Script causes out of bounds read (heap) in function cmd_zign #2736

Closed
hannob opened this issue Jun 9, 2015 · 0 comments
hannob commented Jun 9, 2015

This input file will cause an out of bounds heap access in the script handling of radare2:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-cmd_zign
It just consists of two bytes ("za").

Test: radare2 -i [input] /dev/null

This was found with american fuzzy lop. AddressSanitizer stack trace:

==16858==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000016a14 at pc 0x7f6fb69a77d0 bp 0x7fff9e0cf350 sp 0x7fff9e0cf320
READ of size 1 at 0x602000016a14 thread T0
    #0 0x7f6fb69a77cf in index (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x347cf)
    #1 0x7f6fb6271efd in cmd_zign /f/radare2/radare2/libr/core/cmd_zign.c:87
    #2 0x7f6fb633dfde in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1589
    #3 0x7f6fb629f3f1 in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1080
    #4 0x7f6fb62a039c in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1937
    #5 0x7f6fb62a31ac in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1988
    #6 0x7f6fb62a342c in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2000
    #7 0x7f6fb62a6116 in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #8 0x4055fa in main /f/radare2/radare2/binr/radare2/radare2.c:730
    #9 0x7f6fb082df9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #10 0x409fbe (/mnt/ram/radare2/radare2+0x409fbe)

0x602000016a14 is located 1 bytes to the right of 3-byte region [0x602000016a10,0x602000016a13)
allocated by thread T0 here:
    #0 0x7f6fb69ca6f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7f6fb088f789 in strdup (/lib64/libc.so.6+0x81789)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 index
==16858==ABORTING
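The trace above shows index() reading one byte past a 3-byte strdup'd buffer, which is what happens when a command handler takes a fixed offset into a string shorter than the syntax it expects. The following is an added, constructed illustration of that bug class and of the length check that prevents it; it is not radare2's cmd_zign code, and the "za <name> <bytes>" argument layout is an assumption made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical handler for a "za <name> <bytes>" command (assumed syntax).
 * The crash in this report corresponds to code doing index(input + 3, ' ')
 * without first checking that input is long enough: for the two-byte script
 * line "za", strdup() yields a 3-byte buffer {'z','a','\0'}, so input + 3 is
 * already past the terminator and the scan runs off the heap allocation. */

/* Return a pointer to the argument after "za ", or NULL if the command is
 * too short. This is the bounds check the unsafe pattern omits. */
static const char *zign_arg_checked(const char *input) {
    size_t len = strlen(input);
    /* need "za", a space and at least one argument byte before offsetting */
    if (len < 4 || input[0] != 'z' || input[1] != 'a' || input[2] != ' ') {
        return NULL;
    }
    return input + 3;
}

/* Split "za <name> <bytes>" into name and bytes. Returns 1 on success and 0
 * when a field is missing. memchr() is bounded by the remaining length, so
 * no scan can leave the buffer even on malformed input. */
static int zign_split(const char *input, char *name, size_t name_sz,
                      const char **bytes_out) {
    const char *arg = zign_arg_checked(input);
    if (!arg) return 0;
    size_t rem = strlen(arg);
    const char *sp = memchr(arg, ' ', rem);
    if (!sp || sp == arg || sp[1] == '\0') return 0;   /* empty name or bytes */
    size_t nlen = (size_t)(sp - arg);
    if (nlen >= name_sz) return 0;                      /* name would not fit */
    memcpy(name, arg, nlen);
    name[nlen] = '\0';
    *bytes_out = sp + 1;
    return 1;
}

int main(void) {
    /* constructed inputs: the crashing two-byte line plus malformed and valid ones */
    const char *cases[] = { "za", "za ", "za foo", "za foo 90c3" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char *dup = strdup(cases[i]);   /* mirror the strdup() seen in the trace */
        char name[32];
        const char *bytes = NULL;
        int ok = zign_split(dup, name, sizeof name, &bytes);
        printf("%-12s -> %s\n", cases[i], ok ? "ok" : "rejected");
        free(dup);
    }
    return 0;
}
```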
@alvarofe alvarofe self-assigned this Jun 9, 2015
alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 14, 2015