You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is an SIOF issue (ref: https://en.cppreference.com/w/cpp/language/siof). There are two globals in different translation units, and therefore their destruction order is undefined, where a bad order can result in a use after free.
For us, this was causing an infinite loop on shutdown. The iterator ++ operator was iterating over garbage data. Because this happens at shutdown, it doesn't seem like a highly exploitable vulnerability to Ghidra proper. However, I'm less sure about the impact for those who may use it as part of a larger workflow. At the very least, it caused our pipeline to hang forever.
Resolution
The pull request #6890 contains a fix for this issue.
Summary
This is an SIOF issue (ref: https://en.cppreference.com/w/cpp/language/siof). There are two globals in different translation units, and therefore their destruction order is undefined, where a bad order can result in a use after free.
Details
If the "SleighArchitecture::translators" singleton (ref: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc#L36) is destroyed before the "XmlArchitectureCapability" singleton (ref: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/src/decompile/cpp/xml_arch.cc#L23) is destroyed, the call to SleighArchitecture::shutdown (ref: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc#L627-L635) will result in iterating over deallocated (though not necessarily zerod) memory.
Impact
For us, this was causing an infinite loop on shutdown. The iterator ++ operator was iterating over garbage data. Because this happens at shutdown, it doesn't seem like a highly exploitable vulnerability to Ghidra proper. However, I'm less sure about the impact for those who may use it as part of a larger workflow. At the very least, it caused our pipeline to hang forever.
Resolution
The pull request #6890 contains a fix for this issue.