Fix UAF in om= (#16149)

2024-11-24 05:40:10 +00:00 · 2020-03-05 18:07:03 +01:00 · 2020-03-05 18:07:03 +01:00 · e37a2e1b9c
commit e37a2e1b9c
parent d96120799d
7 changed files with 60 additions and 44 deletions
--- a/libr/asm/p/asm_or1k.c
+++ b/libr/asm/p/asm_or1k.c
@ -37,9 +37,9 @@ static int insn_to_str(RAsm *a, char **line, insn_t *descr, insn_extra_t *extra,
 	o.i = get_operand_value(insn, type_descr, INSN_OPER_I);
 	o.l = get_operand_value(insn, type_descr, INSN_OPER_L);

-	name = (extra == NULL) ? descr->name : extra->name;
+	name = extra? extra->name: descr->name;

-	if (name == NULL || type_descr->format == NULL) {
+	if (!name || !type_descr->format) {
 		/* this should not happen, give up */
 		*line = sdb_fmt("invalid");
 		return 4;
@ -142,21 +142,18 @@ static int disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len) {

 	/* if name is null, but extra is present, it means 6 most significant bits
 	 * are not enough to decode instruction */
-	if ((insn_descr->name == NULL) && (insn_descr->extra != NULL)) {
+	if (!insn_descr->name && insn_descr->extra) {
 		if ((extra_descr = find_extra_descriptor(insn_descr->extra, insn)) != NULL) {
-			insn_to_str(a, &line, insn_descr, extra_descr, insn);
-		}
-		else {
-			line = sdb_fmt("invalid");
+			insn_to_str (a, &line, insn_descr, extra_descr, insn);
+		} else {
+			line = "invalid";
 		}
 		r_strbuf_set (&op->buf_asm, line);
-	}
-	else {
+	} else {
 		/* otherwise basic descriptor is enough */
 		insn_to_str(a, &line, insn_descr, NULL, insn);
 		r_strbuf_set (&op->buf_asm, line);
 	}
-
 	return op->size;
 }

@ -167,7 +164,6 @@ RAsmPlugin r_asm_plugin_or1k = {
 	.arch = "or1k",
 	.bits = 32,
 	.endian = R_SYS_ENDIAN_BIG,
-	.fini = NULL,
 	.disassemble = &disassemble,
 };

--- a/libr/core/cmd_open.c
+++ b/libr/core/cmd_open.c
@ -816,8 +816,9 @@ static void cmd_open_map(RCore *core, const char *input) {
 		SdbListIter *iter;
 		RIOMap *map;
 		ls_foreach_prev (core->io->maps, iter, map) {
-			char temp[4];
-			RListInfo *info = r_listinfo_new (map->name, map->itv, map->itv, map->perm, sdb_itoa (map->fd, temp, 10));
+			char temp[32];
+			snprintf (temp, sizeof (temp), "%d", map->fd);
+			RListInfo *info = r_listinfo_new (map->name, map->itv, map->itv, map->perm, temp);
 			if (!info) {
 				break;
 			}
--- a/libr/core/visual.c
+++ b/libr/core/visual.c
@ -4354,16 +4354,15 @@ dodo:
 	return 0;
 }

-R_API RListInfo *r_listinfo_new(char *name, RInterval pitv, RInterval vitv, int perm, char *extra) {
+R_API RListInfo *r_listinfo_new(const char *name, RInterval pitv, RInterval vitv, int perm, const char *extra) {
 	RListInfo *info = R_NEW (RListInfo);
-	if (!info) {
-		return NULL;
+	if (info) {
+		info->name = strdup (name);
+		info->pitv = pitv;
+		info->vitv = vitv;
+		info->perm = perm;
+		info->extra = strdup (extra);
 	}
-	info->name = name;
-	info->pitv = pitv;
-	info->vitv = vitv;
-	info->perm = perm;
-	info->extra = extra;
 	return info;
 }

@ -4371,5 +4370,7 @@ R_API void r_listinfo_free (RListInfo *info) {
 	if (!info) {
 		return;
 	}
+	free (info->name);
+	free (info->extra);
 	R_FREE (info);
 }
--- a/libr/include/r_core.h
+++ b/libr/include/r_core.h
@ -472,7 +472,7 @@ R_API void r_core_anal_paths(RCore *core, ut64 from, ut64 to, bool followCalls,
 R_API void r_core_anal_esil_graph(RCore *core, const char *expr);

 R_API void r_core_list_io(RCore *core);
-R_API RListInfo *r_listinfo_new (char *name, RInterval pitv, RInterval vitv, int perm, char *extra);
+R_API RListInfo *r_listinfo_new (const char *name, RInterval pitv, RInterval vitv, int perm, const char *extra);
 R_API void r_listinfo_free (RListInfo *info);
 /* visual marks */
 R_API void r_core_visual_mark_seek(RCore *core, ut8 ch);
--- a/libr/include/r_util/r_table.h
+++ b/libr/include/r_util/r_table.h
@ -18,13 +18,12 @@ typedef struct {
 	int total;
 } RTableColumn;

-
 typedef struct {
-    char *name;
-    RInterval pitv;
-    RInterval vitv;
-    int perm;
-    char *extra;
+	char *name;
+	RInterval pitv;
+	RInterval vitv;
+	int perm;
+	char *extra;
 } RListInfo;

 enum {
--- a/libr/util/table.c
+++ b/libr/util/table.c
@ -914,23 +914,27 @@ R_API void r_table_visual_list(RTable *table, RList *list, ut64 seek, ut64 len,
 			for (j = 0; j < width; j++) {
 				ut64 pos = min + j * mul;
 				ut64 npos = min + (j + 1) * mul;
-				if (info->pitv.addr < npos && (info->pitv.addr + info->pitv.size) > pos) {
-					r_strbuf_append (buf, block);
-				} else {
-					r_strbuf_append (buf, h_line);
-				}
+				const char *arg = (info->pitv.addr < npos && (info->pitv.addr + info->pitv.size) > pos)
+					? block: h_line;
+				r_strbuf_append (buf, arg);
 			}
+			char *b = r_strbuf_drain (buf);
 			if (va) {
-				r_table_add_rowf (table, "sssssss", sdb_fmt ("%d%c", i, r_itv_contain (info->vitv, seek) ? '*' : ' '),
-				    sdb_fmt ("%s0x%"PFMT64x"%s", "", info->vitv.addr, ""), r_strbuf_drain (buf),
-				    sdb_fmt ("%s0x%"PFMT64x"%s", "", r_itv_end (info->vitv), ""),
-				    (info->perm != -1)? r_str_rwx_i (info->perm) : "",(info->extra)?info->extra : "", (info->name)?info->name :"");
+				r_table_add_rowf (table, "sssssss",
+					sdb_fmt ("%d%c", i, r_itv_contain (info->vitv, seek) ? '*' : ' '),
+					sdb_fmt ("0x%"PFMT64x, info->vitv.addr),
+					b,
+					sdb_fmt ("0x%"PFMT64x, r_itv_end (info->vitv)),
+					(info->perm != -1)? r_str_rwx_i (info->perm) : "",
+					(info->extra)?info->extra : "",
+					(info->name)?info->name :"");
 			} else {
 				r_table_add_rowf (table, "sssssss", sdb_fmt ("%d%c", i, r_itv_contain (info->pitv, seek) ? '*' : ' '),
-				    sdb_fmt ("%s0x%"PFMT64x"%s", "", info->pitv.addr, ""), r_strbuf_drain (buf),
-				    sdb_fmt ("%s0x%"PFMT64x"%s", "", r_itv_end (info->pitv), ""),
-				    (info->perm != -1)? r_str_rwx_i (info->perm) : "",(info->extra)?info->extra : "", (info->name)?info->name :"");
+					sdb_fmt ("0x%"PFMT64x, info->pitv.addr), b,
+					sdb_fmt ("0x%"PFMT64x, r_itv_end (info->pitv)),
+					(info->perm != -1)? r_str_rwx_i (info->perm) : "",(info->extra)?info->extra : "", (info->name)?info->name :"");
 			}
+			free (b);
 			i++;
 		}
 		RStrBuf *buf = r_strbuf_new ("");
@ -943,11 +947,11 @@ R_API void r_table_visual_list(RTable *table, RList *list, ut64 seek, ut64 len,
 				r_strbuf_append (buf,((j * mul) + min >= seek &&
 						     (j * mul) + min <= seek + len) ? "^" : h_line);
 			}
-			r_table_add_rowf (table, "sssssss", "=>", sdb_fmt ("0x%08"PFMT64x"", seek),
-			    r_strbuf_drain (buf),  sdb_fmt ("0x%08"PFMT64x"", seek + len), "", "", "");
+			r_table_add_rowf (table, "sssssss", "=>", sdb_fmt ("0x%08"PFMT64x, seek),
+					r_strbuf_drain (buf),  sdb_fmt ("0x%08"PFMT64x, seek + len), "", "", "");
 		} else {
-            r_strbuf_free (buf);
-        }
+			r_strbuf_free (buf);
+		}
 	}
 }

--- a/test/new/db/cmd/cmd_open
+++ b/test/new/db/cmd/cmd_open
@ -1,3 +1,18 @@
+NAME=om=
+FILE=../bins/mach0/mac-ls2
+BROKEN=1
+CMDS=<<EOF
+om=
+EOF
+EXPECT=<<EOF
+
+0*  0x100000000 ################-------------- 0x100005000 r-x   3     fmap.TEXT
+1   0x100005000 ---------------####----------- 0x100006000 r--   3     fmap.DATA
+2   0x100006000 ------------------############ 0x10000a000 r--   3     fmap.LINKEDIT
+=>  0x1000011e8 ------------------------------ 0x1000012e8             
+EOF
+RUN
+
 NAME=obb baddrs
 FILE=../bins/mach0/mac-ls2
 ARGS=-B0x50000