Out of bounds heap read in core_anal_bytes() #2870

Closed
hannob opened this issue Jul 1, 2015 · 4 comments
@hannob

hannob commented Jul 1, 2015

Script:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-core_anal_bytes-2
This is slightly different from #2851. Contains the string "ao@!0".

Address Sanitizer:

=================================================================
==26188==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000015eb2 at pc 0x7f239bc5335e bp 0x7ffd5fcdc9f0 sp 0x7ffd5fcdc9e0
READ of size 1 at 0x602000015eb2 thread T0
    #0 0x7f239bc5335d in core_anal_bytes /f/radare2/radare2/libr/core/cmd_anal.c:260
    #1 0x7f239bd15a51 in cmd_anal_opcode /f/radare2/radare2/libr/core/cmd_anal.c:1821
    #2 0x7f239bd15a51 in cmd_anal /f/radare2/radare2/libr/core/cmd_anal.c:2543
    #3 0x7f239bd33eee in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1578
    #4 0x7f239bc939ac in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1084
    #5 0x7f239bc94b53 in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1947
    #6 0x7f239bc97a7c in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1998
    #7 0x7f239bc97cb4 in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2010
    #8 0x7f239bc9a9ee in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #9 0x405236 in main /f/radare2/radare2/binr/radare2/radare2.c:729
    #10 0x7f23961f1f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #11 0x409e6d (/mnt/ram/r2/radare2+0x409e6d)

0x602000015eb2 is located 0 bytes to the right of 2-byte region [0x602000015eb0,0x602000015eb2)
allocated by thread T0 here:
    #0 0x7f239c3c69d6 in __interceptor_realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x579d6)
    #1 0x7f239bc46414 in r_core_block_size /f/radare2/radare2/libr/core/core.c:1117

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/radare2/radare2/libr/core/cmd_anal.c:260 core_anal_bytes
Shadow bytes around the buggy address:
  0x0c047fffab80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffab90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffaba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffabb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffabc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffabd0: fa fa fa fa fa fa[02]fa fa fa 01 fa fa fa 06 fa
  0x0c047fffabe0: fa fa 06 fa fa fa 06 fa fa fa fd fd fa fa fd fd
  0x0c047fffabf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffac00: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 02 fa
  0x0c047fffac10: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fffac20: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==26188==ABORTING
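A defensive pattern for the failure mode in this report, added here as an illustration and not radare2's code: an analysis loop over a block buffer that checks the whole instruction lies inside the block before decoding it, so a 2-byte block (as in the trace above) cannot be read past its end. The toy instruction decoder and the block contents are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy decoder, constructed for this example (not a real ISA and not
 * radare2's disassembler): the low two bits of the first byte give the
 * instruction length, 1..4 bytes. It only inspects the opcode byte, so
 * the caller must make sure the remaining bytes really exist. */
static size_t toy_insn_len(uint8_t opcode) {
    return (size_t)(opcode & 3) + 1;
}

/* Counts how many whole instructions fit in buf[0..len).
 * The analysis block may be tiny (a 2-byte region in the ASan report),
 * so the loop verifies that ilen bytes remain before touching them.
 * Returns the number of complete instructions; *truncated is set to 1
 * when the block ends in the middle of an instruction. */
size_t analyze_bytes_safe(const uint8_t *buf, size_t len,
                          size_t max_insns, int *truncated) {
    size_t off = 0, n = 0;
    *truncated = 0;
    while (n < max_insns && off < len) {
        size_t ilen = toy_insn_len(buf[off]);  /* in bounds: off < len */
        if (ilen > len - off) {                /* would cross the block end */
            *truncated = 1;
            break;
        }
        /* ... decode the ilen bytes at buf + off here ... */
        off += ilen;
        n++;
    }
    return n;
}

/* Convenience wrapper: 1 if the block ends mid-instruction, else 0. */
int block_is_truncated(const uint8_t *buf, size_t len) {
    int truncated;
    analyze_bytes_safe(buf, len, (size_t)-1, &truncated);
    return truncated;
}

int main(void) {
    /* Constructed 2-byte block whose first opcode claims 4 bytes. */
    const uint8_t block[2] = { 0x03, 0x00 };
    int truncated;
    size_t n = analyze_bytes_safe(block, sizeof block, 16, &truncated);
    printf("decoded %zu instruction(s), truncated=%d\n", n, truncated);
    return 0;
}
```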
@alvarofe alvarofe self-assigned this Jul 1, 2015
@jvoisin jvoisin added the fuzzing label Jul 3, 2015
alvarofe added a commit to alvarofe/radare2 that referenced this issue Jul 5, 2015
@hannob
Author

hannob commented Jul 5, 2015

Just re-checked, I still see this, it is not fixed in latest git.

@alvarofe
Contributor

alvarofe commented Jul 5, 2015

This was a little weird because I was able to reproduce it only in some cases :S. With /bin/ls it doesn't fail for me. Which file are you using?

@alvarofe alvarofe reopened this Jul 5, 2015
@hannob
Author

hannob commented Jul 5, 2015

Just using the output of a dummy empty C program ("int main() { }") compiled with gcc.

@alvarofe
Contributor

alvarofe commented Jul 5, 2015

OK, I will test with that and other files to be sure next time :)

alvarofe added a commit to alvarofe/radare2 that referenced this issue Jul 12, 2015
alvarofe added a commit to alvarofe/radare2 that referenced this issue Jul 13, 2015
alvarofe added a commit to alvarofe/radare2 that referenced this issue Jul 13, 2015
alvarofe added a commit that referenced this issue Jul 13, 2015