fuzz@fuzz:~/fuzz$ date
Fri 07 May 2021 12:59:49 PM UTC
fuzz@fuzz:~/fuzz$ r2 -v
radare2 5.3.0-git 26142 @ linux-x86-64 git.5.2.1
commit: 518bf6664cedcb3035c9c47388b4fa03bba66748 build: 2021-05-07__12:55:47
fuzz@fuzz:~/fuzz$ uname -ms
Linux x86_64
Description
While I was fuzzing the rabin2 binary with the -I parameter, I found that there may be a heap-use-after-free (and double-free, I guess) bug in it. I suspect that two of the same undefined types are found and rabin2 tries to manipulate them (copy, free, etc.) without control.
With MSAN:
fuzz@fuzz:~/fuzz/issue$ rabin2 -I double_free
Copy not implemented fortype 78
==899274==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7ffff43be235 in free_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:721:6
#1 0x7ffff43bdcf9 in get_code_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:978:3
#2 0x7ffff43c17c9 in get_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1065:9
#3 0x7ffff43bec47 in get_sections_symbols_from_code_objects /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1218:34
#4 0x7ffff43cf3d1 in pyc_get_sections_symbols /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/pyc.c:7:9
#5 0x7ffff43ba51e in symbols /home/fuzz/fuzz/radare2/libr/../libr/bin/p/bin_pyc.c:124:2
#6 0x7ffff3c3e446 in r_bin_object_set_items /home/fuzz/fuzz/radare2/libr/bin/bobj.c:327:16
#7 0x7ffff3c3b588 in r_bin_object_new /home/fuzz/fuzz/radare2/libr/bin/bobj.c:172:2
#8 0x7ffff3c1d379 in r_bin_file_new_from_buffer /home/fuzz/fuzz/radare2/libr/bin/bfile.c:529:19
#9 0x7ffff3bb803b in r_bin_open_buf /home/fuzz/fuzz/radare2/libr/bin/bin.c:286:8
#10 0x7ffff3bb6048 in r_bin_open_io /home/fuzz/fuzz/radare2/libr/bin/bin.c:346:13
#11 0x7ffff3bb4919 in r_bin_open /home/fuzz/fuzz/radare2/libr/bin/bin.c:231:9
#12 0x7ffff7dde246 in r_main_rabin2 /home/fuzz/fuzz/radare2/libr/main/rabin2.c:1069:7
#13 0x5555555ec931 in main /home/fuzz/fuzz/radare2/binr/rabin2/rabin2.c:6:9
#14 0x7ffff7bb10b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#15 0x55555557225d in _start (/home/fuzz/fuzz/radare2/binr/rabin2/rabin2+0x1e25d)
SUMMARY: MemorySanitizer: use-of-uninitialized-value /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:721:6 in free_object
Exiting
With ASAN:
=================================================================
==1631110==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000065890 at pc 0x7fffef7c994c bp 0x7ffffff99320 sp 0x7ffffff99318
READ of size 4 at 0x602000065890 thread T0
#0 0x7fffef7c994b in copy_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:790:23
#1 0x7fffef7c1b53 in get_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1141:19
#2 0x7fffef7bc09e in get_code_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:940:15
#3 0x7fffef7c1718 in get_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1065:9
#4 0x7fffef7be85f in get_sections_symbols_from_code_objects /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1218:34
#5 0x7fffef7ce054 in pyc_get_sections_symbols /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/pyc.c:7:9
#6 0x7fffef7b985f in symbols /home/fuzz/fuzz/radare2/libr/../libr/bin/p/bin_pyc.c:124:2
#7 0x7fffef003464 in r_bin_object_set_items /home/fuzz/fuzz/radare2/libr/bin/bobj.c:327:16
#8 0x7fffeefff4bc in r_bin_object_new /home/fuzz/fuzz/radare2/libr/bin/bobj.c:172:2
#9 0x7fffeefe4299 in r_bin_file_new_from_buffer /home/fuzz/fuzz/radare2/libr/bin/bfile.c:529:19
#10 0x7fffeef827c9 in r_bin_open_buf /home/fuzz/fuzz/radare2/libr/bin/bin.c:286:8
#11 0x7fffeef80381 in r_bin_open_io /home/fuzz/fuzz/radare2/libr/bin/bin.c:346:13
#12 0x7fffeef7edf0 in r_bin_open /home/fuzz/fuzz/radare2/libr/bin/bin.c:231:9
#13 0x7ffff7db242b in r_main_rabin2 /home/fuzz/fuzz/radare2/libr/main/rabin2.c:1069:7
#14 0x55555561af91 in main /home/fuzz/fuzz/radare2/binr/rabin2/rabin2.c:6:9
#15 0x7ffff7b4d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#16 0x5555555712dd in _start (/home/fuzz/fuzz/radare2/binr/rabin2/rabin2+0x1d2dd)
0x602000065890 is located 0 bytes inside of 16-byte region [0x602000065890,0x6020000658a0)
freed by thread T0 here:
#0 0x5555555eb0cd in free (/home/fuzz/fuzz/radare2/binr/rabin2/rabin2+0x970cd)
#1 0x7fffef7be7e9 in free_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:781:2
#2 0x7fffef7c1b47 in get_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1140:3
#3 0x7fffef7bc09e in get_code_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:940:15
#4 0x7fffef7c1718 in get_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1065:9
#5 0x7fffef7be85f in get_sections_symbols_from_code_objects /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1218:34
#6 0x7fffef7ce054 in pyc_get_sections_symbols /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/pyc.c:7:9
#7 0x7fffef7b985f in symbols /home/fuzz/fuzz/radare2/libr/../libr/bin/p/bin_pyc.c:124:2
#8 0x7fffef003464 in r_bin_object_set_items /home/fuzz/fuzz/radare2/libr/bin/bobj.c:327:16
#9 0x7fffeefff4bc in r_bin_object_new /home/fuzz/fuzz/radare2/libr/bin/bobj.c:172:2
#10 0x7fffeefe4299 in r_bin_file_new_from_buffer /home/fuzz/fuzz/radare2/libr/bin/bfile.c:529:19
#11 0x7fffeef827c9 in r_bin_open_buf /home/fuzz/fuzz/radare2/libr/bin/bin.c:286:8
#12 0x7fffeef80381 in r_bin_open_io /home/fuzz/fuzz/radare2/libr/bin/bin.c:346:13
#13 0x7fffeef7edf0 in r_bin_open /home/fuzz/fuzz/radare2/libr/bin/bin.c:231:9
#14 0x7ffff7db242b in r_main_rabin2 /home/fuzz/fuzz/radare2/libr/main/rabin2.c:1069:7
#15 0x55555561af91 in main /home/fuzz/fuzz/radare2/binr/rabin2/rabin2.c:6:9
#16 0x7ffff7b4d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x5555555eb4c2 in calloc (/home/fuzz/fuzz/radare2/binr/rabin2/rabin2+0x974c2)
#1 0x7fffef7c2376 in get_none_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:93:8
#2 0x7fffef7c1461 in get_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1022:9
#3 0x7fffef7bc09e in get_code_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:940:15
#4 0x7fffef7c1718 in get_object /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1065:9
#5 0x7fffef7be85f in get_sections_symbols_from_code_objects /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:1218:34
#6 0x7fffef7ce054 in pyc_get_sections_symbols /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/pyc.c:7:9
#7 0x7fffef7b985f in symbols /home/fuzz/fuzz/radare2/libr/../libr/bin/p/bin_pyc.c:124:2
#8 0x7fffef003464 in r_bin_object_set_items /home/fuzz/fuzz/radare2/libr/bin/bobj.c:327:16
#9 0x7fffeefff4bc in r_bin_object_new /home/fuzz/fuzz/radare2/libr/bin/bobj.c:172:2
#10 0x7fffeefe4299 in r_bin_file_new_from_buffer /home/fuzz/fuzz/radare2/libr/bin/bfile.c:529:19
#11 0x7fffeef827c9 in r_bin_open_buf /home/fuzz/fuzz/radare2/libr/bin/bin.c:286:8
#12 0x7fffeef80381 in r_bin_open_io /home/fuzz/fuzz/radare2/libr/bin/bin.c:346:13
#13 0x7fffeef7edf0 in r_bin_open /home/fuzz/fuzz/radare2/libr/bin/bin.c:231:9
#14 0x7ffff7db242b in r_main_rabin2 /home/fuzz/fuzz/radare2/libr/main/rabin2.c:1069:7
#15 0x55555561af91 in main /home/fuzz/fuzz/radare2/binr/rabin2/rabin2.c:6:9
#16 0x7ffff7b4d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/fuzz/radare2/libr/../libr/bin/p/../format/pyc/marshal.c:790:23 in copy_object
Shadow bytes around the buggy address:
0x0c0480004ac0: fa fa 03 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
0x0c0480004ad0: fa fa fd fd fa fa fd fd fa fa 02 fa fa fa 00 04
0x0c0480004ae0: fa fa fd fd fa fa fd fd fa fa 00 04 fa fa 00 04
0x0c0480004af0: fa fa 00 04 fa fa 02 fa fa fa fd fa fa fa fd fa
0x0c0480004b00: fa fa 00 00 fa fa 00 04 fa fa 00 00 fa fa 00 00
=>0x0c0480004b10: fa fa[fd]fd fa fa fd fa fa fa 00 00 fa fa fa fa
0x0c0480004b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1631110==ABORTING
Without Sanitizer:
Undefined type in copy_object (556d8a00)
Copy not implemented for type 78
Undefined type in free_object (556d8a00)
free(): double free detected in tcache 2
Aborted
This issue is also reproduced with radare2:
Test
This is my debugging screenshot.
double_free.zip
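The traces above show the pattern behind this class of bug: an object is allocated for one tag (`get_none_object`, tag 78 is ASCII `'N'`), `free_object` releases it at marshal.c:1140, and `copy_object` reads it at marshal.c:1141, with both functions falling into an "undefined type" default branch instead of refusing. The following is an added example, not radare2's code, of a hypothetical tagged-object parser that closes both gaps from the defender's side: unknown tags are rejected before any allocation, every tag the parser can produce has an explicit case in both `copy_object` and `free_object`, the copy is taken before the source is released, and `free_object` returns NULL so callers overwrite the pointer they just freed. The tag letters and the byte buffers `GOOD` and `BAD` are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical tagged-object model (constructed for this example; not the
 * pyc marshal code from radare2). Tag letters mirror classic marshal tags. */
enum { T_NONE = 'N', T_INT = 'i', T_STR = 's' };

typedef struct {
    int type;
    int32_t ival;   /* T_INT only */
    char *sval;     /* T_STR only, owned by the object */
} obj_t;

static obj_t *new_object(int type) {
    obj_t *o = calloc(1, sizeof *o);
    if (o) o->type = type;
    return o;
}

/* Release an object and return NULL, so call sites write
 * `o = free_object(o)` and cannot free or read the same pointer twice. */
static obj_t *free_object(obj_t *o) {
    if (!o) return NULL;
    switch (o->type) {
    case T_NONE: case T_INT: break;
    case T_STR: free(o->sval); break;
    default: fprintf(stderr, "free_object: unknown type %d\n", o->type); break;
    }
    free(o);
    return NULL;
}

/* Deep copy. Every tag parse_object can emit has a case; anything else
 * yields NULL rather than a half-initialised object. */
static obj_t *copy_object(const obj_t *src) {
    if (!src) return NULL;
    obj_t *dst = new_object(src->type);
    if (!dst) return NULL;
    switch (src->type) {
    case T_NONE: return dst;
    case T_INT: dst->ival = src->ival; return dst;
    case T_STR: {
        size_t n = src->sval ? strlen(src->sval) : 0;
        dst->sval = malloc(n + 1);
        if (!dst->sval) break;
        memcpy(dst->sval, src->sval ? src->sval : "", n + 1);
        return dst;
    }
    default: break;
    }
    return free_object(dst);   /* unhandled tag or OOM: nothing escapes */
}

/* Parse one object at *off. The tag is validated before allocation, so the
 * copy/free paths never meet a type they do not know. Returns NULL on an
 * unknown tag or a truncated payload. */
static obj_t *parse_object(const uint8_t *buf, size_t len, size_t *off) {
    if (*off >= len) return NULL;
    uint8_t tag = buf[(*off)++];
    switch (tag) {
    case T_NONE:
        return new_object(T_NONE);
    case T_INT: {
        if (len - *off < 4) return NULL;
        obj_t *o = new_object(T_INT);
        if (!o) return NULL;
        uint32_t v = 0;
        for (int i = 0; i < 4; i++) v |= (uint32_t)buf[*off + i] << (8 * i);
        o->ival = (int32_t)v;
        *off += 4;
        return o;
    }
    case T_STR: {
        if (len - *off < 1) return NULL;
        size_t n = buf[(*off)++];
        if (len - *off < n) return NULL;
        obj_t *o = new_object(T_STR);
        if (!o) return NULL;
        o->sval = malloc(n + 1);
        if (!o->sval) return free_object(o);
        memcpy(o->sval, buf + *off, n);
        o->sval[n] = '\0';
        *off += n;
        return o;
    }
    default:
        return NULL;   /* unknown tag: refuse, never guess a layout */
    }
}

/* Walk a stream the way a symbol collector would: copy what is kept, then
 * release the parsed original exactly once. Returns the number of objects
 * stored in out[], or -1 if the stream held an unknown or truncated object
 * (everything collected so far is released before returning). */
static int collect_objects(const uint8_t *buf, size_t len, obj_t **out, int max_out) {
    size_t off = 0;
    int n = 0;
    while (off < len && n < max_out) {
        obj_t *parsed = parse_object(buf, len, &off);
        obj_t *kept = copy_object(parsed);   /* copy BEFORE releasing the source */
        parsed = free_object(parsed);        /* parsed is NULL from here on */
        if (!kept) {
            while (n > 0) { n--; out[n] = free_object(out[n]); }
            return -1;
        }
        out[n++] = kept;
    }
    return n;
}

/* Constructed inputs: None, int 42, "abc"; then two Nones followed by an
 * unknown tag 'x' (the shape of input the report describes). */
static const uint8_t GOOD[] = { 'N', 'i', 0x2a, 0, 0, 0, 's', 3, 'a', 'b', 'c' };
static const uint8_t BAD[]  = { 'N', 'N', 'x' };

/* Returns 1 when both streams behave as intended, 0 otherwise. */
static int self_check(void) {
    obj_t *objs[8];
    int n = collect_objects(GOOD, sizeof GOOD, objs, 8);
    int ok = n == 3 && objs[0]->type == T_NONE
          && objs[1]->type == T_INT && objs[1]->ival == 42
          && objs[2]->type == T_STR && strcmp(objs[2]->sval, "abc") == 0;
    for (int i = 0; i < n; i++) objs[i] = free_object(objs[i]);
    return ok && collect_objects(BAD, sizeof BAD, objs, 8) == -1;
}

int main(void) {
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

Built with `-fsanitize=address` this runs clean on both streams; the design point is that an unknown tag is a hard parse failure at the one place the tag is read, not a warning that later copy and free paths each handle differently.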