Headline
CVE-2022-0559: Prefer memleak over usaf in io.bank's rbtree bug ##crash · radareorg/radare2@b5cb90b
Use After Free in NPM radare2.js prior to 5.6.2.
@@ -226,12 +226,18 @@ R_API bool r_io_bank_map_add_top(RIO *io, const ut32 bankid, const ut32 mapid) {
r_io_submap_set_to (bd, r_io_submap_from (sm) - 1);
entry = r_rbnode_next (entry);
}
while (entry && r_io_submap_to (((RIOSubMap *)entry->data)) <= r_io_submap_to (sm)) {
ut64 smto = r_io_submap_to (sm);
while (entry && r_io_submap_to (((RIOSubMap *)entry->data)) <= smto) {
//delete all submaps that are completly included in sm
RRBNode *next = r_rbnode_next (entry);
// this can be optimized, there is no need to do search here
// XXX this is a workaround to avoid an UAF in Reproducer: iobank-crash
void *smfree = bank->submaps->free;
bank->submaps->free = NULL;
bool a = r_crbtree_delete (bank->submaps, entry->data, _find_sm_by_from_vaddr_cb, NULL);
bank->submaps->free = smfree;
if (!a) {
entry = NULL;
break;
}
entry = next;