New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AddressSanitizer: stack-buffer-overflow at libr/asm/arch/arm/armass64.c:740 #12376

Closed
HongxuChen opened this Issue Dec 2, 2018 · 1 comment

Comments

Projects
None yet
2 participants
@HongxuChen
Copy link

HongxuChen commented Dec 2, 2018

Work environment

Questions Answers
OS/arch/bits (mandatory) Ubuntu x86 64
File format of the file you reverse (mandatory) -
Architecture/bits of the file (mandatory) -
r2 -v full output, not truncated (mandatory) rasm2 3.1.0 20265 @ linux-x86-64 git.3.1.0-46-g23a0cfcdd commit: 23a0cfc build: 2018-12-02__22:59:40

Expected behavior

rasm2 exits with error messages

Actual behavior

rasm2 crashes

==12719==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcb1a49150 at pc 0x7fd749638618 bp 0x7ffcb1a49050 sp 0x7ffcb1a49048
WRITE of size 4 at 0x7ffcb1a49150 thread T0
    #0 0x7fd749638617 in parseOperands /home/exp/FOT/radare2-fuzz/libr/asm/p/../arch/arm/armass64.c:740:30
    #1 0x7fd749638617 in parseOpcode /home/exp/FOT/radare2-fuzz/libr/asm/p/../arch/arm/armass64.c:867
    #2 0x7fd749638617 in arm64ass /home/exp/FOT/radare2-fuzz/libr/asm/p/../arch/arm/armass64.c:872
    #3 0x7fd74956725d in assemble /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_arm_cs.c:136:8
    #4 0x7fd749995f25 in r_asm_assemble /home/exp/FOT/radare2-fuzz/libr/asm/asm.c:594:10
    #5 0x7fd74999a986 in r_asm_massemble /home/exp/FOT/radare2-fuzz/libr/asm/asm.c:980:12
    #6 0x7fd7499a13ff in r_asm_rasm_assemble /home/exp/FOT/radare2-fuzz/libr/asm/asm.c:1137:10
    #7 0x56453eb71cfe in rasm_asm /home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2.c:370:16
    #8 0x56453eb71b1e in print_assembly_output /home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2.c:429:8
    #9 0x56453eb6ebd3 in main /home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2.c:804:10
    #10 0x7fd746621b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x56453ea72af9 in _start (/home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2+0x1eaf9)

Address 0x7ffcb1a49150 is located in stack of thread T0 at offset 240 in frame
    #0 0x7fd74962e87f in arm64ass /home/exp/FOT/radare2-fuzz/libr/asm/p/../arch/arm/armass64.c:870

  This frame has 1 object(s):
    [32, 240) 'ops' (line 871) <== Memory access at offset 240 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/exp/FOT/radare2-fuzz/libr/asm/p/../arch/arm/armass64.c:740:30 in parseOperands
Shadow bytes around the buggy address:
  0x1000163411d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000163411e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000163411f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100016341200: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x100016341210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100016341220: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3
  0x100016341230: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100016341240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100016341250: 00 00 00 00 f1 f1 f1 f1 04 f2 f8 f3 00 00 00 00
  0x100016341260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100016341270: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12719==ABORTING
[1]    12719 abort      rasm2 -a arm -b 64 '0 ,0,0,0,0,0,0,'

Steps to reproduce the behavior

  • run rasm2 -a arm -b 64 '0 ,0,0,0,0,0,0,'

Additional Logs, screenshots, source-code, configuration dump, ...

We also find another file generates from r2's pd $s results that also emits such an error when running rasm2 -a arm -b 64 -f $FILE.

@HongxuChen

This comment has been minimized.

Copy link

HongxuChen commented Dec 2, 2018

The crash happens when radare2 is compiled with Clang -fsanitize=address -g -O3.

@radare radare closed this in df167c7 Dec 3, 2018

@radare radare added this to the 3.1.2 milestone Dec 3, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment