heap-buffer-overflow in r_hex_bin2str (libr/util/hex.c) #9915
Comments
radare added a commit that referenced this issue on Apr 18, 2018
The bug is not in hex_bin2str, but in the caller function in asm.c, and it's an OOB read, not exploitable.
On 17 Apr 2018, at 17:20, traceprobe wrote:
Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu x86 64 |
| File format of the file you reverse (mandatory) | dex |
| Architecture/bits of the file (mandatory) | ARM, Dalvik dex file version 035 |
| r2 -v full output, not truncated (mandatory) | radare2 2.6.0-git 17938 @ linux-x86-64 git.2.5.0-80-g0767f40 commit: 0767f40 build: 2018-04-17__10:33:03 |
Expected behavior
Successful processing of dex format
Actual behavior
heap-buffer-overflow
Steps to reproduce the behavior

1. download the attached POC
2. checkout commit 0767f40
3. build with ASAN: `ASAN='address' sys/asan.sh`
4. run: `radare2 -A $POC`
Vulnerable code

```c
// libr/util/hex.c
314 R_API int r_hex_bin2str(const ut8 *in, int len, char *out) {
315 	int i, idx;
316 	char tmp[5];
317 	if (len < 0)
318 		return 0;
319 	for (idx = i = 0; i < len; i++, idx += 2) {
320 		snprintf (tmp, sizeof (tmp), "%02x", in[i]);   // <-- hex.c:320: reads in[i] for every i < len, the READ flagged by ASAN
321 		memcpy (out+idx, tmp, 2);
322 	}
323 	out[idx] = 0;
324 	return len;
325 }
```
Additional Logs, screenshots, source-code, configuration dump, ...

```
==31621==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000bfc1 at pc 0x7f17af392af2 bp 0x7fffd8713a50 sp 0x7fffd8713a40
READ of size 1 at 0x61200000bfc1 thread T0
    #0 0x7f17af392af1 in r_hex_bin2str /home/test/radare2/libr/util/hex.c:320
    #1 0x7f17b0b7480d in r_asm_disassemble /home/test/radare2/libr/asm/asm.c:479
    #2 0x7f17b4a651f3 in r_core_anal_op /home/test/radare2/libr/core/canal.c:836
    #3 0x7f17b4a71f1e in fcn_callconv /home/test/radare2/libr/core/canal.c:2420
    #4 0x7f17b4a75bdc in r_core_anal_all /home/test/radare2/libr/core/canal.c:3026
    #5 0x7f17b493b4dd in cmd_anal_all /home/test/radare2/libr/core/cmd_anal.c:6292
    #6 0x7f17b493d78a in cmd_anal /home/test/radare2/libr/core/cmd_anal.c:6667
    #7 0x7f17b4a59c6e in r_cmd_call /home/test/radare2/libr/core/cmd_api.c:233
    #8 0x7f17b49bef3e in r_core_cmd_subst_i /home/test/radare2/libr/core/cmd.c:2686
    #9 0x7f17b49b83f0 in r_core_cmd_subst /home/test/radare2/libr/core/cmd.c:1733
    #10 0x7f17b49c40a0 in r_core_cmd /home/test/radare2/libr/core/cmd.c:3368
    #11 0x7f17b49c4e63 in r_core_cmd0 /home/test/radare2/libr/core/cmd.c:3535
    #12 0x55de9fdf2076 in main /home/test/radare2/binr/radare2/radare2.c:1286
    #13 0x7f17aed0e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x55de9fdebd38 in _start (/home/test/radare2/binr/radare2/radare2+0x6d38)

0x61200000bfc1 is located 0 bytes to the right of 257-byte region [0x61200000bec0,0x61200000bfc1)
allocated by thread T0 here:
    #0 0x7f17b4f5279a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x7f17b489f139 in r_core_init /home/test/radare2/libr/core/core.c:1743
    #2 0x55de9fded756 in main /home/test/radare2/binr/radare2/radare2.c:486
    #3 0x7f17aed0e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
```
POC: [radare2_2-6-0_radare2_heap-buffer-overflow_r_hex_bin2str.dex.zip](https://github.com/radare/radare2/files/1920450/radare2_2-6-0_radare2_heap-buffer-overflow_r_hex_bin2str.dex.zip)
Please send a PR to r2r with that dex file.
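An added example (not code from the report or from radare2) that models the contract r_hex_bin2str relies on: the function trusts `len` completely, reading `len` bytes from `in` and writing `2*len + 1` bytes to `out`, so bounds are the caller's job, which is why the maintainer points at asm.c rather than hex.c. `hex_bin2str_bounded` is a hypothetical caller-side guard (not the fix that landed in radare2), and the 4-byte input is constructed:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef uint8_t ut8;

/* Same logic as the snippet in the report, minus the line numbers. */
int r_hex_bin2str(const ut8 *in, int len, char *out) {
	int i, idx;
	char tmp[5];
	if (len < 0) return 0;
	for (idx = i = 0; i < len; i++, idx += 2) {
		/* in[i] is read unconditionally: out of bounds once len exceeds the
		 * bytes really present in `in` (the hex.c:320 read in the ASAN log). */
		snprintf (tmp, sizeof (tmp), "%02x", in[i]);
		memcpy (out + idx, tmp, 2);
	}
	out[idx] = 0;
	return len;
}

/* Hypothetical caller-side guard (not radare2's fix): clamp the requested
 * length to the bytes available in `in` and to the room in `out`
 * (two hex chars per byte plus the NUL). Returns the bytes encoded. */
int hex_bin2str_bounded(const ut8 *in, size_t in_avail, int want,
                        char *out, size_t out_cap) {
	if (out_cap == 0) return 0;
	if (want < 0) {
		out[0] = 0;
		return 0;
	}
	size_t n = (size_t)want;
	if (n > in_avail) n = in_avail;                   /* never read past the input */
	if (n > (out_cap - 1) / 2) n = (out_cap - 1) / 2; /* never write past the output */
	return r_hex_bin2str (in, (int)n, out);
}

int main(void) {
	/* Constructed sample: 4 bytes present but 8 requested, the same kind of
	 * mismatch ASAN flagged (read 0 bytes past a 257-byte region). */
	ut8 insn[4] = { 0x6e, 0x20, 0x01, 0x00 };
	char hex[32];
	int n = hex_bin2str_bounded (insn, sizeof insn, 8, hex, sizeof hex);
	printf ("encoded %d bytes: %s\n", n, hex);
	return 0;
}
```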
SakiiR pushed a commit to SakiiR/radare2 that referenced this issue on Jul 1, 2019
This issue looks different from issue #8673, which is a stack-based overflow and has been patched.