Prefer memleak over uaf in io.bank's rbtree bug ##crash
* That's a workaround, proper fix will come later
* Reproducer: bins/fuzzed/iobank-crash
* Reported by Akyne Choi via huntr.dev
radare committed Feb 13, 2022
1 parent d843f07 commit b5cb90b
Showing 2 changed files with 9 additions and 3 deletions.
8 changes: 7 additions & 1 deletion libr/io/io_bank.c
@@ -226,12 +226,18 @@ R_API bool r_io_bank_map_add_top(RIO *io, const ut32 bankid, const ut32 mapid) {
r_io_submap_set_to (bd, r_io_submap_from (sm) - 1);
entry = r_rbnode_next (entry);
}
while (entry && r_io_submap_to (((RIOSubMap *)entry->data)) <= r_io_submap_to (sm)) {
ut64 smto = r_io_submap_to (sm);
while (entry && r_io_submap_to (((RIOSubMap *)entry->data)) <= smto) {
//delete all submaps that are completly included in sm
RRBNode *next = r_rbnode_next (entry);
// this can be optimized, there is no need to do search here
// XXX this is a workaround to avoid an UAF in Reproducer: iobank-crash
void *smfree = bank->submaps->free;
bank->submaps->free = NULL;
bool a = r_crbtree_delete (bank->submaps, entry->data, _find_sm_by_from_vaddr_cb, NULL);
bank->submaps->free = smfree;
if (!a) {
entry = NULL;
break;
}
entry = next;
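Review bot: clearing `bank->submaps->free` around `r_crbtree_delete` means the `RIOSubMap` behind `entry->data` is never released, so every submap fully contained in `sm` is now leaked rather than freed. The commit message says this is a deliberate interim trade, but the `XXX` comment in the hunk only says "workaround"; it should state that the leak is intentional and reference the tracking issue or the `bins/fuzzed/iobank-crash` reproducer, otherwise the next reader will read it as a missing free. If the UAF is caused by the data being freed while the loop still walks nodes that reference it, a cheaper interim option is to collect the `entry->data` pointers in a local list inside the loop and free them after the loop has finished, which avoids the leak without touching the tree's free callback. Two smaller points: `a` should be named `deleted` (or similar) so the `if (!a)` branch reads clearly, and `completly` in the comment should be `completely`.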
4 changes: 2 additions & 2 deletions libr/util/new_rbtree.c
@@ -138,9 +138,9 @@ R_API bool r_crbtree_insert(RRBTree *tree, void *data, RRBComparator cmp, void *
r_return_val_if_fail (tree && data && cmp, false);
bool inserted = false;

if (tree->root == NULL) {
if (!tree->root) {
tree->root = _node_new (data, NULL);
if (tree->root == NULL) {
if (!tree->root) {
return false;
}
inserted = true;
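Review bot: both changes in this hunk are pure style (`== NULL` to `!`) with no behavioural effect, and they are unrelated to the io_bank workaround the commit message describes; keeping them in a separate cleanup commit would make the crash fix easier to bisect and to revert once the proper fix lands. If they stay here, the commit message should mention new_rbtree.c so the file's presence in the diff is not mistaken for part of the fix.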
