Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Out of bounds heap read in updateAddr #2808

Closed
hannob opened this issue Jun 20, 2015 · 2 comments
Closed

Out of bounds heap read in updateAddr #2808

hannob opened this issue Jun 20, 2015 · 2 comments
Assignees
@alvarofe

Comments

@hannob
Copy link

hannob commented Jun 20, 2015

This script will generate an out of bounds heap read:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-updateAddr

Found with american fuzzy lop. Test: radare2 -q -i [script] /dev/null

Address Sanitizer trace:

==1044==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000016833 at pc 0x7fcf11612e49 bp 0x7fffc130c9f0 sp 0x7fffc130c9e0
READ of size 1 at 0x602000016833 thread T0
    #0 0x7fcf11612e48 in updateAddr /f/radare2/radare2/libr/util/p_format.c:29
    #1 0x7fcf1161ce8e in r_print_format /f/radare2/radare2/libr/util/p_format.c:1137
    #2 0x7fcf16848bba in cmd_print_format /f/radare2/radare2/libr/core/cmd_print.c:517
    #3 0x7fcf16848bba in cmd_print /f/radare2/radare2/libr/core/cmd_print.c:2840
    #4 0x7fcf168a64ac in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1569
    #5 0x7fcf1680a02c in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1081
    #6 0x7fcf1680b2ee in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1938
    #7 0x7fcf1680e11c in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1989
    #8 0x7fcf1680e38e in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2001
    #9 0x7fcf16811363 in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #10 0x405572 in main /f/radare2/radare2/binr/radare2/radare2.c:729
    #11 0x7fcf10d6ef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #12 0x40a333 (/mnt/ram/radare2/radare2+0x40a333)

0x602000016833 is located 2 bytes to the right of 1-byte region [0x602000016830,0x602000016831)
allocated by thread T0 here:
    #0 0x7fcf16f346f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7fcf1161bacf in r_print_format /f/radare2/radare2/libr/util/p_format.c:1042

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/radare2/radare2/libr/util/p_format.c:29 updateAddr
Shadow bytes around the buggy address:
  0x0c047fffacb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffad00: fa fa fa fa fa fa[01]fa fa fa 03 fa fa fa 02 fa
  0x0c047fffad10: fa fa 01 fa fa fa 06 fa fa fa 06 fa fa fa 06 fa
  0x0c047fffad20: fa fa fd fa fa fa fd fd fa fa 06 fa fa fa fd fa
  0x0c047fffad30: fa fa 05 fa fa fa fd fa fa fa 06 fa fa fa fd fa
  0x0c047fffad40: fa fa 03 fa fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fffad50: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==1044==ABORTING
@alvarofe alvarofe self-assigned this Jun 20, 2015
@XVilka XVilka added the bug label Jun 23, 2015
alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 23, 2015
@alvarofe
Fix radareorg#2808
345e245
@crowell
Copy link
Collaborator

crowell commented Jun 27, 2015

can't repro, @alvarofe is this fix submitted?

@alvarofe
Copy link
Contributor

I can reproduce it. It was submitted but not merged because one of my fix the related with cmd_open was breaking travis ( i just saw you fixed). I'm working on these and other bug and I hope make a PR this weekend but I'm having problems with my internet provider and I can't do nothing :(

alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 27, 2015
@alvarofe
Fix radareorg#2808 - oob read in updateAddr
aacfcbe
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alvarofe alvarofe

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@XVilka @crowell @hannob @alvarofe