
Commit 21584e4

ret2libcXVilka
authored andcommitted
Initialize retctx,ctx before freeing the inner elements
In rz_core_analysis_type_match the retctx structure was initialized on the stack only after a "goto out_function", where a field of that structure was freed. When the goto path is taken, the field is not properly initialized, which can cause a crash of Rizin or have other effects. Fixes: CVE-2021-4022
1 parent 4295cfe commit 21584e4

3 files changed

+21
-15
lines changed


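--- a/librz/analysis/var.c
+++ b/librz/analysis/var.c
@@ -1103,13 +1103,15 @@ RZ_API void rz_analysis_extract_rarg(RzAnalysis *analysis, RzAnalysisOp *op, RzA
 RZ_API void rz_analysis_extract_vars(RzAnalysis *analysis, RzAnalysisFunction *fcn, RzAnalysisOp *op) {
 rz_return_if_fail(analysis && fcn && op);
 
-const char *BP = analysis->reg->name[RZ_REG_NAME_BP];
-const char *SP = analysis->reg->name[RZ_REG_NAME_SP];
+const char *BP = rz_reg_get_name(analysis->reg, RZ_REG_NAME_BP);
+const char *SP = rz_reg_get_name(analysis->reg, RZ_REG_NAME_SP);
 if (BP) {
 extract_arg(analysis, fcn, op, BP, "+", RZ_ANALYSIS_VAR_KIND_BPV);
 extract_arg(analysis, fcn, op, BP, "-", RZ_ANALYSIS_VAR_KIND_BPV);
 }
-extract_arg(analysis, fcn, op, SP, "+", RZ_ANALYSIS_VAR_KIND_SPV);
+if (SP) {
+extract_arg(analysis, fcn, op, SP, "+", RZ_ANALYSIS_VAR_KIND_SPV);
+}
 }
 
 static RzList *var_generate_list(RzAnalysis *a, RzAnalysisFunction *fcn, int kind) {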
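Review bot: The new `if (SP)` guard in rz_analysis_extract_vars has no comment saying why the alias can be missing, so a later reader may "simplify" it away; the same question applies to the existing `if (BP)`. The canalysis.c hunk in this commit bails out on a NULL result from rz_reg_get_name() as well, which suggests a NULL return is an expected condition rather than an error, but that is inferred, not visible here. Suggest a one-line comment above the two lookups: `// rz_reg_get_name() may return NULL when the register profile defines no such alias; skip that kind of variable`.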

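--- a/librz/core/analysis_tp.c
+++ b/librz/core/analysis_tp.c
@@ -843,6 +843,19 @@ RZ_API void rz_core_analysis_type_match(RzCore *core, RzAnalysisFunction *fcn, H
 dtrace->ht = ht_pp_new_size(fcn->ninstr, opt.dupvalue, opt.freefn, opt.calcsizeV);
 dtrace->ht->opt = opt;
 
+// Create a new context to store the return type propagation state
+struct ReturnTypeAnalysisCtx retctx = {
+.resolved = false,
+.ret_type = NULL,
+.ret_reg = NULL,
+};
+struct TypeAnalysisCtx ctx = {
+.retctx = &retctx,
+.cur_idx = 0,
+.prev_dest = NULL,
+.str_flag = false
+};
+
 HtUP *op_cache = NULL;
 const char *pc = rz_reg_get_name(core->dbg->reg, RZ_REG_NAME_PC);
 if (!pc) {
@@ -856,18 +869,6 @@ RZ_API void rz_core_analysis_type_match(RzCore *core, RzAnalysisFunction *fcn, H
 rz_list_sort(fcn->bbs, bb_cmpaddr);
 // TODO: The algorithm can be more accurate if blocks are followed by their jmp/fail, not just by address
 RzAnalysisBlock *bb;
-// Create a new context to store the return type propagation state
-struct ReturnTypeAnalysisCtx retctx = {
-.resolved = false,
-.ret_type = NULL,
-.ret_reg = NULL
-};
-struct TypeAnalysisCtx ctx = {
-.retctx = &retctx,
-.cur_idx = 0,
-.prev_dest = NULL,
-.str_flag = false
-};
 rz_list_foreach (fcn->bbs, it, bb) {
 ut64 addr = bb->addr;
 rz_reg_set_value(core->dbg->reg, r, addr);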
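Review bot: The moved `retctx`/`ctx` initializers in the first hunk carry the existing "Create a new context" comment but nothing that records the ordering constraint this fix depends on, so a future refactor could move the block back below the `if (!pc)` early exit and reintroduce the freeing of an uninitialized `ret_type` described in the commit message. Suggest extending the comment to `// Must stay above every goto out_function: the cleanup path frees retctx.ret_type, so both contexts have to be initialized on all paths`. The body of rz_core_analysis_type_match, including the `out_function` label and the `if (!pc)` branch, starts and ends outside these hunks, so whether any other goto still precedes the declarations cannot be confirmed from here.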

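--- a/librz/core/canalysis.c
+++ b/librz/core/canalysis.c
@@ -5371,6 +5371,9 @@ RZ_API void rz_core_analysis_esil(RzCore *core, const char *str, const char *tar
 rz_core_analysis_esil_init_mem(core, NULL, UT64_MAX, UT32_MAX);
 }
 const char *spname = rz_reg_get_name(core->analysis->reg, RZ_REG_NAME_SP);
+if (!spname) {
+goto out_pop_regs;
+}
 EsilBreakCtx ctx = {
 &op,
 fcn,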
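Review bot: The new `if (!spname) goto out_pop_regs;` aborts the whole ESIL analysis silently, with no log line and no comment explaining that a missing SP alias makes the pass impossible, which will be hard to diagnose for a user whose register profile lacks the alias. Suggest a comment on the guard, `// no SP alias in the register profile: stack tracking is impossible, unwind what was set up so far`, and a diagnostic of the kind this file already uses on its other early exits, if it has one. The jump skips the `EsilBreakCtx ctx` initializer, which is legal C as long as nothing at or after `out_pop_regs` reads `ctx`; the label and the rest of rz_core_analysis_esil lie outside the hunk, so that cannot be verified here.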
