Fix use-after-free bug in read_ihex_chunks() when reallocating first chunk #2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…chunk When read_ihex_chunks() needs to expand the first chunk via realloc(), it updates the backlink pointer but fails to update the root pointer passed by the caller. This leaves the caller with a dangling pointer to freed memory, causing a segmentation fault when the freed address is later accessed. The bug manifests as a crash during firmware loading: - Consistent segfault on Void Linux - Intermittent crashes on WSL Ubuntu - Crash occurs in memcpy() at sim_hex.c:200 Root cause: In the realloc path (line 173-179), when backlink_p is NULL (first chunk case), only backlink_p->next is updated. The root pointer (*chunks_p) still points to the old freed memory location. Fix: Track the root pointer separately and update it when reallocating the first chunk (backlink_p == NULL case). Testing: Verified fix resolves segfaults on Void Linux and eliminates intermittent crashes on WSL Ubuntu. Simulator now initializes successfully across all tested platforms. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a use-after-free bug in
read_ihex_chunks()that causes segmentation faults during firmware loading on some systems.Bug Description
When
read_ihex_chunks()needs to expand the first chunk viarealloc(), it updates the backlink pointer but fails to update the root pointer passed by the caller. This leaves the caller with a dangling pointer to freed memory.Symptoms
memcpy()atsim_hex.c:200Root Cause
In the realloc path (line 173-179), when
backlink_pis NULL (first chunk case), onlybacklink_p->nextis updated. The root pointer (*chunks_p) still points to the old freed memory location.Fix
Track the root pointer separately (
fw_chunk_t **root_p = chunks_p) and update it when reallocating the first chunk (backlink_p == NULLcase).Changes in this PR
Only contains the UAF fix - 7 additions, 1 deletion to
simavr/sim/sim_hex.c.This PR is based on your
add-attiny1634-corebranch and does not modify any ATtiny1634 code.Testing
Related
This same fix has been submitted to upstream simavr: buserror#569
🤖 Generated with Claude Code