CVE-2023-29939: [mlir] spirv-lower-abi-attrs crashes with segmentation faults · Issue #59983 · llvm/llvm-project
llvm-project commit a0138390 was discovered to contain a segmentation fault via the component mlir::spirv::TargetEnv::TargetEnv(mlir::spirv::TargetEnvAttr).
MLIR built at commit a0138390
Reproduced with:
mlir-opt --spirv-lower-abi-attrs temp.mlir
temp.mlir:
spirv.module Logical GLSL450 {
  spirv.SpecConstant @sc1 = 1.500000e+00 : f32
  spirv.SpecConstant @sc2 = 2.500000e+00 : f32
  spirv.SpecConstantComposite @scc (@sc1, @sc2) : vector<2xf32>
}
trace:
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0. Program arguments: mlir-opt --spirv-lower-abi-attrs temp.mlir
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
0 mlir-opt 0x0000000102dc05bc llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 56
1 mlir-opt 0x0000000102dbf624 llvm::sys::RunSignalHandlers() + 112
2 mlir-opt 0x0000000102dc0c54 SignalHandler(int) + 344
3 libsystem_platform.dylib 0x00000001a56894c4 _sigtramp + 56
4 mlir-opt 0x0000000103927344 mlir::spirv::TargetEnv::TargetEnv(mlir::spirv::TargetEnvAttr) + 136
5 mlir-opt 0x0000000103927344 mlir::spirv::TargetEnv::TargetEnv(mlir::spirv::TargetEnvAttr) + 136
6 mlir-opt 0x0000000103932a80 (anonymous namespace)::LowerABIAttributesPass::runOnOperation() + 132
7 mlir-opt 0x0000000103fcb4dc mlir::detail::OpToOpPassAdaptor::run(mlir::Pass*, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int) + 420
8 mlir-opt 0x0000000103fcba0c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor*, mlir::PassInstrumentation::PipelineParentInfo const*) + 320
9 mlir-opt 0x0000000103fcfa90 mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::$_14::operator()(mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::OpPMInfo&) const + 176
10 mlir-opt 0x0000000103fcf90c mlir::LogicalResult mlir::failableParallelForEach<std::__1::__wrap_iter<mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::OpPMInfo*>, mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::$_14&>(mlir::MLIRContext*, std::__1::__wrap_iter<mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::OpPMInfo*>, std::__1::__wrap_iter<mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::OpPMInfo*>, mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::$_14&) + 360
11 mlir-opt 0x0000000103fcc6d4 mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool) + 1396
12 mlir-opt 0x0000000103fcb60c mlir::detail::OpToOpPassAdaptor::run(mlir::Pass*, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int) + 724
13 mlir-opt 0x0000000103fcba0c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor*, mlir::PassInstrumentation::PipelineParentInfo const*) + 320
14 mlir-opt 0x0000000103fcd388 mlir::PassManager::run(mlir::Operation*) + 1148
15 mlir-opt 0x0000000103fc6840 performActions(llvm::raw_ostream&, bool, bool, std::__1::shared_ptr<llvm::SourceMgr> const&, mlir::MLIRContext*, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 504
16 mlir-opt 0x0000000103fc6410 mlir::LogicalResult llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>::callback_fn<mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$_0>(long, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&) + 704
17 mlir-opt 0x000000010403102c mlir::splitAndProcessBuffer(std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::raw_ostream&)>, llvm::raw_ostream&, bool, bool) + 656
18 mlir-opt 0x0000000103fc4838 mlir::MlirOptMain(llvm::raw_ostream&, std::__1::unique_ptr<llvm::MemoryBuffer, std::__1::default_delete<llvm::MemoryBuffer>>, llvm::function_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 216
19 mlir-opt 0x0000000103fc4d2c mlir::MlirOptMain(int, char**, llvm::StringRef, mlir::DialectRegistry&, bool) + 1208
20 mlir-opt 0x0000000102c630a0 main + 108
21 dyld 0x000000010746d088 start + 516
zsh: segmentation fault mlir-opt --spirv-lower-abi-attrs temp.mlir
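A regression check built from the reproducer in the report, as an added example that is not part of the original issue: it runs the same command on the same input and classifies the exit status, so a build can be checked for the crash. The `MLIR_OPT` override variable, the function names and the verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: regression check for the reported crash.
# MLIR_OPT is an assumed override; the default is mlir-opt on PATH.

# Map an exit status to a verdict. A status above 128 means the process
# was killed by signal (status - 128): 139 = SIGSEGV, 134 = SIGABRT.
classify_status() {
    status=$1
    if [ "$status" -gt 128 ]; then
        echo "crash:signal-$((status - 128))"
    elif [ "$status" -eq 0 ]; then
        echo "ok"
    else
        # Non-zero exit without a signal: the tool reported an error itself.
        echo "rejected"
    fi
}

# Write the reproducer from the report to the given path.
write_reproducer() {
    cat > "$1" <<'EOF'
spirv.module Logical GLSL450 {
  spirv.SpecConstant @sc1 = 1.500000e+00 : f32
  spirv.SpecConstant @sc2 = 2.500000e+00 : f32
  spirv.SpecConstantComposite @scc (@sc1, @sc2) : vector<2xf32>
}
EOF
}

# Run the pass from the report on the reproducer and print the verdict.
check_build() {
    tool=${MLIR_OPT:-mlir-opt}
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "skipped:no-mlir-opt"
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    write_reproducer "$tmp/temp.mlir"
    status=0
    "$tool" --spirv-lower-abi-attrs "$tmp/temp.mlir" >/dev/null 2>&1 || status=$?
    rm -rf "$tmp"
    classify_status "$status"
}

check_build
```

A `crash:signal-11` verdict corresponds to the segmentation fault shown in the trace above.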
Related news
Ubuntu Security Notice 6258-1 - It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. This issue only affected llvm-toolchain-15.