From c4ab77ed9eb8be465f9b232dfd2007bcc05b828f Mon Sep 17 00:00:00 2001
From: ThePedroo
Date: Fri, 8 Nov 2024 17:18:49 -0300
Subject: [PATCH] fix: memory leak and use-after-free in APatch Zygiskd code

This commit fixes a memory leak and a user-after-free vulnerability in APatch code of Zygiskd.
---
 zygiskd/src/root_impl/apatch.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/zygiskd/src/root_impl/apatch.c b/zygiskd/src/root_impl/apatch.c
index 3b9a000..fadac60 100644
--- a/zygiskd/src/root_impl/apatch.c
+++ b/zygiskd/src/root_impl/apatch.c
@@ -140,13 +140,18 @@ bool apatch_uid_granted_root(uid_t uid) {
 }
 for (size_t i = 0; i < config.size; i++) {
- if (config.configs[i].uid == uid) {
- _apatch_free_package_config(&config);
+ if (config.configs[i].uid != uid) continue;
- return config.configs[i].root_granted;
- }
+ /* INFO: This allow us to copy the information to avoid use-after-free */
+ bool root_granted = config.configs[i].root_granted;
+
+ _apatch_free_package_config(&config);
+
+ return root_granted;
 }
+ _apatch_free_package_config(&config);
+
 return false;
 }
@@ -159,11 +164,14 @@ bool apatch_uid_should_umount(uid_t uid) {
 }
 for (size_t i = 0; i < config.size; i++) {
- if (config.configs[i].uid == uid) {
- _apatch_free_package_config(&config);
+ if (config.configs[i].uid != uid) continue;
- return config.configs[i].umount_needed;
- }
+ /* INFO: This allow us to copy the information to avoid use-after-free */
+ bool umount_needed = config.configs[i].umount_needed;
+
+ _apatch_free_package_config(&config);
+
+ return umount_needed;
 }
 _apatch_free_package_config(&config);
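Review bot: The fix leaves two separate `_apatch_free_package_config(&config)` calls in apatch_uid_granted_root, one inside the loop and one after it, so every future return path must again remember to copy first and free second, which is the pattern behind both bugs fixed here. Funnelling the function through a single release point removes that burden: declare `bool root_granted = false;` before the loop, assign and `break` on a match, then free once and return, as sketched below. The result for a uid that is not listed stays `false`, so the root decision still fails closed. apatch_uid_should_umount in the second hunk has the same shape and would take the same change, using whatever default it returns after its final free, which lies outside that hunk. Both function bodies start above their hunks, so the code before the loop is not visible here.

```c
/* … unchanged: code above the loop, outside the hunk … */
bool root_granted = false; /* INFO: Deny by default when uid is not listed */

for (size_t i = 0; i < config.size; i++) {
  if (config.configs[i].uid != uid) continue;

  /* INFO: Copy the flag out while config.configs is still allocated */
  root_granted = config.configs[i].root_granted;
  break;
}

/* INFO: Single release point for every path that reaches the loop */
_apatch_free_package_config(&config);

return root_granted;
```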
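Review bot: The added comment in apatch_uid_should_umount, `/* INFO: This allow us to copy the information to avoid use-after-free */`, does not name the call that invalidates the data, so a later edit could reorder the two statements again without noticing. Wording such as `/* INFO: Read umount_needed before _apatch_free_package_config(); config.configs must not be accessed after it */` states the ordering constraint directly. The identical comment in the first hunk (apatch_uid_granted_root) would take the same wording with `root_granted`. The function's final return lies outside this hunk.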