
memory corruption in flirt signature loading #11274

Closed
oddcoder opened this issue Aug 27, 2018 · 5 comments
Labels
zignatures Native radare2 signatures file format handing
Comments

@oddcoder
Contributor

memory corruption in flirt signature loading

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | gentoo x64 |
| File format of the file you reverse (mandatory) | N/A |
| Architecture/bits of the file (mandatory) | N/A |
| r2 -v full output, not truncated (mandatory) | radare2 2.9.0-git 19237 @ linux-x86-64 git.2.8.0-226-ge2df259a8 commit: e2df259 build: 2018-08-27__12:31:45 |

Expected behavior

Flirt database loading

Actual behavior

memory corruption

Steps to reproduce the behavior

➜ r2 -N -
[0x00000000]> zfs ./libsslMT_13_msvc_x86.sig 
malloc(): memory corruption
[1]    32074 abort      r2 -N -
➜  

Additional Logs, screenshots, source-code, configuration dump, ...

libsslMT_13_msvc_x86.sig.zip

@radare
Collaborator

radare commented Aug 27, 2018 via email

@oddcoder
Contributor Author

=================================================================
==3526==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000050986 at pc 0x7fcc0c6c00f1 bp 0x7ffdc26831d0 sp 0x7ffdc26831c0
WRITE of size 1 at 0x619000050986 thread T0
    #0 0x7fcc0c6c00f0 in read_module_referenced_functions /home/oddcoder/projects/radare2/libr/anal/flirt.c:801
    #1 0x7fcc0c6c0ac6 in parse_leaf /home/oddcoder/projects/radare2/libr/anal/flirt.c:964
    #2 0x7fcc0c6c128a in parse_tree /home/oddcoder/projects/radare2/libr/anal/flirt.c:1055
    #3 0x7fcc0c6c20d3 in flirt_parse /home/oddcoder/projects/radare2/libr/anal/flirt.c:1393
    #4 0x7fcc0c6c2502 in r_sign_flirt_scan /home/oddcoder/projects/radare2/libr/anal/flirt.c:1470
    #5 0x7fcc0e728615 in cmdFlirt /home/oddcoder/projects/radare2/libr/core/cmd_zign.c:516
    #6 0x7fcc0e72b622 in cmd_zign /home/oddcoder/projects/radare2/libr/core/cmd_zign.c:817
    #7 0x7fcc0e8b8062 in r_cmd_call /home/oddcoder/projects/radare2/libr/core/cmd_api.c:237
    #8 0x7fcc0e813580 in r_core_cmd_subst_i /home/oddcoder/projects/radare2/libr/core/cmd.c:2901
    #9 0x7fcc0e80c279 in r_core_cmd_subst /home/oddcoder/projects/radare2/libr/core/cmd.c:1930
    #10 0x7fcc0e8189fa in r_core_cmd /home/oddcoder/projects/radare2/libr/core/cmd.c:3605
    #11 0x7fcc0e6d0cec in r_core_prompt_exec /home/oddcoder/projects/radare2/libr/core/core.c:2511
    #12 0x55d28f1cf3ae in main /home/oddcoder/projects/radare2/binr/radare2/radare2.c:1396
    #13 0x7fcc0899bf09 in __libc_start_main (/lib64/libc.so.6+0x20f09)
    #14 0x55d28f1c8199 in _start (/home/oddcoder/projects/radare2/binr/radare2/radare2+0x7199)

0x619000050986 is located 0 bytes to the right of 1030-byte region [0x619000050580,0x619000050986)
allocated by thread T0 here:
    #0 0x7fcc0ee4bf18 in __interceptor_calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/libasan.so.4+0xdef18)
    #1 0x7fcc0c6bff29 in read_module_referenced_functions /home/oddcoder/projects/radare2/libr/anal/flirt.c:771
    #2 0x7fcc0c6c0ac6 in parse_leaf /home/oddcoder/projects/radare2/libr/anal/flirt.c:964
    #3 0x7fcc0c6c128a in parse_tree /home/oddcoder/projects/radare2/libr/anal/flirt.c:1055
    #4 0x7fcc0c6c20d3 in flirt_parse /home/oddcoder/projects/radare2/libr/anal/flirt.c:1393
    #5 0x7fcc0c6c2502 in r_sign_flirt_scan /home/oddcoder/projects/radare2/libr/anal/flirt.c:1470
    #6 0x7fcc0e728615 in cmdFlirt /home/oddcoder/projects/radare2/libr/core/cmd_zign.c:516
    #7 0x7fcc0e72b622 in cmd_zign /home/oddcoder/projects/radare2/libr/core/cmd_zign.c:817
    #8 0x7fcc0e8b8062 in r_cmd_call /home/oddcoder/projects/radare2/libr/core/cmd_api.c:237
    #9 0x7fcc0e813580 in r_core_cmd_subst_i /home/oddcoder/projects/radare2/libr/core/cmd.c:2901
    #10 0x7fcc0e80c279 in r_core_cmd_subst /home/oddcoder/projects/radare2/libr/core/cmd.c:1930
    #11 0x7fcc0e8189fa in r_core_cmd /home/oddcoder/projects/radare2/libr/core/cmd.c:3605
    #12 0x7fcc0e6d0cec in r_core_prompt_exec /home/oddcoder/projects/radare2/libr/core/core.c:2511
    #13 0x55d28f1cf3ae in main /home/oddcoder/projects/radare2/binr/radare2/radare2.c:1396
    #14 0x7fcc0899bf09 in __libc_start_main (/lib64/libc.so.6+0x20f09)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/oddcoder/projects/radare2/libr/anal/flirt.c:801 in read_module_referenced_functions
Shadow bytes around the buggy address:
  0x0c32800020e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800020f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280002130:[06]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280002140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280002150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280002160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280002170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280002180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3526==ABORTING
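The report above is the classic shape of an off-by-one heap write: a one-byte WRITE landing 0 bytes past the end of a calloc'd region while a parser copies variable-length, attacker-controlled fields out of an untrusted signature file. The following is an added example, not code from radare2 or from flirt.c, showing how a reader for such a record should bound every copy. The record layout (a count byte followed by entries of `[u8 name_len][name bytes]`), the function name `read_referenced_names`, `NAME_CAP` and the sample bytes are all constructed for this illustration and do not describe the real FLIRT format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout for this example (NOT the real FLIRT format):
 *   u8 count, then count entries of [u8 name_len][name_len bytes].
 * Each name is copied into a fixed caller-supplied row as a NUL-terminated
 * string, so a name needs name_len + 1 bytes of room. */
#define NAME_CAP 32

/* Returns the number of names copied, or -1 when the input would be read
 * past its end or a name (plus its NUL) would be written past the row.
 * Checking the NUL explicitly is what prevents the "write of size 1 at
 * 0 bytes to the right of the region" pattern shown in the ASan report. */
int read_referenced_names(const uint8_t *in, size_t in_len,
                          char out[][NAME_CAP], size_t out_rows)
{
    size_t pos = 0;
    if (in_len < 1) {
        return -1;                          /* not even a count byte */
    }
    uint8_t count = in[pos++];
    if (count > out_rows) {
        return -1;                          /* more names than rows provided */
    }
    for (uint8_t i = 0; i < count; i++) {
        if (pos >= in_len) {
            return -1;                      /* truncated: length byte missing */
        }
        uint8_t nlen = in[pos++];
        if (nlen > in_len - pos) {
            return -1;                      /* length claims bytes past input end */
        }
        if ((size_t)nlen + 1 > NAME_CAP) {
            return -1;                      /* name + NUL would not fit the row */
        }
        memcpy(out[i], in + pos, nlen);
        out[i][nlen] = '\0';
        pos += nlen;
    }
    return (int)count;
}

int main(void)
{
    /* Constructed sample record: two names, "foo" and "main". */
    static const uint8_t sample[] = { 2, 3, 'f', 'o', 'o', 4, 'm', 'a', 'i', 'n' };
    char names[4][NAME_CAP];
    int n = read_referenced_names(sample, sizeof sample, names, 4);
    for (int i = 0; i < n; i++) {
        printf("name[%d] = %s\n", i, names[i]);
    }

    /* Constructed hostile record: one name whose length exactly equals the
     * row size, leaving no room for the terminator. Rejected, not written. */
    uint8_t hostile[2 + NAME_CAP];
    hostile[0] = 1;
    hostile[1] = NAME_CAP;
    memset(hostile + 2, 'A', NAME_CAP);
    printf("hostile record -> %d\n",
           read_referenced_names(hostile, sizeof hostile, names, 4));
    return 0;
}
```

The two checks that matter are the read-side bound (`nlen > in_len - pos`, written in subtraction form so it cannot overflow) and the write-side bound that accounts for the terminator; a reader that only verifies the first still produces exactly the one-byte overrun that ASan flagged in the report.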

@XVilka XVilka added bug zignatures Native radare2 signatures file format handing labels Aug 28, 2018
@ret2libc ret2libc self-assigned this Aug 29, 2018
@ret2libc
Contributor

@oddcoder is this a valid flirt database or a handmade one?

@oddcoder
Contributor Author

it is a real flirt database pulled from here https://github.com/Maktm/FLIRTDB/tree/master/openssl/windows

@ret2libc ret2libc removed their assignment Aug 29, 2018
@XVilka XVilka added this to the 2.9.0 milestone Aug 30, 2018
@radare radare closed this as completed in c415dac Aug 31, 2018
@fgeek

fgeek commented Sep 14, 2018

CVE-2018-15834 has been assigned for this issue.
