Skip to content

Fixes for SLA file parsing bugs uncovered during fuzzing #8490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 24 commits into
base: master
Choose a base branch
from
Open

Fixes for SLA file parsing bugs uncovered during fuzzing #8490

wants to merge 24 commits into from
+173 −94

Conversation

@mnemonikr
Copy link

@mnemonikr mnemonikr commented Sep 3, 2025

Why is this change being proposed?

I was fuzzing the .sla parser in the decompiler and resolved a number of issues uncovered. I've included all of the fixes in this PR, but if preferred I can split this into multiple PRs. I tried to keep each commit self-contained to the issue I was resolving for easier reviewing.

Heap buffer overflows

These all triggered Address Sanitizer bug reports prior to being fixed:

  1. There is a buffer overflow in PackedDecode::advancePosition due to the signed skip parameter, which is read from the .sla file. If negative, can result in a read out of bounds. This was changed to unsigned.
  2. Identifiers read from the file and used as indexes should be validated to not exceed the container size. These included the symbol list, symbol scope table, address spaces, and constructors.

Null pointer dereferences

  1. If endIngest is called without any additional data, calls to decode will result in null deref when getByte tries to deref endPos.current which isn't set to point to the input stream (since there isn't one allocated). This can be triggered by an .sla file with just the header. I changed endIngest here to throw an exception in this case.
  2. Symbol list and symbol scope tables updated to ensure their entries are non-null before deleting in destructor.
  3. Pattern expression decoder returned null if invalid, but none of the callers checked for it. Changed this to an exception.

Memory leaks

These were issues identified by Leak Sanitizer and largely followed the pattern

TypeToDecode * localVar = new TypeToDecode();
localVar->decode(...);
owner->var = localVar;

If an issue occurred in decode, the localVar type would never be destroyed. These were largely mitigated with the use of std::unique_ptr locally to ensure the value would be destroyed on exception. The unique pointer is released prior to returning to prevent unwanted destruction on success.

The other common memory leak was overwriting the same value if decoding the same id multiple times. These scenarios were turned into exceptions. However, if there is a usecase for these, can update to change to free the previous value and allow overwriting instead.

Additional changes

The following files were not technically a part of the fuzz run but exhibited the same decoding pattern that resulted in the memory leaks elsewhere. I've included patches for these that should resolve the same style of memory leaks on decoding failure.

  • architecture.cc
  • funcdata.cc
  • modelrules.cc

@mnemonikr
Memory leak in Architecture::decodeProto
db06784
@mnemonikr
Memory leak in AddrSpaceManager::decodeSpace
4f02297
@mnemonikr
Memory leak in Override::decode
464b7dc
@mnemonikr
Memory leak in Funcdata::decodeJumpTable
fb224dc
@mnemonikr
Memory leak in DatatypeFilter::decodeFilter
75565cd
@mnemonikr
Memory leak in QualifierFilter::decodeFilter
c04c093
@mnemonikr
Memory leak in AssignAction::decodeAction
7cf1d4c
@mnemonikr
Memory leak in AssignAction::decodeSideeffect
3cee5ff
@mnemonikr
Fixed arbitrary heap memory read caused by negative skip in PackedDec…
3f4b408 
…ode::advancePosition
@mnemonikr
Fixed null pointer dereference caused by PackedDecode::endIngest call…
a168f2c 
… with empty input
@mnemonikr
Fixed out of bound read caused by not validating address space index
20ed796
@mnemonikr
Memory leak in OpTpl::decode
228b310
@mnemonikr
Memory leak in ConstructTpl::decode
7e1bf90
@mnemonikr
Memory leak in DisjointPattern::decodeDisjoint
fa6c853
@mnemonikr
Memory leak in Constructor::decode
4133e29
@mnemonikr
Validate SleighSymbol and SymbolScope (memory leak, nullptr deref, he…
beee69a 
…ap-buffer-overflow)
@mnemonikr
Memory leak in DecisionNode::decode
e110d62
@mnemonikr
Throw exception in PatternExpression::decodeExpression instead of ret…
20c791c 
…urning null to avoid caller nullptr deref
@mnemonikr
Memory leak in PatternExpression::decodeExpression
ffb463a
@mnemonikr
Heap buffer overflow read in OperandValue::decode
e32099f
@mnemonikr
Heap buffer overflow read in DecisionNode::decode
d8c6c3e
@mnemonikr
Memory leaks in symbols with PatternExpression when decoded multiple …
8db8cb1 
…times
@mnemonikr
C++11 compatible
4c9c834
@mnemonikr mnemonikr changed the title Fixes for SLA file parsing bugs uncovered during fuzzing - heap buffer overflows, nullptr derefs, memory leaks Fixes for SLA file parsing bugs uncovered during fuzzing Sep 3, 2025
@ryanmkurtz ryanmkurtz added Feature: Decompiler Status: Triage Information is being gathered labels Sep 3, 2025
@jobermayr
Copy link
Contributor

jobermayr commented Sep 14, 2025

Please add:
#include <memory>

in:

Ghidra/Features/Decompiler/src/decompile/cpp/architecture.cc
Ghidra/Features/Decompiler/src/decompile/cpp/funcdata.cc
Ghidra/Features/Decompiler/src/decompile/cpp/modelrules.cc
Ghidra/Features/Decompiler/src/decompile/cpp/override.cc
Ghidra/Features/Decompiler/src/decompile/cpp/semantics.cc
Ghidra/Features/Decompiler/src/decompile/cpp/slghpatexpress.cc
Ghidra/Features/Decompiler/src/decompile/cpp/slghpattern.cc
Ghidra/Features/Decompiler/src/decompile/cpp/slghsymbol.cc
Ghidra/Features/Decompiler/src/decompile/cpp/translate.cc

to fix compile errors like:

/tmp/ghidra/Ghidra/Features/Decompiler/src/decompile/cpp/override.cc:368:12: error: no member named 'unique_ptr' in namespace 'std'
  368 |       std::unique_ptr<FuncProto> fp(new FuncProto());
      |       ~~~~~^
/tmp/ghidra/Ghidra/Features/Decompiler/src/decompile/cpp/override.cc:368:23: error: 'FuncProto' does not refer to a value
  368 |       std::unique_ptr<FuncProto> fp(new FuncProto());
      |                       ^
/tmp/ghidra/Ghidra/Features/Decompiler/src/decompile/cpp/include/ghidra/fspec.hh:1353:7: note: declared here
 1353 | class FuncProto {
      |       ^
/tmp/ghidra/Ghidra/Features/Decompiler/src/decompile/cpp/override.cc:368:34: error: use of undeclared identifier 'fp'
  368 |       std::unique_ptr<FuncProto> fp(new FuncProto());
      |                                  ^
/tmp/ghidra/Ghidra/Features/Decompiler/src/decompile/cpp/override.cc:369:7: error: use of undeclared identifier 'fp'
  369 |       fp->setInternal(glb->defaultfp,glb->types->getTypeVoid());
      |       ^
/tmp/ghidra/Ghidra/Features/Decompiler/src/decompile/cpp/override.cc:370:7: error: use of undeclared identifier 'fp'
  370 |       fp->decode(decoder,glb);
      |       ^
/tmp/ghidra/Ghidra/Features/Decompiler/src/decompile/cpp/override.cc:371:37: error: use of undeclared identifier 'fp'
  371 |       insertProtoOverride(callpoint,fp.release());
      |                                     ^

@mnemonikr
Copy link
Author

mnemonikr commented Sep 16, 2025
edited
Loading

Apologies, updated! I've been running make test locally to confirm builds but should've added the include when bringing in the new usage of unique_ptr.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@caheckman caheckman

Labels

Feature: Decompiler Status: Triage Information is being gathered

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mnemonikr @jobermayr @ryanmkurtz @caheckman