
CVE-2023-29942: [mlir] Convert-spirv-to-llvm Pass trigger Segmentation fault in LLVMStructType verifier · Issue #59990 · llvm/llvm-project

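llvm-project at commit a0138390 was found to crash with a segmentation fault in mlir::Type::isa<mlir::LLVM::LLVMVoidType, ...>, called from mlir::LLVM::LLVMStructType::verify, when mlir-opt runs the --convert-spirv-to-llvm pass on the input below. The report demonstrates a crash of the tool processing the file; it does not show any impact beyond that.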


MLIR built at commit a0138390
Reproduced with:
mlir-opt --convert-spirv-to-llvm temp.mlir

temp.mlir:

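// Crash reproducer from the issue: with MLIR built at commit a0138390,
//   mlir-opt --convert-spirv-to-llvm temp.mlir
// segfaults on this input.
//
// Per the reported backtrace, the fault is in mlir::Type::isa<...> called from
// mlir::LLVM::LLVMStructType::verify, reached through
// TypeConverter::convertType from GlobalVariablePattern::matchAndRewrite,
// i.e. while converting the type of a spirv.GlobalVariable.
//
// NOTE(review): every global below is a struct wrapping a strided
// !spirv.rtarray; presumably the member type fails to convert and an
// invalid (null) Type reaches the struct verifier. Confirm against the fix
// for issue #59990. Useful as a regression input: the expected behaviour is
// a diagnostic and a failed pass, not a crash.
module {
  spirv.module Logical GLSL450 {
    // Three aliased storage-buffer globals sharing the same bind(0, 1).
    spirv.GlobalVariable @var01_scalar bind(0, 1) {aliased} : !spirv.ptr<!spirv.struct<(!spirv.rtarray<f32, stride=4> [0])>, StorageBuffer>
    spirv.GlobalVariable @var01_vec2 bind(0, 1) {aliased} : !spirv.ptr<!spirv.struct<(!spirv.rtarray<vector<2xf32>, stride=8> [0])>, StorageBuffer>
    spirv.GlobalVariable @var01_vec4 bind(0, 1) {aliased} : !spirv.ptr<!spirv.struct<(!spirv.rtarray<vector<4xf32>, stride=16> [0])>, StorageBuffer>

    spirv.func @load_different_vector_sizes(%i0: i32) -> vector<4xf32> "None" {
      %c0 = spirv.Constant 0 : i32

      // Load element %i0 through the vec4 view of the buffer.
      %addr0 = spirv.mlir.addressof @var01_vec4 : !spirv.ptr<!spirv.struct<(!spirv.rtarray<vector<4xf32>, stride=16> [0])>, StorageBuffer>
      %ac0 = spirv.AccessChain %addr0[%c0, %i0] : !spirv.ptr<!spirv.struct<(!spirv.rtarray<vector<4xf32>, stride=16> [0])>, StorageBuffer>, i32, i32
      %vec4val = spirv.Load "StorageBuffer" %ac0 : vector<4xf32>

      // Load element %i0 through the scalar view of the buffer.
      %addr1 = spirv.mlir.addressof @var01_scalar : !spirv.ptr<!spirv.struct<(!spirv.rtarray<f32, stride=4> [0])>, StorageBuffer>
      %ac1 = spirv.AccessChain %addr1[%c0, %i0] : !spirv.ptr<!spirv.struct<(!spirv.rtarray<f32, stride=4> [0])>, StorageBuffer>, i32, i32
      %scalarval = spirv.Load "StorageBuffer" %ac1 : f32

      // Replace lane 0 of the vector with the scalar and return it.
      %val = spirv.CompositeInsert %scalarval, %vec4val[0 : i32] : f32 into vector<4xf32>
      spirv.ReturnValue %val : vector<4xf32>
    }
  }
}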

trace:

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace. Stack dump:

  1. Program arguments: mlir-opt --convert-spirv-to-llvm temp.mlir Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it): 0 mlir-opt 0x00000001023fc5bc llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 56 1 mlir-opt 0x00000001023fb624 llvm::sys::RunSignalHandlers() + 112 2 mlir-opt 0x00000001023fcc54 SignalHandler(int) + 344 3 libsystem_platform.dylib 0x00000001a56894c4 _sigtramp + 56 4 mlir-opt 0x0000000102a8a668 bool mlir::Type::isa<mlir::LLVM::LLVMVoidType, mlir::LLVM::LLVMLabelType, mlir::LLVM::LLVMMetadataType, mlir::LLVM::LLVMFunctionType, mlir::LLVM::LLVMTokenType, mlir::LLVM::LLVMScalableVectorType>() const + 24 5 mlir-opt 0x0000000102a8a668 bool mlir::Type::isa<mlir::LLVM::LLVMVoidType, mlir::LLVM::LLVMLabelType, mlir::LLVM::LLVMMetadataType, mlir::LLVM::LLVMFunctionType, mlir::LLVM::LLVMTokenType, mlir::LLVM::LLVMScalableVectorType>() const + 24 6 mlir-opt 0x0000000102a8bef8 mlir::LLVM::LLVMStructType::verify(llvm::function_ref<mlir::InFlightDiagnostic ()>, llvm::ArrayRef<mlir::Type>, bool) + 76 7 mlir-opt 0x0000000102a8bcc8 mlir::LLVM::LLVMStructType mlir::detail::StorageUserBase<mlir::LLVM::LLVMStructType, mlir::Type, mlir::LLVM::detail::LLVMStructTypeStorage, mlir::detail::TypeUniquer, mlir::DataLayoutTypeInterface::Trait, mlir::SubElementTypeInterface::Trait, mlir::TypeTrait::IsMutable>::get<llvm::ArrayRef<mlir::Type>, bool>(mlir::MLIRContext*, llvm::ArrayRef<mlir::Type>, bool) + 76 8 mlir-opt 0x000000010332d334 std::__1::__function::__func<std::__1::enable_if<std::is_invocable_v<mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5, mlir::spirv::StructType, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>>, std::__1::function<std::__1::optional<mlir::LogicalResult> (mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>>::type mlir::TypeConverter::wrapCallback<mlir::spirv::StructType, 
std::__1::enable_if<std::is_invocable_v<mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5, mlir::spirv::StructType>, std::__1::function<std::__1::optional<mlir::LogicalResult> (mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>>::type mlir::TypeConverter::wrapCallback<mlir::spirv::StructType, mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5>(mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5&&)::’lambda’(mlir::spirv::StructType, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>(mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5&&)::’lambda’(mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>), std::__1::allocator<std::__1::enable_if<std::is_invocable_v<mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5, mlir::spirv::StructType, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>>, std::__1::function<std::__1::optional<mlir::LogicalResult> (mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>>::type mlir::TypeConverter::wrapCallback<mlir::spirv::StructType, std::__1::enable_if<std::is_invocable_v<mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5, mlir::spirv::StructType>, std::__1::function<std::__1::optional<mlir::LogicalResult> (mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>>::type mlir::TypeConverter::wrapCallback<mlir::spirv::StructType, mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5>(mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5&&)::’lambda’(mlir::spirv::StructType, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>(mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$_5&&)::’lambda’(mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>, std::__1::optional<mlir::LogicalResult> (mlir::Type, 
llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>::operator()(mlir::Type&&, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>&&) + 776 9 mlir-opt 0x000000010363a9e4 mlir::TypeConverter::convertType(mlir::Type, llvm::SmallVectorImpl<mlir::Type>&) + 764 10 mlir-opt 0x000000010363f0f4 mlir::TypeConverter::convertType(mlir::Type) + 64 11 mlir-opt 0x0000000103346d14 (anonymous namespace)::GlobalVariablePattern::matchAndRewrite(mlir::spirv::GlobalVariableOp, mlir::spirv::GlobalVariableOpAdaptor, mlir::ConversionPatternRewriter&) const + 124 12 mlir-opt 0x0000000102f78af4 mlir::OpConversionPattern<mlir::spirv::GlobalVariableOp>::matchAndRewrite(mlir::Operation*, llvm::ArrayRef<mlir::Value>, mlir::ConversionPatternRewriter&) const + 144 13 mlir-opt 0x000000010363ee34 mlir::ConversionPattern::matchAndRewrite(mlir::Operation*, mlir::PatternRewriter&) const + 200 14 mlir-opt 0x000000010389bbd0 mlir::PatternApplicator::matchAndRewrite(mlir::Operation*, mlir::PatternRewriter&, llvm::function_ref<bool (mlir::Pattern const&)>, llvm::function_ref<void (mlir::Pattern const&)>, llvm::function_ref<mlir::LogicalResult (mlir::Pattern const&)>) + 1440 15 mlir-opt 0x00000001036494b0 (anonymous namespace)::OperationLegalizer::legalize(mlir::Operation*, mlir::ConversionPatternRewriter&) + 1948 16 mlir-opt 0x0000000103642b1c (anonymous namespace)::OperationConverter::convertOperations(llvm::ArrayRef<mlir::Operation*>, llvm::function_ref<void (mlir::Diagnostic&)>) + 928 17 mlir-opt 0x0000000103644d18 mlir::applyPartialConversion(mlir::Operation*, mlir::ConversionTarget&, mlir::FrozenRewritePatternSet const&, llvm::DenseSet<mlir::Operation*, llvm::DenseMapInfo<mlir::Operation*, void>>*) + 80 18 mlir-opt 0x000000010334dc20 (anonymous namespace)::ConvertSPIRVToLLVMPass::runOnOperation() + 600 19 mlir-opt 0x00000001036074dc mlir::detail::OpToOpPassAdaptor::run(mlir::Pass*, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int) + 420 20 mlir-opt 
0x0000000103607a0c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor*, mlir::PassInstrumentation::PipelineParentInfo const*) + 320 21 mlir-opt 0x0000000103609388 mlir::PassManager::run(mlir::Operation*) + 1148 22 mlir-opt 0x0000000103602840 performActions(llvm::raw_ostream&, bool, bool, std::__1::shared_ptr<llvm::SourceMgr> const&, mlir::MLIRContext*, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 504 23 mlir-opt 0x0000000103602410 mlir::LogicalResult llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>::callback_fn<mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$_0>(long, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&) + 704 24 mlir-opt 0x000000010366d02c mlir::splitAndProcessBuffer(std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>, llvm::raw_ostream&, bool, bool) + 656 25 mlir-opt 0x0000000103600838 mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 216 26 mlir-opt 0x0000000103600d2c mlir::MlirOptMain(int, char**, llvm::StringRef, mlir::DialectRegistry&, bool) + 1208 27 mlir-opt 0x000000010229f0a0 main + 108 28 dyld 0x0000000106ad5088 start + 516
