From c33d10ae79e5a9aa99512a7736da93039824f53b Mon Sep 17 00:00:00 2001
From: Ben Clayton <bclayton@google.com>
Date: Sun, 13 Nov 2022 18:26:25 +0000
Subject: [PATCH] tint/resolver: Fix bad pointer deref (UAF)

Passing a dereferenced value from Hashmap::Find() directly into Hashmap::Add() is a potential cause of UAF, as the insertion may reallocate the map, invalidating the input reference.

I'll try to think of ways to make this foot-gun harder to do, but this CL fixes the immediate bug found by fuzzers.

Bug: chromium:1383755
Change-Id: I4f8b2fcb0745b008a47ef9947c330afb9ac4e78f
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/110020
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
---
 src/tint/resolver/resolver.cc                 |  4 +-
 test/tint/bug/chromium/1383755.wgsl           | 30 +++++++++++
 .../chromium/1383755.wgsl.expected.dxc.hlsl   |  5 ++
 .../chromium/1383755.wgsl.expected.fxc.hlsl   |  5 ++
 .../bug/chromium/1383755.wgsl.expected.glsl   | 41 +++++++++++++++
 .../bug/chromium/1383755.wgsl.expected.msl    | 51 +++++++++++++++++++
 .../bug/chromium/1383755.wgsl.expected.spvasm | 16 ++++++
 .../bug/chromium/1383755.wgsl.expected.wgsl   | 34 +++++++++++++
 8 files changed, 184 insertions(+), 2 deletions(-)
 create mode 100644 test/tint/bug/chromium/1383755.wgsl
 create mode 100644 test/tint/bug/chromium/1383755.wgsl.expected.dxc.hlsl
 create mode 100644 test/tint/bug/chromium/1383755.wgsl.expected.fxc.hlsl
 create mode 100644 test/tint/bug/chromium/1383755.wgsl.expected.glsl
 create mode 100644 test/tint/bug/chromium/1383755.wgsl.expected.msl
 create mode 100644 test/tint/bug/chromium/1383755.wgsl.expected.spvasm
 create mode 100644 test/tint/bug/chromium/1383755.wgsl.expected.wgsl

diff --git a/src/tint/resolver/resolver.cc b/src/tint/resolver/resolver.cc
index 880d59560e..2a9b4767ef 100644
--- a/src/tint/resolver/resolver.cc
+++ b/src/tint/resolver/resolver.cc
@@ -2688,7 +2688,7 @@ sem::Array* Resolver::Array(const ast::Array* arr) {
     if (el_ty->Is<sem::Atomic>()) {
         atomic_composite_info_.Add(out, &arr->type->source);
     } else {
-        if (auto* found = atomic_composite_info_.Find(el_ty)) {
+        if (auto found = atomic_composite_info_.Get(el_ty)) {
             atomic_composite_info_.Add(out, *found);
         }
     }
@@ -3027,7 +3027,7 @@ sem::Struct* Resolver::Structure(const ast::Struct* str) {
             atomic_composite_info_.Add(out, &sem_members[i]->Declaration()->source);
             break;
         } else {
-            if (auto* found = atomic_composite_info_.Find(mem_type)) {
+            if (auto found = atomic_composite_info_.Get(mem_type)) {
                 atomic_composite_info_.Add(out, *found);
                 break;
             }
diff --git a/test/tint/bug/chromium/1383755.wgsl b/test/tint/bug/chromium/1383755.wgsl
new file mode 100644
index 0000000000..3836d8196f
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl
@@ -0,0 +1,30 @@
+struct TestDatabuMltin {functionatxa4 : array<atomic<i32>, 9
+>,  data : array<atomic<i32>,                                    32772>,
+  a : array<atomic<i32>, 4>,
+dzet4rnaumtax2at : array<atomic<i32>, 1>,
+}
+
+struct Tc65535tDtint_symbol_7ata {
+  dtma1atxa4 : array<atomic<        i32>, 72365>,
+  hata : array<atomic<i32>, 2>,
+  a : array<atomic<i32>, 3>,
+   returnma3tatxa92233720368547R758p8 : array<atomic<i32>, 35526>,
+}
+
+struct TzVfat0x32769tDvar {
+  dmat2axat2 : array<atomic<i32>, 39611>, }
+struct TestDauiltin {
+  dmat2a2axt : array<atomic<i32>, 9
+>,  data : array<atomic<i32>, 32742>,
+  a : array<atomic<i32>, 4>,
+}
+
+struct Teec65538tDtint_sybom_l7ata {
+  dmat1atxainverseSqrt4                                                        : array<atomic<        i32>, 32768>,
+  hata : array< atomic<i32>, 2>,
+  a : array                                                                                                                                    <atomic<i32>, 5>,
+  dreturnmc4tax2at : array<atomic<i32>, 1>,
+}
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+  dmat2axat1 : array<atomic<i32>, 39711>, }
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.dxc.hlsl b/test/tint/bug/chromium/1383755.wgsl.expected.dxc.hlsl
new file mode 100644
index 0000000000..051e8c381c
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.dxc.hlsl
@@ -0,0 +1,5 @@
+[numthreads(1, 1, 1)]
+void unused_entry_point() {
+  return;
+}
+
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.fxc.hlsl b/test/tint/bug/chromium/1383755.wgsl.expected.fxc.hlsl
new file mode 100644
index 0000000000..051e8c381c
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.fxc.hlsl
@@ -0,0 +1,5 @@
+[numthreads(1, 1, 1)]
+void unused_entry_point() {
+  return;
+}
+
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.glsl b/test/tint/bug/chromium/1383755.wgsl.expected.glsl
new file mode 100644
index 0000000000..49beef46c2
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.glsl
@@ -0,0 +1,41 @@
+#version 310 es
+
+layout(local_size_x = 1, local_size_y = 1, local_size_z = 1) in;
+void unused_entry_point() {
+  return;
+}
+struct TestDatabuMltin {
+  int functionatxa4[9];
+  int data[32772];
+  int a[4];
+  int dzet4rnaumtax2at[1];
+};
+
+struct Tc65535tDtint_symbol_7ata {
+  int dtma1atxa4[72365];
+  int hata[2];
+  int a[3];
+  int returnma3tatxa92233720368547R758p8[35526];
+};
+
+struct TzVfat0x32769tDvar {
+  int dmat2axat2[39611];
+};
+
+struct TestDauiltin {
+  int dmat2a2axt[9];
+  int data[32742];
+  int a[4];
+};
+
+struct Teec65538tDtint_sybom_l7ata {
+  int dmat1atxainverseSqrt4[32768];
+  int hata[2];
+  int a[5];
+  int dreturnmc4tax2at[1];
+};
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+  int dmat2axat1[39711];
+};
+
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.msl b/test/tint/bug/chromium/1383755.wgsl.expected.msl
new file mode 100644
index 0000000000..f51d876241
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.msl
@@ -0,0 +1,51 @@
+#include <metal_stdlib>
+
+using namespace metal;
+
+template<typename T, size_t N>
+struct tint_array {
+    const constant T& operator[](size_t i) const constant { return elements[i]; }
+    device T& operator[](size_t i) device { return elements[i]; }
+    const device T& operator[](size_t i) const device { return elements[i]; }
+    thread T& operator[](size_t i) thread { return elements[i]; }
+    const thread T& operator[](size_t i) const thread { return elements[i]; }
+    threadgroup T& operator[](size_t i) threadgroup { return elements[i]; }
+    const threadgroup T& operator[](size_t i) const threadgroup { return elements[i]; }
+    T elements[N];
+};
+
+struct TestDatabuMltin {
+  tint_array<atomic_int, 9> functionatxa4;
+  tint_array<atomic_int, 32772> data;
+  tint_array<atomic_int, 4> a;
+  tint_array<atomic_int, 1> dzet4rnaumtax2at;
+};
+
+struct Tc65535tDtint_symbol_7ata {
+  tint_array<atomic_int, 72365> dtma1atxa4;
+  tint_array<atomic_int, 2> hata;
+  tint_array<atomic_int, 3> a;
+  tint_array<atomic_int, 35526> returnma3tatxa92233720368547R758p8;
+};
+
+struct TzVfat0x32769tDvar {
+  tint_array<atomic_int, 39611> dmat2axat2;
+};
+
+struct TestDauiltin {
+  tint_array<atomic_int, 9> dmat2a2axt;
+  tint_array<atomic_int, 32742> data;
+  tint_array<atomic_int, 4> a;
+};
+
+struct Teec65538tDtint_sybom_l7ata {
+  tint_array<atomic_int, 32768> dmat1atxainverseSqrt4;
+  tint_array<atomic_int, 2> hata;
+  tint_array<atomic_int, 5> a;
+  tint_array<atomic_int, 1> dreturnmc4tax2at;
+};
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+  tint_array<atomic_int, 39711> dmat2axat1;
+};
+
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.spvasm b/test/tint/bug/chromium/1383755.wgsl.expected.spvasm
new file mode 100644
index 0000000000..65bef946a5
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.spvasm
@@ -0,0 +1,16 @@
+; SPIR-V
+; Version: 1.3
+; Generator: Google Tint Compiler; 0
+; Bound: 5
+; Schema: 0
+               OpCapability Shader
+               OpMemoryModel Logical GLSL450
+               OpEntryPoint GLCompute %unused_entry_point "unused_entry_point"
+               OpExecutionMode %unused_entry_point LocalSize 1 1 1
+               OpName %unused_entry_point "unused_entry_point"
+       %void = OpTypeVoid
+          %1 = OpTypeFunction %void
+%unused_entry_point = OpFunction %void None %1
+          %4 = OpLabel
+               OpReturn
+               OpFunctionEnd
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.wgsl b/test/tint/bug/chromium/1383755.wgsl.expected.wgsl
new file mode 100644
index 0000000000..a772dddbc2
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.wgsl
@@ -0,0 +1,34 @@
+struct TestDatabuMltin {
+  functionatxa4 : array<atomic<i32>, 9>,
+  data : array<atomic<i32>, 32772>,
+  a : array<atomic<i32>, 4>,
+  dzet4rnaumtax2at : array<atomic<i32>, 1>,
+}
+
+struct Tc65535tDtint_symbol_7ata {
+  dtma1atxa4 : array<atomic<i32>, 72365>,
+  hata : array<atomic<i32>, 2>,
+  a : array<atomic<i32>, 3>,
+  returnma3tatxa92233720368547R758p8 : array<atomic<i32>, 35526>,
+}
+
+struct TzVfat0x32769tDvar {
+  dmat2axat2 : array<atomic<i32>, 39611>,
+}
+
+struct TestDauiltin {
+  dmat2a2axt : array<atomic<i32>, 9>,
+  data : array<atomic<i32>, 32742>,
+  a : array<atomic<i32>, 4>,
+}
+
+struct Teec65538tDtint_sybom_l7ata {
+  dmat1atxainverseSqrt4 : array<atomic<i32>, 32768>,
+  hata : array<atomic<i32>, 2>,
+  a : array<atomic<i32>, 5>,
+  dreturnmc4tax2at : array<atomic<i32>, 1>,
+}
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+  dmat2axat1 : array<atomic<i32>, 39711>,
+}