[zzuf] afi signal 11 #1992

Closed
zonkzonk opened this issue Jan 23, 2015 · 2 comments

Comments

@zonkzonk
Contributor

morrn,

zzuf -s 0:1000000 -c -C 0 -q -T 5 -M 100 r2 -qc "afi;afo sym.main" ./a.out.bak 2>log
*** glibc detected *** r2: malloc(): memory corruption: 0x08fab830 ***

Core was generated by `r2 10'.
Program terminated with signal 11, Segmentation fault.
#0  0xb753f7e7 in __strnlen (str=0x89d04e0 <Address 0x89d04e0 out of bounds>, len=255) at /home/zlul/radare2/libr/..//libr/bin/p/../format/elf/elf.c:12
12              while (IS_PRINTABLE(*str) && --len) {
(gdb) bt
#0  0xb753f7e7 in __strnlen (str=0x89d04e0 <Address 0x89d04e0 out of bounds>, len=255) at /home/zlul/radare2/libr/..//libr/bin/p/../format/elf/elf.c:12
#1  0xb75444bc in Elf64_r_bin_elf_get_symbols (bin=0x82bef20, type=1) at /home/zlul/radare2/libr/..//libr/bin/p/../format/elf/elf.c:1241
#2  0xb753dacc in imports (arch=0x82b9748) at /home/zlul/radare2/libr/..//libr/bin/p/bin_elf.c:325
#3  0xb751e934 in r_bin_object_set_items (binfile=0x82b9748, o=0x82bede0) at bin.c:379
#4  0xb75203d8 in r_bin_object_new (binfile=0x82b9748, plugin=0x82876b8, baseaddr=0, loadaddr=0, offset=0, sz=8473) at bin.c:872
#5  0xb7520a6f in r_bin_file_new_from_bytes (bin=0x8283720, file=0x82c09f8 "10", bytes=0x82b7628 "\177ELF\002\001\001", sz=8473, file_sz=8473, rawstr=0, baseaddr=0, loadaddr=0, fd=7, pluginname=0x0, 
    xtrname=0x0, offset=0) at bin.c:983
#6  0xb751f6bb in r_bin_load_io_at_offset_as_sz (bin=0x8283720, desc=0x82b7580, baseaddr=0, loadaddr=0, xtr_idx=0, offset=0, name=0x0, sz=8473) at bin.c:584
#7  0xb751f784 in r_bin_load_io_at_offset_as (bin=0x8283720, desc=0x82b7580, baseaddr=0, loadaddr=0, xtr_idx=0, offset=0, name=0x0) at bin.c:599
#8  0xb751f12d in r_bin_load_io (bin=0x8283720, desc=0x82b7580, baseaddr=0, loadaddr=0, xtr_idx=0) at bin.c:498
#9  0xb765fce8 in r_core_file_do_load_for_io_plugin (r=0x804e4c0, baseaddr=0, loadaddr=0) at file.c:340
#10 0xb76600f3 in r_core_bin_load (r=0x804e4c0, filenameuri=0x82c09f8 "10", baddr=0) at file.c:472
#11 0x0804bc23 in main (argc=2, argv=0xbfec1dd4, envp=0xbfec1de0) at radare2.c:532

fuzzed_file: (base64)
http://sprunge.us/agCP

r2 -v; arch
radare2 0.9.9-git @ linux-little-x86-32 git.0.9.8-528-g4c1ae2c
commit: 4c1ae2c build: 2015-01-23
i686

Greetings
--zlul

@radare
Collaborator

radare commented Jan 23, 2015

Valgrind plz. That's a mem corruption


@zonkzonk
Contributor Author

==17956== Memcheck, a memory error detector
==17956== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==17956== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==17956== Command: r2 10
==17956== Parent PID: 3223
==17956==
==17956== Invalid read of size 1
==17956== at 0x41947E7: __strnlen (elf.c:12)
==17956== by 0x41994BB: Elf64_r_bin_elf_get_symbols (elf.c:1241)
==17956== by 0x4192ACB: imports (bin_elf.c:325)
==17956== by 0x4173933: r_bin_object_set_items (bin.c:379)
==17956== by 0x41753D7: r_bin_object_new (bin.c:872)
==17956== by 0x4175A6E: r_bin_file_new_from_bytes (bin.c:983)
==17956== by 0x41746BA: r_bin_load_io_at_offset_as_sz (bin.c:584)
==17956== by 0x4174783: r_bin_load_io_at_offset_as (bin.c:599)
==17956== by 0x417412C: r_bin_load_io (bin.c:498)
==17956== by 0x409FCE7: r_core_file_do_load_for_io_plugin (file.c:340)
==17956== by 0x40A00F2: r_core_bin_load (file.c:472)
==17956== by 0x804BC22: main (radare2.c:532)
==17956== Address 0x57102c0 is not stack'd, malloc'd or (recently) free'd
==17956==
==17956==
==17956== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==17956== Access not within mapped region at address 0x57102C0
==17956== at 0x41947E7: __strnlen (elf.c:12)
==17956== by 0x41994BB: Elf64_r_bin_elf_get_symbols (elf.c:1241)
==17956== by 0x4192ACB: imports (bin_elf.c:325)
==17956== by 0x4173933: r_bin_object_set_items (bin.c:379)
==17956== by 0x41753D7: r_bin_object_new (bin.c:872)
==17956== by 0x4175A6E: r_bin_file_new_from_bytes (bin.c:983)
==17956== by 0x41746BA: r_bin_load_io_at_offset_as_sz (bin.c:584)
==17956== by 0x4174783: r_bin_load_io_at_offset_as (bin.c:599)
==17956== by 0x417412C: r_bin_load_io (bin.c:498)
==17956== by 0x409FCE7: r_core_file_do_load_for_io_plugin (file.c:340)
==17956== by 0x40A00F2: r_core_bin_load (file.c:472)
==17956== by 0x804BC22: main (radare2.c:532)
==17956== If you believe this happened as a result of a stack
==17956== overflow in your program's main thread (unlikely but
==17956== possible), you can try to increase the size of the
==17956== main thread stack using the --main-stacksize= flag.
==17956== The main thread stack size used in this run was 8388608.
==17956==
==17956== HEAP SUMMARY:
==17956== in use at exit: 492,627 bytes in 2,658 blocks
==17956== total heap usage: 4,087 allocs, 1,429 frees, 841,453 bytes allocated
==17956==
==17956== LEAK SUMMARY:
==17956== definitely lost: 272 bytes in 9 blocks
==17956== indirectly lost: 2,551 bytes in 29 blocks
==17956== possibly lost: 11,672 bytes in 39 blocks
==17956== still reachable: 478,132 bytes in 2,581 blocks
==17956== suppressed: 0 bytes in 0 blocks
==17956== Rerun with --leak-check=full to see details of leaked memory
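Both the gdb backtrace in the report and the Valgrind run above point at the same spot: `Elf64_r_bin_elf_get_symbols` hands `__strnlen` a pointer derived from a symbol's `st_name` offset that lies outside the string table of the fuzzed file, so the printable-character loop at elf.c:12 reads unmapped memory. The following is an added example (not radare2's code, written for this issue) of the defensive pattern: the name lookup rejects an `st_name` that is not inside the string table and bounds the scan by the bytes that remain, so a truncated or corrupt table cannot push the read past the buffer. The function and type names (`elf_sym_name`, `bounded_name_len`, `kStrtab`) and the string-table bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IS_PRINTABLE(c) ((c) >= ' ' && (c) <= '~')
#define ELF_NAME_MAX 255   /* same cap as the len=255 seen in the trace */

/* Length of the printable run starting at str, never reading beyond
 * `avail` bytes. Same loop shape as the crashing one, plus a hard bound. */
static size_t bounded_name_len(const uint8_t *str, size_t avail, size_t cap) {
    size_t n = 0;
    if (avail < cap) cap = avail;
    while (n < cap && IS_PRINTABLE(str[n])) n++;
    return n;
}

/* Resolve st_name inside strtab. Returns the name length written to out,
 * or -1 when the offset falls outside the string table (corrupt file). */
int elf_sym_name(const uint8_t *strtab, size_t strtab_sz, uint32_t st_name,
                 char *out, size_t out_sz) {
    if (!strtab || !out || out_sz == 0) return -1;
    if (st_name >= strtab_sz) return -1;   /* the check the crash lacked */
    size_t avail = strtab_sz - st_name;
    size_t n = bounded_name_len(strtab + st_name, avail, ELF_NAME_MAX);
    if (n >= out_sz) n = out_sz - 1;
    memcpy(out, strtab + st_name, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed string table "\0main\0puts" with no trailing NUL on the last
 * entry, so an unbounded strlen/strnlen would run off its end. */
static const uint8_t kStrtab[] = { 0, 'm','a','i','n', 0, 'p','u','t','s' };
#define kStrtabSz (sizeof kStrtab)

int main(void) {
    char buf[ELF_NAME_MAX + 1];
    uint32_t offsets[] = { 1, 6, 9, 10, 0xFFFFFFF0u };   /* last two are bogus */
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int n = elf_sym_name(kStrtab, kStrtabSz, offsets[i], buf, sizeof buf);
        if (n < 0) printf("st_name=%u rejected\n", offsets[i]);
        else       printf("st_name=%u -> \"%s\" (%d)\n", offsets[i], buf, n);
    }
    return 0;
}
```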

@radare radare closed this as completed in e11e1a6 Jan 25, 2015