Headline
CVE-2023-29934: [mlir] convert-scf-to-spirv Pass crashed with segmentation fault · Issue #59136 · llvm/llvm-project
llvm-project at commit 6c01b5c was found to crash with a segmentation fault in mlir::Type::getDialect().
MLIR built at commit 6c01b5c
Reproduced with:
mlir-opt --convert-scf-to-spirv temp.mlir
// Reproducer for the convert-scf-to-spirv crash; run as shown above:
//   mlir-opt --convert-scf-to-spirv temp.mlir
// The backtrace ends in mlir::Type::getDialect(), called from
// spirv::PointerType::get(Type, StorageClass) inside
// replaceSCFOutputValue<scf::IfOp, spirv::SelectionOp>, i.e. while the
// IfOpConversion pattern materializes an scf.if result. A segfault in
// Type::getDialect() is consistent with a null Type reaching PointerType::get.
module {
  // %arg0 and %arg1 are never referenced; the input looks fuzzer-generated.
  func.func @func1(%arg0: tensor<2x2xi1>, %arg1: f32) -> f32 {
    %true = arith.constant true
    %c36976552_i32 = arith.constant 36976552 : i32
    %cst_4 = arith.constant 1.59615526E+9 : f32
    %true_5 = arith.constant true
    %c1998615473_i32 = arith.constant 1998615473 : i32
    %alloc_46 = memref.alloc() : memref<3xi32>
    %alloc_107 = memref.alloc() : memref<2xi32>
    // scf.if with a scalar i32 result.
    %94 = scf.if %true_5 -> (i32) {
      scf.yield %c36976552_i32 : i32
    } else {
      scf.yield %c1998615473_i32 : i32
    }
    // scf.if whose result is a memref, not a scalar.
    // NOTE(review): presumably this memref<3xi32> result type has no SPIR-V
    // type conversion in the pass, so a null Type is handed to
    // PointerType::get — confirm against the pass source. The result %214 is
    // itself unused.
    %214 = scf.if %true -> (memref<3xi32>) {
      scf.yield %alloc_46 : memref<3xi32>
    } else {
      // %264 is unused.
      %264 = arith.shrsi %94, %c36976552_i32 : i32
      scf.yield %alloc_46 : memref<3xi32>
    }
    memref.assume_alignment %alloc_107, 8 : memref<2xi32>
    return %cst_4 : f32
  }
}
Stack trace:
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace. Stack dump:
- Program arguments: mlir-opt --convert-scf-to-spirv temp.mlir Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it): 0 mlir-opt 0x00000001032c76f8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 72 1 mlir-opt 0x00000001032c7c14 PrintStackTraceSignalHandler(void*) + 28 2 mlir-opt 0x00000001032c5d18 llvm::sys::RunSignalHandlers() + 148 3 mlir-opt 0x00000001032c94e4 SignalHandler(int) + 252 4 libsystem_platform.dylib 0x000000019fc254c4 _sigtramp + 56 5 mlir-opt 0x0000000103a6c974 mlir::Type::getDialect() const + 28 6 mlir-opt 0x0000000103a6c974 mlir::Type::getDialect() const + 28 7 mlir-opt 0x00000001073813b0 mlir::Type::getContext() const + 24 8 mlir-opt 0x000000010552bd84 mlir::spirv::PointerType::get(mlir::Type, mlir::spirv::StorageClass) + 32 9 mlir-opt 0x00000001061a1388 void replaceSCFOutputValue<mlir::scf::IfOp, mlir::spirv::SelectionOp>(mlir::scf::IfOp, mlir::spirv::SelectionOp, mlir::ConversionPatternRewriter&, mlir::ScfToSPIRVContextImpl*, llvm::ArrayRef<mlir::Type>) + 240 10 mlir-opt 0x00000001061a0b24 (anonymous namespace)::IfOpConversion::matchAndRewrite(mlir::scf::IfOp, mlir::scf::IfOpAdaptor, mlir::ConversionPatternRewriter&) const + 1016 11 mlir-opt 0x00000001061a06bc mlir::OpConversionPattern<mlir::scf::IfOp>::matchAndRewrite(mlir::Operation*, llvm::ArrayRef<mlir::Value>, mlir::ConversionPatternRewriter&) const + 176 12 mlir-opt 0x0000000107000b24 mlir::ConversionPattern::matchAndRewrite(mlir::Operation*, mlir::PatternRewriter&) const + 368 13 mlir-opt 0x0000000107d211e8 mlir::PatternApplicator::matchAndRewrite(mlir::Operation*, mlir::PatternRewriter&, llvm::function_ref<bool (mlir::Pattern const&)>, llvm::function_ref<void (mlir::Pattern const&)>, llvm::function_ref<mlir::LogicalResult (mlir::Pattern const&)>) + 1356 14 mlir-opt 0x0000000107021a78 (anonymous namespace)::OperationLegalizer::legalizeWithPattern(mlir::Operation*, 
mlir::ConversionPatternRewriter&) + 328 15 mlir-opt 0x00000001070211cc (anonymous namespace)::OperationLegalizer::legalize(mlir::Operation*, mlir::ConversionPatternRewriter&) + 996 16 mlir-opt 0x00000001070207bc (anonymous namespace)::OperationConverter::convert(mlir::ConversionPatternRewriter&, mlir::Operation*) + 64 17 mlir-opt 0x0000000107004c58 (anonymous namespace)::OperationConverter::convertOperations(llvm::ArrayRef<mlir::Operation*>, llvm::function_ref<void (mlir::Diagnostic&)>) + 568 18 mlir-opt 0x0000000107004988 mlir::applyPartialConversion(llvm::ArrayRef<mlir::Operation*>, mlir::ConversionTarget&, mlir::FrozenRewritePatternSet const&, llvm::DenseSet<mlir::Operation*, llvm::DenseMapInfo<mlir::Operation*, void>>*) + 124 19 mlir-opt 0x0000000107004e7c mlir::applyPartialConversion(mlir::Operation*, mlir::ConversionTarget&, mlir::FrozenRewritePatternSet const&, llvm::DenseSet<mlir::Operation*, llvm::DenseMapInfo<mlir::Operation*, void>>*) + 72 20 mlir-opt 0x00000001061a5ed4 (anonymous namespace)::SCFToSPIRVPass::runOnOperation() + 392 21 mlir-opt 0x0000000106ec44ac mlir::detail::OpToOpPassAdaptor::run(mlir::Pass*, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int) + 512 22 mlir-opt 0x0000000106ec4b7c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor*, mlir::PassInstrumentation::PipelineParentInfo const*) + 364 23 mlir-opt 0x0000000106ec6dc0 mlir::PassManager::runPasses(mlir::Operation*, mlir::AnalysisManager) + 108 24 mlir-opt 0x0000000106ec6b98 mlir::PassManager::run(mlir::Operation*) + 864 25 mlir-opt 0x0000000106eabf94 performActions(llvm::raw_ostream&, bool, bool, llvm::SourceMgr&, mlir::MLIRContext*, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 560 26 mlir-opt 0x0000000106eabb28 processBuffer(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, bool, bool, 
bool, bool, bool, bool, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, llvm::ThreadPool*) + 496 27 mlir-opt 0x0000000106eab8f0 mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$_0::operator()(std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&) const + 204 28 mlir-opt 0x0000000106eab804 mlir::LogicalResult llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>::callback_fn<mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$_0>(long, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&) + 80 29 mlir-opt 0x00000001070b692c llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>::operator()(std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&) const + 96 30 mlir-opt 0x00000001070b6410 mlir::splitAndProcessBuffer(std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>, llvm::raw_ostream&, bool, bool) + 128 31 mlir-opt 0x0000000106ea9244 mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult 
(mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 320 32 mlir-opt 0x0000000106ea944c mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, mlir::PassPipelineCLParser const&, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool, bool) + 296 33 mlir-opt 0x0000000106eaa010 mlir::MlirOptMain(int, char**, llvm::StringRef, mlir::DialectRegistry&, bool) + 2912 34 mlir-opt 0x0000000102ae9278 main + 148 35 dyld 0x0000000120745088 start + 516
Related news
Ubuntu Security Notice 6258-1 - It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. This issue only affected llvm-toolchain-15.