-P </dev/urandom should be restricted (crash every rnd time) #594

Closed
zonkzonk opened this issue Feb 3, 2014 · 11 comments
Comments

@zonkzonk
Contributor

zonkzonk commented Feb 3, 2014

The following incorrect parsing of input in -P lets either ld or libc crash. I suggest limiting
the size of input to -P.

#!/bin/sh
sysctl kernel.core_uses_pid=0
ulimit -c 50000
cp /bin/cp /tmp && cd /tmp
# keep feeding random bytes as the project file until r2 dumps core
until test -f core
do
  echo 'af;q'|r2 -D -P</dev/urandom /tmp/cp
  sleep 2
done

Note: only apply on test machines!

Example crash:

gdb -q r2  core 
Reading symbols from /usr/local/bin/radare2...done.

warning: core file may not match specified executable file.
[New LWP 1877]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff76ffe000
Core was generated by `r2 -D -P /tmp/cp'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f81564abeaa in __strchr_sse2 () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007f81564abeaa in __strchr_sse2 () from /usr/lib/libc.so.6
#1  0x00007f8159f70dce in cmd_interpret (data=0x6068e0 <r>, input=0x1b4c311 "ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>)
    at cmd.c:452
#2  0x00007f815853bf19 in r_cmd_call (cmd=0x1949d70, input=0x1b4c310 ".ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>)
    at cmd.c:172
#3  0x00007f8159f73a79 in r_core_cmd_subst_i (core=0x6068e0 <r>, cmd=0x1b4c310 ".ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>)
    at cmd.c:1341
#4  0x00007f8159f72292 in r_core_cmd_subst (core=0x6068e0 <r>, cmd=0x1b4c310 ".ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>)
    at cmd.c:909
#5  0x00007f8159f7447a in r_core_cmd (core=0x6068e0 <r>, cstr=0x1920010 ".ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>, log=1)
    at cmd.c:1524
#6  0x00007f8159f4ec1d in r_core_prompt_exec (r=0x6068e0 <r>) at core.c:710
#7  0x00000000004046ae in main (argc=4, argv=0x7fff76f22c08, envp=0x7fff76f22c30) at radare2.c:593
(gdb) 

[ 8573.478096] r2[1877]: segfault at 0 ip 00007f81564abeaa sp 00007fff76f22148 error 4 in libc-2.18.so[7f815642c000+1a0000]

r2 -v
radare2 0.9.7git @ linux-little-x86-64 git.0.9.6-457-gc56bb2c
commit: c56bb2c build: 2014-02-03

greetings
z.

@radare
Collaborator

radare commented Feb 3, 2014

Please print only the cmd line that makes it fail; /dev/random is not a reliable testcase.


@zonkzonk
Contributor Author

zonkzonk commented Feb 3, 2014

A command-line option should refuse input from /dev/urandom and/or unexpected input.

@radare
Collaborator

radare commented Feb 3, 2014

Wat


@deeso
Contributor

deeso commented Feb 3, 2014

@zonkzonk r2 is meant to consume, parse, and interpret data, so why would consuming a character buffer or a byte stream be a bug in radare?

@zonkzonk
Contributor Author

zonkzonk commented Feb 3, 2014

Here is another example:

sysctl: permission denied on key 'kernel.core_uses_pid'
 -- Rename a function using the 'afr newname @ offset' command
[0x00403609]> ?????9?NFV"?V -- To debug a program you can do dbg://${path-to-program} or use -d ${path..}
Slurping file '??w?W?:?T???bG?&hI??M????_U/??????)`'
cannot open file
|ERROR| Invalid command '?ik?=W???'
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
parse: Missing backtick in expression.?S?XP?s%?9e?-7?g?H?N?J?h
|ERROR| Invalid command '.L/??7`?eI}????&pt??'??>?S?XP?s%?9e?-7?g?H?N?J?h'
[0x00403609]> .?'?SH?]??8?_o(B>??7??H%??V
|ERROR| Invalid command '?'?SH?]??8?_o('
m: line 9:  5101 Broken pipe             echo 'af;q'
      5102 Segmentation fault      (core dumped) | r2 -D -P /tmp/cp < /dev/urandom

@deeso maybe that is more of a philosophical question: when you consume, parse, and interpret data, why would consuming a character buffer or a byte stream result in a core dump?

@radare
Collaborator

radare commented Feb 3, 2014

That ".?'?SH?]??8?_o(B>??7??H%??V" line is not segfaulting here. Can you please provide a proper test case in shell-script form or so?


@zonkzonk
Contributor Author

zonkzonk commented Feb 3, 2014

Raw file removed; see the uuencoded version below.

#!/bin/sh

sysctl kernel.core_uses_pid=0
ulimit -c 50000
cp /bin/cp /tmp && cd /tmp

while :
do
  sleep 0.2
  # take a chunk of random bytes and keep a copy in /tmp/buf
  cat </dev/urandom | head | tee -a /tmp/buf
  echo 'af;q' | r2 -D -P</tmp/buf /tmp/cp
  if test -f core
  then
    # keep the input that produced the core dump
    mv -v /tmp/buf /tmp/buf.core
    exit 0
  else
    rm -v /tmp/buf
  fi
done

uuencoded version:

uuencode buf.upload buf.upload.uu

@deeso my comment was somewhat misleading, but there is a difference between the file to analyse and project files, which I think should not differ that much.

@radare
Collaborator

radare commented Feb 21, 2014

Still not reproducible; can you reduce the problem to just a single statement that makes it crash? Test with the latest git again, please.

@radare radare added the invalid label Feb 21, 2014
@zonkzonk
Contributor Author

Who flagged this as invalid?

Well yes, just save the uuencoded payload as /tmp/buf, then,

 echo 'af;q'|r2 -D  -P</tmp/buf /tmp/cp

I don't know why you let me repeat this statement. :/
If you need help with uudecode, tell me.

@radare radare closed this as completed in 770431f Feb 23, 2014
@radare
Collaborator

radare commented Feb 23, 2014

Oh, that was cool. Running lldb with that rarun2 script allowed me to get the affected line, which was just a missing nullptr check.

$ cat crash.rarun2
program=/usr/bin/r2
arg1=-
stdin=/tmp/buf

$ lldb -- rarun2 crash.rarun2
(lldb) up
(lldb) list
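
The shape of such a bug, as an added example that is not radare2's code and not the fix in 770431f (which is not shown on the page): a toy "." command interpreter where, by assumption, a failed table lookup returns NULL and the crashing build passed that straight to strchr, which is what "segfault at 0" in __strchr_sse2 looks like. The names lookup_alias and interpret_dot and the alias table are constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed alias table; random bytes from /dev/urandom almost never match. */
static const char *lookup_alias(const char *name, size_t len) {
    static const char *table[][2] = { {"main", "s main @ entry"}, {"q", "quit"} };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strlen(table[i][0]) == len && memcmp(table[i][0], name, len) == 0)
            return table[i][1];
    return NULL;                                    /* unknown alias */
}

/* Expand ".<alias>[;...]" into its first word.  Returns 1 on success, 0 when
 * the input is rejected.  Every pointer is checked before strchr/memcpy,
 * so junk input is refused instead of dereferencing NULL. */
int interpret_dot(const char *input, char *out, size_t outsz) {
    if (!input || input[0] != '.' || !out || outsz == 0) return 0;
    const char *name = input + 1;
    const char *end = strchr(name, ';');            /* statement separator */
    size_t len = end ? (size_t)(end - name) : strlen(name);
    const char *expanded = lookup_alias(name, len);
    if (!expanded) return 0;      /* the check assumed missing in the crashing build */
    const char *sp = strchr(expanded, ' ');         /* safe: expanded is non-NULL */
    size_t n = sp ? (size_t)(sp - expanded) : strlen(expanded);
    if (n + 1 > outsz) return 0;                    /* never truncate silently */
    memcpy(out, expanded, n);
    out[n] = '\0';
    return 1;
}

int main(void) {
    /* Constructed inputs: two valid aliases and one chunk of junk bytes. */
    const char *samples[] = { ".main", ".q;af", ".\xc9\xa9\x8f\x96+j67JFZ" };
    char word[32];
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %s\n", samples[i],
               interpret_dot(samples[i], word, sizeof word) ? word : "rejected");
    return 0;
}
```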

@zonkzonk
Contributor Author

Nice :) Also, I didn't know about lldb.
