Version and Platform (required):
- Binary Ninja Version: 5.4.9678-dev
- Edition: Commercial
- OS: Windows
- OS Version: 10 Pro
- CPU Architecture: x64
Bug Description:
There appears to be a use-after-free, triggerable from Python by calling Architecture.register() twice on the same class.
The workaround is simply "Don't register twice".
Steps To Reproduce:
Run the following snippet:

```python
import gc
import binaryninja as bn
from binaryninja import Architecture, RegisterInfo, InstructionInfo
from binaryninja.function import InstructionTextToken
from binaryninja.enums import Endianness


class MinimalArch(Architecture):
    # Smallest architecture definition that Binary Ninja will accept:
    # one 4-byte register that doubles as the stack pointer, 1-byte instructions.
    name = "UAF-Repro"
    address_size = 4
    default_int_size = 1
    instr_alignment = 1
    max_instr_length = 1
    endianness = Endianness.LittleEndian
    regs = {"R0": RegisterInfo("R0", 4)}
    stack_pointer = "R0"

    def get_instruction_info(self, data, addr):
        # Every byte is a 1-byte instruction with no branches.
        info = InstructionInfo()
        info.length = 1
        return info

    def get_instruction_text(self, data, addr):
        # Disassemble every byte as "nop".
        return [InstructionTextToken(0, "nop")], 1

    def get_instruction_low_level_il(self, data, addr, il):
        # No IL is emitted; just report the consumed length.
        return 1


MinimalArch.register()
MinimalArch.register()  # second registration of the same class triggers the bug
gc.collect()  # Force a collection for the sake of expediency, not necessity
arch = bn.Architecture["UAF-Repro"]  # crashes here
```
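The workaround is to never call register() a second time, which is easy to get wrong in plugin code that can be reloaded. The guard below is an added example written for this report, not code from the issue or from Binary Ninja. It keeps the idempotency logic independent of Binary Ninja so it can be exercised offline: the lookup and register callbacks are injected, and the small `binaryninja_guard()` adapter at the end assumes that `bn.Architecture[name]` raises KeyError for an unknown name.

```python
"""Idempotent architecture registration guard (added example, not from the issue)."""

from typing import Callable, Dict, Optional


class RegistrationGuard:
    """Ensure each architecture class is registered at most once.

    lookup(name) returns the registered architecture or raises KeyError when
    the name is unknown; register(cls) performs the real registration. Both
    are injected so the guard can be tested without a Binary Ninja install.
    """

    def __init__(self, lookup: Callable[[str], object], register: Callable[[type], None]):
        self._lookup = lookup
        self._register = register
        self._registered: Dict[str, type] = {}

    def register_once(self, arch_cls: type) -> bool:
        """Register arch_cls unless its name is already known.

        Returns True if register() was actually called, False if it was skipped.
        """
        name = arch_cls.name
        # Already registered through this guard: nothing to do.
        if name in self._registered:
            return False
        # Registered by someone else (e.g. an earlier plugin load): remember it,
        # and do not call register() again.
        try:
            self._lookup(name)
        except KeyError:
            pass
        else:
            self._registered[name] = arch_cls
            return False
        self._register(arch_cls)
        self._registered[name] = arch_cls
        return True

    def registered_class(self, name: str) -> Optional[type]:
        return self._registered.get(name)


def make_fake_registry():
    """Constructed stand-in for Binary Ninja's architecture registry (test data)."""
    registry: Dict[str, type] = {}

    def lookup(name: str):
        if name not in registry:
            raise KeyError(f"'{name}' is not a valid architecture")
        return registry[name]

    def register(cls: type):
        registry[cls.name] = cls

    return registry, lookup, register


def demo_double_register():
    """Exercise the guard with a constructed registry; returns (first, second, count)."""
    registry, lookup, register = make_fake_registry()
    guard = RegistrationGuard(lookup, register)

    class DemoArch:  # constructed placeholder; only the name attribute matters here
        name = "UAF-Repro"

    first = guard.register_once(DemoArch)
    second = guard.register_once(DemoArch)
    return first, second, len(registry)


def binaryninja_guard() -> RegistrationGuard:
    """Adapter for real use inside Binary Ninja (lazy import, not needed for the demo).

    Assumes bn.Architecture[name] raises KeyError when name is unregistered.
    """
    import binaryninja as bn

    return RegistrationGuard(
        lookup=lambda name: bn.Architecture[name],
        register=lambda cls: cls.register(),
    )


if __name__ == "__main__":
    print(demo_double_register())
```

In a plugin you would build one guard with `binaryninja_guard()` and route every architecture registration through `register_once()`, so a module reload that re-executes the registration line becomes a no-op instead of a second register() call.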