From 2499aeead93a28cff56816c6ce7c093d227a0084 Mon Sep 17 00:00:00 2001
From: Vlad Tsyrklevich
Date: Thu, 30 Aug 2018 20:44:51 +0000
Subject: SafeStack: Prevent OOB reads with mem intrinsics

Summary:
Currently, the SafeStack analysis disallows out-of-bounds writes but not
out-of-bounds reads for mem intrinsics like llvm.memcpy. This could
cause leaks of pointers to the safe stack by leaking spilled registers/
frame pointers. Check for allocas used as source or destination pointers
to mem intrinsics.

Reviewers: eugenis

Reviewed By: eugenis

Subscribers: pcc, llvm-commits, kcc

Differential Revision: https://reviews.llvm.org/D51334

llvm-svn: 341116
---
llvm/lib/CodeGen/SafeStack.cpp | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'llvm/lib/CodeGen/SafeStack.cpp')

diff --git a/llvm/lib/CodeGen/SafeStack.cpp b/llvm/lib/CodeGen/SafeStack.cpp
index 60e2ddf0a3d..7b1c7fe49e4 100644
--- a/llvm/lib/CodeGen/SafeStack.cpp
+++ b/llvm/lib/CodeGen/SafeStack.cpp
@@ -260,8 +260,14 @@ bool SafeStack::IsAccessSafe(Value *Addr, uint64_t AccessSize,
 bool SafeStack::IsMemIntrinsicSafe(const MemIntrinsic *MI, const Use &U,
 const Value *AllocaPtr,
 uint64_t AllocaSize) {
- // All MemIntrinsics have destination address in Arg0 and size in Arg2.
- if (MI->getRawDest() != U) return true;
+ if (auto MTI = dyn_cast(MI)) {
+ if (MTI->getRawSource() != U && MTI->getRawDest() != U)
+ return true;
+ } else {
+ if (MI->getRawDest() != U)
+ return true;
+ }
+
 const auto *Len = dyn_cast(MI->getLength());
 // Non-constant size => unsafe. FIXME: try SCEV getRange.
 if (!Len) return false;
-- 
cgit v1.2.3
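Review bot: The new operand check in IsMemIntrinsicSafe drops the old explanatory comment and adds none, so the code no longer says why a use as the source pointer must be bounds-checked. That reason is the security point of the change and is only recorded in the commit message. I would put a comment above the `if (auto MTI ...` line, for example `// A transfer that reads past the alloca can leak neighbouring safe-stack contents (spilled registers, frame pointers), so a use as the source operand is checked like a use as the destination.` As a style point, `auto MTI` hides that this is a pointer to a const instruction; `const auto *MTI` would match the `const auto *Len` declaration a few lines below. The function body continues past the end of the hunk, so the final bounds check itself is not visible here.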