Properly fix the UAF in r_io_bank_map_add_top ##crash

* Associated with the CVE-2022-0559
* Reported by alkyne Choi via huntr.dev
pancake 2022-02-15 12:46:20 +01:00 committed by GitHub
parent a88843e989
commit 3345147916


@ -227,20 +227,20 @@ R_API bool r_io_bank_map_add_top(RIO *io, const ut32 bankid, const ut32 mapid) {
entry = r_rbnode_next (entry);
}
ut64 smto = r_io_submap_to (sm);
while (entry && r_io_submap_to (((RIOSubMap *)entry->data)) <= smto) {
//delete all submaps that are completly included in sm
RRBNode *next = r_rbnode_next (entry);
// this can be optimized, there is no need to do search here
// XXX this is a workaround to avoid an UAF in Reproducer: iobank-crash
void *smfree = bank->submaps->free;
bank->submaps->free = NULL;
bool a = r_crbtree_delete (bank->submaps, entry->data, _find_sm_by_from_vaddr_cb, NULL);
bank->submaps->free = smfree;
if (!a) {
entry = NULL;
break;
if (entry) {
ut64 ento = r_io_submap_to (((RIOSubMap*)entry->data));
while (entry && ento <= smto) {
//delete all submaps that are completly included in sm
RRBNode *next = r_rbnode_next (entry);
// this can be optimized, there is no need to do search here
// XXX this is a workaround to avoid an UAF in Reproducer: iobank-crash
ento = r_io_submap_to (((RIOSubMap*)entry->data));
bool a = r_crbtree_delete (bank->submaps, entry->data, _find_sm_by_from_vaddr_cb, NULL);
if (!a) {
next = NULL;
}
entry = next;
}
entry = next;
}
if (entry && r_io_submap_from (((RIOSubMap *)entry->data)) <= r_io_submap_to (sm)) {
bd = (RIOSubMap *)entry->data;
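Review bot: The bound `ento` that the new `while (entry && ento <= smto)` tests is stale from the second iteration on: the line `ento = r_io_submap_to (((RIOSubMap*)entry->data));` recomputes it for the node the condition has already accepted and is about to delete, and `entry = next;` then advances without refreshing it, so every following submap is deleted until the tree runs out or a delete fails, whether or not it ends inside `sm`. Measure the successor before the delete, while nothing has been freed yet: `ento = next ? r_io_submap_to ((RIOSubMap *)next->data) : 0;` (the leading `entry &&` covers the NULL case, so the fallback value is never compared). The `// XXX this is a workaround to avoid an UAF in Reproducer: iobank-crash` comment kept on the new side now describes the removed free-pointer swapping and should be replaced by one that states the actual invariant, e.g. `// read the successor's end before deleting; the deleted submap must not be touched afterwards`. r_io_bank_map_add_top begins and ends outside this hunk.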