patch 9.0.2158: [security]: use-after-free in check_argument_typev9.0.2158

Problem: [security]: use-after-free in check_argument_type Solution: Reset function type pointer when freeing the function type list function pointer fp->uf_func_type may point to the same memory, that was allocated for fp->uf_type_list. However, when cleaning up a function definition (e.g. because it was invalid), fp->uf_type_list will be freed, but fp->uf_func_type may still point to the same (now) invalid memory address. So when freeing the fp->uf_type_list, check if fp->func_type points to any of those types and if it does, reset the fp->uf_func_type pointer to the t_func_any (default) type pointer closes: #13652 Signed-off-by: Christian Brabandt <cb@256bit.org>
author: Christian Brabandt <cb@256bit.org> 2023-12-11 17:53:25 +0100
committer: Christian Brabandt <cb@256bit.org> 2023-12-11 17:53:25 +0100
commit: 0f28791b215bd4c22ed580839409c2f7d39d8140 (patch)
tree: 48426013e84963dab16dcc478a9486c158b788a8 /src/testdir/crash
parent: e4a450a87ba532cbfe1c4e97cac378eaafc3ae39 (diff)
1 files changed, 0 insertions, 0 deletions
diff --git a/src/testdir/crash/poc_uaf_check_argument_types b/src/testdir/crash/poc_uaf_check_argument_types
new file mode 100644
index 0000000000..83a2e7b0a6
--- /dev/null
+++ b/src/testdir/crash/poc_uaf_check_argument_types
author	Christian Brabandt <cb@256bit.org>	2023-12-11 17:53:25 +0100
committer	Christian Brabandt <cb@256bit.org>	2023-12-11 17:53:25 +0100
commit	0f28791b215bd4c22ed580839409c2f7d39d8140 (patch)
tree	48426013e84963dab16dcc478a9486c158b788a8 /src/testdir/crash
parent	e4a450a87ba532cbfe1c4e97cac378eaafc3ae39 (diff)