New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AddressSanitizer: stack-buffer-overflow at libr/util/strbuf.c:47 #12372

Closed
HongxuChen opened this Issue Dec 2, 2018 · 2 comments

Comments

Projects
None yet
2 participants
@HongxuChen
Copy link

HongxuChen commented Dec 2, 2018

Work environment

Questions Answers
OS/arch/bits (mandatory) Ubuntu x86 64
File format of the file you reverse (mandatory) -
Architecture/bits of the file (mandatory) -
r2 -v full output, not truncated (mandatory) rasm2 3.1.0 20265 @ linux-x86-64 git.3.1.0-46-g23a0cfcdd commit: 23a0cfc build: 2018-12-02__22:14:42

Expected behavior

rasm2 exits with error message.

Actual behavior

rasm2 crashes

==18218==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd9fdaa2c0 at pc 0x5633d5693872 bp 0x7ffd9fdaa200 sp 0x7ffd9fda99b0
READ of size 60 at 0x7ffd9fdaa2c0 thread T0
    #0 0x5633d5693871 in __asan_memcpy (/home/exp/FOT/radare2/binr/rasm2/rasm2+0xdd871)
    #1 0x7f8e9deb3831 in r_strbuf_setbin /home/exp/FOT/radare2/libr/util/strbuf.c:47:3
    #2 0x7f8ea080695c in r_asm_op_set_buf /home/exp/FOT/radare2/libr/asm/op.c:74:3
    #3 0x7f8ea075c99c in assemble /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:4867:2
    #4 0x7f8ea07f8e8d in r_asm_assemble /home/exp/FOT/radare2/libr/asm/asm.c:594:10
    #5 0x7f8ea07fdd3e in r_asm_massemble /home/exp/FOT/radare2/libr/asm/asm.c:980:12
    #6 0x7f8ea080482f in r_asm_rasm_assemble /home/exp/FOT/radare2/libr/asm/asm.c:1137:10
    #7 0x5633d56d3dce in rasm_asm /home/exp/FOT/radare2/binr/rasm2/rasm2.c:370:16
    #8 0x5633d56d3cdb in print_assembly_output /home/exp/FOT/radare2/binr/rasm2/rasm2.c:429:8
    #9 0x5633d56d06f0 in main /home/exp/FOT/radare2/binr/rasm2/rasm2.c:727:12
    #10 0x7f8e9d482b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x5633d55d4af9 in _start (/home/exp/FOT/radare2/binr/rasm2/rasm2+0x1eaf9)

Address 0x7ffd9fdaa2c0 is located in stack of thread T0 at offset 64 in frame
    #0 0x7f8ea075c0ef in assemble /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:4828

  This frame has 3 object(s):
    [32, 64) '__data' (line 4829)
    [96, 224) 'op' (line 4831) <== Memory access at offset 64 partially underflows this variable
    [256, 496) 'instr' (line 4834)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/exp/FOT/radare2/binr/rasm2/rasm2+0xdd871) in __asan_memcpy
Shadow bytes around the buggy address:
  0x100033fad400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033fad410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033fad420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033fad430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033fad440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100033fad450: f1 f1 f1 f1 00 00 00 00[f2]f2 f2 f2 00 00 00 00
  0x100033fad460: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100033fad470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033fad480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3
  0x100033fad490: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100033fad4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18218==ABORTING

Steps to reproduce the behavior

  • run rasm2 -a x86 -b 64 $STRING where $STRING is one of the followings:
leA ,0,[bP-bL-bL-bP-bL-bP-bL-60@bL-
leA ,0,[bP-bL-r-bP-bL-bP-bL-60@bL-
mov ,0,[ax+Bx-ax+Bx-ax+ax+Bx-ax+Bx--
@HongxuChen

This comment has been minimized.

Copy link

HongxuChen commented Dec 2, 2018

Wait for a while, seems something gets wrong on my machine. Will double check...

@HongxuChen

This comment has been minimized.

Copy link

HongxuChen commented Dec 2, 2018

The above strings seem to only crash with Clang -fsanitize=address -O3.

For mov ,0,[ax+Bx-ax+Bx-ax+ax+Bx-ax+Bx--, normal build of rasm2 output f2 is wrong.

radare added a commit that referenced this issue Dec 2, 2018

Fix #12372 and #12373 - Crash in x86 assembler
0 ,0,[bP-bL-bP-bL-bL-r-bL-bP-bL-bL-
mov ,0,[ax+Bx-ax+Bx-ax+ax+Bx-ax+Bx--
leA ,0,[bP-bL-bL-bP-bL-bP-bL-60@bL-
leA ,0,[bP-bL-r-bP-bL-bP-bL-60@bL-
mov ,0,[ax+Bx-ax+Bx-ax+ax+Bx-ax+Bx--

@radare radare added this to the 3.1.1 milestone Dec 2, 2018

@radare radare closed this in 9b46d38 Dec 3, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment