Summary

This is an SIOF issue (ref: https://en.cppreference.com/w/cpp/language/siof). There are two globals in different translation units, and therefore their destruction order is undefined, where a bad order can result in a use after free.

Details

If the "SleighArchitecture::translators" singleton (ref: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc#L36) is destroyed before the "XmlArchitectureCapability" singleton (ref: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/src/decompile/cpp/xml_arch.cc#L23) is destroyed, the call to SleighArchitecture::shutdown (ref: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Decompiler/src/decompile/cpp/sleigh_arch.cc#L627-L635) will result in iterating over deallocated (though not necessarily zerod) memory.

Impact

For us, this was causing an infinite loop on shutdown. The iterator ++ operator was iterating over garbage data. Because this happens at shutdown, it doesn't seem like a highly exploitable vulnerability to Ghidra proper. However, I'm less sure about the impact for those who may use it as part of a larger workflow. At the very least, it caused our pipeline to hang forever.

Resolution

The pull request #6890 contains a fix for this issue.