
Pre-release fuzz-a-ton #3450

Closed
13 of 17 tasks
radare opened this issue Oct 13, 2015 · 58 comments

radare (Collaborator) commented Oct 13, 2015

The purpose of this issue is to organize the fuzzing efforts in order to find bugs in r2 before the release:

  • RBin
    • ELF
    • PE (jvoisin)
    • Java class ← this will yield a lot of things quickly
    • MACH0
    • FATMACH0
    • OMF
    • ObjectiveC classes
    • Demangling
    • XBE
  • RCore
    • libmagic
    • regex
    • feed invalid commands to produce crashes
  • RAnal
    • af - provide bytes with wx and analyze with various archs
    • test various e anal. options

NOTE: Recommended build for fuzzing: 32-bit x86 ASAN (sys/asan.sh)
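The loop behind this checklist (mutate a seed, run the ASAN build on the mutant, keep one sample per distinct crash, re-run saved samples after a fix) written out as a harness. It is added here as an example and is neither radare2 code nor anything posted in this thread. It assumes an ASAN-instrumented r2 on PATH that loads a file and quits when run as `r2 -qc q FILE`, assumes the checkout directory is named `radare2/` so that in-tree stack frames can be told apart from libasan and libc frames, and picks its own ASAN_OPTIONS; those are the harness's assumptions, not facts from the page. The bucket key it derives (error kind, first in-tree function, normalized file:line) is what the stack traces in this thread are effectively compared on when a crash is declared fixed or still unfixed.

```python
"""Mutation fuzzer with ASAN crash bucketing for a binary loader such as RBin.
Added example, not radare2 code. Assumed: an ASAN build reachable as `r2`,
driven with `r2 -qc q FILE` so it loads FILE and quits; crashes are keyed on
the first stack frame whose path contains "radare2/" (assumed checkout name).
"""
import hashlib
import os
import posixpath
import random
import re
import subprocess
import sys
from pathlib import Path

TARGET = ["r2", "-qc", "q"]      # assumed invocation of the ASAN build
PROJECT_MARKER = "radare2/"      # assumed checkout directory name
ASAN_OPTIONS = "abort_on_error=0:detect_leaks=0:symbolize=1"

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
# Matches "#3 0x7fb234e4d470 in get_sections /path/mach0.c:942"; unsymbolized
# libasan frames without "in" deliberately do not match.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)", re.M)

def bucket(asan_report: str):
    """(error_kind, function, file:line) of the first project frame, or None
    when the text holds no ASAN report. Two reports with the same triple are
    treated as the same bug, which is what 'still unfixed' checks need."""
    m = ERROR_RE.search(asan_report)
    if not m:
        return None
    kind = m.group(1)
    for func, loc in FRAME_RE.findall(asan_report):
        if PROJECT_MARKER in loc:
            # drop the checkout prefix and fold "libr/..//libr/bin/p/../format"
            rel = posixpath.normpath(loc.split(PROJECT_MARKER, 1)[1])
            return (kind, func, rel)
    return (kind, "<no project frame>", "")

def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, boundary byte, truncation, or duplication
    of a block of at most 64 bytes, so a mutant is never longer than 2x."""
    buf = bytearray(data)
    if not buf:
        return b""
    op = rng.choice(("flip", "byte", "truncate", "dup"))
    if op == "flip":
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "byte":
        buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    elif op == "truncate":
        del buf[rng.randrange(1, len(buf) + 1):]
    else:
        n = rng.randrange(1, min(64, len(buf)) + 1)
        start = rng.randrange(len(buf) - n + 1)
        buf[start:start] = buf[start:start + n]
    return bytes(buf)

def mutate_n(data: bytes, n: int, seed: int = 1) -> list:
    """Deterministic batch of n mutants of one input (reproducible campaigns)."""
    rng = random.Random(seed)
    return [mutate(data, rng) for _ in range(n)]

def run_one(path: Path, timeout: float = 30.0) -> str:
    """Run the target on one file and return stderr, where ASAN reports go."""
    env = {**os.environ, "ASAN_OPTIONS": ASAN_OPTIONS}
    try:
        p = subprocess.run(TARGET + [str(path)], capture_output=True, text=True,
                           errors="replace", env=env, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "TIMEOUT"
    return p.stderr

def fuzz(seed_file: Path, outdir: Path, iterations: int, seed: int = 1) -> dict:
    """Keep the first sample of each crash bucket, named by md5 like the
    crash files in the thread. Returns {bucket: sample name}."""
    rng = random.Random(seed)
    base = seed_file.read_bytes()
    outdir.mkdir(parents=True, exist_ok=True)
    cand = outdir / "candidate.bin"
    found = {}
    for i in range(iterations):
        data = mutate(base, rng)
        cand.write_bytes(data)
        key = bucket(run_one(cand))
        if key and key not in found:
            name = hashlib.md5(data).hexdigest()
            (outdir / name).write_bytes(data)
            found[key] = name
            print(f"[{i}] {key[0]} in {key[1]} at {key[2]} -> {name}")
    return found

def recheck(sample_dir: Path) -> dict:
    """Re-run saved samples after a fix: {name: bucket, or None if now clean}."""
    return {p.name: bucket(run_one(p))
            for p in sorted(sample_dir.iterdir()) if p.is_file() and len(p.name) == 32}

if __name__ == "__main__":
    fuzz(Path(sys.argv[1]), Path(sys.argv[2]), int(sys.argv[3]))
```

Run it as `python fuzz_rbin.py seed.class out/ 2000`; to cover the RAnal item, swap TARGET for an invocation along the lines of `r2 -qc "wx ...; af"` with `e asm.arch` varied, and call recheck(Path("out")) after a fix to see which md5-named samples still land in the same bucket. Keying on the first in-tree frame is deliberately coarse: the libasan interceptor frames that sit above get_sections in the mach0 snprintf report in this thread would otherwise make every snprintf-based overflow look like a distinct bug.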

@radare radare added this to the 0.10.0 milestone Oct 13, 2015
Maijin (Contributor) commented Oct 14, 2015

Some results

Cannot analyze opcode at 512
addr: 0
calls: (null)
ucalls: (null)
cjmps: (null)
ujmps: (null)
rets: (null)
bbs: (null)
size: 0
Cannot add function (duplicated)

ghost commented Oct 15, 2015

btw it is quite noticeable that the mach0 parser has been improved.. kudos for that g*ys

ghost commented Oct 25, 2015

==26561==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000f4ce at pc 0x7fa43d1968bf bp 0x7ffe7998e220 sp 0x7ffe7998e210
READ of size 1 at 0x61500000f4ce thread T0
    #0 0x7fa43d1968be in r_bin_java_line_number_table_attr_new /home/revskillz/dev/radare2/shlr/java/class.c:3631
    #1 0x7fa43d18ac42 in r_bin_java_read_next_attr_from_buffer /home/revskillz/dev/radare2/shlr/java/class.c:2026
    #2 0x7fa43d1949bd in r_bin_java_code_attr_new /home/revskillz/dev/radare2/shlr/java/class.c:3335
    #3 0x7fa43d18ac42 in r_bin_java_read_next_attr_from_buffer /home/revskillz/dev/radare2/shlr/java/class.c:2026
    #4 0x7fa43d18a877 in r_bin_java_read_next_attr /home/revskillz/dev/radare2/shlr/java/class.c:1992
    #5 0x7fa43d187cd5 in r_bin_java_read_next_field /home/revskillz/dev/radare2/shlr/java/class.c:1496
    #6 0x7fa43d18bef2 in r_bin_java_parse_fields /home/revskillz/dev/radare2/shlr/java/class.c:2149
    #7 0x7fa43d18d184 in r_bin_java_load_bin /home/revskillz/dev/radare2/shlr/java/class.c:2297
    #8 0x7fa43d18cd4b in r_bin_java_new_bin /home/revskillz/dev/radare2/shlr/java/class.c:2259
    #9 0x7fa43d1925b4 in r_bin_java_new_buf /home/revskillz/dev/radare2/shlr/java/class.c:2967
    #10 0x7fa43d0d54ee in load_bytes /home/revskillz/dev/radare2/libr/..//libr/bin/p/bin_java.c:65
    #11 0x7fa43d062591 in r_bin_object_new /home/revskillz/dev/radare2/libr/bin/bin.c:962
    #12 0x7fa43d0635f1 in r_bin_file_new_from_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:1109
    #13 0x7fa43d06105d in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:704
    #14 0x7fa43d0610e7 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:720
    #15 0x7fa43d0605d2 in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:609
    #16 0x7fa43deba1c0 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:379
    #17 0x7fa43debabce in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:452
    #18 0x560dbc1717bd in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:597
    #19 0x7fa438df16ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #20 0x560dbc16e798 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x5798)

ASAN:SIGSEGV
==26561==AddressSanitizer

file: http://revskills.cz/r2/256996efe37d69100bf09cf3a07cbffc

ghost commented Oct 25, 2015

==26795==ERROR: AddressSanitizer: SEGV on unknown address 0x6210000f7920 (pc 0x7fbc53d50c5b bp 0x7fff80334040 sp 0x7fff80333e90 T0)
    #0 0x7fbc53d50c5a in r_bin_dyldcache_extract /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/mach0/dyldcache.c:43
    #1 0x7fbc53d50413 in oneshot /home/revskillz/dev/radare2/libr/..//libr/bin/p/bin_xtr_dyldcache.c:88
    #2 0x7fbc53d50607 in oneshotall /home/revskillz/dev/radare2/libr/..//libr/bin/p/bin_xtr_dyldcache.c:107
    #3 0x7fbc53c609cd in r_bin_file_xtr_load_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:856
    #4 0x7fbc53c5ff0c in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:693
    #5 0x7fbc53c600e7 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:720
    #6 0x7fbc53c5f5d2 in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:609
    #7 0x7fbc54ab91c0 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:379
    #8 0x7fbc54ab9bce in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:452
    #9 0x56208ab477bd in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:597
    #10 0x7fbc4f9f06ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #11 0x56208ab44798 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x5798)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer

file: http://revskills.cz/r2/eeaf87ece627fe94f92f836ac3467ffd

ghost commented Oct 25, 2015

==30492==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000012918 at pc 0x7ff80d914975 bp 0x7ffd3ac20aa0 sp 0x7ffd3ac20a90
READ of size 8 at 0x602000012918 thread T0
    #0 0x7ff80d914974 in bin_classes /home/revskillz/dev/radare2/libr/core/bin.c:1642
    #1 0x7ff80d915e3b in r_core_bin_info /home/revskillz/dev/radare2/libr/core/bin.c:1817
    #2 0x7ff80d907abb in r_core_bin_set_env /home/revskillz/dev/radare2/libr/core/bin.c:106
    #3 0x7ff80d8c6215 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:384
    #4 0x7ff80d8c6bce in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:452
    #5 0x55574db717bd in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:597
    #6 0x7ff8087fd6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #7 0x55574db6e798 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x5798)

ASAN:SIGSEGV
==30492==AddressSanitizer

From radare2-regressions: elf/hello-objc-linux

ghost commented Oct 25, 2015

==30534==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300001e14c at pc 0x7fc7fd9298a6 bp 0x7ffd15835050 sp 0x7ffd15835040
READ of size 1 at 0x60300001e14c thread T0
    #0 0x7fc7fd9298a5 in load_omf_lnames /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/omf/omf.c:90
    #1 0x7fc7fd92b6dd in load_omf_content /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/omf/omf.c:334
    #2 0x7fc7fd92bc41 in load_record_omf /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/omf/omf.c:369
    #3 0x7fc7fd92bdb8 in load_all_omf_records /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/omf/omf.c:385
    #4 0x7fc7fd92de2d in r_bin_internal_omf_load /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/omf/omf.c:625
    #5 0x7fc7fd92818d in load_bytes /home/revskillz/dev/radare2/libr/..//libr/bin/p/bin_omf.c:11
    #6 0x7fc7fd876591 in r_bin_object_new /home/revskillz/dev/radare2/libr/bin/bin.c:962
    #7 0x7fc7fd8775f1 in r_bin_file_new_from_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:1109
    #8 0x7fc7fd87505d in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:704
    #9 0x7fc7fd8750e7 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:720
    #10 0x7fc7fd8745d2 in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:609
    #11 0x7fc7fe6ce1c0 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:379
    #12 0x7fc7fe6cebce in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:452
    #13 0x564eb532e7bd in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:597
    #14 0x7fc7f96056ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #15 0x564eb532b798 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x5798)

ASAN:SIGSEGV
==30534==AddressSanitizer

From radare2-regressions: omf/605d45c02352294155cfed6ce0f7e5cc

radare (Collaborator, Author) commented Oct 27, 2015

this eeaf87 looks fixed to me

radare (Collaborator, Author) commented Oct 27, 2015

Just found another crash in the java parser. http://lolcathost.org/b/jaja.class

alvarofe (Contributor) commented

java is a big hole that needs a lot of love. I will move that task to 1.0.0 because we could spend months fixing crashes xD

radare (Collaborator, Author) commented Oct 27, 2015

What about disabling java in default builds? Moving it to extras can end up in abandonment and untestification. But at least users will not be that vulnerable 🐣

On 27 Oct 2015, at 17:10, Álvaro Felipe Melchor wrote:
> java is a big hole that needs a lot of love. I will move that task to 1.0.0 because we could spend months fixing crashes xD

radare (Collaborator, Author) commented Oct 27, 2015

This task is a mess and we should remove old comments or find a better way to organize the crash files (r2r?)

jvoisin (Contributor) commented Oct 28, 2015

+1 for disabling Java by default.

ghost commented Oct 28, 2015

pancake: DOES NOT CRASH FOR ME

==533==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200002a1d8 at pc 0x7ff3972264fa bp 0x7ffdf365e530 sp 0x7ffdf365e520
READ of size 8 at 0x60200002a1d8 thread T0
    #0 0x7ff3972264f9 in bin_classes /home/revskillz/dev/radare2/libr/core/bin.c:1643
    #1 0x7ff3972279c0 in r_core_bin_info /home/revskillz/dev/radare2/libr/core/bin.c:1818
    #2 0x7ff39721963b in r_core_bin_set_env /home/revskillz/dev/radare2/libr/core/bin.c:106
    #3 0x7ff3971d7757 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:385
    #4 0x7ff3971d8222 in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:457
    #5 0x5619053267bd in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:597
    #6 0x7ff39210a6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #7 0x561905323798 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x5798)

ASAN:SIGSEGV
==533==AddressSanitizer

file: http://revskills.cz/r2/b099298e30716688b11e956d26060042

ghost commented Oct 28, 2015

+1 for disabling Java by default. Can you group tasks on an issue with labels, and I can add fuzzing labels/regressions in case of old samples, etc?

ghost commented Oct 29, 2015

CANNOT REPRODUCE

==6043==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x7f69817ff8ae bp 0x7fff83186280 sp 0x7fff83186230 T0)
    #0 0x7f69817ff8ad in size /home/revskillz/dev/radare2/libr/..//libr/bin/p/bin_p9.c:185
    #1 0x7f69817418f7 in r_bin_object_set_items /home/revskillz/dev/radare2/libr/bin/bin.c:439
    #2 0x7f6981745d1f in r_bin_object_new /home/revskillz/dev/radare2/libr/bin/bin.c:997
    #3 0x7f698174664a in r_bin_file_object_new_from_xtr_data /home/revskillz/dev/radare2/libr/bin/bin.c:1069
    #4 0x7f6981744bde in r_bin_files_populate_from_xtrlist /home/revskillz/dev/radare2/libr/bin/bin.c:842
    #5 0x7f6981744dae in r_bin_file_xtr_load_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:858
    #6 0x7f69817442bc in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:693
    #7 0x7f6981744497 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:720
    #8 0x7f6981743982 in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:609
    #9 0x7f698259f702 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:380
    #10 0x7f69825a0222 in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:457
    #11 0x55dab31ee7bd in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:597
    #12 0x7f697d4d26ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #13 0x55dab31eb798 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x5798)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer

*Low priority

file: http://revskills.cz/r2/a84c559b0033f196a5527f2f1f187742

radare (Collaborator, Author) commented Nov 4, 2015

Status? All those crashes are fixed now? Can we remove the comments of the fixed ones?


radare (Collaborator, Author) commented Nov 4, 2015

we're trying to fix java.. without refactoring it with @alvarofe

ghost commented Nov 4, 2015

So.. Should I report bugs in java?

radare (Collaborator, Author) commented Nov 4, 2015

Maybe we can just put them in a separate issue to keep track of them.

I think we should focus on fixing clang analyzer issues in libr/bin/p/*

On 04 Nov 2015, at 17:41, Francisco Alonso wrote:
> So.. Should I report bugs in java?

ghost commented Nov 4, 2015

So let's close this one if everything is fixed now. Please double check :-).

Maijin (Contributor) commented Nov 4, 2015

@revskills Minidump will need tons of fuzz, currently it doesn't even run on standard stuff :'( #3649

alvarofe (Contributor) commented Nov 4, 2015

it's still pending to fix 7cc0970af593532fcf484a17dac1563e in r2r bins/java

radare (Collaborator, Author) commented Nov 4, 2015

Can't find this bin. Are you sure it's pushed?

alvarofe (Contributor) commented Nov 4, 2015

git pull :P

radare (Collaborator, Author) commented Nov 4, 2015

Because of my type changes in the header files? Do we have valid minidump files to test? Maybe @skuater can have a look

On 04 Nov 2015, at 18:07, Maijin wrote:
> @revskills Minidump will need tons of fuzz, currently it doesn't even run on standard stuff :'( #3649

radare (Collaborator, Author) commented Nov 12, 2015

No more issues? anyone wanna fuzz more before the release?

ghost commented Nov 12, 2015

I'm on it

radare (Collaborator, Author) commented Nov 12, 2015

@revskills :*

ghost commented Nov 12, 2015

release ETA?

ghost commented Nov 17, 2015

==15205==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b838 at pc 0x7fb23606c6a9 bp 0x7fff707884b0 sp 0x7fff70787c28
READ of size 205 at 0x61900000b838 thread T0
    #0 0x7fb23606c6a8  (/lib64/libasan.so.2+0x606a8)
    #1 0x7fb23606d605 in __interceptor_vsnprintf (/lib64/libasan.so.2+0x61605)
    #2 0x7fb23606d871 in snprintf (/lib64/libasan.so.2+0x61871)
    #3 0x7fb234e4d470 in get_sections /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:942
    #4 0x7fb234e403bb in sections /home/revskillz/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:98
    #5 0x7fb234e44248 in size /home/revskillz/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:555
    #6 0x7fb234dc5f07 in r_bin_object_set_items /home/revskillz/dev/radare2/libr/bin/bin.c:468
    #7 0x7fb234dca3e5 in r_bin_object_new /home/revskillz/dev/radare2/libr/bin/bin.c:1005
    #8 0x7fb234dcab34 in r_bin_file_object_new_from_xtr_data /home/revskillz/dev/radare2/libr/bin/bin.c:1079
    #9 0x7fb234dc92a4 in r_bin_files_populate_from_xtrlist /home/revskillz/dev/radare2/libr/bin/bin.c:850
    #10 0x7fb234dc9474 in r_bin_file_xtr_load_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:866
    #11 0x7fb234dc8987 in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:728
    #12 0x7fb234dc8b65 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:755
    #13 0x7fb234dc804d in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:646
    #14 0x7fb235c308c5 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:380
    #15 0x7fb235c31530 in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:459
    #16 0x55ab6748794c in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:605
    #17 0x7fb230afd57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #18 0x55ab674848c8 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x58c8)

ASAN:SIGSEGV
==15205==AddressSanitizer

file: http://revskills.cz/r2/6f29967c0c3bbbc0fff59bc00f047209

radare (Collaborator, Author) commented Nov 17, 2015

@revskills can't reproduce this last heap buffer overflow in master r2. Can you confirm?

alvarofe (Contributor) commented

I can reproduce. I'll look at it tonight ;)

ghost commented Nov 17, 2015

==10501==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000090bc at pc 0x7f834a76f042 bp 0x7ffea47830a0 sp 0x7ffea4783090
READ of size 1 at 0x60c0000090bc thread T0
    #0 0x7f834a76f041 in r_str_escape_ /home/revskillz/dev/radare2/libr/util/str.c:961
    #1 0x7f834a76f300 in r_str_escape /home/revskillz/dev/radare2/libr/util/str.c:986
    #2 0x7f834f0ecc78 in bin_imports /home/revskillz/dev/radare2/libr/core/bin.c:996
    #3 0x7f834f0f410a in r_core_bin_info /home/revskillz/dev/radare2/libr/core/bin.c:1863
    #4 0x7f834f0e55b6 in r_core_bin_set_env /home/revskillz/dev/radare2/libr/core/bin.c:106
    #5 0x7f834f0a284f in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:385
    #6 0x7f834f0a3465 in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:459
    #7 0x55965102a94c in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:605
    #8 0x7f8349f6f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #9 0x5596510278c8 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x58c8)

ASAN:SIGSEGV
==10501==AddressSanitizer

file: http://revskills.cz/r2/361fef87f4b8355630c7532847164c79

radare (Collaborator, Author) commented Nov 18, 2015

all fixed again, push more crashes plz :D

ghost commented Nov 19, 2015

256996efe37d69100bf09cf3a07cbffc still unfixed. (Java)

radare (Collaborator, Author) commented Nov 19, 2015

it's fixed now :D

radare (Collaborator, Author) commented Nov 20, 2015

@revskills can you try fuzzing fatmach0s and the demanglers?

Maijin (Contributor) commented Nov 20, 2015

Zignatures, PDB and FLIRT signatures could be nice; I don't think this has been done already.

ghost commented Nov 22, 2015

FIXED

==20508==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200002e952 at pc 0x7fb472804646 bp 0x7ffccf4502c0 sp 0x7ffccf4502b0
READ of size 1 at 0x60200002e952 thread T0
    #0 0x7fb472804645 in r_bin_demangle_objc /home/revskillz/dev/radare2/libr/bin/demangle.c:226
    #1 0x7fb472900125 in r_bin_lang_objc mangling/objc.c:24
    #2 0x7fb4727f7007 in r_bin_load_languages /home/revskillz/dev/radare2/libr/bin/bin.c:329
    #3 0x7fb4727f9249 in r_bin_object_set_items /home/revskillz/dev/radare2/libr/bin/bin.c:528
    #4 0x7fb4727fc477 in r_bin_object_new /home/revskillz/dev/radare2/libr/bin/bin.c:1001
    #5 0x7fb4727fcf1d in r_bin_file_new_from_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:1114
    #6 0x7fb4727fab78 in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:738
    #7 0x7fb4727fabf7 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:751
    #8 0x7fb4727fa0ed in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:645
    #9 0x7fb473663850 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:380
    #10 0x7fb4736644bb in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:459
    #11 0x55696fdb294c in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:605
    #12 0x7fb46e52f6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #13 0x55696fdaf8c8 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x58c8)

ASAN:SIGSEGV
==20508==AddressSanitizer

file: http://revskills.cz/r2/21650855180932f7b2e005c3cb7aec26

ghost commented Nov 22, 2015

FIXED

==32187==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000028832 at pc 0x7f4a020d48a5 bp 0x7ffc95e374a0 sp 0x7ffc95e36c48
READ of size 3 at 0x602000028832 thread T0
    #0 0x7f4a020d48a4 in strdup (/lib64/libasan.so.2+0x628a4)
    #1 0x7f4a00ebd5c5 in copy_sym_name_with_namespace /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/objc/mach0_classes.c:161
    #2 0x7f4a00ebf4ac in get_method_list_t /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/objc/mach0_classes.c:477
    #3 0x7f4a00ec0a9e in get_class_ro_t /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/objc/mach0_classes.c:688
    #4 0x7f4a00ec0fbc in get_class_t /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/objc/mach0_classes.c:739
    #5 0x7f4a00ec19f8 in parse_classes_64 /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/objc/mach0_classes.c:852
    #6 0x7f4a00e2a015 in r_bin_object_set_items /home/revskillz/dev/radare2/libr/bin/bin.c:521
    #7 0x7f4a00e2d477 in r_bin_object_new /home/revskillz/dev/radare2/libr/bin/bin.c:1001
    #8 0x7f4a00e2df1d in r_bin_file_new_from_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:1114
    #9 0x7f4a00e2bb78 in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:738
    #10 0x7f4a00e2bbf7 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:751
    #11 0x7f4a00e2b0ed in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:645
    #12 0x7f4a01c94850 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:380
    #13 0x7f4a01c954bb in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:459
    #14 0x5588065ad94c in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:605
    #15 0x7f49fcb606ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #16 0x5588065aa8c8 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x58c8)

ASAN:SIGSEGV
==32187==AddressSanitizer

file: http://revskills.cz/r2/05416456de04fa6838cd38e6cce5bebb

ghost commented Nov 22, 2015

FIXED

==15278==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000267d2 at pc 0x7ffb6b3f46a9 bp 0x7ffeb0166e40 sp 0x7ffeb01665b8
READ of size 3 at 0x6020000267d2 thread T0
    #0 0x7ffb6b3f46a8  (/lib64/libasan.so.2+0x606a8)
    #1 0x7ffb6b3f5605 in __interceptor_vsnprintf (/lib64/libasan.so.2+0x61605)
    #2 0x7ffb6667e290 in r_str_newf /home/revskillz/dev/radare2/libr/util/str.c:454
    #3 0x7ffb6a1e0a98 in get_objc_property_list /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/objc/mach0_classes.c:361
    #4 0x7ffb6a1e2b10 in get_class_ro_t /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/objc/mach0_classes.c:704
    #5 0x7ffb6a1e2fbc in get_class_t /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/objc/mach0_classes.c:739
    #6 0x7ffb6a1e39f8 in parse_classes_64 /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/objc/mach0_classes.c:852
    #7 0x7ffb6a14c015 in r_bin_object_set_items /home/revskillz/dev/radare2/libr/bin/bin.c:521
    #8 0x7ffb6a14f477 in r_bin_object_new /home/revskillz/dev/radare2/libr/bin/bin.c:1001
    #9 0x7ffb6a14ff1d in r_bin_file_new_from_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:1114
    #10 0x7ffb6a14db78 in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:738
    #11 0x7ffb6a14dbf7 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:751
    #12 0x7ffb6a14d0ed in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:645
    #13 0x7ffb6afb6850 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:380
    #14 0x7ffb6afb74bb in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:459
    #15 0x55f1b2f7594c in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:605
    #16 0x7ffb65e826ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #17 0x55f1b2f728c8 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x58c8)

ASAN:SIGSEGV
==15278==AddressSanitizer

file: http://revskills.cz/r2/ffc94063da6027da908954d0b5f81169

ghost commented Nov 22, 2015

FIXED

==13735==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000012499 at pc 0x7f851b0fe5fb bp 0x7ffeb31caf10 sp 0x7ffeb31caf00
READ of size 1 at 0x602000012499 thread T0
    #0 0x7f851b0fe5fa in symbols /home/revskillz/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:169
    #1 0x7f851b064674 in r_bin_object_set_items /home/revskillz/dev/radare2/libr/bin/bin.c:494
    #2 0x7f851b068477 in r_bin_object_new /home/revskillz/dev/radare2/libr/bin/bin.c:1001
    #3 0x7f851b068f1d in r_bin_file_new_from_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:1114
    #4 0x7f851b066b78 in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:738
    #5 0x7f851b066bf7 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:751
    #6 0x7f851b0660ed in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:645
    #7 0x7f851becf850 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:380
    #8 0x7f851bed04bb in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:459

file: http://revskills.cz/r2/3757ca0ff58b0625d261512707f112f3

ghost commented Nov 22, 2015

FIXED

==29413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000068f8 at pc 0x7ff9b6869654 bp 0x7ffd6fcec620 sp 0x7ffd6fcec610
READ of size 8 at 0x6120000068f8 thread T0
    #0 0x7ff9b6869653 in get_relocs_64 /home/revskillz/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1442
    #1 0x7ff9b6859ea7 in relocs /home/revskillz/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:257
    #2 0x7ff9b67bfa07 in r_bin_object_set_items /home/revskillz/dev/radare2/libr/bin/bin.c:505
    #3 0x7ff9b67c3477 in r_bin_object_new /home/revskillz/dev/radare2/libr/bin/bin.c:1001
    #4 0x7ff9b67c3f1d in r_bin_file_new_from_bytes /home/revskillz/dev/radare2/libr/bin/bin.c:1114
    #5 0x7ff9b67c1b78 in r_bin_load_io_at_offset_as_sz /home/revskillz/dev/radare2/libr/bin/bin.c:738
    #6 0x7ff9b67c1bf7 in r_bin_load_io_at_offset_as /home/revskillz/dev/radare2/libr/bin/bin.c:751
    #7 0x7ff9b67c10ed in r_bin_load_io /home/revskillz/dev/radare2/libr/bin/bin.c:645
    #8 0x7ff9b762a850 in r_core_file_do_load_for_io_plugin /home/revskillz/dev/radare2/libr/core/file.c:380
    #9 0x7ff9b762b4bb in r_core_bin_load /home/revskillz/dev/radare2/libr/core/file.c:459
    #10 0x55bee5caf94c in main /home/revskillz/dev/radare2/binr/radare2/radare2.c:605
    #11 0x7ff9b24f66ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #12 0x55bee5cac8c8 in _start (/home/revskillz/dev/radare2/binr/radare2/radare2+0x58c8)

ASAN:SIGSEGV
==29413==AddressSanitizer

file: http://revskills.cz/r2/3496c4253cd979b4d0018cc5c88f2a08

radare (Collaborator, Author) commented Nov 22, 2015

@revskills all fixed! fuzz moar! :D

ghost commented Nov 23, 2015

Not fixed: ffc94063da6027da908954d0b5f81169

alvarofe (Contributor) commented

Confirm now from master

radare (Collaborator, Author) commented Nov 24, 2015

moar

@radare radare modified the milestones: 1.0.0, 0.10.0 Dec 14, 2015
Maijin (Contributor) commented Jun 22, 2016

@radare what about this issue?

radare (Collaborator, Author) commented Jun 22, 2016

Has anybody except me or alvaro done this already? From my experience, unless I see enough motivation it ends up with me coding alone until 6am. If anyone wants to join the party just ping on IRC or here.

On 22 Jun 2016, at 11:45, Maijin wrote:
> @radare what about this issue?

Maijin (Contributor) commented Jun 22, 2016

The issue here is that the milestone is for 1.0.0.

radare (Collaborator, Author) commented Jun 22, 2016

And well, it would be great if we could find some people other than alvaro and me willing to fix bugs before the release. Right now we have more than 100 issues tagged for 0.10.4, so if anyone wants to join the fix-a-ton it's up to them. I'm not gonna spend time trying to chase people to do stuff they don't do by themselves.

So we can close this i guess

On 22 Jun 2016, at 11:45, Maijin wrote:
> @radare what about this issue?

Maijin (Contributor) commented Jun 22, 2016

ok :)

@Maijin Maijin closed this as completed Jun 22, 2016