Null pointer dereference in r_bin_java_element_value_free() #11102
can't reproduce
… On 15 Aug 2018, at 18:03, Kamil Frankowicz ***@***.***> wrote:
Work environment
| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 18.04 x64 |
| File format of the file you reverse (mandatory) | Compiled Java Class |
| Architecture/bits of the file (mandatory) | N/A |
| r2 -v full output, not truncated (mandatory) | radare2 2.9.0-git 19121 @ linux-x86-64 git.2.8.0-100-g6a5abe63e commit: 6a5abe6 <6a5abe6> build: 2018-08-15__17:05:54 |
Expected behavior
Disassembly of file or error message.
Actual behavior
Heap out of bounds read in ASAN build.
Steps to reproduce the behavior
Download radare/radare2-regressions#1429 <https://github.com/radare/radare2-regressions/pull/1429>
Run: r2 -A r2_nullptr_r_bin_java_element_value_free
Additional Logs, screenshots, source-code, configuration dump, ...
ASAN report:
==400==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2fa0ae8ac6 bp 0x6040000213d0 sp 0x7ffc82174db0 T0)
==400==The signal is caused by a READ memory access.
==400==Hint: address points to the zero page.
#0 0x7f2fa0ae8ac5 in r_bin_java_element_value_free XYZ/radare2/shlr/java/class.c:6371:34
#1 0x7f2fa0ae867a in r_bin_java_element_pair_free XYZ/radare2/shlr/java/class.c:6340:3
#2 0x7f2f9b28893f in r_list_delete XYZ/radare2/libr/util/list.c:93:4
#3 0x7f2f9b28893f in r_list_purge XYZ/radare2/libr/util/list.c:62
#4 0x7f2f9b28893f in r_list_free XYZ/radare2/libr/util/list.c:72
#5 0x7f2fa0aeaa3d in r_bin_java_annotation_free XYZ/radare2/shlr/java/class.c:6556:3
#6 0x7f2f9b28893f in r_list_delete XYZ/radare2/libr/util/list.c:93:4
#7 0x7f2f9b28893f in r_list_purge XYZ/radare2/libr/util/list.c:62
#8 0x7f2f9b28893f in r_list_free XYZ/radare2/libr/util/list.c:72
#9 0x7f2fa0aeeb8e in r_bin_java_rti_annotations_attr_free XYZ/radare2/shlr/java/class.c:7179:3
#10 0x7f2fa0aa476a in r_bin_java_attribute_free XYZ/radare2/shlr/java/class.c:3111:5
#11 0x7f2f9b28893f in r_list_delete XYZ/radare2/libr/util/list.c:93:4
#12 0x7f2f9b28893f in r_list_purge XYZ/radare2/libr/util/list.c:62
#13 0x7f2f9b28893f in r_list_free XYZ/radare2/libr/util/list.c:72
#14 0x7f2fa0aa457d in r_bin_java_fmtype_free XYZ/radare2/shlr/java/class.c:3136:2
#15 0x7f2f9b28893f in r_list_delete XYZ/radare2/libr/util/list.c:93:4
#16 0x7f2f9b28893f in r_list_purge XYZ/radare2/libr/util/list.c:62
#17 0x7f2f9b28893f in r_list_free XYZ/radare2/libr/util/list.c:72
#18 0x7f2fa0ac46f0 in r_bin_java_free XYZ/radare2/shlr/java/class.c:3077:2
#19 0x7f2fa08762e5 in destroy XYZ/radare2/libr/..//libr/bin/p/bin_java.c:139:2
#20 0x7f2fa0734b35 in r_bin_file_free XYZ/radare2/libr/bin/file.c:790:3
#21 0x7f2f9b28893f in r_list_delete XYZ/radare2/libr/util/list.c:93:4
#22 0x7f2f9b28893f in r_list_purge XYZ/radare2/libr/util/list.c:62
#23 0x7f2f9b28893f in r_list_free XYZ/radare2/libr/util/list.c:72
#24 0x7f2fa070c1d0 in r_bin_free XYZ/radare2/libr/bin/bin.c:612:2
#25 0x7f2fa1a51bf0 in r_core_fini XYZ/radare2/libr/core/core.c:2279:11
#26 0x5560ffbbcdbf in main XYZ/radare2/binr/radare2/radare2.c:1472:2
#27 0x7f2f9a191b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#28 0x5560ffabe089 in _start (/usr/local/bin/radare2+0x26089)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/radare2/shlr/java/class.c:6371:34 in r_bin_java_element_value_free
==400==ABORTING