AddressSanitizer: heap-buffer-overflow at libr/bin/format/mach0/dyldcache.c:64 #12374

Closed
HongxuChen opened this Issue Dec 2, 2018 · 0 comments

HongxuChen commented Dec 2, 2018

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu x86 64 |
| File format of the file you reverse (mandatory) | - |
| Architecture/bits of the file (mandatory) | - |
| r2 -v full output, not truncated (mandatory) | rabin2 3.1.0 20265 @ linux-x86-64 git.3.1.0-46-g23a0cfcdd commit: 23a0cfc build: 2018-12-02__22:59:40 |

Expected behavior

rabin2 shows binary property or exits abnormally

Actual behavior

rabin2 crashes

```
=================================================================
==19840==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000248b0 at pc 0x7f5bdbd7be69 bp 0x7ffcab8cd7e0 sp 0x7ffcab8cd7d8
READ of size 8 at 0x6040000248b0 thread T0
    #0 0x7f5bdbd7be68 in r_bin_dyldcache_extract /home/exp/FOT/radare2/libr/..//libr/bin/p/../format/mach0/dyldcache.c:64:16
    #1 0x7f5bdbd7a292 in oneshot /home/exp/FOT/radare2/libr/..//libr/bin/p/bin_xtr_dyldcache.c:118:8
    #2 0x7f5bdbd7a78b in oneshotall /home/exp/FOT/radare2/libr/..//libr/bin/p/bin_xtr_dyldcache.c:155:9
    #3 0x7f5bdbada53d in r_bin_file_xtr_load_bytes /home/exp/FOT/radare2/libr/bin/bfile.c:660:17
    #4 0x7f5bdbab32d0 in r_bin_open_io /home/exp/FOT/radare2/libr/bin/bin.c:411:16
    #5 0x7f5bdbab1b1b in r_bin_open /home/exp/FOT/radare2/libr/bin/bin.c:223:9
    #6 0x56413adc3040 in main /home/exp/FOT/radare2/binr/rabin2/rabin2.c:1009:7
    #7 0x7f5bda445b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x56413acc7119 in _start (/home/exp/FOT/radare2/binr/rabin2/rabin2+0x20119)

0x6040000248b1 is located 0 bytes to the right of 33-byte region [0x604000024890,0x6040000248b1)
allocated by thread T0 here:
    #0 0x56413ad86fd0 in malloc (/home/exp/FOT/radare2/binr/rabin2/rabin2+0xdffd0)
    #1 0x7f5bdad65849 in r_buf_set_bytes /home/exp/FOT/radare2/libr/util/buf.c:347:17
    #2 0x7f5bdbd7e3ed in r_bin_dyldcache_new /home/exp/FOT/radare2/libr/..//libr/bin/p/../format/mach0/dyldcache.c:215:7
    #3 0x7f5bdbd7b179 in load /home/exp/FOT/radare2/libr/..//libr/bin/p/bin_xtr_dyldcache.c:35:23
    #4 0x7f5bdbd7a1df in oneshot /home/exp/FOT/radare2/libr/..//libr/bin/p/bin_xtr_dyldcache.c:113:7
    #5 0x7f5bdbd7a78b in oneshotall /home/exp/FOT/radare2/libr/..//libr/bin/p/bin_xtr_dyldcache.c:155:9
    #6 0x7f5bdbada53d in r_bin_file_xtr_load_bytes /home/exp/FOT/radare2/libr/bin/bfile.c:660:17
    #7 0x7f5bdbab32d0 in r_bin_open_io /home/exp/FOT/radare2/libr/bin/bin.c:411:16
    #8 0x7f5bdbab1b1b in r_bin_open /home/exp/FOT/radare2/libr/bin/bin.c:223:9
    #9 0x56413adc3040 in main /home/exp/FOT/radare2/binr/rabin2/rabin2.c:1009:7
    #10 0x7f5bda445b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/exp/FOT/radare2/libr/..//libr/bin/p/../format/mach0/dyldcache.c:64:16 in r_bin_dyldcache_extract
Shadow bytes around the buggy address:
  0x0c087fffc8c0: fa fa 00 00 00 00 07 fa fa fa 00 00 00 00 07 fa
  0x0c087fffc8d0: fa fa 00 00 00 00 01 fa fa fa 00 00 00 00 00 00
  0x0c087fffc8e0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c087fffc8f0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
  0x0c087fffc900: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
=>0x0c087fffc910: fa fa 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
  0x0c087fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffc940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffc950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffc960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19840==ABORTING
```
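The report says an 8-byte read landed exactly at the end of a 33-byte heap region (the `[01]` shadow byte marks the last, partially addressable 8-byte granule, 4*8 + 1 = 33). The defensive pattern that prevents this class of parser bug is to check that `offset + field_size` fits inside the buffer before every fixed-width read, with the check written so that the addition cannot wrap. The following is an added illustration written for this page; it is not radare2's code and `byte_buf` / `buf_read_le64` are hypothetical names, not the `r_buf_*` API from the trace. The 33-byte input is constructed to mirror the region size in the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical minimal byte buffer; stands in for whatever buffer type a parser uses. */
typedef struct {
    const uint8_t *data;
    size_t len;
} byte_buf;

/* Read a little-endian 64-bit field at byte offset `off`.
 * Refuses any read that would extend past `len` and returns false instead of
 * touching out-of-bounds memory. The comparison is against `len - 8` rather than
 * `off + 8 <= len` so that a huge `off` (e.g. one taken from a hostile file
 * header) cannot wrap around and pass the check. */
bool buf_read_le64(const byte_buf *b, size_t off, uint64_t *out) {
    if (!b || !b->data || !out) return false;
    if (b->len < 8 || off > b->len - 8) return false;
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) {
        v = (v << 8) | b->data[off + i];
    }
    *out = v;
    return true;
}

/* Constructed sample input: 33 bytes, the same region size as in the ASan report. */
enum { SAMPLE_LEN = 33 };
static uint8_t sample[SAMPLE_LEN];

static void init_sample(void) {
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        sample[i] = (uint8_t)i; /* byte value == its offset, for easy checking */
    }
}

/* Returns 1 if an 8-byte read at `off` is in bounds and succeeded, 0 if rejected. */
int read_ok(size_t off) {
    uint64_t v;
    init_sample();
    byte_buf b = { sample, SAMPLE_LEN };
    return buf_read_le64(&b, off, &v) ? 1 : 0;
}

/* Returns the value read at `off`, or 0 if the read was rejected. */
uint64_t read_val(size_t off) {
    uint64_t v = 0;
    init_sample();
    byte_buf b = { sample, SAMPLE_LEN };
    if (!buf_read_le64(&b, off, &v)) return 0;
    return v;
}

int main(void) {
    /* Offset 25 is the last position where 8 bytes still fit in 33;
     * offset 26 and beyond is exactly the situation ASan reported. */
    printf("off 25 ok=%d val=0x%016llx\n", read_ok(25), (unsigned long long)read_val(25));
    printf("off 26 ok=%d\n", read_ok(26));
    printf("off 32 ok=%d\n", read_ok(32));
    printf("off SIZE_MAX ok=%d\n", read_ok(SIZE_MAX));
    return 0;
}
```

In a real extractor, the same check applies to every header-derived offset and count before it is used, and a fuzzer with ASan enabled (as in this report) is the quickest way to confirm none were missed.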

Steps to reproduce the behavior

radare added a commit that referenced this issue Dec 3, 2018

@radare radare added this to the 3.1.1 milestone Dec 3, 2018

radare added a commit that referenced this issue Dec 3, 2018

@radare radare closed this in 30f4c7b Dec 3, 2018
