tint/resolver: Fix bad pointer deref (UAF)
Passing a dereferenced value from Hashmap::Find() directly into Hashmap::Add() is a potential cause of UAF, as the insertion may reallocate the map, invalidating the input reference.
I'll try to think of ways to make this foot-gun harder to do, but this CL fixes the immediate bug found by fuzzers.
Bug: chromium:1383755
Change-Id: I4f8b2fcb0745b008a47ef9947c330afb9ac4e78f
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/110020
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
diff --git a/src/tint/resolver/resolver.cc b/src/tint/resolver/resolver.cc
index 880d595..2a9b476 100644
--- a/src/tint/resolver/resolver.cc
+++ b/src/tint/resolver/resolver.cc
@@ -2688,7 +2688,7 @@
if (el_ty->Is<sem::Atomic>()) {
atomic_composite_info_.Add(out, &arr->type->source);
} else {
- if (auto* found = atomic_composite_info_.Find(el_ty)) {
+ if (auto found = atomic_composite_info_.Get(el_ty)) {
atomic_composite_info_.Add(out, *found);
}
}
@@ -3027,7 +3027,7 @@
atomic_composite_info_.Add(out, &sem_members[i]->Declaration()->source);
break;
} else {
- if (auto* found = atomic_composite_info_.Find(mem_type)) {
+ if (auto found = atomic_composite_info_.Get(mem_type)) {
atomic_composite_info_.Add(out, *found);
break;
}
diff --git a/test/tint/bug/chromium/1383755.wgsl b/test/tint/bug/chromium/1383755.wgsl
new file mode 100644
index 0000000..3836d81
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl
@@ -0,0 +1,30 @@
+struct TestDatabuMltin {functionatxa4 : array<atomic<i32>, 9
+>, data : array<atomic<i32>, 32772>,
+ a : array<atomic<i32>, 4>,
+dzet4rnaumtax2at : array<atomic<i32>, 1>,
+}
+
+struct Tc65535tDtint_symbol_7ata {
+ dtma1atxa4 : array<atomic< i32>, 72365>,
+ hata : array<atomic<i32>, 2>,
+ a : array<atomic<i32>, 3>,
+ returnma3tatxa92233720368547R758p8 : array<atomic<i32>, 35526>,
+}
+
+struct TzVfat0x32769tDvar {
+ dmat2axat2 : array<atomic<i32>, 39611>, }
+struct TestDauiltin {
+ dmat2a2axt : array<atomic<i32>, 9
+>, data : array<atomic<i32>, 32742>,
+ a : array<atomic<i32>, 4>,
+}
+
+struct Teec65538tDtint_sybom_l7ata {
+ dmat1atxainverseSqrt4 : array<atomic< i32>, 32768>,
+ hata : array< atomic<i32>, 2>,
+ a : array <atomic<i32>, 5>,
+ dreturnmc4tax2at : array<atomic<i32>, 1>,
+}
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+ dmat2axat1 : array<atomic<i32>, 39711>, }
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.dxc.hlsl b/test/tint/bug/chromium/1383755.wgsl.expected.dxc.hlsl
new file mode 100644
index 0000000..051e8c3
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.dxc.hlsl
@@ -0,0 +1,5 @@
+[numthreads(1, 1, 1)]
+void unused_entry_point() {
+ return;
+}
+
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.fxc.hlsl b/test/tint/bug/chromium/1383755.wgsl.expected.fxc.hlsl
new file mode 100644
index 0000000..051e8c3
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.fxc.hlsl
@@ -0,0 +1,5 @@
+[numthreads(1, 1, 1)]
+void unused_entry_point() {
+ return;
+}
+
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.glsl b/test/tint/bug/chromium/1383755.wgsl.expected.glsl
new file mode 100644
index 0000000..49beef4
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.glsl
@@ -0,0 +1,41 @@
+#version 310 es
+
+layout(local_size_x = 1, local_size_y = 1, local_size_z = 1) in;
+void unused_entry_point() {
+ return;
+}
+struct TestDatabuMltin {
+ int functionatxa4[9];
+ int data[32772];
+ int a[4];
+ int dzet4rnaumtax2at[1];
+};
+
+struct Tc65535tDtint_symbol_7ata {
+ int dtma1atxa4[72365];
+ int hata[2];
+ int a[3];
+ int returnma3tatxa92233720368547R758p8[35526];
+};
+
+struct TzVfat0x32769tDvar {
+ int dmat2axat2[39611];
+};
+
+struct TestDauiltin {
+ int dmat2a2axt[9];
+ int data[32742];
+ int a[4];
+};
+
+struct Teec65538tDtint_sybom_l7ata {
+ int dmat1atxainverseSqrt4[32768];
+ int hata[2];
+ int a[5];
+ int dreturnmc4tax2at[1];
+};
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+ int dmat2axat1[39711];
+};
+
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.msl b/test/tint/bug/chromium/1383755.wgsl.expected.msl
new file mode 100644
index 0000000..f51d876
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.msl
@@ -0,0 +1,51 @@
+#include <metal_stdlib>
+
+using namespace metal;
+
+template<typename T, size_t N>
+struct tint_array {
+ const constant T& operator[](size_t i) const constant { return elements[i]; }
+ device T& operator[](size_t i) device { return elements[i]; }
+ const device T& operator[](size_t i) const device { return elements[i]; }
+ thread T& operator[](size_t i) thread { return elements[i]; }
+ const thread T& operator[](size_t i) const thread { return elements[i]; }
+ threadgroup T& operator[](size_t i) threadgroup { return elements[i]; }
+ const threadgroup T& operator[](size_t i) const threadgroup { return elements[i]; }
+ T elements[N];
+};
+
+struct TestDatabuMltin {
+ tint_array<atomic_int, 9> functionatxa4;
+ tint_array<atomic_int, 32772> data;
+ tint_array<atomic_int, 4> a;
+ tint_array<atomic_int, 1> dzet4rnaumtax2at;
+};
+
+struct Tc65535tDtint_symbol_7ata {
+ tint_array<atomic_int, 72365> dtma1atxa4;
+ tint_array<atomic_int, 2> hata;
+ tint_array<atomic_int, 3> a;
+ tint_array<atomic_int, 35526> returnma3tatxa92233720368547R758p8;
+};
+
+struct TzVfat0x32769tDvar {
+ tint_array<atomic_int, 39611> dmat2axat2;
+};
+
+struct TestDauiltin {
+ tint_array<atomic_int, 9> dmat2a2axt;
+ tint_array<atomic_int, 32742> data;
+ tint_array<atomic_int, 4> a;
+};
+
+struct Teec65538tDtint_sybom_l7ata {
+ tint_array<atomic_int, 32768> dmat1atxainverseSqrt4;
+ tint_array<atomic_int, 2> hata;
+ tint_array<atomic_int, 5> a;
+ tint_array<atomic_int, 1> dreturnmc4tax2at;
+};
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+ tint_array<atomic_int, 39711> dmat2axat1;
+};
+
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.spvasm b/test/tint/bug/chromium/1383755.wgsl.expected.spvasm
new file mode 100644
index 0000000..65bef94
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.spvasm
@@ -0,0 +1,16 @@
+; SPIR-V
+; Version: 1.3
+; Generator: Google Tint Compiler; 0
+; Bound: 5
+; Schema: 0
+ OpCapability Shader
+ OpMemoryModel Logical GLSL450
+ OpEntryPoint GLCompute %unused_entry_point "unused_entry_point"
+ OpExecutionMode %unused_entry_point LocalSize 1 1 1
+ OpName %unused_entry_point "unused_entry_point"
+ %void = OpTypeVoid
+ %1 = OpTypeFunction %void
+%unused_entry_point = OpFunction %void None %1
+ %4 = OpLabel
+ OpReturn
+ OpFunctionEnd
diff --git a/test/tint/bug/chromium/1383755.wgsl.expected.wgsl b/test/tint/bug/chromium/1383755.wgsl.expected.wgsl
new file mode 100644
index 0000000..a772ddd
--- /dev/null
+++ b/test/tint/bug/chromium/1383755.wgsl.expected.wgsl
@@ -0,0 +1,34 @@
+struct TestDatabuMltin {
+ functionatxa4 : array<atomic<i32>, 9>,
+ data : array<atomic<i32>, 32772>,
+ a : array<atomic<i32>, 4>,
+ dzet4rnaumtax2at : array<atomic<i32>, 1>,
+}
+
+struct Tc65535tDtint_symbol_7ata {
+ dtma1atxa4 : array<atomic<i32>, 72365>,
+ hata : array<atomic<i32>, 2>,
+ a : array<atomic<i32>, 3>,
+ returnma3tatxa92233720368547R758p8 : array<atomic<i32>, 35526>,
+}
+
+struct TzVfat0x32769tDvar {
+ dmat2axat2 : array<atomic<i32>, 39611>,
+}
+
+struct TestDauiltin {
+ dmat2a2axt : array<atomic<i32>, 9>,
+ data : array<atomic<i32>, 32742>,
+ a : array<atomic<i32>, 4>,
+}
+
+struct Teec65538tDtint_sybom_l7ata {
+ dmat1atxainverseSqrt4 : array<atomic<i32>, 32768>,
+ hata : array<atomic<i32>, 2>,
+ a : array<atomic<i32>, 5>,
+ dreturnmc4tax2at : array<atomic<i32>, 1>,
+}
+
+struct TzfVatt0x0UDatasmvec65535tDtinvec4matomicMaxbol_fVatt0atomicMin3D9t672var {
+ dmat2axat1 : array<atomic<i32>, 39711>,
+}
