Fix mach064 UAF by leaking imports

rizinorg · May 14, 2024 · 1a2f205 · 1a2f205
1 parent 3d0e7df
commit 1a2f205
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/librz/bin/bobj.c b/librz/bin/bobj.c
@@ -125,8 +125,13 @@ RZ_API RzBinRelocStorage *rz_bin_reloc_storage_new(RZ_OWN RzPVector /*<RzBinRelo
 	ret->target_relocs_count = rz_pvector_len(&target_sorter);
 	ret->target_relocs = (RzBinReloc **)rz_pvector_flush(&target_sorter);
 	rz_pvector_fini(&target_sorter);
-	if (plugin && !strcmp(plugin->name, "coff")) {
-		ret->sym_imp_shared = true;
+	if (plugin) {
+		if (!strcmp(plugin->name, "coff")) {
+			ret->imp_shared = true;
+			ret->sym_shared = true;
+		} else if (!strcmp(plugin->name, "mach064")) {
+			ret->imp_shared = true;
+		}
 	}
 	return ret;
 }
@@ -136,10 +141,14 @@ RZ_API void rz_bin_reloc_storage_free(RzBinRelocStorage *storage) {
 		return;
 	}
 	for (size_t i = 0; i < storage->relocs_count; i++) {
-		if (storage->sym_imp_shared) {
-			free(storage->relocs[i]); // Not freeing symbol and import
-		} else {
-			rz_bin_reloc_free(storage->relocs[i]);
+		if (storage->relocs[i]) {
+			if (!storage->imp_shared) {
+				rz_bin_import_free(storage->relocs[i]->import);
+			}
+			if (!storage->sym_shared) {
+				rz_bin_symbol_free(storage->relocs[i]->symbol);
+			}
+			free(storage->relocs[i]);
 		}
 	}
 	free(storage->relocs);

diff --git a/librz/include/rz_bin.h b/librz/include/rz_bin.h
@@ -682,7 +682,8 @@ struct rz_bin_reloc_storage_t {
 	size_t relocs_count;
 	RzBinReloc **target_relocs; ///< all relocs that have a valid target_vaddr, ordered by their target_vaddr. size is target_relocs_count!
 	size_t target_relocs_count;
-	bool sym_imp_shared; // plugin frees reloc symbols and imports
+	bool imp_shared; // plugin frees reloc imports
+	bool sym_shared; // plugin frees reloc symbols
 }; // RzBinRelocStorage
 
 RZ_API RzBinRelocStorage *rz_bin_reloc_storage_new(RZ_OWN RzPVector /*<RzBinReloc *>*/ *relocs, RzBinPlugin *plugin);