
Use after free vulnerability in Sleigh backend

Low
emteere published GHSA-4g43-2f29-xvp4 Sep 19, 2024

Package

Sleigh Decompiler Backend (Sleigh)

Affected versions

<= 11.1.2

Patched versions

11.2

Description

Summary

This is a static initialization order fiasco (SIOF) issue (ref: https://en.cppreference.com/w/cpp/language/siof), in its destruction-order form. Two objects with static storage duration live in different translation units, so the order in which they are constructed, and therefore the order in which they are destroyed, is unspecified; one of the possible orders results in a use after free.

Details

If the "SleighArchitecture::translators" singleton (ref: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc#L36) is destroyed before the "XmlArchitectureCapability" singleton (ref: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/src/decompile/cpp/xml_arch.cc#L23), the call to SleighArchitecture::shutdown (ref: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc#L627-L635) made during the capability's destruction iterates over a map whose storage has already been deallocated (though not necessarily zeroed).
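The following is an added example, not Ghidra's code and not the change made in PR #6890. It models the shape described above with hypothetical names (a static registry of translator objects, and a "capability" static whose destructor calls shutdown()), shows in a comment how the bad destruction order can be reproduced deterministically inside one translation unit, and then implements a hardened form in which the registry sits behind a raw pointer. A raw pointer has no destructor, so static destruction order can no longer free the map out from under shutdown(), and shutdown() is idempotent so any number of static destructors may call it.

```cpp
// Added example (hypothetical names; not Ghidra's code or the fix from PR #6890).
#include <cstddef>
#include <map>
#include <string>
#include <utility>

namespace example {

struct Translator {                  // stand-in for a translator object owned by the registry
    std::string name;
    explicit Translator(std::string n) : name(std::move(n)) {}
};

// VULNERABLE SHAPE (kept as a comment for comparison, not compiled):
//
//   static std::map<int, Translator*> translators;     // has a non-trivial destructor
//   void shutdown() {
//       for (auto it = translators.begin(); it != translators.end(); ++it)
//           delete it->second;                           // UAF if the map was destroyed already
//   }
//   struct Capability { ~Capability() { shutdown(); } };
//   static Capability capability;                         // in another TU: order unspecified
//
// Within a single TU statics are destroyed in reverse order of construction, so
// declaring `capability` *before* `translators` reproduces the bad order every time:
// the map's destructor runs first, then ~Capability() walks freed memory.

// HARDENED SHAPE: the registry is heap-allocated and reached through a pointer.
// The pointer is constant-initialized and trivially destructible, so nothing
// happens to it at static-destruction time; the map lives until shutdown() frees it.
static std::map<int, Translator*>* translators = nullptr;

static std::map<int, Translator*>& registry() {
    if (translators == nullptr)
        translators = new std::map<int, Translator*>();   // construct on first use
    return *translators;
}

// Registers (or replaces) the translator for an id; returns the registry size.
std::size_t registerTranslator(int id, const std::string& name) {
    auto& reg = registry();
    auto it = reg.find(id);
    if (it != reg.end()) {
        delete it->second;
        it->second = new Translator(name);
    } else {
        reg.emplace(id, new Translator(name));
    }
    return reg.size();
}

std::size_t translatorCount() {
    return translators == nullptr ? 0 : translators->size();
}

// Frees every translator and the map itself; returns how many translators were freed.
// Safe to call repeatedly and from any static destructor: after the first call the
// pointer is null and later calls are no-ops instead of iterating freed storage.
std::size_t shutdown() {
    if (translators == nullptr) return 0;
    std::size_t freed = 0;
    for (auto& kv : *translators) {
        delete kv.second;
        ++freed;
    }
    delete translators;
    translators = nullptr;
    return freed;
}

// Stand-in for the capability singleton whose destructor triggers shutdown at exit.
struct Capability {
    ~Capability() { shutdown(); }
};
static Capability capability;   // whatever order this is destroyed in, shutdown() stays safe

}  // namespace example
```

The invariant that makes this safe is that shutdown() is the only thing that ever frees the map, and it nulls the pointer when it does; the process exit path then has exactly one owner for that memory regardless of how the linker orders the translation units.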

Impact

For us, this was causing an infinite loop on shutdown. The iterator ++ operator was iterating over garbage data. Because this happens at shutdown, it doesn't seem like a highly exploitable vulnerability to Ghidra proper. However, I'm less sure about the impact for those who may use it as part of a larger workflow. At the very least, it caused our pipeline to hang forever.

Resolution

The pull request #6890 contains a fix for this issue.

Severity

Low


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CVE ID

No known CVE
