Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

out of bounds heap read in r_core_yank_hud_file #2806

Closed
hannob opened this issue Jun 20, 2015 · 0 comments
Closed

out of bounds heap read in r_core_yank_hud_file #2806

hannob opened this issue Jun 20, 2015 · 0 comments

Comments

@hannob
Copy link

hannob commented Jun 20, 2015

This script will cause an out of bounds heap read:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-r_core_yank_hud_file

Found with american fuzzy lop, test with: radare2 -q -i [script] /dev/null

Address Sanitizer stack trace:

==23731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000168b3 at pc 0x7f122a0da2dd bp 0x7fff1106da60 sp 0x7fff1106da50
READ of size 1 at 0x6020000168b3 thread T0
    #0 0x7f122a0da2dc in r_core_yank_hud_file /f/radare2/radare2/libr/core/yank.c:294
    #1 0x7f122a06e54f in cmd_help /f/radare2/radare2/libr/core/cmd_help.c:428
    #2 0x7f122a0991ea in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1590
    #3 0x7f1229ffbdfd in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1081
    #4 0x7f1229ffcd63 in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1938
    #5 0x7f1229fff88c in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1989
    #6 0x7f1229fffa94 in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2001
    #7 0x7f122a002c1e in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #8 0x4054bc in main /f/radare2/radare2/binr/radare2/radare2.c:729
    #9 0x7f122456bf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #10 0x40a4d3 (/mnt/ram/radare2/radare2+0x40a4d3)

0x6020000168b3 is located 0 bytes to the right of 3-byte region [0x6020000168b0,0x6020000168b3)
allocated by thread T0 here:
    #0 0x7f122a72a6f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7f12245cd789 in strdup (/lib64/libc.so.6+0x81789)

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/radare2/radare2/libr/core/yank.c:294 r_core_yank_hud_file
Shadow bytes around the buggy address:
  0x0c047fffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffad10: fa fa 01 fa fa fa[03]fa fa fa 03 fa fa fa 03 fa
  0x0c047fffad20: fa fa fd fa fa fa fd fd fa fa 06 fa fa fa fd fa
  0x0c047fffad30: fa fa 05 fa fa fa fd fa fa fa 06 fa fa fa fd fa
  0x0c047fffad40: fa fa 03 fa fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fffad50: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa fd fa
  0x0c047fffad60: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==23731==ABORTING
@alvarofe alvarofe self-assigned this Jun 20, 2015
@XVilka XVilka added the bug label Jun 23, 2015
alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 23, 2015
@alvarofe
Fix radareorg#2806
9145c27
alvarofe added a commit that referenced this issue Jun 24, 2015
@alvarofe @radare
Fix #2806
21ca918
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@XVilka @hannob @alvarofe