
Fix heap-use-after-free in PrimaDelayCalc copy constructor#380

Open
maliberty wants to merge 1 commit into
The-OpenROAD-Project:masterfrom
maliberty:fix-prima-dcalc-copy-uaf

Conversation

@maliberty

Member

The copy constructor copied node_index_map_, a
std::map<const ParasiticNode*, size_t, ParasiticNodeLess>. Copying the map reconstructs its red-black tree, which invokes the ParasiticNodeLess comparator and dereferences the ParasiticNode* keys.

When a delay calculator is cloned for parallel delay calculation (GraphDelayCalc::findDelays -> FindVertexDelays -> ArcDelayCalc::copy), the source map can hold pointers to ParasiticNodes that were already freed because the net's parasitic network was rebuilt (e.g. during resizer repair). Dereferencing those freed keys is a heap-use-after-free.

node_index_map_ is transient state: findNodeCount() clears and rebuilds it from the current parasitic network before any read, and the primary constructor leaves it default-constructed. Copying it is therefore both unnecessary and the sole source of the dangling-pointer dereference, so leave it default-constructed in the copy constructor as well.


Signed-off-by: Matt Liberty <mliberty@precisioninno.com>
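A self-contained C++ model of the change described above, added here as an example rather than code from the PR or from OpenSTA: Node, NodeLess and DelayCalcDemo are hypothetical stand-ins for ParasiticNode, ParasiticNodeLess and PrimaDelayCalc, and the scenario frees the indexed network before cloning, as the description says happens during resizer repair.

```cpp
#include <map>
#include <memory>
#include <vector>

// Hypothetical stand-ins for ParasiticNode and ParasiticNodeLess: ordering
// reads a field, so every comparison dereferences the key pointer.
struct Node { int id; };
struct NodeLess {
  bool operator()(const Node* a, const Node* b) const { return a->id < b->id; }
};

// Hypothetical stand-in for the part of PrimaDelayCalc the PR touches.
class DelayCalcDemo {
 public:
  DelayCalcDemo() = default;
  // Fixed copy constructor: node_index_map_ stays default-constructed. The
  // pre-fix version initialised it from other.node_index_map_; a standard
  // library whose map copy re-inserts elements then compares (dereferences)
  // every key, including ones the rebuilt network has already freed.
  DelayCalcDemo(const DelayCalcDemo& /*other*/) {}
  // Models findNodeCount(): discard whatever the map held and rebuild it from
  // the current parasitic network before anything reads it.
  std::size_t findNodeCount(const std::vector<const Node*>& network) {
    node_index_map_.clear();
    for (const Node* n : network) node_index_map_.emplace(n, node_index_map_.size());
    return node_index_map_.size();
  }
  std::size_t mapSize() const { return node_index_map_.size(); }
 private:
  std::map<const Node*, std::size_t, NodeLess> node_index_map_;
};

// keys_in_fresh_clone must be 0 (nothing inherited from the source);
// rebuilt_count is the size after the clone re-indexes the new network.
struct CloneResult { std::size_t keys_in_fresh_clone; std::size_t rebuilt_count; };

// The PR's scenario: index a network, free it (resizer-style rebuild), then
// clone the calculator as parallel delay calculation does.
CloneResult cloneAfterNetworkRebuild() {
  DelayCalcDemo calc;
  std::vector<std::unique_ptr<Node>> old_net;
  for (int id = 1; id <= 3; ++id) old_net.push_back(std::make_unique<Node>(Node{id}));
  calc.findNodeCount({old_net[0].get(), old_net[1].get(), old_net[2].get()});
  old_net.clear();  // old nodes deleted: calc's map keys now dangle
  std::vector<std::unique_ptr<Node>> new_net;
  for (int id = 10; id <= 11; ++id) new_net.push_back(std::make_unique<Node>(Node{id}));
  DelayCalcDemo clone(calc);  // safe: the copy never touches the dangling keys
  CloneResult r{clone.mapSize(), 0};
  r.rebuilt_count = clone.findNodeCount({new_net[0].get(), new_net[1].get()});
  return r;
}
```

Whether a std::map copy actually calls the comparator depends on the standard library (libc++'s map copy constructor re-inserts each element, libstdc++ clones the tree structurally), so the robust rule is the one the PR applies: treat a map keyed by borrowed pointers as transient and never copy it.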

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request modifies the copy constructor of PrimaDelayCalc to prevent copying node_index_map_. This avoids dereferencing potentially freed raw ParasiticNode pointers during copy operations, as the map is transient and rebuilt before use. There are no review comments to address, so I have no additional feedback to provide.

@maliberty

Member Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Delightful!

Reviewed commit: c962a7692a

