New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AddressSanitizer: heap-buffer-overflow (OOB read) at libr/asm/arch/arm/armass.c:6549 #12418

Closed
HongxuChen opened this Issue Dec 5, 2018 · 0 comments

Comments

Projects
None yet
3 participants
@HongxuChen
Copy link

HongxuChen commented Dec 5, 2018

Work environment

Questions Answers
OS/arch/bits (mandatory) Ubuntu x86 64
File format of the file you reverse (mandatory) -
Architecture/bits of the file (mandatory) -
r2 -v full output, not truncated (mandatory) rasm2 3.2.0-git 20321 @ linux-x86-64 git.3.1.3-6-g64f2e25c3 commit: 64f2e25 build: 2018-12-05__23:56:13

Expected behavior

rasm2 exits with error message.

Actual behavior

rasm2 crashes.

=================================================================
==10333==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000013e94 at pc 0x7f76536c8753 bp 0x7fff96f8ec30 sp 0x7fff96f8ec28
READ of size 1 at 0x602000013e94 thread T0
    #0 0x7f76536c8752 in armass_assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/../arch/arm/armass.c:6549:7
    #1 0x7f76536c6e3c in assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/asm_arm_cs.c:140:12
    #2 0x7f7653b06bf3 in r_asm_assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:594:10
    #3 0x7f7653b0b4d5 in r_asm_massemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:980:12
    #4 0x7f7653b0db80 in r_asm_rasm_assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:1137:10
    #5 0x556b93e6867b in rasm_asm /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:370:16
    #6 0x556b93e68593 in print_assembly_output /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:429:8
    #7 0x556b93e65406 in main /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:727:12
    #8 0x7f76509ceb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x556b93d6b0f9 in _start (/home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2+0x1f0f9)

0x602000013e94 is located 0 bytes to the right of 4-byte region [0x602000013e90,0x602000013e94)
allocated by thread T0 here:
    #0 0x556b93d877f0 in __interceptor_strdup (/home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2+0x3b7f0)
    #1 0x7f7653b069a6 in r_asm_assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:570:12
    #2 0x7f7653b0b4d5 in r_asm_massemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:980:12
    #3 0x7f7653b0db80 in r_asm_rasm_assemble /home/hongxu/FOT/radare2-asan-o0/libr/asm/asm.c:1137:10
    #4 0x556b93e6867b in rasm_asm /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:370:16
    #5 0x556b93e68593 in print_assembly_output /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:429:8
    #6 0x556b93e65406 in main /home/hongxu/FOT/radare2-asan-o0/binr/rasm2/rasm2.c:727:12
    #7 0x7f76509ceb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/radare2-asan-o0/libr/asm/p/../arch/arm/armass.c:6549:7 in armass_assemble
Shadow bytes around the buggy address:
  0x0c047fffa780: fa fa 00 01 fa fa 00 00 fa fa 00 01 fa fa 00 00
  0x0c047fffa790: fa fa 00 01 fa fa 00 00 fa fa 00 01 fa fa 00 00
  0x0c047fffa7a0: fa fa 00 01 fa fa 00 00 fa fa 00 01 fa fa 06 fa
  0x0c047fffa7b0: fa fa 04 fa fa fa 04 fa fa fa fd fd fa fa 00 03
  0x0c047fffa7c0: fa fa 00 03 fa fa 00 03 fa fa fd fa fa fa 04 fa
=>0x0c047fffa7d0: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffa820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10333==ABORTING
[1]    10333 abort      rasm2 -a arm -b 64 -f /tmp/test01

Steps to reproduce the behavior

  • compile radare with asan (tried -O3/-O0)
  • run rasm2 -a arm -b 64 -f $FILE
    crashes.zip

Additional Logs, screenshots, source-code, configuration dump, ...

Index j may reach length of str inside armass_assemble(const char *str, ut64 off, int thumb).

@Maijin Maijin added fuzzing bug labels Dec 9, 2018

devnexen added a commit to devnexen/radare2 that referenced this issue Dec 10, 2018

radare added a commit that referenced this issue Dec 10, 2018

@radare radare closed this Dec 10, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment