AddressSanitizer: heap-buffer-overflow (OOB read) at libr/util/calc.c:384 #12417

Closed
HongxuChen opened this Issue Dec 5, 2018 · 0 comments


HongxuChen commented Dec 5, 2018

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu x86 64 |
| File format of the file you reverse (mandatory) | - |
| Architecture/bits of the file (mandatory) | - |
| r2 -v full output, not truncated (mandatory) | rasm2 3.2.0-git 20321 @ linux-x86-64 git.3.1.3-6-g64f2e25c3 commit: 64f2e25 build: 2018-12-05__23:56:13 |

Expected behavior

rasm2 exits with an error message.

Actual behavior

rasm2 crashes.

==9204==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000013e54 at pc 0x7fef14ac55a9 bp 0x7ffef47dc5b0 sp 0x7ffef47dc5a8
READ of size 1 at 0x602000013e54 thread T0
    #0 0x7fef14ac55a8 in r_num_calc /home/hongxu/FOT/radare2-asan-o0/libr/util/calc.c:384:15
    #1 0x7fef14a4e038 in r_num_math /home/hongxu/FOT/radare2-asan-o0/libr/util/unum.c:412:8
    #2 0x7fef16e9fab8 in parseOperands /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/../arch/arm/armass64.c:761:41
    #3 0x7fef16e9ac59 in parseOpcode /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/../arch/arm/armass64.c:871:9
    #4 0x7fef16e97fd9 in arm64ass /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/../arch/arm/armass64.c:876:7
    #5 0x7fef16e59dc3 in assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/asm_arm_cs.c:136:8
    #6 0x7fef17299bf3 in r_asm_assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:594:10
    #7 0x7fef1729e4d5 in r_asm_massemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:980:12
    #8 0x7fef172a0b80 in r_asm_rasm_assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:1137:10
    #9 0x5646424d867b in rasm_asm /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:370:16
    #10 0x5646424d8593 in print_assembly_output /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:429:8
    #11 0x5646424d60c7 in main /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:804:10
    #12 0x7fef14161b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x5646423db0f9 in _start (/home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2+0x1f0f9)

0x602000013e54 is located 0 bytes to the right of 4-byte region [0x602000013e50,0x602000013e54)
allocated by thread T0 here:
    #0 0x5646423f77f0 in __interceptor_strdup (/home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2+0x3b7f0)
    #1 0x7fef16e9f3cb in parseOperands /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/../arch/arm/armass64.c:722:12
    #2 0x7fef16e9ac59 in parseOpcode /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/../arch/arm/armass64.c:871:9
    #3 0x7fef16e97fd9 in arm64ass /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/../arch/arm/armass64.c:876:7
    #4 0x7fef16e59dc3 in assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/asm_arm_cs.c:136:8
    #5 0x7fef17299bf3 in r_asm_assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:594:10
    #6 0x7fef1729e4d5 in r_asm_massemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:980:12
    #7 0x7fef172a0b80 in r_asm_rasm_assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:1137:10
    #8 0x5646424d867b in rasm_asm /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:370:16
    #9 0x5646424d8593 in print_assembly_output /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:429:8
    #10 0x5646424d60c7 in main /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:804:10
    #11 0x7fef14161b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/radare2-asan-o0/libr/util/calc.c:384:15 in r_num_calc
==9204==ABORTING
[1]    9204 abort      rasm2 -a arm -b 64 '0 lsr'

Steps to reproduce the behavior

  • Compile radare2 with ASan (tried -O3/-O0)
  • Run rasm2 -a arm -b 64 '0 lsr' ('10 asr' etc.).

@Maijin Maijin added fuzzing bug labels Dec 9, 2018

devnexen added a commit to devnexen/radare2 that referenced this issue Dec 10, 2018

@radare radare closed this in e5c14c1 Dec 10, 2018
