
invalid read error/heap buffer overflow at mdmp.c:364 #10464

Closed
macromachine opened this issue Jun 24, 2018 · 2 comments

@macromachine commented Jun 24, 2018

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu x86 32 |
| File format of the file you reverse (mandatory) | Mini Dump crash report |
| Architecture/bits of the file (mandatory) | x86/64 etc. |
| r2 -v full output, not truncated (mandatory) | radare2 2.7.0-git 18523 @ linux-x86-64 git.2.6.0-343-g6402c87a8 commit: 6402c87 build: 2018-06-24__11:44:42 |

Expected behavior

r2 should analyze a mini dump crash report binary quickly

Actual behavior

r2 leads to the non-pointer error/heap buffer overflow

Steps to reproduce the behavior

1. Download POC1 or POC2
2. Run `r2 -A -Q $POC*`
3. The Address Sanitizer output (`ASAN_OPTIONS=detect_odr_violation=0:abort_on_error=1:symbolize=1:detect_leaks=0`):

$POC1:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==9940==ERROR: AddressSanitizer: SEGV on unknown address 0x61600100449b (pc 0x7f59ff771878 bp 0x7fff87dc2ad0 sp 0x7fff87dc1ec0 T0)
==9940==The signal is caused by a READ memory access.
    #0 0x7f59ff771877 in r_bin_mdmp_init_directory_entry /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/../format/mdmp/mdmp.c:364:22
    #1 0x7f59ff770354 in r_bin_mdmp_init_directory /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/../format/mdmp/mdmp.c:663:3
    #2 0x7f59ff76ef59 in r_bin_mdmp_init /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/../format/mdmp/mdmp.c:786:7
    #3 0x7f59ff76ecd9 in r_bin_mdmp_new_buf /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/../format/mdmp/mdmp.c:832:7
    #4 0x7f59ff7674b6 in load_bytes /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/bin_mdmp.c:195:13
    #5 0x7f59ff5dd14d in r_bin_object_new /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/obj.c:58:16
    #6 0x7f59ff5d4d1e in r_bin_file_new_from_bytes /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/file.c:514:6
    #7 0x7f59ff5addb1 in r_bin_load_io_at_offset_as_sz /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/bin.c:463:14
    #8 0x7f59ff5ac196 in r_bin_load_io_at_offset_as /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/bin.c:480:12
    #9 0x7f59ff5abf8f in r_bin_load_io /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/bin.c:360:9
    #10 0x7f5a009a60d2 in r_core_file_do_load_for_io_plugin /home/hjwang/Fuzzing_Object/radare_asan/libr/core/file.c:412:7
    #11 0x7f5a009a1ae9 in r_core_bin_load /home/hjwang/Fuzzing_Object/radare_asan/libr/core/file.c:569:4
    #12 0x562651ee7c25 in main /home/hjwang/Fuzzing_Object/radare_asan/binr/radare2/radare2.c:1070:15
    #13 0x7f59f9526b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x562651de7ed9 in _start (/home/hjwang/Fuzzing_Object/radare_asan/binr/radare2/radare2+0x22ed9)

AddressSanitizer can not provide additional info.

$POC2:

==15560==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000005588 at pc 0x7fa653883823 bp 0x7fffb3a1b110 sp 0x7fffb3a1b108
READ of size 4 at 0x616000005588 thread T0
    #0 0x7fa653883822 in r_bin_mdmp_init_directory_entry /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/../format/mdmp/mdmp.c:364:22
    #1 0x7fa653882354 in r_bin_mdmp_init_directory /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/../format/mdmp/mdmp.c:663:3
    #2 0x7fa653880f59 in r_bin_mdmp_init /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/../format/mdmp/mdmp.c:786:7
    #3 0x7fa653880cd9 in r_bin_mdmp_new_buf /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/../format/mdmp/mdmp.c:832:7
    #4 0x7fa6538794b6 in load_bytes /home/hjwang/Fuzzing_Object/radare_asan/libr/..//libr/bin/p/bin_mdmp.c:195:13
    #5 0x7fa6536ef14d in r_bin_object_new /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/obj.c:58:16
    #6 0x7fa6536e6d1e in r_bin_file_new_from_bytes /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/file.c:514:6
    #7 0x7fa6536bfdb1 in r_bin_load_io_at_offset_as_sz /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/bin.c:463:14
    #8 0x7fa6536be196 in r_bin_load_io_at_offset_as /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/bin.c:480:12
    #9 0x7fa6536bdf8f in r_bin_load_io /home/hjwang/Fuzzing_Object/radare_asan/libr/bin/bin.c:360:9
    #10 0x7fa654ab80d2 in r_core_file_do_load_for_io_plugin /home/hjwang/Fuzzing_Object/radare_asan/libr/core/file.c:412:7
    #11 0x7fa654ab3ae9 in r_core_bin_load /home/hjwang/Fuzzing_Object/radare_asan/libr/core/file.c:569:4
    #12 0x55a7c1393c25 in main /home/hjwang/Fuzzing_Object/radare_asan/binr/radare2/radare2.c:1070:15
    #13 0x7fa64d638b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x55a7c1293ed9 in _start (/home/hjwang/Fuzzing_Object/radare_asan/binr/radare2/radare2+0x22ed9)

Address 0x616000005588 is a wild pointer.
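Added example, not part of this issue and not radare2's code or the fix that landed in eb7deb2: a minidump stream-directory walker in C that validates every range against the buffer before reading it. Both ASAN traces above fault inside r_bin_mdmp_init_directory_entry while it reads a directory entry, which is the class of out-of-bounds read this kind of check prevents. The header and directory layout follow the public MINIDUMP_HEADER and MINIDUMP_DIRECTORY structures; the sample images are constructed inline (they are not the POC files), and the function and scenario names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk minidump layout (little-endian): MINIDUMP_HEADER is 32 bytes, each
 * MINIDUMP_DIRECTORY entry is 12 bytes {StreamType, Location.DataSize, Location.Rva}. */
#define MDMP_SIGNATURE      0x504D444Du  /* "MDMP" */
#define MDMP_VERSION        42899u       /* MINIDUMP_VERSION */
#define MDMP_HEADER_SIZE    32u
#define MDMP_DIR_ENTRY_SIZE 12u

typedef struct { uint32_t stream_type, data_size, rva; } mdmp_dir_entry;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* True if [off, off+len) lies inside a buffer of buf_len bytes. Two comparisons
 * rather than one so that off+len can never wrap around. */
static int range_in_buf(size_t buf_len, uint64_t off, uint64_t len) {
    return off <= buf_len && len <= buf_len - off;
}

/* Walk the stream directory of an in-memory minidump. Returns the number of
 * entries copied to out (at most max_out), or -1 if the header or the directory
 * itself does not fit inside buf. Entries whose data range falls outside buf
 * are counted in *skipped instead of being dereferenced. */
int mdmp_parse_directory(const uint8_t *buf, size_t buf_len,
                         mdmp_dir_entry *out, size_t max_out, size_t *skipped) {
    *skipped = 0;
    if (buf_len < MDMP_HEADER_SIZE || rd32(buf) != MDMP_SIGNATURE) return -1;
    uint32_t nstreams = rd32(buf + 8);
    uint32_t dir_rva  = rd32(buf + 12);
    /* The whole directory must fit before a single entry is read: a header that
     * claims more entries than the file holds would otherwise walk off the end. */
    if (!range_in_buf(buf_len, dir_rva, (uint64_t)nstreams * MDMP_DIR_ENTRY_SIZE)) return -1;
    size_t count = 0;
    for (uint32_t i = 0; i < nstreams; i++) {
        const uint8_t *e = buf + dir_rva + (size_t)i * MDMP_DIR_ENTRY_SIZE;
        mdmp_dir_entry d = { rd32(e), rd32(e + 4), rd32(e + 8) };
        if (!range_in_buf(buf_len, d.rva, d.data_size)) {
            (*skipped)++;   /* stream data lies outside the file: never follow it */
            continue;
        }
        if (count < max_out) out[count] = d;
        count++;
    }
    return (int)count;
}

/* Constructed sample image (not a real crash dump): header, `real_streams`
 * directory entries at offset 32, and a 4-byte data blob per entry after the
 * directory. `claimed_streams` is what the header advertises, so a caller can
 * make it disagree with what is actually present. Returns the image length. */
size_t build_sample_dump(uint8_t *buf, size_t cap, uint32_t claimed_streams, uint32_t real_streams) {
    size_t dir_off  = MDMP_HEADER_SIZE;
    size_t data_off = dir_off + (size_t)real_streams * MDMP_DIR_ENTRY_SIZE;
    size_t total    = data_off + (size_t)real_streams * 4;
    if (total > cap) return 0;
    memset(buf, 0, total);
    wr32(buf, MDMP_SIGNATURE);
    wr32(buf + 4, MDMP_VERSION);
    wr32(buf + 8, claimed_streams);
    wr32(buf + 12, (uint32_t)dir_off);
    for (uint32_t i = 0; i < real_streams; i++) {
        uint8_t *e = buf + dir_off + (size_t)i * MDMP_DIR_ENTRY_SIZE;
        wr32(e, 3 + i);                                      /* arbitrary StreamType */
        wr32(e + 4, 4);                                      /* Location.DataSize */
        wr32(e + 8, (uint32_t)(data_off + (size_t)i * 4));   /* Location.Rva */
    }
    return total;
}

/* Well-formed dump with two streams: both entries are accepted (returns 2). */
int scenario_wellformed(void) {
    uint8_t buf[256]; mdmp_dir_entry ents[8]; size_t skipped;
    size_t len = build_sample_dump(buf, sizeof buf, 2, 2);
    return mdmp_parse_directory(buf, len, ents, 8, &skipped);
}

/* Header advertises 1000 entries but only two exist: walking the directory
 * would read past the buffer, so the file is rejected up front (returns -1). */
int scenario_oversized_directory(void) {
    uint8_t buf[256]; mdmp_dir_entry ents[8]; size_t skipped;
    size_t len = build_sample_dump(buf, sizeof buf, 1000, 2);
    return mdmp_parse_directory(buf, len, ents, 8, &skipped);
}

/* Second entry's Rva points far past the end of the file: it is skipped, not
 * dereferenced. Returns valid*10 + skipped, i.e. 11. */
int scenario_entry_out_of_bounds(void) {
    uint8_t buf[256]; mdmp_dir_entry ents[8]; size_t skipped;
    size_t len = build_sample_dump(buf, sizeof buf, 2, 2);
    wr32(buf + MDMP_HEADER_SIZE + MDMP_DIR_ENTRY_SIZE + 8, 0xFFFFFFF0u);
    int n = mdmp_parse_directory(buf, len, ents, 8, &skipped);
    return n * 10 + (int)skipped;
}

int main(void) {
    printf("well-formed: %d entries\n", scenario_wellformed());
    printf("oversized directory: %d (rejected)\n", scenario_oversized_directory());
    printf("out-of-bounds entry: %d (valid*10+skipped)\n", scenario_entry_out_of_bounds());
    return 0;
}
```

The ordering is the point: the directory as a whole is validated against the buffer length before any entry is read, and each entry's Location is validated before the data it points at is touched. Skipping a bad entry rather than aborting keeps partially damaged dumps loadable while still never reading outside the mapped file, and the 64-bit arithmetic in range_in_buf keeps a 32-bit NumberOfStreams times the entry size from wrapping into a small, seemingly valid length.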

@XVilka XVilka added the bug label Jun 25, 2018

@macromachine macromachine changed the title null pointer error/heap buffer overflow at mdmp.c:364 invalid read error/heap buffer overflow at mdmp.c:364 Jun 25, 2018

@Maijin Maijin added the fuzzing label Jul 7, 2018

@radare radare added this to the 2.7.0 milestone Jul 9, 2018

radare added a commit that referenced this issue Jul 9, 2018

@radare radare closed this in eb7deb2 Jul 9, 2018

@macromachine commented Aug 27, 2018

CVE-2018-14016

@macromachine commented Aug 28, 2018