AddressSanitizer: stack-buffer-overflow at libr/asm/p/asm_x86_nz.c:4579 #12373

Closed
HongxuChen opened this Issue Dec 2, 2018 · 0 comments


HongxuChen commented Dec 2, 2018

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu x86 64 |
| File format of the file you reverse (mandatory) | - |
| Architecture/bits of the file (mandatory) | - |
| r2 -v full output, not truncated (mandatory) | rasm2 3.1.0 20265 @ linux-x86-64 git.3.1.0-46-g23a0cfcdd commit: 23a0cfc build: 2018-12-02__22:59:40 |

Expected behavior

rasm2 exits with error message.

Actual behavior

rasm2 crashes.

```
=================================================================
==14271==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee2380bd0 at pc 0x7f83dd540694 bp 0x7ffee23800d0 sp 0x7ffee23800c8
WRITE of size 4 at 0x7ffee2380bd0 thread T0
    #0 0x7f83dd540693 in parseOperand /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:4579:28
    #1 0x7f83dd53f38b in parseOpcode /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:4760:3
    #2 0x7f83dd539a43 in assemble /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:4838:2
    #3 0x7f83dd5a77a3 in r_asm_assemble /home/exp/FOT/radare2/libr/asm/asm.c:594:10
    #4 0x7f83dd5ac085 in r_asm_massemble /home/exp/FOT/radare2/libr/asm/asm.c:980:12
    #5 0x7f83dd5ae730 in r_asm_rasm_assemble /home/exp/FOT/radare2/libr/asm/asm.c:1137:10
    #6 0x5590ecd9e65b in rasm_asm /home/exp/FOT/radare2/binr/rasm2/rasm2.c:370:16
    #7 0x5590ecd9e573 in print_assembly_output /home/exp/FOT/radare2/binr/rasm2/rasm2.c:429:8
    #8 0x5590ecd9b3e6 in main /home/exp/FOT/radare2/binr/rasm2/rasm2.c:727:12
    #9 0x7f83da472b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x5590ecca10f9 in _start (/home/exp/FOT/radare2/binr/rasm2/rasm2+0x1f0f9)

Address 0x7ffee2380bd0 is located in stack of thread T0 at offset 496 in frame
    #0 0x7f83dd53974f in assemble /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:4828

  This frame has 3 object(s):
    [32, 64) '__data' (line 4829)
    [96, 224) 'op' (line 4831)
    [256, 496) 'instr' (line 4834) <== Memory access at offset 496 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:4579:28 in parseOperand
Shadow bytes around the buggy address:
  0x10005c468120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005c468130: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10005c468140: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10005c468150: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
  0x10005c468160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005c468170: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3
  0x10005c468180: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005c468190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005c4681a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005c4681b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005c4681c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14271==ABORTING
Aborted
```

Steps to reproduce the behavior

- run `rasm2 -a x86 -b 32 '0 ,0,[bP-bL-bP-bL-bL-r-bL-bP-bL-bL-'`
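The report above shows `parseOperand` writing 4 bytes at offset 496 of `assemble`'s frame, which is exactly the end of the 240-byte `instr` object at `[256, 496)`: a fixed-size stack table filled from attacker-controlled operand text without checking that the next write still lands inside it. The C program below is an added illustration of the defensive pattern, not radare2's code and not the fix that landed: a hypothetical `parse_operands` splits an operand list into a small fixed-size table and returns an error, which is the behaviour the reporter expected from rasm2, whenever the input would need more slots or longer slots than exist. The struct, the limits and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size operand table (an illustration, not radare2's
 * real data structure). The capacities are deliberately small so that
 * over-long inputs reach the limits quickly. */
#define MAX_OPERANDS     3
#define MAX_OPERAND_LEN  32

typedef struct {
    int  count;
    char text[MAX_OPERANDS][MAX_OPERAND_LEN];
} Operands;

/* Split the operand list of one instruction on ',' into `ops`.
 * Returns the number of operands parsed, or -1 when the input does not fit:
 * too many operands, an operand longer than its slot, or an empty operand
 * (the ",0" shape seen in the crashing input). Every write is checked
 * against the table bounds before it happens, so a hostile input produces
 * an error return instead of a write past the end of a stack object. */
int parse_operands(const char *s, Operands *ops)
{
    memset(ops, 0, sizeof *ops);
    while (*s) {
        while (*s && isspace((unsigned char)*s))
            s++;                                 /* skip leading blanks */
        if (!*s)
            break;
        if (ops->count >= MAX_OPERANDS)
            return -1;                           /* table full: refuse */
        char *dst = ops->text[ops->count];
        size_t n = 0;
        while (*s && *s != ',') {
            if (n + 1 >= MAX_OPERAND_LEN)
                return -1;                       /* slot full: refuse */
            dst[n++] = *s++;
        }
        while (n > 0 && isspace((unsigned char)dst[n - 1]))
            n--;                                 /* trim trailing blanks */
        dst[n] = '\0';                           /* n < MAX_OPERAND_LEN here */
        if (n == 0)
            return -1;                           /* empty operand: refuse */
        ops->count++;
        if (*s == ',')
            s++;
    }
    return ops->count;
}

/* Convenience wrapper: number of operands, or -1 when the input is rejected. */
int count_operands(const char *s)
{
    Operands ops;
    return parse_operands(s, &ops);
}

int main(void)
{
    /* Constructed sample inputs; the third only mimics the over-long shape
     * of the reporter's line, it is not that line. */
    const char *inputs[] = {
        "eax, 0x10",
        "eax, ebx, ecx, edx",
        "eax, [bP-bL-bP-bL-bL-r-bL-bP-bL-bL-bP-bL-bP-bL-bL-r-bL-bP-bL-bL-]",
        ",0",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        int n = count_operands(inputs[i]);
        if (n < 0)
            printf("error: cannot parse operands in \"%s\"\n", inputs[i]);
        else
            printf("%d operand(s) in \"%s\"\n", n, inputs[i]);
    }
    return 0;
}
```

Building the program with `-fsanitize=address` is the cheap check that the bounds checks are actually doing their job: with them in place ASan stays silent on every input above, and removing either `return -1` turns the over-long inputs into the same stack-buffer-overflow report as the one in this issue.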

@HongxuChen HongxuChen changed the title AddressSanitizer: stack-buffer-overflow at libr/asm/p/asm_x86_nz.c AddressSanitizer: stack-buffer-overflow at libr/asm/p/asm_x86_nz.c:4579 Dec 2, 2018

radare added a commit that referenced this issue Dec 2, 2018

Fix #12372 and #12373 - Crash in x86 assembler
0 ,0,[bP-bL-bP-bL-bL-r-bL-bP-bL-bL-
mov ,0,[ax+Bx-ax+Bx-ax+ax+Bx-ax+Bx--
leA ,0,[bP-bL-bL-bP-bL-bP-bL-60@bL-
leA ,0,[bP-bL-r-bP-bL-bP-bL-60@bL-
mov ,0,[ax+Bx-ax+Bx-ax+ax+Bx-ax+Bx--

@radare radare added this to the 3.1.1 milestone Dec 2, 2018

radare added a commit that referenced this issue Dec 3, 2018

Fix #12372 and #12373 - Crash in x86 assembler (#12380)
0 ,0,[bP-bL-bP-bL-bL-r-bL-bP-bL-bL-
mov ,0,[ax+Bx-ax+Bx-ax+ax+Bx-ax+Bx--
leA ,0,[bP-bL-bL-bP-bL-bP-bL-60@bL-
leA ,0,[bP-bL-r-bP-bL-bP-bL-60@bL-
mov ,0,[ax+Bx-ax+Bx-ax+ax+Bx-ax+Bx--

@radare radare closed this Dec 3, 2018
