From a3248b51e3c41213e7fb4163cd8ca6845972aaec Mon Sep 17 00:00:00 2001
From: Omar Sandoval
Date: Mon, 13 Apr 2020 16:16:34 -0700
Subject: [PATCH] libdrgn: fix use after free when formatting compound types

compound_initializer_init_next() saves a pointer to the compound initializer stack and uses it after appending to the stack, which may have reallocated the stack.
---
 libdrgn/language_c.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libdrgn/language_c.c b/libdrgn/language_c.c
index e810a8e1..f76a5dc4 100644
--- a/libdrgn/language_c.c
+++ b/libdrgn/language_c.c
@@ -1007,6 +1007,7 @@ compound_initializer_iter_next(struct initializer_iter *iter_,
 	struct compound_initializer_iter *iter = container_of(iter_,
 		struct compound_initializer_iter, iter);
 	struct compound_initializer_state *top;
+	uint64_t bit_offset;
 	struct drgn_type_member *member;
 	struct drgn_qualified_type member_type;
 
@@ -1022,6 +1023,7 @@ compound_initializer_iter_next(struct initializer_iter *iter_,
 			continue;
 		}
 
+		bit_offset = top->bit_offset;
 		member = top->member++;
 		err = drgn_member_type(member, &member_type);
 		if (err)
@@ -1037,7 +1039,7 @@ compound_initializer_iter_next(struct initializer_iter *iter_,
 		    !(iter->flags & DRGN_FORMAT_OBJECT_MEMBER_NAMES) ||
 		    !drgn_type_has_members(member_type.type)) {
 			err = drgn_object_slice(obj_ret, iter->obj, member_type,
-						top->bit_offset + member->bit_offset,
+						bit_offset + member->bit_offset,
 						member->bit_field_size);
 			if (err)
 				return err;
@@ -1062,7 +1064,7 @@ compound_initializer_iter_next(struct initializer_iter *iter_,
 			return &drgn_enomem;
 		new->member = drgn_type_members(member_type.type);
 		new->end = new->member + drgn_type_num_members(member_type.type);
-		new->bit_offset = top->bit_offset + member->bit_offset;
+		new->bit_offset = bit_offset + member->bit_offset;
 	}
 
 	*flags_ret = iter->member_flags;
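Review bot: The dangling `top` pointer survives the stack push in the last hunk (the `new` element obtained just before `return &drgn_enomem;`), so only the single field copied in the second hunk is protected; any other read through `top` between the third and fourth hunks, which this patch does not show, would still be a use-after-free. I would invalidate it right after the push, `top = NULL;`, so a later regression faults deterministically instead of silently reading freed memory, and add a comment at the copy in the second hunk: `/* Pushing onto the stack below may realloc it and invalidate top; copy what we need first. */`. Without that comment the `bit_offset` local reads as a needless temporary and is likely to be folded back into `top->bit_offset` during a cleanup. The commit message names the function compound_initializer_init_next(), while the hunk headers show it is compound_initializer_iter_next(). compound_initializer_iter_next() starts before the first hunk and continues past the last one.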