./csu/../csu/libc-start.c:128:20
#22 0x00007f6eece23b49 __libc_start_main ./csu/../csu/libc-start.c:347:5
#23 0x0000558da9014125 _start (debug/llvm-project/llvm/build/bin/llvm-lto+0x5d6125)

Stack trace (GDB):

#0  0x0000555555eb848e in llvm::Type::getTypeID (this=0x0) at ./debug/llvm-project/llvm/include/llvm/IR/Type.h:137
#1  0x0000555557ee1b56 in llvm::Type::isMetadataTy (this=0x0) at ./debug/llvm-project/llvm/include/llvm/IR/Type.h:222
#2  0x0000555557f3dc56 in llvm::MetadataLoader::MetadataLoaderImpl::parseOneMetadata (this=0x555561cea620, Record=..., Code=2, Placeholders=..., Blob=..., NextMetadataNo=@0x7fffffffc2d4: 7)
    at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1369
#3  0x0000555557f3c580 in llvm::MetadataLoader::MetadataLoaderImpl::parseMetadata (this=0x555561cea620, ModuleLevel=true) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:1133
#4  0x0000555557f47624 in llvm::MetadataLoader::parseMetadata (this=0x555561cea0f8, ModuleLevel=true) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.cpp:2463
#5  0x0000555557ee1f2f in llvm::MetadataLoader::parseModuleMetadata (this=0x555561cea0f8) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/MetadataLoader.h:61
#6  0x0000555557ec3d37 in (anonymous namespace)::BitcodeReader::parseModule (this=0x555561ce9dd0, ResumeBit=0, ShouldLazyLoadMetadata=false, Callbacks=...) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4300
#7  0x0000555557ec5098 in (anonymous namespace)::BitcodeReader::parseBitcodeInto (this=0x555561ce9dd0, M=0x555561c7d270, ShouldLazyLoadMetadata=false, IsImporting=false, Callbacks=...)
    at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:4500
#8  0x0000555557edbb62 in llvm::BitcodeModule::getModuleImpl (this=0x7fffffffcfa0, Context=..., MaterializeAll=true, ShouldLazyLoadMetadata=false, IsImporting=false, Callbacks=...)
    at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:7941
#9  0x0000555557edd3eb in llvm::BitcodeModule::parseModule (this=0x7fffffffcfa0, Context=..., Callbacks=...) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8141
#10 0x0000555557edd529 in llvm::parseBitcodeFile (Buffer=..., Context=..., Callbacks=...) at ./debug/llvm-project/llvm/lib/Bitcode/Reader/BitcodeReader.cpp:8153
#11 0x0000555558d7bbbf in parseBitcodeFileImpl (Buffer=..., Context=..., ShouldBeLazy=false) at ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:185
#12 0x0000555558d7bd7c in llvm::LTOModule::makeLTOModule (Buffer=..., options=..., Context=..., ShouldBeLazy=false) at ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:198
#13 0x0000555558d7b4d5 in llvm::LTOModule::createFromFile (Context=..., path=..., options=...) at ./debug/llvm-project/llvm/lib/LTO/LTOModule.cpp:121
#14 0x0000555555b2da75 in main (argc=2, argv=0x7fffffffdff8) at ./debug/llvm-project/llvm/tools/llvm-lto/llvm-lto.cpp:1030
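The null-pointer pattern described in the report, as an added example that is not LLVM's code: a minimal C++ model of the type-table lookup (a stand-in for BitcodeReader::getTypeByID(), which returns nullptr for a type ID the input never defined) and the record handler in two forms, an unchecked one that matches the quoted snippet and a hardened one that reports a null lookup through the same "Invalid record" error path instead of dereferencing it. ToyType, TypeTable, sampleTable and the parse* function names are assumptions for this example, not LLVM identifiers, and the sample type table is constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Added example, not LLVM code. ToyType stands in for llvm::Type with only the
// two predicates the quoted snippet calls.
struct ToyType {
  enum Kind { Void, Metadata, Integer };
  Kind kind;
  bool isMetadataTy() const { return kind == Metadata; }
  bool isVoidTy() const { return kind == Void; }
};

// Outcome of handling one record; mirrors the reader's error("Invalid record").
struct ParseResult {
  bool ok;
  std::string error;  // empty when ok
};

// Stand-in for the reader's type table. As with BitcodeReader::getTypeByID()
// in the report, an ID the input never defined yields nullptr rather than a
// type, so every caller has to be prepared for that.
class TypeTable {
public:
  explicit TypeTable(std::vector<ToyType> types) : Types(std::move(types)) {}
  const ToyType *getTypeByID(unsigned ID) const {
    return ID < Types.size() ? &Types[ID] : nullptr;
  }
private:
  std::vector<ToyType> Types;
};

using GetTypeFn = std::function<const ToyType *(unsigned)>;

// Pattern quoted in the report: the callback result is dereferenced without a
// null check, so an undefined type ID in Record[0] is a SEGV. Kept as the
// "before" form; only call it with IDs the table defines.
ParseResult parseOneMetadataUnchecked(const std::vector<std::uint64_t> &Record,
                                      const GetTypeFn &GetTypeByID) {
  if (Record.empty())
    return {false, "Invalid record"};
  unsigned TyID = static_cast<unsigned>(Record[0]);
  const ToyType *Ty = GetTypeByID(TyID);
  if (Ty->isMetadataTy() || Ty->isVoidTy())  // no null check
    return {false, "Invalid record"};
  return {true, ""};
}

// Hardened form: a null lookup is treated like any other malformed record and
// reported through the normal error path instead of being dereferenced.
ParseResult parseOneMetadataChecked(const std::vector<std::uint64_t> &Record,
                                    const GetTypeFn &GetTypeByID) {
  if (Record.empty())
    return {false, "Invalid record"};
  unsigned TyID = static_cast<unsigned>(Record[0]);
  const ToyType *Ty = GetTypeByID(TyID);
  if (!Ty)  // undefined type ID in the input: reject, do not dereference
    return {false, "Invalid record"};
  if (Ty->isMetadataTy() || Ty->isVoidTy())
    return {false, "Invalid record"};
  return {true, ""};
}

// Constructed sample table: ID 0 = integer, 1 = void, 2 = metadata. Any ID of
// 3 or more is undefined, which is what a malformed bitcode record can carry.
const TypeTable &sampleTable() {
  static const TypeTable Table({ToyType{ToyType::Integer}, ToyType{ToyType::Void},
                                ToyType{ToyType::Metadata}});
  return Table;
}

// Runs the hardened handler on a one-element record against the sample table.
ParseResult parseChecked(std::uint64_t TyID) {
  const TypeTable &T = sampleTable();
  return parseOneMetadataChecked({TyID},
                                 [&T](unsigned ID) { return T.getTypeByID(ID); });
}

// Same for the unchecked handler; safe only for TyID in {0, 1, 2}.
ParseResult parseUnchecked(std::uint64_t TyID) {
  const TypeTable &T = sampleTable();
  return parseOneMetadataUnchecked({TyID},
                                   [&T](unsigned ID) { return T.getTypeByID(ID); });
}

int main() {
  for (std::uint64_t ID : {0u, 1u, 2u, 7u, 0xFFFFFFFFu}) {
    ParseResult R = parseChecked(ID);
    std::printf("type id %llu -> %s\n", (unsigned long long)ID,
                R.ok ? "ok" : R.error.c_str());
  }
  return 0;
}
```

The hardened form is a one-line addition, but the general point is that any lookup which can legitimately return nullptr on malformed input has to be checked at every call site; a reader that is fed untrusted bitcode (as llvm-lto is here) turns each missed check into a crash on attacker-controlled input.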

Labels: crash, llvm:bitcode