SEGV in LIEF::BinaryStream::peek_in at BinaryStream/BinaryStream.hpp:205 #806

Closed
bladchan opened this issue Oct 8, 2022 · 0 comments
bladchan commented Oct 8, 2022

Describe the bug
A malformed Mach-O file can lead LIEF::MachO::Parser::parse() to a segmentation fault.
PoC is here: segv_peek_in.zip

To Reproduce

  1. Build the whole project with ASAN
  2. Driver program (compile it with ASAN too):
// read_macho.c
#include <LIEF/LIEF.hpp>
#include <iostream>   // std::cerr, std::endl
#include <memory>     // std::unique_ptr

int main(int argc, char** argv) {
    if (argc != 2) return 0;

    try {
        // Parse the (possibly malformed) Mach-O file named on the command line.
        std::unique_ptr<LIEF::MachO::FatBinary> macho = LIEF::MachO::Parser::parse(argv[1]);
    } catch (const LIEF::exception& err) {
        std::cerr << err.what() << std::endl;
    }

    return 0;
}
  3. Run the PoC:
$ ./read_macho segv_peek_in.bin

Expected behavior
Parse the Mach-O file without a segmentation fault, because a segmentation fault can cause a Denial of Service (DoS).

Environment (please complete the following information):

  • System and Version: Ubuntu 20.04 + gcc 9.4.0
  • Target format : Mach-O
  • LIEF commit version: 84b0909

Additional context
ASAN says:

$ ./read_macho segv_peek_in.bin
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Command 'Out of range' not parsed!
Relocations corrupted
Relocations corrupted
Relocations corrupted
Relocations corrupted
Relocations corrupted
Relocations corrupted
Dyld Chained Fixups: 14253056 is an unknown format
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3327106==ERROR: AddressSanitizer: SEGV on unknown address 0x629000015300 (pc 0x7fe2193e7c23 bp 0x7ffe90ec4e70 sp 0x7ffe90ec45d8 T0)
==3327106==The signal is caused by a READ memory access.
    #0 0x7fe2193e7c22  (/lib/x86_64-linux-gnu/libc.so.6+0xbbc22)
    #1 0x7fe21990537e in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #2 0x5607123eed70 in LIEF::BinaryStream::peek_in(void*, unsigned long, unsigned long) const /home/ubuntu/test/LIEF_84b0909/include/LIEF/BinaryStream/BinaryStream.hpp:205
    #3 0x560712bb770a in boost::leaf::result<LIEF::MachO::details::dyld_chained_starts_in_image> LIEF::BinaryStream::peek<LIEF::MachO::details::dyld_chained_starts_in_image>() const /home/ubuntu/test/LIEF_84b0909/include/LIEF/BinaryStream/BinaryStream.hpp:259
    #4 0x560712b88899 in boost::leaf::result<LIEF::MachO::details::dyld_chained_starts_in_image> LIEF::BinaryStream::read<LIEF::MachO::details::dyld_chained_starts_in_image>() const /home/ubuntu/test/LIEF_84b0909/include/LIEF/BinaryStream/BinaryStream.hpp:247
    #5 0x560712b607ac in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_chained_fixup<LIEF::MachO::details::MachO32>(LIEF::MachO::details::dyld_chained_fixups_header const&, LIEF::SpanStream&) /home/ubuntu/test/LIEF_84b0909/src/MachO/BinaryParser.tcc:2449
    #6 0x560712b24b93 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_chained_payload<LIEF::MachO::details::MachO32>(LIEF::SpanStream&) /home/ubuntu/test/LIEF_84b0909/src/MachO/BinaryParser.tcc:2315
    #7 0x560712af092e in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF_84b0909/src/MachO/BinaryParser.tcc:143
    #8 0x560712ae084f in LIEF::MachO::BinaryParser::init_and_parse() /home/ubuntu/test/LIEF_84b0909/src/MachO/BinaryParser.cpp:145
    #9 0x560712adfe1f in LIEF::MachO::BinaryParser::parse(std::unique_ptr<LIEF::BinaryStream, std::default_delete<LIEF::BinaryStream> >, unsigned long, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF_84b0909/src/MachO/BinaryParser.cpp:125
    #10 0x560712366586 in LIEF::MachO::Parser::build() /home/ubuntu/test/LIEF_84b0909/src/MachO/Parser.cpp:174
    #11 0x560712362eed in LIEF::MachO::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF_84b0909/src/MachO/Parser.cpp:64
    #12 0x5607121cc8b1 in main /home/ubuntu/test/LIEF_84b0909/read_macho.c:8
    #13 0x7fe219350082 in __libc_start_main ../csu/libc-start.c:308
    #14 0x5607121cc55d in _start (/home/ubuntu/test/LIEF_84b0909/read_macho+0x33055d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbc22) 
==3327106==ABORTING
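The expected behaviour in the report is that an out-of-range read fails cleanly instead of faulting inside memcpy. As an added illustration (not LIEF's code and not the fix the project applied), here is a hypothetical minimal stream whose peek_in refuses any range that falls outside the buffer, including offsets that would wrap, exercised on a constructed truncated chained-fixups start record like the one the trace shows being read:

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>
// Hypothetical stand-in for a byte-backed stream (not LIEF's BinaryStream).
class SafeStream {
    std::vector<uint8_t> data_;
public:
    explicit SafeStream(std::vector<uint8_t> data) : data_(data) {}
    // Bounds-checked peek: copy `size` bytes at `offset` into `dst` only when the
    // whole range lies inside the buffer; otherwise refuse and leave `dst` untouched.
    bool peek_in(void* dst, uint64_t offset, uint64_t size) const {
        // `offset + size` can wrap on crafted input, so compare without adding.
        if (offset > data_.size() || size > data_.size() - offset) return false;
        std::memcpy(dst, data_.data() + offset, static_cast<std::size_t>(size));
        return true;
    }
    // Typed peek on top of the checked primitive: nullopt instead of a crash.
    template <class T> std::optional<T> peek(uint64_t offset) const {
        T value{};
        if (!peek_in(&value, offset, sizeof(T))) return std::nullopt;
        return value;
    }
};
// Same leading fields as dyld's dyld_chained_starts_in_image, the record the
// crashing read in the report was fetching; declared here for the demo only.
struct ChainedStartsInImage {
    uint32_t seg_count;
    uint32_t seg_info_offset[1];
};
// Constructed 6-byte payload where the 8-byte record is expected: must be refused.
bool truncated_read_is_refused() {
    SafeStream s({0x01, 0x00, 0x00, 0x00, 0x08, 0x00});
    return !s.peek<ChainedStartsInImage>(0).has_value();
}
// An offset near UINT64_MAX must not wrap past the length check.
bool wraparound_read_is_refused() {
    SafeStream s({1, 2, 3, 4, 5, 6, 7, 8});
    uint8_t buf[8];
    return !s.peek_in(buf, UINT64_MAX - 3, 8);
}
// A well-formed record is still read (little-endian host assumed).
bool in_bounds_read_works() {
    SafeStream s({0x02, 0, 0, 0, 0x10, 0, 0, 0});
    auto v = s.peek<ChainedStartsInImage>(0);
    return v && v->seg_count == 2 && v->seg_info_offset[0] == 0x10;
}
```

The length check is done by subtraction rather than `offset + size <= length` so that an attacker-chosen offset cannot wrap the sum back into range.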