Fix 32 critical COVs (UAF, UB and OOB) (#18077)

This commit is contained in:
pancake 2020-12-21 01:10:22 +01:00 committed by GitHub
parent 38391b38cb
commit d3157e2ed3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 113 additions and 79 deletions


@ -80,6 +80,7 @@ static bool r2r_chdir(const char *argv0) {
char *r2r_path = r_file_path (argv0);
bool found = false;
if (readlink (r2r_path, src_path, sizeof (src_path)) != -1) {
src_path[sizeof (src_path) - 1] = 0;
char *p = strstr (src_path, R_SYS_DIR "binr"R_SYS_DIR"r2r"R_SYS_DIR"r2r");
if (p) {
*p = 0;
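Review bot: Writing `src_path[sizeof (src_path) - 1] = 0` only guarantees a NUL at the very last byte, so when readlink() fills fewer bytes the gap between the link text and that byte is whatever src_path held before; if src_path is not zero-initialized at its declaration (outside this hunk), strstr() reads stale bytes. readlink() does not terminate and reports how many bytes it wrote, so use that instead: `ssize_t n = readlink (r2r_path, src_path, sizeof (src_path) - 1); if (n != -1) { src_path[n] = 0;`. If r_file_path() can return NULL, r2r_path also needs a check before the readlink() call. r2r_chdir continues outside the hunk.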


@ -807,7 +807,6 @@ RecoveryTypeDescriptor *recovery_anal_type_descriptor(RRTTIMSVCAnalContext *cont
return td;
}
static char *unique_class_name(RAnal *anal, const char *original_name) {
if (!r_anal_class_exists (anal, original_name)) {
return strdup (original_name);
@ -835,9 +834,7 @@ static void recovery_apply_vtable(RAnal *anal, const char *class_name, RVTableIn
return;
}
RAnalVTable vtable;
vtable.id = NULL;
vtable.offset = 0;
RAnalVTable vtable = {0};
vtable.addr = vtable_info->saddr;
r_anal_class_vtable_set (anal, class_name, &vtable);
r_anal_class_vtable_fini (&vtable);


@ -868,8 +868,8 @@ static RSignBytes *r_sign_fcn_bytes(RAnal *a, RAnalFunction *fcn) {
RListIter *iter;
r_list_foreach (fcn->bbs, iter, bb) {
if (bb->addr >= ea) {
ut64 delta = bb->addr - ea;
ut64 rsize = bb->size;
size_t delta = bb->addr - ea;
size_t rsize = bb->size;
// bounds check
if (delta > size) {
@ -883,7 +883,9 @@ static RSignBytes *r_sign_fcn_bytes(RAnal *a, RAnalFunction *fcn) {
if (!(tmpmask = r_anal_mask (a, rsize, sig->bytes + delta, ea))) {
goto bytes_failed;
}
memcpy (sig->mask + delta, tmpmask, rsize);
if (rsize > 0) {
memcpy (sig->mask + delta, tmpmask, rsize);
}
free (tmpmask);
}
}
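Review bot: Narrowing `bb->addr - ea` to size_t on the new `size_t delta = bb->addr - ea;` line truncates the difference on 32-bit hosts, so a block far beyond `ea` can wrap to a small value and pass the `delta > size` check that follows. Keep the subtraction and the comparison in ut64 and narrow only after the check: `ut64 d = bb->addr - ea; if (d > size) { /* existing skip */ } size_t delta = (size_t)d;`. The `rsize > 0` guard around memcpy() is harmless but redundant, since tmpmask is already rejected when NULL and a zero-length memcpy() with valid pointers is defined. r_sign_fcn_bytes starts and ends outside the hunks.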


@ -32,7 +32,7 @@ const char *format_MAKE_FUNCTION_arg_36(ut32 oparg) {
char *ret = r_str_new (" ");
for (i = 0; i < sizeof (MAKE_FUNCTION_FLAGS) / sizeof (char *); ++i) {
if (oparg & 0x1) {
r_str_appendf (ret, ", %s", MAKE_FUNCTION_FLAGS[i]);
ret = r_str_appendf (ret, ", %s", MAKE_FUNCTION_FLAGS[i]);
} else {
free (ret);
ret = r_str_new (MAKE_FUNCTION_FLAGS[i]);
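Review bot: Assigning the result of r_str_appendf() back to `ret` fixes the stale pointer, but nothing stops the loop when that call fails; if r_str_appendf() returns NULL on allocation failure (its contract is outside this page), the next iteration passes NULL straight back into it. Bail out as soon as `ret` is NULL, e.g. `if (!ret) { break; }` right after the assignment, and let the caller see the NULL. The rest of format_MAKE_FUNCTION_arg_36 is outside the hunk.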


@ -1021,6 +1021,7 @@ R_API RAsmCode *r_asm_massemble(RAsm *a, const char *assembly) {
if (op.buf_inc && r_buf_size (op.buf_inc) > 1) {
char *inc = r_buf_to_string (op.buf_inc);
r_buf_free (op.buf_inc);
op.buf_inc = NULL;
if (inc) {
ret += r_hex_str2bin (inc, acode->bytes + idx + ret);
free (inc);
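Review bot: Clearing `op.buf_inc` after r_buf_free() removes the dangling pointer, but the write on the next line, `ret += r_hex_str2bin (inc, acode->bytes + idx + ret);`, still has no visible check that `acode->bytes` has room for the strlen(inc)/2 bytes it decodes; if that buffer is sized elsewhere in r_asm_massemble (outside this hunk) from something other than the increment, this can run past it. Compare the decoded length against the remaining capacity first, e.g. `if (strlen (inc) / 2 <= <remaining capacity>) { ... }` using whatever capacity the function already tracks. r_asm_massemble starts and ends outside the hunk.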


@ -239,6 +239,7 @@ static bool load_buffer(RBinFile *bf, void **bin_obj, RBuffer *buf, ut64 loadadd
beach:
r_buf_free (fbuf);
obj->cache_buf = NULL;
MACH0_(mach0_free) (main_mach0);
return false;
}
@ -1499,7 +1500,7 @@ static RList *resolve_mig_subsystem(RKernelCacheObj *obj) {
continue;
}
ut64 *routines = (ut64 *) malloc (n_routines * sizeof (ut64));
ut64 *routines = (ut64 *) calloc (n_routines, sizeof (ut64));
if (!routines) {
goto beach;
}
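Review bot: Switching to calloc() makes `n_routines * sizeof (ut64)` overflow-safe, but `n_routines` appears to be read from the kernel cache being parsed, so a malformed file can still request an arbitrarily large allocation and then drive the loop that fills `routines` (outside this hunk). A sanity bound before the allocation, e.g. `if (n_routines > <max routines for this section>) { goto beach; }`, keeps such a file from exhausting memory. In the first hunk, `obj->cache_buf = NULL` right after `r_buf_free (fbuf)` presumes cache_buf aliased fbuf; a one-line comment saying so would stop a reader from looking for a second buffer. Both functions start outside their hunks.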


@ -919,7 +919,9 @@ static void __print_prompt(void) {
}
len = I.buffer.index - i;
if (len > 0 && (i + len) <= I.buffer.length) {
fwrite (I.buffer.data + i, 1, len, stdout);
if (i<I.buffer.length) {
fwrite (I.buffer.data + i, 1, len, stdout);
}
}
fflush (stdout);
}
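Review bot: The added `if (i<I.buffer.length)` is implied by the enclosing condition — `len > 0` together with `(i + len) <= I.buffer.length` already gives `i < I.buffer.length` — and it does not catch a negative `i` either, since `i + len` is `I.buffer.index` whenever `len = I.buffer.index - i`. If a negative index is the case being guarded, test it directly in the outer condition: `if (i >= 0 && len > 0 && i + len <= I.buffer.length) {`. The spacing in `i<I.buffer.length` also departs from the `a < b` style of the surrounding lines. __print_prompt starts outside the hunk.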


@ -4883,7 +4883,7 @@ R_API int r_core_esil_step(RCore *core, ut64 until_addr, const char *until_expr,
RAnalOp op = {0};
RAnalEsil *esil = core->anal->esil;
const char *name = r_reg_get_name (core->anal->reg, R_REG_NAME_PC);
ut64 addr;
ut64 addr = r_reg_getv (core->anal->reg, name);
bool breakoninvalid = r_config_get_i (core->config, "esil.breakoninvalid");
int esiltimeout = r_config_get_i (core->config, "esil.timeout");
ut64 startTime;
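Review bot: Initializing `addr` from `r_reg_getv (core->anal->reg, name)` at its declaration removes the uninitialized read, but `name` comes from r_reg_get_name() on the line above and can be NULL when the profile defines no PC register; whether r_reg_getv() tolerates a NULL name is not visible here. If it does not, guard it: `ut64 addr = name ? r_reg_getv (core->anal->reg, name) : 0;` (or fail before the read). r_core_esil_step continues outside the hunk.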


@ -241,6 +241,7 @@ static void nextpal(RCore *core, int mode) {
}
}
r_list_free (files);
files = NULL;
R_FREE (home);
}


@ -5795,7 +5795,7 @@ toro:
if (ds->immtrim) {
free (ds->opstr);
ds->opstr = strdup (r_asm_op_get_asm (&ds->asmop));
r_parse_immtrim (ds->opstr);
ds->opstr = r_parse_immtrim (ds->opstr);
}
}
if (ds->asm_instr) {
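Review bot: r_parse_immtrim() returns NULL when its argument is empty (its entry check is changed in this same commit to `if (R_STR_ISEMPTY (opstr)) { return NULL; }`), so for an instruction whose asm text is empty `ds->opstr = r_parse_immtrim (ds->opstr);` drops the buffer strdup() just returned, leaking it and leaving `ds->opstr` NULL for whoever reads it next. If immtrim trims in place and otherwise returns its argument (its body beyond the check is outside this page), keep the old pointer on NULL: `char *t = r_parse_immtrim (ds->opstr); if (t) { ds->opstr = t; }`. The enclosing function starts and ends outside the hunk.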


@ -2479,17 +2479,22 @@ static void __set_refresh_by_type(RCore *core, const char *cmd, bool clearCache)
}
}
static char *filter_arg(char *a) {
r_name_filter_print (a);
char *r = r_str_escape (a);
free (a);
return r;
}
static void __handleComment(RCore *core) {
RPanel *p = __get_cur_panel (core->panels);
if (!__check_panel_type (p, PANEL_CMD_DISASSEMBLY)) {
return;
}
char buf[4095];
int i;
char *cmd = NULL;
r_line_set_prompt ("[Comment]> ");
strcpy (buf, "\"CC ");
i = strlen (buf);
if (r_cons_fgets (buf + i, sizeof (buf) - i, 0, NULL) > 0) {
if (r_cons_fgets (buf, sizeof (buf), 0, NULL) > 0) {
ut64 addr, orig;
addr = orig = core->offset;
if (core->print->cur_enabled) {
@ -2497,40 +2502,30 @@ static void __handleComment(RCore *core) {
r_core_seek (core, addr, false);
r_core_cmdf (core, "s 0x%"PFMT64x, addr);
}
if (!strcmp (buf + i, "-")) {
strcpy (buf, "CC-");
if (!strcmp (buf, "-")) {
cmd = strdup ("CC-");
} else {
switch (buf[i]) {
char *arg = filter_arg (strdup (buf));
switch (buf[0]) {
case '-':
memcpy (buf, "\"CC-", 5);
cmd = r_str_newf ("\"CC-%s\"", arg);
break;
case '!':
memcpy (buf, "\"CC!", 5);
strcpy (buf, "\"CC!");
break;
default:
memcpy (buf, "\"CC ", 4);
cmd = r_str_newf ("\"CC %s\"", arg);
break;
}
strcat (buf, "\"");
free (arg);
}
if (buf[3] == ' ') {
int j, len = strlen (buf);
char *duped = strdup (buf);
for (i = 4, j = 4; i < len; i++, j++) {
char c = duped[i];
if (c == '"' && i != (len - 1)) {
buf[j++] = '\\';
buf[j] = '"';
} else {
buf[j] = c;
}
}
free (duped);
if (cmd) {
r_core_cmd (core, cmd, 1);
}
r_core_cmd (core, buf, 1);
if (core->print->cur_enabled) {
r_core_seek (core, orig, true);
}
free (cmd);
}
__set_refresh_by_type (core, p->model->cmd, true);
}
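Review bot: The `case '!':` branch now only does `strcpy (buf, "\"CC!");` into a buffer nothing reads afterwards and leaves `cmd` NULL, so a comment starting with `!` no longer runs anything, whereas the replaced code ran `"CC!"`; it needs `cmd = strdup ("\"CC!\"");`. The `case '-':` branch builds `"CC-%s"` from `arg`, which still begins with the `-` that was just matched (unless r_name_filter_print() strips it), giving `"CC--…"`; `arg + 1` looks like the intended argument. `int i;` is now unused since the escaping loop is gone, and `filter_arg (strdup (buf))` ends in strlen(NULL) if strdup() fails. The first hunk is cut inside the tail of __set_refresh_by_type.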


@ -3525,6 +3525,7 @@ R_API int r_core_visual_cmd(RCore *core, const char *arg) {
buf[j] = c;
}
}
buf[j] = 0;
free (duped);
}
r_core_cmd (core, buf, 1);
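Review bot: The added `buf[j] = 0;` terminates the escaped copy, but `j` runs one ahead of `i` for every `"` that receives a backslash, and nothing visible bounds `j` against buf's capacity (declared outside this hunk), so a line with enough quotes writes past the end before the terminator is placed. Bound the write index inside the loop, e.g. `if (j + 2 >= <buf capacity>) { break; }` before storing the escape pair, and keep the terminator after the loop as it is now. r_core_visual_cmd starts and ends outside the hunk.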


@ -476,7 +476,7 @@ static void linux_dbg_wait_break(RDebug *dbg) {
RDebugReasonType linux_dbg_wait(RDebug *dbg, int pid) {
RDebugReasonType reason = R_DEBUG_REASON_UNKNOWN;
int tid;
int tid = pid;
int status, flags = __WALL;
int ret = -1;


@ -274,11 +274,11 @@ R_API int r_fs_shell_prompt(RFSShell* shell, RFS* fs, const char* root) {
r_file_dump (input, file->data, file->size, 0);
r_fs_close (fs, file);
} else {
input -= 2; //OMFG!!!! O_O
memcpy (input, "./", 2);
if (!r_fs_dir_dump (fs, s, input)) {
char *f = r_str_newf ("./%s", input);
if (!r_fs_dir_dump (fs, s, f)) {
eprintf ("Cannot open file\n");
}
free (f);
}
free (s);
} else if (!memcmp (buf, "help", 4) || !strcmp (buf, "?")) {
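Review bot: `r_str_newf ("./%s", input)` can return NULL on allocation failure and `f` is handed to r_fs_dir_dump() unchecked; whether that helper tolerates NULL is not visible here. Fold the check into the existing condition, `if (!f || !r_fs_dir_dump (fs, s, f)) {`, so the failure prints the same message and `free (f)` stays a no-op. r_fs_shell_prompt starts and ends outside the hunk.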


@ -11,6 +11,7 @@ R_API bool r_name_validate_first(const char ch);
R_API bool r_name_check(const char *s);
R_API const char *r_name_filter_ro(const char *a);
R_API bool r_name_filter_flag(char *s);
R_API bool r_name_filter_print(char *s);
R_API bool r_name_filter(char *name, int maxlen);
R_API char *r_name_filter2(const char *name);
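Review bot: `R_API bool r_name_filter_print(char *s);` declares a bool return, but the definition added in this commit (in the r_name implementation section further down) ends with `return os;`, a `char *` — the pointer silently converts to `true` and nothing useful is reported. Settle the contract in one place: either `R_API char *r_name_filter_print(char *s);` returning the filtered string, or keep bool and return a real status. A one-line comment on the declaration saying that the string is filtered in place would also help callers.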


@ -1,4 +1,4 @@
/* radare - LGPL - Copyright 2014-2016 - pancake */
/* radare - LGPL - Copyright 2014-2020 - pancake */
#include <r_userconf.h>
#include <r_io.h>
@ -106,8 +106,8 @@ static int update_self_regions(RIO *io, int pid) {
break;
}
path[0]='\0';
sscanf (line, "%s %s %*s %*s %*s %[^\n]", region+2, perms, path);
memcpy (region, "0x", 2);
strcpy (region, "0x");
sscanf (line, "%s %s %*s %*s %*s %[^\n]", region + 2, perms, path);
pos_c = strchr (region + 2, '-');
if (pos_c) {
*pos_c++ = 0;
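Review bot: The sscanf() `%s` and `%[^\n]` conversions into `region + 2`, `perms` and `path` carry no field widths, so a maps line longer than those fixed buffers (sized outside this hunk) overflows them regardless of the memcpy()-to-strcpy() swap on the line above. Give each conversion a width one less than its buffer, e.g. `"%<region size - 3>s %<perms size - 1>s %*s %*s %*s %<path size - 1>[^\n]"`, and check that sscanf() returned 3 before using the fields. The path column of /proc/self/maps carries the name of whatever file is mapped, so its length is not under this code's control. update_self_regions starts and ends outside the hunk.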


@ -69,7 +69,7 @@ static int hit(RSearchKeyword *kw, void *user, ut64 addr) {
if (ro->widestr) {
str = _str;
int i, j = 0;
for (i = delta; ro->buf[i] && i < sizeof (_str); i++) {
for (i = delta; ro->buf[i] && i < sizeof (_str) - 1; i++) {
char ch = ro->buf[i];
if (ch == '"' || ch == '\\') {
ch = '\'';
@ -91,7 +91,7 @@ static int hit(RSearchKeyword *kw, void *user, ut64 addr) {
str[j] = 0;
} else {
size_t i;
for (i = 0; i < sizeof (_str); i++) {
for (i = 0; i < sizeof (_str) - 1; i++) {
char ch = ro->buf[delta + i];
if (ch == '"' || ch == '\\') {
ch = '\'';
@ -105,7 +105,7 @@ static int hit(RSearchKeyword *kw, void *user, ut64 addr) {
}
} else {
size_t i;
for (i = 0; i < sizeof (_str); i++) {
for (i = 0; i < sizeof (_str) - 1; i++) {
char ch = ro->buf[delta + i];
if (ch == '"' || ch == '\\') {
ch = '\'';
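Review bot: Reserving the terminator with `sizeof (_str) - 1` bounds the writes into `_str`, but the reads are still `ro->buf[delta + i]` (second and third loops) and `ro->buf[i]` (first loop) with no check against the length of `ro->buf`, which is not visible here; when `delta` is near the end of that buffer the loops read past it. In the first loop `i` starts at `delta`, so bounding `i` instead of the write index `j` stops the copy early whenever `delta > 0` and bounds `j` only indirectly. Bound the read by the remaining input and the write by the output index, e.g. `for (i = 0; j < sizeof (_str) - 1 && delta + i < <buffer length>; i++)`. hit() starts and ends outside the hunks.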


@ -105,7 +105,7 @@ R_API bool r_parse_parse(RParse *p, const char *data, char *str) {
}
R_API char *r_parse_immtrim(char *opstr) {
if (!opstr || !*opstr) {
if (R_STR_ISEMPTY (opstr)) {
return NULL;
}
char *n = strstr (opstr, "0x");


@ -391,7 +391,6 @@ R_API char *r_reg_parse_gdb_profile(const char *profile_file) {
str = r_file_slurp (file, NULL);
free (file);
}
free (base);
}
}
if (str) {


@ -724,7 +724,7 @@ static int redirect_socket_to_pty(RSocket *sock) {
#if HAVE_PTY
// directly duplicating the fds using dup2() creates problems
// in case of interactive applications
int fdm, fds;
int fdm = -1, fds = -1;
if (dyn_openpty && dyn_openpty (&fdm, &fds, NULL, NULL, NULL) == -1) {
perror ("opening pty");
@ -735,8 +735,12 @@ static int redirect_socket_to_pty(RSocket *sock) {
if (child_pid == -1) {
eprintf ("cannot fork\n");
close(fdm);
close(fds);
if (fdm != -1) {
close (fdm);
}
if (fds != -1) {
close (fds);
}
return -1;
}
@ -773,7 +777,10 @@ static int redirect_socket_to_pty(RSocket *sock) {
}
free (buff);
close (fdm);
if (fdm != -1) {
close (fdm);
fdm = -1;
}
r_socket_free (sock);
exit (0);
}
@ -783,7 +790,9 @@ static int redirect_socket_to_pty(RSocket *sock) {
if (dyn_login_tty) {
dyn_login_tty (fds);
}
close (fdm);
if (fdm != -1) {
close (fdm);
}
// disable the echo on slave stdin
struct termios t;
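Review bot: The `-1` initializers make the close() guards correct, but they also mean the existing `if (dyn_openpty && dyn_openpty (...) == -1)` test silently continues with `fdm == fds == -1` when `dyn_openpty` itself is NULL, so the fork and `dyn_login_tty (fds)` paths run with no pty at all; unless a fallback outside the hunks opens one, the condition should be `if (!dyn_openpty || dyn_openpty (&fdm, &fds, NULL, NULL, NULL) == -1) {`. The four guarded close() blocks repeat the same pattern; a small `static void close_if_open(int *fd)` that closes and resets to -1 would keep the child path (which already resets `fdm = -1`) and the error path consistent. redirect_socket_to_pty starts and ends outside the hunks.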


@ -135,7 +135,6 @@ static bool __connect_unix(RSocket *s, const char *file) {
if (connect (sock, (struct sockaddr *)&addr, sizeof(addr))==-1) {
close (sock);
free (s);
return false;
}
s->fd = sock;


@ -907,7 +907,7 @@ static RMmap *r_file_mmap_unix (RMmap *m, int fd) {
m->rw?PROT_READ|PROT_WRITE:PROT_READ,
MAP_SHARED, fd, (off_t)m->base);
if (m->buf == MAP_FAILED) {
R_FREE (m);
m->buf = NULL;
}
return m;
}
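Review bot: Replacing `R_FREE (m)` with `m->buf = NULL` changes the failure contract: the function now returns a live RMmap whose `buf` is NULL, so any caller that tested the return value for NULL (none are visible here) will go on to dereference `m->buf`. If the intent is that the caller owns `m` and frees it, return NULL on failure while leaving ownership alone: `if (m->buf == MAP_FAILED) { m->buf = NULL; return NULL; }`; otherwise every caller needs an `m->buf` check. A comment on the function stating who frees `m` would settle this. r_file_mmap_unix starts outside the hunk.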


@ -4,6 +4,7 @@
/* Validate if char is printable , why not use ISPRINTABLE() ?? */
R_API bool r_name_validate_print(const char ch) {
// TODO: support utf8
if ((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || IS_DIGIT (ch)) {
return true;
}
@ -109,6 +110,23 @@ R_API const char *r_name_filter_ro(const char *a) {
return a - 1;
}
// filter string for printing purposes
R_API bool r_name_filter_print(char *s) {
char *es = s + strlen (s);
char *os = s;
while (*s && s < es) {
int us = r_utf8_size ((const ut8*)s);
if (us > 1) {
s += us;
continue;
}
if (!r_name_validate_print (*s)) {
r_str_cpy (s, s + 1);
}
s++;
}
return os;
}
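Review bot: After `r_str_cpy (s, s + 1)` removes a non-printable byte, the following `s++` steps over the character that was just shifted into position `s`, so two adjacent non-printable bytes leave the second one in place. The loop condition also reads `*s` before checking `s < es`, so a truncated multi-byte sequence that makes `s += us` jump past the terminator dereferences beyond the string, and `return os;` hands a `char *` back through a `bool` return type (the header in this commit declares bool). The rewrite below re-examines the current position after a removal, shortens `es` accordingly, tests the bound first and returns a plain status.
```c
R_API bool r_name_filter_print(char *s) {
	char *es = s + strlen (s);
	while (s < es && *s) {
		int us = r_utf8_size ((const ut8*)s);
		if (us > 1) {
			s += us;
			continue;
		}
		if (!r_name_validate_print (*s)) {
			// drop this byte; the byte shifted into s must be examined too
			r_str_cpy (s, s + 1);
			es--;
			continue;
		}
		s++;
	}
	return true;
}
```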
R_API bool r_name_filter(char *s, int maxlen) {
// if maxlen == -1 : R_FLAG_NAME_SIZE


@ -1,8 +1,8 @@
/* radare - LGPL - Copyright 2012 - pancake */
/* radare - LGPL - Copyright 2012-2020 - pancake */
#include <r_util.h>
R_API RStrpool* r_strpool_new (int sz) {
R_API RStrpool* r_strpool_new(int sz) {
RStrpool *p = R_NEW (RStrpool);
if (!p) {
eprintf ("Malloc failed!\n");
@ -23,14 +23,14 @@ R_API RStrpool* r_strpool_new (int sz) {
return p;
}
R_API char *r_strpool_empty (RStrpool *p) {
R_API char *r_strpool_empty(RStrpool *p) {
p->len = 0;
p->str[0] = 0;
p->str[1] = 0;
return p->str;
}
R_API char *r_strpool_alloc (RStrpool *p, int l) {
R_API char *r_strpool_alloc(RStrpool *p, int l) {
char *ret = p->str + p->len;
if ((p->len + l) >= p->size) {
ut64 osize = p->size;
@ -48,6 +48,7 @@ R_API char *r_strpool_alloc (RStrpool *p, int l) {
if (!ret) {
eprintf ("Realloc failed!\n");
free (p->str);
p->str = NULL;
return NULL;
}
p->str = ret;
@ -78,7 +79,7 @@ R_API int r_strpool_ansi_chop(RStrpool *p, int n){
return i;
}
R_API void r_strpool_free (RStrpool *p) {
R_API void r_strpool_free(RStrpool *p) {
free (p->str);
free (p);
}
@ -139,7 +140,7 @@ R_API char *r_strpool_next(RStrpool *p, int index) {
return ptr;
}
R_API char *r_strpool_slice (RStrpool *p, int index) {
R_API char *r_strpool_slice(RStrpool *p, int index) {
int idx, len;
char *o, *x = r_strpool_get_i (p, index + 1);
if (!x || !*x) {
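Review bot: Nulling `p->str` after the failed realloc() in r_strpool_alloc() avoids the double free, but `p->len` and `p->size` still describe a buffer that no longer exists, and r_strpool_empty() above writes `p->str[0]` and `p->str[1]` without a NULL check, so the next use of the pool dereferences NULL. Reset the bookkeeping together with the pointer, `p->str = NULL; p->len = 0; p->size = 0;`, and have r_strpool_empty() return NULL when `p->str` is NULL. The remaining hunks in this file are signature-spacing changes only.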


@ -1,4 +1,4 @@
/* radare - LGPL - Copyright 2013-2018 - pancake */
/* radare - LGPL - Copyright 2013-2020 - pancake */
#include <r_core.h>
#include <errno.h>


@ -650,23 +650,26 @@ R_API DsoJsonObj *r_bin_java_get_bin_obj_json(RBinJavaObj *bin) {
char *res = dso_json_obj_to_str (methods_list);
// eprintf ("Resulting methods json: \n%s\n", res);
free (res);
dso_json_dict_insert_str_key_obj (class_dict, "methods", methods_list);
// dso_json_list_free (methods_list);
dso_json_obj_del (methods_list);
if (dso_json_dict_insert_str_key_obj (class_dict, "methods", methods_list)) {
// dso_json_list_free (methods_list);
dso_json_obj_del (methods_list);
}
res = dso_json_obj_to_str (fields_list);
// eprintf ("Resulting fields json: \n%s\n", res);
free (res);
dso_json_dict_insert_str_key_obj (class_dict, "fields", fields_list);
// dso_json_list_free (fields_list);
dso_json_obj_del (fields_list);
if (dso_json_dict_insert_str_key_obj (class_dict, "fields", fields_list)) {
// dso_json_list_free (fields_list);
dso_json_obj_del (fields_list);
}
res = dso_json_obj_to_str (imports_list);
// eprintf ("Resulting imports json: \n%s\n", res);
free (res);
dso_json_dict_insert_str_key_obj (class_dict, "imports", imports_list);
// dso_json_list_free (imports_list);
dso_json_obj_del (imports_list);
if (dso_json_dict_insert_str_key_obj (class_dict, "imports", imports_list)) {
// dso_json_list_free (imports_list);
dso_json_obj_del (imports_list);
}
// res = dso_json_obj_to_str (interfaces_list);
// eprintf ("Resulting interfaces json: \n%s\n", res);
@ -739,8 +742,9 @@ R_API DsoJsonObj *r_bin_java_get_class_info_json(RBinJavaObj *bin) {
if (!class_->super) {
DsoJsonObj *str = dso_json_str_new ();
dso_json_dict_insert_str_key_obj (class_info_dict, "super", str);
dso_json_str_free (str);
if (dso_json_dict_insert_str_key_obj (class_info_dict, "super", str)) {
dso_json_str_free (str);
}
} else {
dso_json_dict_insert_str_key_str (class_info_dict, "super", class_->super);
}
@ -756,10 +760,11 @@ R_API DsoJsonObj *r_bin_java_get_class_info_json(RBinJavaObj *bin) {
}
}
}
dso_json_dict_insert_str_key_obj (class_info_dict, "interfaces", interfaces_list);
if (dso_json_dict_insert_str_key_obj (class_info_dict, "interfaces", interfaces_list)) {
// dso_json_list_free (interfaces_list);
dso_json_obj_del (interfaces_list);
}
r_list_free (classes);
// dso_json_list_free (interfaces_list);
dso_json_obj_del (interfaces_list);
return class_info_dict;
}
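Review bot: Freeing the value only when dso_json_dict_insert_str_key_obj() returns non-zero makes the ownership rule hinge on what that return value means, and the insert function's own hunk further down reads `int res = dso_json_dict_insert_key_obj (...); if (!res) {` as a failure branch (its body is cut off), which suggests non-zero is success — in that reading these branches delete an object the dict now holds, and in the opposite reading the value leaks whenever insertion succeeds. Document the contract on dso_json_dict_insert_str_key_obj(), e.g. `/* Returns non-zero when val_obj was NOT stored and the caller still owns it */` (or the reverse, whichever is true), and make each call site follow it. The same pattern is used for the "fields", "imports", "super" and "interfaces" keys in this section.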


@ -504,7 +504,7 @@ char * dso_json_dict_to_str (DsoJsonDict *dict) {
return strdup ("{}");
}
int dso_json_dict_insert_str_key_obj (DsoJsonObj *dict, char *key, DsoJsonObj *val_obj) {
int dso_json_dict_insert_str_key_obj(DsoJsonObj *dict, char *key, DsoJsonObj *val_obj) {
DsoJsonObj *key_obj = dso_json_str_new_from_str (key);
int res = dso_json_dict_insert_key_obj (dict, key_obj, val_obj);
if (!res) {
@ -513,7 +513,7 @@ int dso_json_dict_insert_str_key_obj (DsoJsonObj *dict, char *key, DsoJsonObj *v
return res;
}
int dso_json_dict_insert_str_key_num (DsoJsonObj *dict, char *key, int val) {
int dso_json_dict_insert_str_key_num(DsoJsonObj *dict, char *key, int val) {
DsoJsonObj *key_obj = dso_json_str_new_from_str (key);
DsoJsonObj *val_obj = dso_json_num_new_from_num (val);
int res = dso_json_dict_insert_key_obj (dict, key_obj, val_obj);


@ -348,6 +348,7 @@ static bool _sendResponsePacket(iobnet_t *obj, const ut8 *pokedata) {
ut8 *pkt = _createKDNetPacket (obj, resbuf, 322, &size, seqno, 1);
if (!pkt) {
free (resbuf);
resbuf = NULL;
}
if (r_socket_write (obj->sock, (void *)pkt, size) < 0) {
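Review bot: When `_createKDNetPacket` returns NULL the branch frees `resbuf` and clears it, but execution then falls into `r_socket_write (obj->sock, (void *)pkt, size)` with `pkt == NULL` and `size` left as whatever the helper set; the added line is a partial cleanup with no early exit. Add `return false;` after `resbuf = NULL;` (the function is declared to return bool) so the write and whatever follows never see the NULL packet. _sendResponsePacket continues outside the hunk.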