Fix uaf crash in aaft (tests_64927) ##crash
Reported by giantbranch of NSFOCUS TIANJI Lab
trufae committed Oct 30, 2021
1 parent 65527b8 commit 59a9dfb
Showing 3 changed files with 15 additions and 9 deletions.
15 changes: 10 additions & 5 deletions libr/core/anal_tp.c
Expand Up @@ -510,16 +510,16 @@ R_API void r_core_anal_type_match(RCore *core, RAnalFunction *fcn) {
return;
}
char *pc = strdup (_pc);
RRegItem *r = r_reg_get (core->dbg->reg, pc, -1);
if (!r) {
free (buf);
return;
}
r_cons_break_push (NULL, NULL);
r_list_sort (fcn->bbs, bb_cmpaddr); // TODO: The algorithm can be more accurate if blocks are followed by their jmp/fail, not just by address
r_list_foreach (fcn->bbs, it, bb) {
ut64 addr = bb->addr;
int i = 0;
RRegItem *r = r_reg_get (core->dbg->reg, pc, -1);
if (!r) {
free (buf);
return;
}
r_reg_set_value (core->dbg->reg, r, addr);
while (1) {
if (r_cons_is_breaked ()) {
Expand Down Expand Up @@ -549,6 +549,11 @@ R_API void r_core_anal_type_match(RCore *core, RAnalFunction *fcn) {
}
sdb_num_set (anal->esil->trace->db, sdb_fmt ("0x%"PFMT64x".count", addr), loop_count + 1, 0);
if (r_anal_op_nonlinear (aop.type)) { // skip the instr
RRegItem *r = r_reg_get (core->dbg->reg, pc, -1);
if (!r) {
free (buf);
return;
}
r_reg_set_value (core->dbg->reg, r, addr + ret);
} else {
r_core_esil_step (core, UT64_MAX, NULL, NULL, false);
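Review bot: The early `free (buf); return;` exits in the `if (!r)` block inside `r_list_foreach` and in the `r_anal_op_nonlinear` branch now run after `r_cons_break_push (NULL, NULL)` and return without a matching `r_cons_break_pop ()`, so a failed register lookup leaves the break stack unbalanced, and both paths also leak `pc`, the `strdup (_pc)` result (the two identical `if (!r)` blocks carry no +/- markers on this page, so I am assuming the one inside the loop is the added one, which is what fits the UAF fix). Replace both with `if (!r) { goto beach; }` (or whatever cleanup label the function's tail, which is outside this hunk, already uses) and have that label call `r_cons_break_pop ()` and `free (pc)` before `free (buf)`. A short comment above each re-fetch would also keep the fix from being "simplified" away later, e.g. `// re-fetch on every use: the RRegItem can presumably be freed while ESIL steps, so do not cache it across iterations`. r_core_anal_type_match begins and ends outside this hunk.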
6 changes: 3 additions & 3 deletions libr/core/cmd_anal.c
Expand Up @@ -4766,7 +4766,7 @@ void cmd_anal_reg(RCore *core, const char *str) {
int size = 0, i, type = R_REG_TYPE_GPR;
int bits = (core->anal->bits & R_SYS_BITS_64)? 64: 32;
int use_colors = r_config_get_i (core->config, "scr.color");
RRegItem *r;
RRegItem *r = NULL;
const char *use_color;
const char *name;
char *arg;
Expand Down Expand Up @@ -5098,6 +5098,7 @@ void cmd_anal_reg(RCore *core, const char *str) {
arg = strchr (str + 1, '=');
if (arg) {
*arg = 0;
ut64 n = r_num_math (core->num, arg + 1);
char *ostr = r_str_trim_dup (str + 1);
char *regname = r_str_trim_nc (ostr);
r = r_reg_get (core->dbg->reg, regname, -1);
Expand All @@ -5113,8 +5114,7 @@ void cmd_anal_reg(RCore *core, const char *str) {
if (r) {
//eprintf ("%s 0x%08"PFMT64x" -> ", str,
// r_reg_get_value (core->dbg->reg, r));
r_reg_set_value (core->dbg->reg, r,
r_num_math (core->num, arg + 1));
r_reg_set_value (core->dbg->reg, r, n);
r_debug_reg_sync (core->dbg, R_REG_TYPE_ALL, true);
//eprintf ("0x%08"PFMT64x"\n",
// r_reg_get_value (core->dbg->reg, r));
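Review bot: Evaluating `ut64 n = r_num_math (core->num, arg + 1);` before `r = r_reg_get (core->dbg->reg, regname, -1);` is the actual fix in this file, but nothing in the code says so, and a later cleanup could move the evaluation back next to `r_reg_set_value` and reintroduce the use-after-free. Add a comment on the hoisted line, e.g. `// evaluate before r_reg_get(): r_num_math() can presumably invalidate a previously fetched RRegItem, so never hold r across it`. The `RRegItem *r = NULL;` initialization in the first hunk is fine as written. cmd_anal_reg starts and ends outside these hunks, so I cannot see whether `ostr` from `r_str_trim_dup` is freed on every path after the lookup.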
3 changes: 2 additions & 1 deletion libr/reg/rvalue.c
Expand Up @@ -141,9 +141,10 @@ R_API ut64 r_reg_get_value_by_role(RReg *reg, RRegisterId role) {
}

R_API bool r_reg_set_value(RReg *reg, RRegItem *item, ut64 value) {
r_return_val_if_fail (reg && item, false);

ut8 bytes[12];
ut8 *src = bytes;
r_return_val_if_fail (reg && item, false);

if (r_reg_is_readonly (reg, item)) {
return true;
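Review bot: `ut8 bytes[12];` is left indeterminate while `src` aliases it on the next line; if the size-dependent write further down (outside this hunk) fills fewer bytes than are later copied into the register, indeterminate stack data reaches the register value. `ut8 bytes[12] = {0};` costs nothing and removes the question. Moving `r_return_val_if_fail (reg && item, false);` above the local declarations is fine; the rest of r_reg_set_value is outside the hunk.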
