From 340d6aa97cd8fa18e8c7650ac9067e1b2688e8bb Mon Sep 17 00:00:00 2001
From: Resery <50428593+Resery@users.noreply.github.com>
Date: Wed, 21 Feb 2024 05:42:55 -0600
Subject: unicornafl: fix malloc of size 0 (#2010)

* bugfix: free a chunk with a size of 0, it will cause 1 byte oob. Malloc does not check the size. Generally, malloc(0) should return 0 but there will return two pages. Free will use is_buffer_in_chunk to check whether the address is in the chunk. At that time, the chunk.data_addr == total_size . Free pass address and "1" to is_buffer_in_chunk. So cause 1 byte out-of-bound.

* typo
---
 unicorn_mode/helper_scripts/unicorn_loader.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/unicorn_mode/helper_scripts/unicorn_loader.py b/unicorn_mode/helper_scripts/unicorn_loader.py
index cef39f7e..d0995f83 100644
--- a/unicorn_mode/helper_scripts/unicorn_loader.py
+++ b/unicorn_mode/helper_scripts/unicorn_loader.py
@@ -101,6 +101,10 @@ class UnicornSimpleHeap(object):
 # - Allocate at least 1 4k page of memory to make Unicorn happy
 # - Add guard pages at the start and end of the region
 total_chunk_size = UNICORN_PAGE_SIZE + ALIGN_PAGE_UP(size) + UNICORN_PAGE_SIZE
+
+ if size == 0:
+ return 0
+
 # Gross but efficient way to find space for the chunk:
 chunk = None
 for addr in range(self.HEAP_MIN_ADDR, self.HEAP_MAX_ADDR, UNICORN_PAGE_SIZE):
-- 
cgit 1.4.1
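Review bot: The new `if size == 0: return 0` guard changes what a zero-size request yields from a valid two-page chunk to address 0, so a target that does `p = malloc(0); free(p)` now hands 0 to the class's free(); free() is outside this hunk, so confirm it treats a 0 address as a no-op instead of raising or reporting a bad free. The guard also sits after `total_chunk_size` has already been computed from `size`; placing `if size == 0:` / `return 0` as the first statements of the method avoids the unused computation. A one-line comment such as `# malloc(0) returns 0 (NULL): a zero-size chunk made free()'s is_buffer_in_chunk check read 1 byte past the chunk end` would record why the guard exists. The enclosing malloc method starts and ends outside the hunk.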