authorResery <50428593+Resery@users.noreply.github.com>2024-02-20 07:01:37 -0600
committerGitHub <noreply@github.com>2024-02-20 14:01:37 +0100
commit80158de3e801fa7dc1d4e36ec88cb767997f478e (patch)
tree2f8c84eb17903e68cd53295a8b1b4eeffc92f1d4 /unicorn_mode
parent730713193a236dd63592bb70dbd3ef7cf062c268 (diff)
downloadafl++-80158de3e801fa7dc1d4e36ec88cb767997f478e.tar.gz
Catch invalid frees (#2008)
1. There is no need to walk all chunks when the address is 0. 2. If the address is not inside any chunk, the program is trying to free an object that does not exist, which may indicate a "double-free" or "invalid-free" vulnerability. (This patch is taken from the "Battelle/afl-unicorn" repository.)
Diffstat (limited to 'unicorn_mode')
-rw-r--r--unicorn_mode/helper_scripts/unicorn_loader.py6
1 files changed, 5 insertions, 1 deletions
diff --git a/unicorn_mode/helper_scripts/unicorn_loader.py b/unicorn_mode/helper_scripts/unicorn_loader.py
index 740af1c8..cef39f7e 100644
--- a/unicorn_mode/helper_scripts/unicorn_loader.py
+++ b/unicorn_mode/helper_scripts/unicorn_loader.py
@@ -148,6 +148,9 @@ class UnicornSimpleHeap(object):
return new_chunk_addr
def free(self, addr):
+ if addr == 0:
+ return False
+
for chunk in self._chunks:
if chunk.is_buffer_in_chunk(addr, 1):
if self._debug_print:
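Review bot: The NULL guard added at the top of free() is fine (free(NULL) is a no-op in C, so returning False without a crash matches that), but the membership test on the next line, `chunk.is_buffer_in_chunk(addr, 1)`, accepts any address inside a chunk, so a free of an interior pointer such as `free(p + 8)` still unmaps the whole enclosing chunk and is never reported as an invalid free, which is exactly the class of bug this commit sets out to catch. If HeapChunk exposes the user-visible start of the allocation, consider matching on that instead, e.g. `if addr == <chunk start address>:` and letting the non-matching case fall through to the crash path added further down. The rest of free() continues past this hunk.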
@@ -159,7 +162,8 @@ class UnicornSimpleHeap(object):
self._uc.mem_unmap(chunk.actual_addr, chunk.total_size)
self._chunks.remove(chunk)
return True
- return False
+ # Freed an object that doesn't exist. Maybe 'dobule-free' or 'invalid free' vulnerability here.
+ self._uc.force_crash(UcError(UC_ERR_FETCH_UNMAPPED))
# Implements basic guard-page functionality
def __check_mem_access(self, uc, access, address, size, value, user_data):
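Review bot: The replaced `return False` leaves free() with no return value on the invalid-free path: if `force_crash` ever returns (it is defined elsewhere in this file, presumably raising a signal, but that cannot be confirmed from this hunk), the method now yields None instead of the documented bool, and a caller that logs or branches on the result gets no indication of what went wrong. Add `return False` after the `force_crash` call and, since every other branch of this method honours `self._debug_print`, emit the offending address before crashing so triage does not have to reconstruct it from the core: `if self._debug_print: print("Invalid free of 0x%x: not inside any live chunk" % addr)`. `UC_ERR_FETCH_UNMAPPED` also mislabels the fault — nothing was fetched; a heap-misuse crash is closer to a write fault, so either pick `UC_ERR_WRITE_UNMAPPED` or say in the comment why the fetch code was chosen. Finally the added comment has a typo, "dobule-free", which should read "double-free". Both `UcError` and the `UC_ERR_*` constant must be in scope from the unicorn import at the top of the file, which is outside this hunk.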