You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
rasm2 crashes with the error message that suggests it's a stack overflow relevant to char op[128]I'm not sure whether it's reporting correctly since that array is then duplicated and accessed with the duplicated one.
=================================================================
==2020==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe560eff20 at pc 0x7f88ddd1b019 bp 0x7ffe560efaf0 sp 0x7ffe560efae8
READ of size 1 at 0x7ffe560eff20 thread T0
#0 0x7f88ddd1b018 in getToken /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4299:18
#1 0x7f88ddd1b018 in parseReg /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4423
#2 0x7f88ddd1568c in parseOperand /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4651:13
#3 0x7f88ddd12b80 in parseOpcode /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4736:3
#4 0x7f88ddd0db0c in assemble /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4813:2
#5 0x7f88dddab6c7 in r_asm_assemble /home/exp/FOT/radare2-fuzz/libr/asm/asm.c:600:10
#6 0x7f88dddb0399 in r_asm_massemble /home/exp/FOT/radare2-fuzz/libr/asm/asm.c:986:12
#7 0x7f88dddb741f in r_asm_rasm_assemble /home/exp/FOT/radare2-fuzz/libr/asm/asm.c:1143:10
#8 0x56386d287a9e in rasm_asm /home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2.c:370:16
#9 0x56386d28796d in print_assembly_output /home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2.c:429:8
#10 0x56386d284bdf in main /home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2.c:804:10
#11 0x7f88daa30b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x56386d188af9 in _start (/home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2+0x1eaf9)
Address 0x7ffe560eff20 is located in stack of thread T0 at offset 224 in frame
#0 0x7f88ddd0d8bf in assemble /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4803
This frame has 3 object(s):
[32, 64) '__data' (line 4804)
[96, 224) 'op' (line 4806) <== Memory access at offset 224 overflows this variable
[256, 496) 'instr' (line 4809)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4299:18 in getToken
Shadow bytes around the buggy address:
0x10004ac15f90: f8 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac15fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac15fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac15fc0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x10004ac15fd0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004ac15fe0: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
0x10004ac15ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac16000: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x10004ac16010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac16020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac16030: f1 f1 f1 f1 f8 f2 f8 f2 f8 f2 f8 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2020==ABORTING
[1] 2020 abort rasm2 -a x86 -b 32
Steps to reproduce the behavior
Build radare2 with ASAN
Run rasm2 -a x86 -b 32 '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00,mm'
Observations: 1) preceding zeros substituted with other chars also triggers this crash, but the length seems important; 2) mm seems relevant, changing to xmm or something else will not trigger crash; 3) crash also with -b 16/-b 64.
The text was updated successfully, but these errors were encountered:
Work environment
Expected behavior
rasm2 exits with an error message.
Actual behavior
rasm2 crashes with the error message that suggests it's a stack overflow relevant to
char op[128]
I'm not sure whether it's reporting correctly since that array is then duplicated and accessed with the duplicated one.Steps to reproduce the behavior
radare2
with ASANrasm2 -a x86 -b 32 '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00,mm'
mm
seems relevant, changing toxmm
or something else will not trigger crash; 3) crash also with-b 16
/-b 64
.The text was updated successfully, but these errors were encountered: