Page MenuHome
Differential D11737

Fix T89436: use-after-free creating nodelinks in certain scenarios
AbandonedPublic
Actions

Authored by Philipp Oeser (lichtwerk) on Jun 29 2021, 2:00 PM.

Details

Reviewers
Jacques Lucke (JacquesLucke)
Lukas Tönne (lukastoenne)
Maniphest Tasks
T89436: Programmatically creating a link involving a blank group input/output socket causes a UAF
Summary

When creating nodelinks from python to a group extension socket, freed
memory could be used.

This is because since rB513066e8ad6f, just created links could be
removed and recreated again if extension sockets are involved. This is
not a problem in itself, but this links 'tonode' was accessed - we can
use other available 'tonode' though, this should be the same.

Diff Detail

Repository
rB Blender
Branch
T89436 (branched from master)
Build Status
Buildable 15485
Build 15485: arc lint + arc unit

Event Timeline

Philipp Oeser (lichtwerk) requested review of this revision.Jun 29 2021, 2:00 PM
Philipp Oeser (lichtwerk) created this revision.
Harbormaster completed remote builds in B15485: Diff 38888.Jun 29 2021, 2:00 PM
Philipp Oeser (lichtwerk) added a project: Nodes & Physics.Jun 29 2021, 2:01 PM
Jacques Lucke (JacquesLucke) requested changes to this revision.Jun 29 2021, 2:16 PM

I should mention that it is generally discouraged to link to these sockets directly. Better use e.g node_group.inputs.new beforehand.

It still seems wrong that ret is returned even though it has been freed, if I understand correctly.

source/blender/makesrna/intern/rna_nodetree.c
1313

Missing ..

This revision now requires changes to proceed.Jun 29 2021, 2:16 PM
Philipp Oeser (lichtwerk) added a comment.Jun 29 2021, 2:29 PM
In D11737#302119, @Jacques Lucke (JacquesLucke) wrote:

It still seems wrong that ret is returned even though it has been freed, if I understand correctly.

Hm, true, that should be fixed as well I guess

Philipp Oeser (lichtwerk) added a comment.Jul 15 2021, 12:42 PM

Not sure if I read node_group_output_update correctly, but at this point I am unsure on how to reliably return something valid in this case.

I tried getting the new link with

ret = nodeFindLink(ntree, fromsock, tosock);

after nodeUpdate and ntreeUpdateTree have run but that wont find a link. Possibly the sockets are not valid anymore either?

Philipp Oeser (lichtwerk) mentioned this in T89436: Programmatically creating a link involving a blank group input/output socket causes a UAF.Jul 15 2021, 1:08 PM
Philipp Oeser (lichtwerk) abandoned this revision.Oct 14 2021, 2:40 PM

Think this is not even an issue anymore in newer versions

Revision Contents
Changeset List

PathSize
source/
blender/
makesrna/
intern/
4 lines

Diff 38888

View Options

source/blender/makesrna/intern/rna_nodetree.c

Loading...