Skip to content

Fix UAF when passing TypeBuilder objects into some APIs#7566

Merged
CouleeApps merged 1 commit intodevfrom
fix_typebuilder_uaf
Jan 29, 2026
Merged

Fix UAF when passing TypeBuilder objects into some APIs#7566
CouleeApps merged 1 commit intodevfrom
fix_typebuilder_uaf

Conversation

@plafosse
Copy link
Member

@plafosse plafosse commented Nov 4, 2025

This is a fundamental rewrite of how TypeBuilder objects are handled in the python API.

@CLAassistant
Copy link

CLAassistant commented Nov 4, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@plafosse plafosse requested a review from Copilot November 4, 2025 19:24
Copilot AI reviewed Nov 4, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses a use-after-free (UAF) vulnerability by ensuring that immutable copies of Type and TypeBuilder objects are created before passing their handles to core functions. The changes prevent type objects from being garbage collected while their handles are still in use.

  • Extracts immutable_copy() calls into local variables to maintain references throughout the lifetime of handle usage
  • Adds a type_list to FunctionBuilder._to_core_struct() to preserve type object references
  • Updates _to_core_struct() return signature to include the preserved type list
  • Applies immutable copies consistently across all type-related API calls

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
python/types.py Core changes to prevent UAF by storing immutable copies before extracting handles; removed unused handle property and _to_core_struct from TypeBuilder; updated FunctionBuilder._to_core_struct to return type_list
python/mediumlevelil.py Applied immutable_copy() before calling _to_core_struct() to prevent UAF
python/highlevelil.py Applied immutable_copy() before calling _to_core_struct() to prevent UAF
python/function.py Applied immutable_copy() before accessing handles to prevent UAF across multiple function methods
python/binaryview.py Applied immutable_copy() before accessing handles; updated isinstance checks to only check for Type after conversion

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@plafosse @CouleeApps
Fix a fundamental problem with TypeBuilder.handle by deleting it
2099579 
TypeBuilder.handle creates an immutable_type gets the handle and then deletes the object to which the handle belonged to.
This was fundamentally a UAF. immutable_copy is an error prone api as its very easy to misuse. We should consider a re-architecture of this API. `TypeBuilder.immutable_copy().<anything>` or `Type.mutable_copy().<anything>` should be considered sketchy and immutable_copy().handle is just a straight up UAF. Prior to this commit the following would cause a crash:

current_data_variable.type = PointerBuilder.create(FunctionType.create())
@CouleeApps CouleeApps merged commit 2099579 into dev Jan 29, 2026
4 of 5 checks passed
@CouleeApps
Copy link
Member

CouleeApps commented Jan 29, 2026

Good changes, a bunch of UAFs fixed here. This exposes a bunch of places where we do this pattern:

if isinstance(var_type, str):
	(var_type, _) = self.parse_type_string(var_type)
var_type = var_type.immutable_copy()

... to handle var_type being one of Type, TypeBuilder, or str. We may want to factor out this common pattern in a future change, since it is so common, and so that we don't miss any future calls to immutable_copy.

@CouleeApps CouleeApps deleted the fix_typebuilder_uaf branch January 29, 2026 03:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@CouleeApps CouleeApps

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@plafosse @CLAassistant @CouleeApps