Merge pull request #213 from ranmrdrakono/fb_fix_use_after_free_in_unmap

fix for use after free in case of double unmap
2024-10-20 03:18:17 +02:00 · 2015-10-22 17:03:22 +08:00 · 2015-10-22 17:03:22 +08:00 · b4efe72a7e
commit b4efe72a7e
parent cf727ad323 dd56621bbb
3 changed files with 53 additions and 1 deletions
--- a/tests/regress/Makefile
+++ b/tests/regress/Makefile
@ -8,6 +8,7 @@ TESTS += ro_mem_test nr_mem_test
 TESTS += timeout_segfault
 TESTS += rep_movsb
 TESTS += mem_unmap
+TESTS += mem_double_unmap
 TESTS += mem_protect
 TESTS += mem_exec

--- a/tests/regress/mem_double_unmap.c
+++ b/tests/regress/mem_double_unmap.c
@ -0,0 +1,51 @@
+#define __STDC_FORMAT_MACROS
+#include <inttypes.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <unicorn/unicorn.h>
+
+int main(int argc, char **argv, char **envp)
+{
+    uc_engine *uc;
+    uc_hook trace1, trace2;
+    uc_err err;
+
+    // Initialize emulator in X86-32bit mode
+    err = uc_open(UC_ARCH_X86, UC_MODE_32, &uc);
+    if (err) {
+        printf("not ok - Failed on uc_open() with error returned: %u\n", err);
+        return;
+    }
+
+    uc_mem_map(uc, 0x1000, 0x1000, UC_PROT_ALL);
+    if (err) {
+        printf("not ok - Failed on uc_mem_map() with error returned: %u\n", err);
+        return;
+    }
+
+    uc_mem_map(uc, 0x4000, 0x1000, UC_PROT_ALL);
+    if (err) {
+        printf("not ok - Failed on uc_mem_map() with error returned: %u\n", err);
+        return;
+    }
+
+    err = uc_mem_unmap(uc, 0x4000, 0x1000);
+    if (err) {
+        printf("not ok - Failed on uc_mem_unmap() with error returned: %u\n", err);
+        return;
+    }
+
+    err = uc_mem_unmap(uc, 0x4000, 0x1000);
+    if (!err) {
+        printf("not ok - second unmap succeeded\n");
+        return 1;
+    }
+
+    printf("Tests OK\n");
+    uc_close(uc);
+    return 0;
+}
--- a/uc.c
+++ b/uc.c
@ -814,7 +814,7 @@ MemoryRegion *memory_mapping(struct uc_struct* uc, uint64_t address)
    // try with the cache index first
    i = uc->mapped_block_cache_index;

-    if (address >= uc->mapped_blocks[i]->addr && address < uc->mapped_blocks[i]->end)
+    if (i < uc->mapped_block_count && address >= uc->mapped_blocks[i]->addr && address < uc->mapped_blocks[i]->end)
        return uc->mapped_blocks[i];

    for(i = 0; i < uc->mapped_block_count; i++) {