Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix memory leaks in linux heap flow #4426

Merged
merged 7 commits into from
Apr 21, 2024
Merged

Fix memory leaks in linux heap flow #4426

merged 7 commits into from
Apr 21, 2024

Conversation

giridharprasath
Copy link
Contributor

@giridharprasath giridharprasath commented Apr 10, 2024
edited by XVilka
Loading

SQUASH ME

Your checklist for this pull request

  • I've read the guidelines for contributing to this repository
  • I made sure to follow the project's coding style
  • I've documented or updated the documentation of every function and struct this PR changes. If not so I've explained why.
  • I've added tests that prove my fix is effective or that my feature works (if possible)
  • I've updated the rizin book with the relevant information (if needed)

Detailed description

Fix memory leak in bin_elf and fix a leak in dmht
Add support for aarch64 tcache parsing
...

Test plan

Tested on ARM64 build

...

Closing issues

...

@giridharprasath giridharprasath marked this pull request as draft April 10, 2024 02:13
wargio
wargio reviewed Apr 10, 2024
View reviewed changes
librz/bin/bin.c Outdated Show resolved Hide resolved
@giridharprasath
Copy link
Contributor Author

@wargio @imbillow

Please review(one testcase failure) and lmk if we have to change this testcase output?

[XX] db/formats/pe/imports_tinyW7 PE: resolve reloc name by ordinal from sdb
RZ_NOPLUGINS=1 /usr/bin/rizin -escr.utf8=0 -escr.color=0 -escr.interactive=0 -eflirt.sigdb.load.system=false -eflirt.sigdb.load.home=false -N -Qc 'ir
ii
' bins/pe/imports_tinyW7.exe
-- stdout
--- expected
+++ actual
@@ -4,5 +4,5 @@
 0x800004f4 0x00000234 SET_32 msvcrt_Ordinal_1268
 nth  vaddr      bind type lib      name         
 ------------------------------------------------
-284  ---------- NONE FUNC kernel32 FindAtomW
+284  0x00401048 NONE FUNC kernel32 Ordinal_284
 1268 0x00401034 NONE FUNC msvcrt   Ordinal_1268

@giridharprasath giridharprasath marked this pull request as ready for review April 13, 2024 02:55
@imbillow
Copy link
Contributor

@giridharprasath There's something wrong with this test.

[XX] db/formats/pe/imports_tinyW7 PE: resolve reloc name by ordinal from sdb
RZ_NOPLUGINS=1 /usr/bin/rizin -escr.utf8=0 -escr.color=0 -escr.interactive=0 -eflirt.sigdb.load.system=false -eflirt.sigdb.load.home=false -N -Qc 'ir
ii
' bins/pe/imports_tinyW7.exe
-- stdout
--- expected
+++ actual
@@ -4,5 +4,5 @@
 0x800004f4 0x00000234 SET_32 msvcrt_Ordinal_1268
 nth  vaddr      bind type lib      name         
 ------------------------------------------------
-284  ---------- NONE FUNC kernel32 FindAtomW
+284  0x00401048 NONE FUNC kernel32 Ordinal_284
 1268 0x00401034 NONE FUNC msvcrt   Ordinal_1268

wargio
wargio reviewed Apr 16, 2024
View reviewed changes
librz/bin/p/bin_mach0.c Outdated Show resolved Hide resolved
wargio
wargio reviewed Apr 16, 2024
View reviewed changes
librz/bin/bin.c Outdated Show resolved Hide resolved
@XVilka
Copy link
Member

XVilka commented Apr 16, 2024

Interesting, FindAtomW is 283 ordinal, not 284, see librz/bin/d/dll/kernel32.sdb.txt. So the previous output was a bug it seems?

@giridharprasath
Copy link
Contributor Author

Ghidra's imports:

ScreenShot_2024-04-18_at_09:55:57-PM

ScreenShot_2024-04-18_at_09:49:34-PM

@giridharprasath
Copy link
Contributor Author

Debug binary with dmht command:
Before fix:
ScreenShot_2024-04-18_at_10:04:48-PM

After fix:
ScreenShot_2024-04-18_at_10:05:05-PM

XVilka
XVilka approved these changes Apr 19, 2024
View reviewed changes
librz/core/linux_heap_glibc.c
if (tcache_guess < map->addr || tcache_guess > map->addr_end) {
continue;
}

#if __aarch64__
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the future, parsing should not depend on the architecture Rizin was built on.

@XVilka XVilka requested a review from wargio April 19, 2024 11:07
@XVilka XVilka merged commit 0551f25 into rizinorg:dev Apr 21, 2024
44 checks passed
pelijah
pelijah reviewed Apr 24, 2024
View reviewed changes
librz/bin/bin.c
Comment on lines +206 to +207
rz_bin_import_free(reloc->import);
rz_bin_symbol_free(reloc->symbol);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes are not related to heap parsing and not tested well. Reloc related changes cause UAF and must be reverted.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@XVilka

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. @giridharprasath could you please send a PR reverting those? @pelijah do you have an example of the test file where it happens?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure @XVilka, will send them. I have tested this with ELF and PE binaries. The fix caused UAF in mach binaries, I have fixed there as well. @pelijah Please add where it is reproducible.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

COFF files and some LE libs

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There was some reason why relocs refer to original imports/symbols. I have concerns that breaking this unwritten rule may cause side effects.

@giridharprasath giridharprasath mentioned this pull request Apr 26, 2024
Merged
5 tasks
kazarmy pushed a commit to kazarmy/rizin that referenced this pull request May 2, 2024
@giridharprasath @kazarmy
[TO BE REVERTED] Fix memory leaks in linux heap parser (rizinorg#4426)
6e0a256 
* Fix memory leaks in debug path
* Fix memory leaks in mach and mdmp format
* Update the fix for mach
* Add support for aarch64 tcache parsing
* Test case fix
* Comment update

---------

Co-authored-by: Giridhar Prasath R <[email protected]>
kazarmy added a commit to kazarmy/rizin that referenced this pull request May 2, 2024
@kazarmy
Revert "[TO BE REVERTED] Fix memory leaks in linux heap parser (rizin…
ff0addc 
…org#4426)"

This reverts commit 6e0a256.
kazarmy pushed a commit to kazarmy/rizin that referenced this pull request May 3, 2024
@giridharprasath @kazarmy
[TO BE REVERTED] Fix memory leaks in linux heap parser (rizinorg#4426)
081b3d9 
* Fix memory leaks in debug path
* Fix memory leaks in mach and mdmp format
* Update the fix for mach
* Add support for aarch64 tcache parsing
* Test case fix
* Comment update

---------

Co-authored-by: Giridhar Prasath R <[email protected]>
kazarmy added a commit to kazarmy/rizin that referenced this pull request May 3, 2024
@kazarmy
Revert "[TO BE REVERTED] Fix memory leaks in linux heap parser (rizin…
0cd5349 
…org#4426)"

This reverts commit 081b3d9.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pelijah pelijah pelijah left review comments

@XVilka XVilka XVilka approved these changes

@Rot127 Rot127 Rot127 approved these changes

@ret2libc ret2libc Awaiting requested review from ret2libc ret2libc is a code owner

@kazarmy kazarmy Awaiting requested review from kazarmy kazarmy is a code owner

@thestr4ng3r thestr4ng3r Awaiting requested review from thestr4ng3r thestr4ng3r is a code owner

@yossizap yossizap Awaiting requested review from yossizap yossizap is a code owner

@wargio wargio Awaiting requested review from wargio wargio is a code owner

Assignees
No one assigned
Labels
Mach-O PE rz-test RzBin RzCore RzDebug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@giridharprasath @imbillow @XVilka @wargio @pelijah @Rot127