CVE-2023-29933: [mlir] One shot bufferize crashed with segmentation fault. · Issue #59442 · llvm/llvm-project

llvm-project commit bd456297 was discovered to contain a segmentation fault via the component mlir::Block::getArgument.


MLIR built at commit 0ee6bad
Reproduced with:
mlir-opt --one-shot-bufferize temp.mlir

temp.mlir:

module {
  func.func @func() {
    %false = arith.constant false
    %8 = tensor.empty() : tensor<10x10xf32>
    scf.while (%arg0 = %8) : (tensor<10x10xf32>) -> () {
      scf.condition(%false)
    } do {
      scf.yield %8 : tensor<10x10xf32>
    }
    return
  }
}

trace:

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0. Program arguments: mlir-opt --one-shot-bufferize temp.mlir
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
0 mlir-opt 0x000000010152e568 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 72
1 mlir-opt 0x000000010152ea84 PrintStackTraceSignalHandler(void*) + 28
2 mlir-opt 0x000000010152cb34 llvm::sys::RunSignalHandlers() + 148
3 mlir-opt 0x00000001015306f0 SignalHandler(int) + 252
4 libsystem_platform.dylib 0x000000019970d4c4 _sigtramp + 56
5 mlir-opt 0x0000000102c160b8 mlir::Block::getArgument(unsigned int) + 40
6 mlir-opt 0x0000000102f5fa2c mlir::scf::(anonymous namespace)::WhileOpInterface::verifyAnalysis(mlir::Operation*, mlir::bufferization::AnalysisState const&) const + 760
7 mlir-opt 0x0000000102f5d2ac mlir::bufferization::detail::BufferizableOpInterfaceInterfaceTraits::FallbackModel<mlir::scf::(anonymous namespace)::WhileOpInterface>::verifyAnalysis(mlir::bufferization::detail::BufferizableOpInterfaceInterfaceTraits::Concept const*, mlir::Operation*, mlir::bufferization::AnalysisState const&) + 40
8 mlir-opt 0x0000000101b053d4 mlir::bufferization::BufferizableOpInterface::verifyAnalysis(mlir::bufferization::AnalysisState const&) + 88
9 mlir-opt 0x0000000101c36c84 mlir::bufferization::analyzeOp(mlir::Operation*, mlir::bufferization::OneShotAnalysisState&)::$_5::operator()(mlir::Operation*) const + 84
10 mlir-opt 0x0000000101c36c24 void llvm::function_ref<void (mlir::Operation*)>::callback_fn<mlir::bufferization::analyzeOp(mlir::Operation*, mlir::bufferization::OneShotAnalysisState&)::$_5>(long, mlir::Operation*) + 52
11 mlir-opt 0x0000000105423bf8 llvm::function_ref<void (mlir::Operation*)>::operator()(mlir::Operation*) const + 68
12 mlir-opt 0x000000010576a6d8 mlir::detail::walk(mlir::Operation*, llvm::function_ref<void (mlir::Operation*)>, mlir::WalkOrder) + 404
13 mlir-opt 0x000000010576a688 mlir::detail::walk(mlir::Operation*, llvm::function_ref<void (mlir::Operation*)>, mlir::WalkOrder) + 324
14 mlir-opt 0x000000010576a688 mlir::detail::walk(mlir::Operation*, llvm::function_ref<void (mlir::Operation*)>, mlir::WalkOrder) + 324
15 mlir-opt 0x0000000101c36b58 std::__1::enable_if<llvm::is_one_of<mlir::Operation*, mlir::Operation*, mlir::Region*, mlir::Block*>::value, void>::type mlir::detail::walk<(mlir::WalkOrder)1, mlir::bufferization::analyzeOp(mlir::Operation*, mlir::bufferization::OneShotAnalysisState&)::$_5, mlir::Operation*, void>(mlir::Operation*, mlir::bufferization::analyzeOp(mlir::Operation*, mlir::bufferization::OneShotAnalysisState&)::$_5&&) + 68
16 mlir-opt 0x0000000101c2b39c std::__1::enable_if<llvm::function_traits<std::__1::decay<mlir::bufferization::analyzeOp(mlir::Operation*, mlir::bufferization::OneShotAnalysisState&)::$_5>::type>::num_args == 1, void>::type mlir::Operation::walk<(mlir::WalkOrder)1, mlir::bufferization::analyzeOp(mlir::Operation*, mlir::bufferization::OneShotAnalysisState&)::$_5, void>(mlir::bufferization::analyzeOp(mlir::Operation*, mlir::bufferization::OneShotAnalysisState&)::$_5&&) + 48
17 mlir-opt 0x0000000101c2b0ac mlir::bufferization::analyzeOp(mlir::Operation*, mlir::bufferization::OneShotAnalysisState&) + 380
18 mlir-opt 0x0000000101c4453c mlir::bufferization::insertTensorCopies(mlir::Operation*, mlir::bufferization::OneShotBufferizationOptions const&) + 184
19 mlir-opt 0x0000000101c2b47c mlir::bufferization::runOneShotBufferize(mlir::Operation*, mlir::bufferization::OneShotBufferizationOptions const&) + 148
20 mlir-opt 0x0000000101b7e82c (anonymous namespace)::OneShotBufferizePass::runOnOperation() + 612
21 mlir-opt 0x0000000105294c58 mlir::detail::OpToOpPassAdaptor::run(mlir::Pass*, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int) + 512
22 mlir-opt 0x0000000105295328 mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor*, mlir::PassInstrumentation::PipelineParentInfo const*) + 364
23 mlir-opt 0x000000010529756c mlir::PassManager::runPasses(mlir::Operation*, mlir::AnalysisManager) + 108
24 mlir-opt 0x0000000105297344 mlir::PassManager::run(mlir::Operation*) + 864
25 mlir-opt 0x000000010527c61c performActions(llvm::raw_ostream&, bool, bool, llvm::SourceMgr&, mlir::MLIRContext*, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 560
26 mlir-opt 0x000000010527c1b0 processBuffer(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, bool, bool, bool, bool, bool, bool, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, llvm::ThreadPool*) + 496
27 mlir-opt 0x000000010527bf78 mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$_0::operator()(std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&) const + 204
28 mlir-opt 0x000000010527be8c mlir::LogicalResult llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>::callback_fn<mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$_0>(long, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&) + 80
29 mlir-opt 0x0000000105487440 llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>::operator()(std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&) const + 96
30 mlir-opt 0x0000000105486f24 mlir::splitAndProcessBuffer(std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>, llvm::raw_ostream&, bool, bool) + 128
31 mlir-opt 0x00000001052798cc mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 320
32 mlir-opt 0x0000000105279ad4 mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, mlir::PassPipelineCLParser const&, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool, bool) + 296
33 mlir-opt 0x000000010527a698 mlir::MlirOptMain(int, char**, llvm::StringRef, mlir::DialectRegistry&, bool) + 2912
34 mlir-opt 0x0000000100d44f50 main + 148
35 dyld 0x000000011f271088 start + 516

Related news

Ubuntu Security Notice USN-6258-1

Ubuntu Security Notice 6258-1 - It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. This issue only affected llvm-toolchain-15.
