Use after free in r_num_calc_index #2855

Closed
hannob opened this issue Jun 28, 2015 · 0 comments
hannob commented Jun 28, 2015

Script:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-r_num_calc_index

Content:
0
~[[

Address Sanitizer:
==6345==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000165d3 at pc 0x7feddb06ed70 bp 0x7ffc052d3050 sp 0x7ffc052d3020
READ of size 2 at 0x6020000165d3 thread T0
#0 0x7feddb06ed6f in strlen (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x32d6f)
#1 0x7fedd575e629 in r_num_calc_index /f/radare2/radare2/libr/util/calc.c:152
#2 0x7fedda90e0af in num_callback /f/radare2/radare2/libr/core/core.c:148
#3 0x7fedd56b45e9 in r_num_get /f/radare2/radare2/libr/util/num.c:118
#4 0x7fedda14faf5 in r_cons_grep /f/radare2/radare2/libr/cons/grep.c:104
#5 0x7feddaa02420 in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1420
#6 0x7fedda964499 in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1081
#7 0x7fedda965633 in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1943
#8 0x7fedda9684ec in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1994
#9 0x7fedda9686f4 in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2006
#10 0x7fedda96b496 in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
#11 0x4054e3 in main /f/radare2/radare2/binr/radare2/radare2.c:729
#12 0x7fedd4ec6f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
#13 0x409fae (/mnt/ram/r2/radare2+0x409fae)

0x6020000165d4 is located 0 bytes to the right of 4-byte region [0x6020000165d0,0x6020000165d4)
freed by thread T0 here:
#0 0x7feddb09347f in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x5747f)
#1 0x7fedda9641af in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1105

previously allocated by thread T0 here:
#0 0x7feddb0936f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
#1 0x7fedd4f28789 in strdup (/lib64/libc.so.6+0x81789)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 strlen
Shadow bytes around the buggy address:
0x0c047fffac60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffac70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffac80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffac90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffaca0: fa fa fa fa fa fa fa fa fa fa 01 fa fa fa 01 fa
=>0x0c047fffacb0: fa fa 04 fa fa fa fd fa fa fa[fd]fa fa fa fd fa
0x0c047fffacc0: fa fa fd fa fa fa 06 fa fa fa 06 fa fa fa fd fd
0x0c047fffacd0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 06 fa
0x0c047ffface0: fa fa fd fa fa fa 05 fa fa fa fd fa fa fa 06 fa
0x0c047fffacf0: fa fa fd fa fa fa 06 fa fa fa 03 fa fa fa fd fa
0x0c047fffad00: fa fa 04 fa fa fa fd fa fa fa fd fa fa fa 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==6345==ABORTING
