tint/resolver: Fix bad pointer deref (UAF)

Passing a dereferenced value from Hashmap::Find() directly into Hashmap::Add() is a potential cause of UAF, as the insertion may reallocate the map, invalidating the input reference. I'll try to think of ways to make this foot-gun harder to do, but this CL fixes the immediate bug found by fuzzers. Bug: chromium:1383755 Change-Id: I4f8b2fcb0745b008a47ef9947c330afb9ac4e78f Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/110020 Kokoro: Kokoro <noreply+kokoro@google.com> Reviewed-by: James Price <jrprice@google.com> Commit-Queue: Ben Clayton <bclayton@google.com>
2022-11-13 18:26:25 +00:00 · 2022-11-13 18:26:25 +00:00 · c33d10ae79
parent 570a0faf26
commit c33d10ae79
8 changed files with 184 additions and 2 deletions
--- a/src/tint/resolver/resolver.cc
+++ b/src/tint/resolver/resolver.cc
@ -2688,7 +2688,7 @@ sem::Array* Resolver::Array(const ast::Array* arr) {
    if (el_ty->Is<sem::Atomic>()) {
        atomic_composite_info_.Add(out, &arr->type->source);
    } else {
-        if (auto* found = atomic_composite_info_.Find(el_ty)) {
+        if (auto found = atomic_composite_info_.Get(el_ty)) {
            atomic_composite_info_.Add(out, *found);
        }
    }
@ -3027,7 +3027,7 @@ sem::Struct* Resolver::Structure(const ast::Struct* str) {
            atomic_composite_info_.Add(out, &sem_members[i]->Declaration()->source);
            break;
        } else {
-            if (auto* found = atomic_composite_info_.Find(mem_type)) {
+            if (auto found = atomic_composite_info_.Get(mem_type)) {
                atomic_composite_info_.Add(out, *found);
                break;
            }
--- a/test/tint/bug/chromium/1383755.wgsl
+++ b/test/tint/bug/chromium/1383755.wgsl
@ -0,0 +1,30 @@
+struct TestDatabuMltin {functionatxa4 : array<atomic<i32>, 9
+>,  data : array<atomic<i32>,                                    32772>,
+  a : array<atomic<i32>, 4>,
+dzet4rnaumtax2at : array<atomic<i32>, 1>,
+}
+
+struct Tc65535tDtint_symbol_7ata {
+  dtma1atxa4 : array<atomic<        i32>, 72365>,
+  hata : array<atomic<i32>, 2>,
+  a : array<atomic<i32>, 3>,
+   returnma3tatxa92233720368547R758p8 : array<atomic<i32>, 35526>,
+}
+
+struct TzVfat0x32769tDvar {
+  dmat2axat2 : array<atomic<i32>, 39611>, }
+struct TestDauiltin {
+  dmat2a2axt : array<atomic<i32>, 9
+>,  data : array<atomic<i32>, 32742>,
+  a : array<atomic<i32>, 4>,
+}
+
+struct Teec65538tDtint_sybom_l7ata {
+  dmat1atxainverseSqrt4                                                        : array<atomic<        i32>, 32768>,
+  hata : array< atomic<i32>, 2>,
+  a : array                                                                                                                                    <atomic<i32>, 5>,
+  dreturnmc4tax2at : array<atomic<i32>, 1>,
+}
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+  dmat2axat1 : array<atomic<i32>, 39711>, }
--- a/test/tint/bug/chromium/1383755.wgsl.expected.dxc.hlsl
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.dxc.hlsl
@ -0,0 +1,5 @@
+[numthreads(1, 1, 1)]
+void unused_entry_point() {
+  return;
+}
+
--- a/test/tint/bug/chromium/1383755.wgsl.expected.fxc.hlsl
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.fxc.hlsl
@ -0,0 +1,5 @@
+[numthreads(1, 1, 1)]
+void unused_entry_point() {
+  return;
+}
+
--- a/test/tint/bug/chromium/1383755.wgsl.expected.glsl
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.glsl
@ -0,0 +1,41 @@
+#version 310 es
+
+layout(local_size_x = 1, local_size_y = 1, local_size_z = 1) in;
+void unused_entry_point() {
+  return;
+}
+struct TestDatabuMltin {
+  int functionatxa4[9];
+  int data[32772];
+  int a[4];
+  int dzet4rnaumtax2at[1];
+};
+
+struct Tc65535tDtint_symbol_7ata {
+  int dtma1atxa4[72365];
+  int hata[2];
+  int a[3];
+  int returnma3tatxa92233720368547R758p8[35526];
+};
+
+struct TzVfat0x32769tDvar {
+  int dmat2axat2[39611];
+};
+
+struct TestDauiltin {
+  int dmat2a2axt[9];
+  int data[32742];
+  int a[4];
+};
+
+struct Teec65538tDtint_sybom_l7ata {
+  int dmat1atxainverseSqrt4[32768];
+  int hata[2];
+  int a[5];
+  int dreturnmc4tax2at[1];
+};
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+  int dmat2axat1[39711];
+};
+
--- a/test/tint/bug/chromium/1383755.wgsl.expected.msl
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.msl
@ -0,0 +1,51 @@
+#include <metal_stdlib>
+
+using namespace metal;
+
+template<typename T, size_t N>
+struct tint_array {
+    const constant T& operator[](size_t i) const constant { return elements[i]; }
+    device T& operator[](size_t i) device { return elements[i]; }
+    const device T& operator[](size_t i) const device { return elements[i]; }
+    thread T& operator[](size_t i) thread { return elements[i]; }
+    const thread T& operator[](size_t i) const thread { return elements[i]; }
+    threadgroup T& operator[](size_t i) threadgroup { return elements[i]; }
+    const threadgroup T& operator[](size_t i) const threadgroup { return elements[i]; }
+    T elements[N];
+};
+
+struct TestDatabuMltin {
+  tint_array<atomic_int, 9> functionatxa4;
+  tint_array<atomic_int, 32772> data;
+  tint_array<atomic_int, 4> a;
+  tint_array<atomic_int, 1> dzet4rnaumtax2at;
+};
+
+struct Tc65535tDtint_symbol_7ata {
+  tint_array<atomic_int, 72365> dtma1atxa4;
+  tint_array<atomic_int, 2> hata;
+  tint_array<atomic_int, 3> a;
+  tint_array<atomic_int, 35526> returnma3tatxa92233720368547R758p8;
+};
+
+struct TzVfat0x32769tDvar {
+  tint_array<atomic_int, 39611> dmat2axat2;
+};
+
+struct TestDauiltin {
+  tint_array<atomic_int, 9> dmat2a2axt;
+  tint_array<atomic_int, 32742> data;
+  tint_array<atomic_int, 4> a;
+};
+
+struct Teec65538tDtint_sybom_l7ata {
+  tint_array<atomic_int, 32768> dmat1atxainverseSqrt4;
+  tint_array<atomic_int, 2> hata;
+  tint_array<atomic_int, 5> a;
+  tint_array<atomic_int, 1> dreturnmc4tax2at;
+};
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+  tint_array<atomic_int, 39711> dmat2axat1;
+};
+
--- a/test/tint/bug/chromium/1383755.wgsl.expected.spvasm
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.spvasm
@ -0,0 +1,16 @@
+; SPIR-V
+; Version: 1.3
+; Generator: Google Tint Compiler; 0
+; Bound: 5
+; Schema: 0
+               OpCapability Shader
+               OpMemoryModel Logical GLSL450
+               OpEntryPoint GLCompute %unused_entry_point "unused_entry_point"
+               OpExecutionMode %unused_entry_point LocalSize 1 1 1
+               OpName %unused_entry_point "unused_entry_point"
+       %void = OpTypeVoid
+          %1 = OpTypeFunction %void
+%unused_entry_point = OpFunction %void None %1
+          %4 = OpLabel
+               OpReturn
+               OpFunctionEnd
--- a/test/tint/bug/chromium/1383755.wgsl.expected.wgsl
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.wgsl
@ -0,0 +1,34 @@
+struct TestDatabuMltin {
+  functionatxa4 : array<atomic<i32>, 9>,
+  data : array<atomic<i32>, 32772>,
+  a : array<atomic<i32>, 4>,
+  dzet4rnaumtax2at : array<atomic<i32>, 1>,
+}
+
+struct Tc65535tDtint_symbol_7ata {
+  dtma1atxa4 : array<atomic<i32>, 72365>,
+  hata : array<atomic<i32>, 2>,
+  a : array<atomic<i32>, 3>,
+  returnma3tatxa92233720368547R758p8 : array<atomic<i32>, 35526>,
+}
+
+struct TzVfat0x32769tDvar {
+  dmat2axat2 : array<atomic<i32>, 39611>,
+}
+
+struct TestDauiltin {
+  dmat2a2axt : array<atomic<i32>, 9>,
+  data : array<atomic<i32>, 32742>,
+  a : array<atomic<i32>, 4>,
+}
+
+struct Teec65538tDtint_sybom_l7ata {
+  dmat1atxainverseSqrt4 : array<atomic<i32>, 32768>,
+  hata : array<atomic<i32>, 2>,
+  a : array<atomic<i32>, 5>,
+  dreturnmc4tax2at : array<atomic<i32>, 1>,
+}
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+  dmat2axat1 : array<atomic<i32>, 39711>,
+}