From 37838c180a138941b5c0c24f9bf0c7920663ca7b Mon Sep 17 00:00:00 2001
From: Bill Bierman
Date: Fri, 6 Sep 2024 08:49:10 -1000
Subject: [PATCH 1/3] Corrected use after free vulnerability in Sleigh decompiler backend
---
 .../src/decompile/cpp/sleigh_arch.cc | 20 +++++++------------
 .../src/decompile/cpp/sleigh_arch.hh | 2 +-
 2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc b/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc
index bc6cf65ddd..f628a6ff19 100644
--- a/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc
+++ b/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc
@@ -33,7 +33,7 @@ ElementId ELEM_DESCRIPTION = ElementId("description",233);
 ElementId ELEM_LANGUAGE = ElementId("language",234);
 ElementId ELEM_LANGUAGE_DEFINITIONS = ElementId("language_definitions",235);
-map SleighArchitecture::translators;
+map SleighArchitecture::translators;
 vector SleighArchitecture::description;
 FileManage SleighArchitecture::specpaths; // Global specfile manager
@@ -174,17 +174,15 @@ bool SleighArchitecture::isTranslateReused(void)
 Translate *SleighArchitecture::buildTranslator(DocumentStorage &store)
 { // Build a sleigh translator
- map::const_iterator iter;
- Sleigh *sleigh;
+ map::iterator iter;
+
 iter = translators.find(languageindex);
 if (iter != translators.end()) {
- sleigh = (*iter).second;
- sleigh->reset(loader,context);
- return sleigh;
+ iter->second.reset(loader, context);
+ return &iter->second;
 }
- sleigh = new Sleigh(loader,context);
- translators[languageindex] = sleigh;
- return sleigh;
+ translators[languageindex] = Sleigh(loader,context);
+ return &translators[languageindex];
 }
 PcodeInjectLibrary *SleighArchitecture::buildPcodeInjectLibrary(void)
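Review bot: `return &iter->second;` and `return &translators[languageindex];` hand out raw pointers into the static `translators` map, and nothing in the hunk records why that is safe now that the map owns the Sleigh objects by value. It is safe only because std::map never relocates nodes on insertion and, with the clearing loop removed from shutdown() in the same commit, nothing erases entries before process exit; that reliance belongs in a comment next to the lookup, e.g. `// Translators are owned by the static map and live until process exit; std::map keeps nodes in place across inserts, so a pointer into it stays valid.` The flip side is that each Sleigh is now destroyed during static destruction rather than under an explicit shutdown; if ~Sleigh touches globals in other translation units (I cannot tell from this hunk), the unspecified cross-TU destruction order is the remaining hazard and deserves a one-line note. The `store` parameter is still unused, as before the change.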
@@ -627,10 +625,6 @@ const vector &SleighArchitecture::getDescriptions(void)
 void SleighArchitecture::shutdown(void)
 {
- if (translators.empty()) return; // Already cleared
- for(map::const_iterator iter=translators.begin();iter!=translators.end();++iter)
- delete (*iter).second;
- translators.clear();
 // description.clear(); // static vector is destroyed by the normal exit handler
 }
diff --git a/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.hh b/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.hh
index a0f20d934f..dd5929d14b 100644
--- a/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.hh
+++ b/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.hh
@@ -106,7 +106,7 @@ public:
 /// Generally a \e language \e id (i.e. x86:LE:64:default) is provided, then this
 /// object is able to automatically load in configuration and construct the Translate object.
 class SleighArchitecture : public Architecture {
- static map translators; ///< Map from language index to instantiated translators
+ static map translators; ///< Map from language index to instantiated translators
 static vector description; ///< List of languages we know about
 int4 languageindex; ///< Index (within LanguageDescription array) of the active language
 string filename; ///< Name of active load-image file
From f56473e6047e3086d69be250f372fd7657efe5bd Mon Sep 17 00:00:00 2001
From: Bill Bierman
Date: Thu, 12 Sep 2024 07:07:24 -1000
Subject: [PATCH 2/3] Use emplace instead of copy constructor
---
 Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc b/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc
index f628a6ff19..cb0848a4de 100644
--- a/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc
+++ b/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc
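Review bot: The doc comment on the `translators` member is unchanged at `///< Map from language index to instantiated translators` and says nothing about the ownership model this type switch introduces: the map now owns each Sleigh by value, buildTranslator returns pointers into it, and since shutdown() no longer clears the map those objects are released only at static destruction. Suggest `///< Map from language index to instantiated translators; owns the Sleigh objects by value, and pointers handed out by buildTranslator stay valid until process exit because the map is never cleared`. Because every SleighArchitecture shares this single static and reset()s a cached Sleigh rather than building its own, a note on whether concurrent construction of architectures is supported would also help — the hunk does not show any synchronization, but I cannot tell from here whether callers need it. The class declaration continues outside the hunk.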
@@ -181,8 +181,9 @@ Translate *SleighArchitecture::buildTranslator(DocumentStorage &store)
 iter->second.reset(loader, context);
 return &iter->second;
 }
- translators[languageindex] = Sleigh(loader,context);
- return &translators[languageindex];
+ pair::iterator,bool> res;
+ res = translators.emplace(piecewise_construct,forward_as_tuple(languageindex),forward_as_tuple(loader,context));
+ return &(*res.first).second;
 }
 PcodeInjectLibrary *SleighArchitecture::buildPcodeInjectLibrary(void)
From fe70b400b66d5302d90bb7d1fee2079001002bc9 Mon Sep 17 00:00:00 2001
From: Ryan Kurtz
Date: Fri, 13 Sep 2024 11:51:28 -0400
Subject: [PATCH 3/3] GP-4929: Certify
---
 Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.hh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.hh b/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.hh
index dd5929d14b..3ee506bfa6 100644
--- a/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.hh
+++ b/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.hh
@@ -4,9 +4,9 @@
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
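Review bot: `res.second` is never inspected, so the correctness of `return &(*res.first).second;` rests entirely on the find() earlier in the function having proven the key absent, and nothing in the hunk records that invariant; if a later edit drops or moves that lookup, emplace() would quietly return the existing entry without reset() having been called on it. A one-line comment pins the contract, e.g. `// find() above guarantees the key is absent, so emplace() always inserts; piecewise_construct builds the Sleigh in place (it need not be copyable or movable)`, or an `assert(res.second);` if this file already uses asserts — I cannot see whether it does. The declare-then-assign on `res` reads as two steps where one would do; folding it into a single initialized declaration would match the way `iter` is used just above, if project style allows. The function's opening lines are outside the hunk.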