Fix NULL pointer dereference.

This dereference can happen with the following call stack: #0 0x564752dc571f in linkstub_fragment dynamorio/trunk/core/link.c:482:30 DynamoRIO#1 0x564752dc5753 in set_last_exit dynamorio/trunk/core/link.c:581:31 DynamoRIO#2 0x564752d4b234 in initialize_dynamo_context dynamorio/trunk/core/dynamo.c:1812:5 DynamoRIO#3 0x564752d4848c in dynamo_thread_init dynamorio/trunk/core/dynamo.c:2310:5 DynamoRIO#4 0x564752d461ed in dynamorio_app_init dynamorio/trunk/core/dynamo.c:636:9 DynamoRIO#5 0x564752d4c11f in dr_app_setup dynamorio/trunk/core/dynamo.c:2754:11 because dcontext->link_field is only initialized by link_thread_init, which is called further down dynamo_thread_init.
slackito · Jun 23, 2020 · 32db607 · 32db607
1 parent cd78cdd
commit 32db607
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/core/link.c b/core/link.c
@@ -479,7 +479,11 @@ linkstub_fragment(dcontext_t *dcontext, linkstub_t *l)
             return (fragment_t *)&linkstub_ibl_bb_fragment;
         if (dcontext != NULL && dcontext != GLOBAL_DCONTEXT) {
             thread_link_data_t *ldata = (thread_link_data_t *)dcontext->link_field;
-            if (l == &ldata->linkstub_deleted)
+            /* This point is reachable (via set_last_exit) from initialize_dynamo_context,
+             * which is called by dynamo_thread_init before link_thread_init. The latter
+             * initializes dcontext->link_field, so it's possible for ldata to be NULL.
+             */
+            if (ldata != NULL && l == &ldata->linkstub_deleted)
                 return &ldata->linkstub_deleted_fragment;
         }
         /* For coarse proxies, we need a fake FRAG_SHARED fragment_t for is_linkable */