Fix a recently introduced uaf in pdc ##crash
radare authored and trufae committed Jun 26, 2024
1 parent c13ede0 commit a541ec8
Showing 4 changed files with 88 additions and 76 deletions.
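--- a/libr/anal/block.c
+++ b/libr/anal/block.c
@@ -87,23 +87,23 @@ static RAnalBlock *block_new(RAnal *a, ut64 addr, ut64 size) {
 return block;
 }
 
-static void block_free(RAnalBlock *block) {
-if (!block) {
+static void block_free(RAnalBlock *bb) {
+if (!bb) {
 return;
 }
-free (block->esil);
-r_anal_cond_free (block->cond);
-free (block->fingerprint);
-r_anal_diff_free (block->diff);
-free (block->op_bytes);
-r_anal_switch_op_free (block->switch_op);
-r_list_free (block->fcns);
-free (block->op_pos);
-free (block->parent_reg_arena);
-free (block);
+free (bb->esil);
+r_anal_cond_free (bb->cond);
+free (bb->fingerprint);
+r_anal_diff_free (bb->diff);
+free (bb->op_bytes);
+r_anal_switch_op_free (bb->switch_op);
+r_list_free (bb->fcns);
+free (bb->op_pos);
+free (bb->parent_reg_arena);
+free (bb);
 }
 
-void __block_free_rb(RBNode *node, void *user) {
+R_IPI void __block_free_rb(RBNode *node, void *user) {
 RAnalBlock *block = unwrap (node);
 r_anal_block_unref (block);
 // block_free (block);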
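Review bot: `__block_free_rb` now carries an explicit `R_IPI` linkage declaration but keeps a leading double underscore, and identifiers beginning with `__` are reserved for the implementation in C; unless the project deliberately uses that prefix for internal symbols, a name like `block_free_rb` would be safer for a symbol that is now visibly part of the internal interface. The commented-out `// block_free (block);` right under the unref call reads as dead code and does not say why unref is the correct call; a why-comment such as `// drop the tree's reference only; presumably the block is freed when the last owner unrefs it — confirm` would document the intent without leaving a call that someone might re-enable. The body of `__block_free_rb` continues past the end of the hunk.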
51 changes: 26 additions & 25 deletions libr/anal/function.c
@@ -1,4 +1,4 @@
/* radare - LGPL - Copyright 2019-2023 - pancake, thestr4ng3r */
/* radare - LGPL - Copyright 2019-2024 - pancake, thestr4ng3r */

#include <r_anal.h>

Expand All @@ -16,7 +16,7 @@ static bool get_functions_block_cb(RAnalBlock *block, void *user) {
}

R_API RList *r_anal_get_functions_in(RAnal *anal, ut64 addr) {
r_return_val_if_fail (anal, NULL);
R_RETURN_VAL_IF_FAIL (anal, NULL);
RList *list = r_list_new ();
if (list) {
r_anal_blocks_foreach_in (anal, addr, get_functions_block_cb, list);
Expand Down Expand Up @@ -104,7 +104,7 @@ R_API void r_anal_function_free(RAnalFunction *fcn) {
r_list_foreach_safe (fcn->bbs, iter, iter2, block) {
r_anal_function_remove_block (fcn, block);
// r_list_delete_data (block->fcns, fcn);
//r_anal_block_unref (block);
// r_anal_block_unref (block);
}
// fcn->bbs->free = r_anal_block_unref;
r_list_free (fcn->bbs);
Expand Down Expand Up @@ -133,7 +133,7 @@ R_API void r_anal_function_free(RAnalFunction *fcn) {
}

R_API bool r_anal_add_function(RAnal *anal, RAnalFunction *fcn) {
r_return_val_if_fail (anal && fcn, false);
R_RETURN_VAL_IF_FAIL (anal && fcn, false);
if (__fcn_exists (anal, fcn->name, fcn->addr)) {
return false;
}
Expand All @@ -151,7 +151,7 @@ R_API bool r_anal_add_function(RAnal *anal, RAnalFunction *fcn) {
}

R_API RAnalFunction *r_anal_create_function(RAnal *anal, const char *name, ut64 addr, int type, RAnalDiff *diff) {
r_return_val_if_fail (anal && addr != UT64_MAX, NULL);
R_RETURN_VAL_IF_FAIL (anal && addr != UT64_MAX, NULL);
RAnalFunction *fcn = r_anal_function_new (anal);
if (!fcn) {
return NULL;
Expand Down Expand Up @@ -186,12 +186,12 @@ R_API RAnalFunction *r_anal_create_function(RAnal *anal, const char *name, ut64
}

R_API bool r_anal_function_delete(RAnalFunction *fcn) {
r_return_val_if_fail (fcn, false);
R_RETURN_VAL_IF_FAIL (fcn, false);
return r_list_delete_data (fcn->anal->fcns, fcn);
}

R_API RAnalFunction *r_anal_get_function_at(RAnal *anal, ut64 addr) {
r_return_val_if_fail (anal, NULL);
R_RETURN_VAL_IF_FAIL (anal, NULL);
bool found = false;
RAnalFunction *f = ht_up_find (anal->ht_addr_fun, addr, &found);
if (f && found) {
Expand All @@ -201,7 +201,7 @@ R_API RAnalFunction *r_anal_get_function_at(RAnal *anal, ut64 addr) {
}

R_API bool r_anal_function_relocate(RAnalFunction *fcn, ut64 addr) {
r_return_val_if_fail (fcn, false);
R_RETURN_VAL_IF_FAIL (fcn, false);
if (fcn->addr == addr) {
return true;
}
Expand All @@ -215,7 +215,7 @@ R_API bool r_anal_function_relocate(RAnalFunction *fcn, ut64 addr) {
}

R_API bool r_anal_function_rename(RAnalFunction *fcn, const char *name) {
r_return_val_if_fail (fcn && name, false);
R_RETURN_VAL_IF_FAIL (fcn && name, false);
RAnal *anal = fcn->anal;
RAnalFunction *existing = ht_pp_find (anal->ht_name_fun, name, NULL);
if (existing) {
Expand All @@ -226,21 +226,22 @@ R_API bool r_anal_function_rename(RAnalFunction *fcn, const char *name) {
return false;
}
char *newname = strdup (name);
if (!newname) {
return false;
}
bool in_tree = ht_pp_delete (anal->ht_name_fun, fcn->name);
free (fcn->name);
fcn->name = newname;
if (in_tree) {
// only re-insert if it really was in the tree before
ht_pp_insert (anal->ht_name_fun, fcn->name, fcn);
if (R_LIKELY (newname)) {
bool in_tree = ht_pp_delete (anal->ht_name_fun, fcn->name);
free (fcn->name);
fcn->name = newname;
if (in_tree) {
// only re-insert if it really was in the tree before
ht_pp_insert (anal->ht_name_fun, fcn->name, fcn);
}
return true;
}
return true;
return false;
}

R_API void r_anal_function_add_block(RAnalFunction *fcn, RAnalBlock *bb) {
r_return_if_fail (fcn && bb);
R_RETURN_IF_FAIL (fcn && bb);
// XXX this is slow use skiplist or vector instead
if (r_list_contains (bb->fcns, fcn)) {
return;
}
Expand All @@ -263,7 +264,7 @@ R_API void r_anal_function_add_block(RAnalFunction *fcn, RAnalBlock *bb) {
}

R_API void r_anal_function_remove_block(RAnalFunction *fcn, RAnalBlock *bb) {
r_return_if_fail (fcn && bb);
R_RETURN_IF_FAIL (fcn && bb);
r_list_delete_data (bb->fcns, fcn);

if (fcn->meta._min != UT64_MAX
Expand Down Expand Up @@ -317,7 +318,7 @@ R_API ut64 r_anal_function_size_from_entry(RAnalFunction *fcn) {
}

R_API ut64 r_anal_function_realsize(const RAnalFunction *fcn) {
r_return_val_if_fail (fcn, UT64_MAX);
R_RETURN_VAL_IF_FAIL (fcn, UT64_MAX);
RListIter *iter;
RAnalBlock *bb;
ut64 sz = 0;
Expand All @@ -339,7 +340,7 @@ static bool fcn_in_cb(RAnalBlock *block, void *user) {
}

R_API bool r_anal_function_contains(RAnalFunction *fcn, ut64 addr) {
r_return_val_if_fail (fcn, false);
R_RETURN_VAL_IF_FAIL (fcn, false);
if (addr == UT64_MAX) {
return false;
}
Expand All @@ -348,7 +349,7 @@ R_API bool r_anal_function_contains(RAnalFunction *fcn, ut64 addr) {
}

R_API bool r_anal_function_was_modified(RAnalFunction *fcn) {
r_return_val_if_fail (fcn, false);
R_RETURN_VAL_IF_FAIL (fcn, false);
RListIter *it;
RAnalBlock *bb;
r_list_foreach (fcn->bbs, it, bb) {
Expand All @@ -373,7 +374,7 @@ R_API int r_anal_function_coverage(RAnalFunction *fcn) {
}

R_API RGraph *r_anal_function_get_graph(RAnalFunction *fcn, RGraphNode **node_ptr, ut64 addr) {
r_return_val_if_fail (fcn && fcn->bbs && r_list_length (fcn->bbs), NULL);
R_RETURN_VAL_IF_FAIL (fcn && fcn->bbs && r_list_length (fcn->bbs), NULL);
HtUP *nodes = ht_up_new0 ();
RGraph *g = r_graph_new ();
if (node_ptr) {
Expand Down
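Review bot: In the `r_anal_function_rename` hunk (`@@ -226,21 +226,22 @@`) the return value of `ht_pp_insert (anal->ht_name_fun, fcn->name, fcn)` is still ignored, so if the re-insert fails the function keeps its new name yet is no longer reachable through `ht_name_fun` while the caller is told `true`; the restructuring around `R_LIKELY (newname)` only changes how the strdup failure is routed, it does not close this gap. If the insert reports failure through its return value, propagate it instead of returning true unconditionally: `if (!ht_pp_insert (anal->ht_name_fun, fcn->name, fcn)) {` / `return false;` / `}` in place of the bare call. The order `ht_pp_delete` then `free (fcn->name)` is correct only if the table does not own or free its keys; a one-line comment at the delete stating that assumption would help the next reader. The remaining hunks only swap `r_return_*_if_fail` for the `R_RETURN_*_IF_FAIL` macros and need nothing further; every function in them is cut at the hunk edges.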
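--- a/libr/core/pseudo.c
+++ b/libr/core/pseudo.c
@@ -638,6 +638,12 @@ R_API int r_core_pseudo_code(RCore *core, const char *input) {
 if (r_list_contains (visited, bb)) {
 continue;
 }
+ut64 nextbbaddr = UT64_MAX;
+if (iter->n) {
+RListIter *nit = (RListIter*)(iter->n);
+RAnalBlock *nbb = (RAnalBlock*)(nit->data);
+nextbbaddr = nbb->addr;
+}
 if (use_html) {
 r_config_set_b (core->config, "scr.html", false);
 }
@@ -699,11 +705,16 @@ R_API int r_core_pseudo_code(RCore *core, const char *input) {
 } else {
 PRINTF ("loc_0x%08"PFMT64x": // orphan\n%s", bb->addr, s);
 }
-ut64 nbbaddr = UT64_MAX;
+ut64 nbbaddr = nextbbaddr; // UT64_MAX;
+#if 0
+eprintf ("iter %p %p\n", iter, iter->n);
+if (nextbbaddr) {
+}
 if (iter->n) {
-RAnalBlock *nbb = (RAnalBlock*)iter->n;
+RAnalBlock *nbb = (RAnalBlock*)(iter->n);
 nbbaddr = nbb->addr;
 }
+#endif
 if (bb->jump == UT64_MAX) {
 NEWLINE (bb->addr, indent);
 if (r0) {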
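Review bot: The `#if 0` block in the second hunk keeps the old `(RAnalBlock*)(iter->n)` cast alive as dead code; `iter->n` is an `RListIter`, not an `RAnalBlock`, which is exactly why the first hunk now goes through `nit->data`, so leaving the wrong cast (plus an empty `if (nextbbaddr) {}` and a debug `eprintf`) behind invites someone to re-enable it. Delete the `#if 0 … #endif` block and the stale remnant in `ut64 nbbaddr = nextbbaddr; // UT64_MAX;` so the line reads `ut64 nbbaddr = nextbbaddr;`. The early capture in the first hunk also deserves a why-comment, because nothing visible says why `iter->n` cannot be read at the later point: `// read the successor's address before the block body runs; presumably the code in between can unlink or free iter->n (the UAF this commit fixes) — confirm`. `r_core_pseudo_code` starts and ends outside both hunks.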