
binary->name in macho_reader.c has not been initialized, causing program crashes or random printing of large amounts of data #1038

Closed
ld1ng opened this issue Mar 29, 2024 · 1 comment
Comments


ld1ng commented Mar 29, 2024

Hello, I would like to bring to your attention that I encountered a potential issue while using it.

```cpp
// source code (excerpt as posted; "..." marks lines elided by the reporter)

Macho_Binary_t** macho_binaries = macho_parse(argv[1]);
  ...
for (idx = 0; macho_binaries[idx] != NULL; ++idx) {
  print_binary(macho_binaries[idx]);
}

Macho_Binary_t** macho_parse(const char *file) {
  FatBinary* fat = Parser::parse(file).release();
  ...
  auto** c_macho_binaries = static_cast<Macho_Binary_t**>(
      malloc((fat->size() + 1) * sizeof(Macho_Binary_t**)));

  for (size_t i = 0; i < nb_bin; ++i) {
    Binary* binary = fat->at(i);
    if (binary != nullptr) {
      // malloc does not zero the struct: any field init_c_binary() skips stays indeterminate
      c_macho_binaries[i] = static_cast<Macho_Binary_t*>(malloc(sizeof(Macho_Binary_t)));
      init_c_binary(c_macho_binaries[i], binary);
    }
  }
  fat->release_all_binaries();
  c_macho_binaries[nb_bin] = nullptr;
  delete fat;
  return c_macho_binaries;
}

void init_c_binary(Macho_Binary_t* c_binary, Binary* binary) {
  c_binary->handler = reinterpret_cast<void*>(binary);
  c_binary->imagebase = binary->imagebase();
  // c_binary->name is never assigned here
  init_c_header(c_binary, binary);
  init_c_commands(c_binary, binary);
  init_c_symbols(c_binary, binary);
  init_c_sections(c_binary, binary);
  init_c_segments(c_binary, binary);
}
```

It seems that `name` was not initialized in the `macho_parse` function, resulting in a large amount of random memory data being printed or the program terminating abnormally when executing `fprintf(stdout, "Binary Name: %s\n", binary->name);`

poc + log: poc.zip

```shell
./macho_reader ./poc.bin
```

Environment (please complete the following information):

  • System and Version : Ubuntu 20.04 + gcc 9.4.0
  • Target format: Mach-O
  • LIEF commit version: bae887e

ASan report

```
...
nlist[7646].str_idx seems corrupted (0x00000000)
nlist[7647].str_idx seems corrupted (0x00000000)
nlist[7648].str_idx seems corrupted (0x00000000)
nlist[7649].str_idx seems corrupted (0x00000000)
Can't read nlist #23
Can't find the segment that contains the LC_SYMTAB.n_list
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7344==ERROR: AddressSanitizer: SEGV on unknown address S (pc 0x7f46d4996616 bp 0x7fff9d5bd8f0 sp 0x7fff9d5bd018 T0)
==7344==The signal is caused by a READ memory access.
==7344==Hint: address points to the zero page.
    #0 0x7f46d4996615 in __sanitizer::internal_strlen(char const*) ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cc:164
    #1 0x7f46d490d174 in printf_common ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:544
    #2 0x7f46d490dfb6 in __interceptor_vfprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1604
    #3 0x7f46d490e1ce in __interceptor___fprintf_chk ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1666
    #4 0x564d5318fb77 in fprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:100
    #5 0x564d5318fb77 in print_binary /home/ld1ng/LIEF/examples/c/macho_reader.c:9
    #6 0x564d5318cf3c in main /home/ld1ng/LIEF/examples/c/macho_reader.c:156
    #7 0x7f46d4356082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x564d5318fa7d in _start (/home/ld1ng/LIEF/build/examples/c/macho_reader+0x2aca7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cc:164 in __sanitizer::internal_strlen(char const*)
==7344==ABORTING
```

gdb backtrace

```
pwndbg> bt
#0  0x00007ffff76ab616 in __sanitizer::internal_strlen (s=0xbebebebebebebebe <error: Cannot access memory at address 0xbebebebebebebebe>) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cc:165
#1  0x00007ffff7622175 in printf_common(void *, const char *, typedef __va_list_tag __va_list_tag *) (ctx=ctx@entry=0x7fffffffdd18, format=format@entry=0x55555666e004 "Binary Name: %s\n", aq=0x7fffffffdd20) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:544
#2  0x00007ffff7622fb7 in __interceptor_vfprintf(__sanitizer::__sanitizer_FILE *, const char *, typedef __va_list_tag __va_list_tag *) (stream=0x7ffff72346a0 <_IO_2_1_stdout_>, format=<optimized out>, ap=ap@entry=0x7fffffffdd70) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1604
#3  0x00007ffff76231cf in __interceptor___fprintf_chk (stream=<optimized out>, size=<optimized out>, format=<optimized out>) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1666
#4  0x0000555555800b78 in fprintf (__fmt=0x55555666e004 "Binary Name: %s\n", __stream=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:100
#5  print_binary (binary=0x608000000020) at /home/ld1ng/LIEF/examples/c/macho_reader.c:9
#6  0x00005555557fdf3d in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffdfb8) at /home/ld1ng/LIEF/examples/c/macho_reader.c:156
#7  0x00007ffff706b083 in __libc_start_main (main=0x5555557fdee0 <main>, argc=2, argv=0x7fffffffdfb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdfa8) at ../csu/libc-start.c:308
#8  0x0000555555800a7e in _start () at /home/ld1ng/LIEF/examples/c/macho_reader.c:162
```

Hope that helps!
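The bug class in this report, shown as an added example that is not LIEF's code: a struct is handed out by `malloc`, the field-by-field initializer skips one pointer field, and a later `%s` dereferences whatever bytes the allocator left there. The `0xbebebebebebebebe` value in the gdb backtrace is AddressSanitizer's default `malloc_fill_byte` (`0xbe`) pattern for fresh allocations, which is how the backtrace alone tells you "uninitialized field" rather than "use after free". The `demo_binary_t` layout and every `demo_*` function below are hypothetical and only mirror the shape of the posted code; the fill-helper imitates ASan's behaviour so the example reproduces the diagnostic without a sanitizer build.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the C-API struct in the report; not LIEF's real layout. */
typedef struct {
    void       *handler;
    const char *name;       /* the field the reported initializer never sets */
    uint64_t    imagebase;
} demo_binary_t;

/* Imitates AddressSanitizer's default of filling newly malloc'd blocks with
 * 0xbe (ASAN_OPTIONS malloc_fill_byte), so an unset pointer reads as
 * 0xbebebebebebebebe on a 64-bit target, exactly as in the gdb backtrace. */
static void *demo_malloc_filled(size_t n) {
    void *p = malloc(n);
    if (p != NULL) memset(p, 0xbe, n);
    return p;
}

/* The pattern from the report: malloc, then assign some fields and forget `name`.
 * Returned struct has an indeterminate `name`; never pass it to printf("%s"). */
demo_binary_t *demo_init_partial(uint64_t imagebase) {
    demo_binary_t *b = demo_malloc_filled(sizeof *b);
    if (b == NULL) return NULL;
    b->handler   = NULL;
    b->imagebase = imagebase;
    /* b->name deliberately left unset to mirror the issue */
    return b;
}

/* Hardened variant: calloc zero-fills, so a field the initializer forgets is
 * NULL/0 instead of stale heap bytes; then every pointer field is set explicitly. */
demo_binary_t *demo_init_full(uint64_t imagebase, const char *name) {
    demo_binary_t *b = calloc(1, sizeof *b);
    if (b == NULL) return NULL;
    b->imagebase = imagebase;
    b->name      = name;     /* may legitimately be NULL */
    return b;
}

/* Diagnostic: does the object representation of `name` consist solely of the
 * ASan fill byte? Reads the bytes via memcpy (well-defined), not the pointer. */
int demo_name_is_fill_pattern(const demo_binary_t *b) {
    unsigned char bytes[sizeof b->name];
    memcpy(bytes, &b->name, sizeof bytes);
    for (size_t i = 0; i < sizeof bytes; ++i)
        if (bytes[i] != 0xbe) return 0;
    return 1;
}

/* Consumer side: the crash in the report is printf's strlen on a bad pointer,
 * so a NULL check before "%s" is the minimum guard. Returns 1 when a real name
 * was printed, 0 when it fell back to a placeholder. */
int demo_print_name(FILE *out, const demo_binary_t *b) {
    if (b->name == NULL) {
        fprintf(out, "Binary Name: <none>\n");
        return 0;
    }
    fprintf(out, "Binary Name: %s\n", b->name);
    return 1;
}

int main(void) {
    demo_binary_t *bad  = demo_init_partial(0x100000000ULL);
    demo_binary_t *good = demo_init_full(0x100000000ULL, NULL);
    if (bad == NULL || good == NULL) return 1;
    printf("partial init leaves ASan fill pattern in name: %d\n",
           demo_name_is_fill_pattern(bad));
    demo_print_name(stdout, good);   /* safe: NULL name becomes a placeholder */
    free(bad);
    free(good);
    return 0;
}
```

The takeaway for a C wrapper over a C++ object: either zero the struct (`calloc` or a `memset` right after `malloc`) so that a missed field fails closed, or have the initializer assign every member, and in any case treat `char *` fields as possibly NULL at every `%s`.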

@romainthomas (Member)

Thank you @ld1ng. This attribute should actually not be present anymore.
