Heap out of bounds read in r_read_le32() (wasm_dis:655 - WASM_OP_F64CONST) #14228

Closed

pventuzelo opened this issue Jun 5, 2019 · 0 comments

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 18.04 x64 |
| File format of the file you reverse (mandatory) | WASM |
| Architecture/bits of the file (mandatory) | WASM |
| r2 -v full output, not truncated (mandatory) | radare2 3.6.0-git 21939 @ linux-x86-64 git.3.5.1-159-g24dfc45c3 commit: 24dfc45 build: 2019-06-05__16:54:39 |

Expected behavior

Disassembly of file or error message.

Actual behavior

Heap out of bounds read in ASAN build.

Steps to reproduce the behavior

Additional Logs, screenshots, source-code, configuration dump, ...

ASAN report:

==3759==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000016300 at pc 0x7fb03a620513 bp 0x7ffee94a4570 sp 0x7ffee94a4560
READ of size 1 at 0x611000016300 thread T0
    #0 0x7fb03a620512 in r_read_le32 XYZ/radare2/libr/include/r_endian.h:176
    #1 0x7fb03a620674 in r_read_at_le32 XYZ/radare2/libr/include/r_endian.h:185
    #2 0x7fb03a620693 in r_read_le64 XYZ/radare2/libr/include/r_endian.h:199
    #3 0x7fb03a6206e0 in r_read_at_le64 XYZ/radare2/libr/include/r_endian.h:206
    #4 0x7fb03a622ef9 in wasm_dis XYZ/radare2/libr/..//libr/anal/p/../../asm/arch/wasm/wasm.c:655
    #5 0x7fb03a624556 in wasm_op XYZ/radare2/libr/..//libr/anal/p/anal_wasm.c:79
    #6 0x7fb03a66bc56 in r_anal_op XYZ/radare2/libr/anal/op.c:153
    #7 0x7fb03e82c985 in r_core_anal_search_xrefs XYZ/radare2/libr/core/canal.c:3680
    #8 0x7fb03e5e6f44 in r_core_anal_refs XYZ/radare2/libr/core/cmd_anal.c:7641
    #9 0x7fb03e5ed3d9 in cmd_anal_all XYZ/radare2/libr/core/cmd_anal.c:8212
    #10 0x7fb03e5f4908 in cmd_anal XYZ/radare2/libr/core/cmd_anal.c:9051
    #11 0x7fb03e7f740f in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:244
    #12 0x7fb03e6deb61 in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:3276
    #13 0x7fb03e6d3067 in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:2172
    #14 0x7fb03e6e7ef0 in r_core_cmd XYZ/radare2/libr/core/cmd.c:4111
    #15 0x7fb03e6e8fd4 in r_core_cmd0 XYZ/radare2/libr/core/cmd.c:4276
    #16 0x7fb04621eb6a in r_main_radare2 XYZ/radare2/libr/main/radare2.c:1391
    #17 0x560feb23c829 in main XYZ/radare2/binr/radare2/radare2.c:48
    #18 0x7fb0450b6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #19 0x560feb23c729 in _start (XYZ/radare2/binr/radare2/radare2+0x729)

0x611000016300 is located 0 bytes to the right of 256-byte region [0x611000016200,0x611000016300)
allocated by thread T0 here:
    #0 0x7fb0465d3b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7fb03e82c4cb in r_core_anal_search_xrefs XYZ/radare2/libr/core/canal.c:3647
    #2 0x7fb03e5e6f44 in r_core_anal_refs XYZ/radare2/libr/core/cmd_anal.c:7641
    #3 0x7fb03e5ed3d9 in cmd_anal_all XYZ/radare2/libr/core/cmd_anal.c:8212
    #4 0x7fb03e5f4908 in cmd_anal XYZ/radare2/libr/core/cmd_anal.c:9051
    #5 0x7fb03e7f740f in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:244
    #6 0x7fb03e6deb61 in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:3276
    #7 0x7fb03e6d3067 in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:2172
    #8 0x7fb03e6e7ef0 in r_core_cmd XYZ/radare2/libr/core/cmd.c:4111
    #9 0x7fb03e6e8fd4 in r_core_cmd0 XYZ/radare2/libr/core/cmd.c:4276
    #10 0x7fb04621eb6a in r_main_radare2 XYZ/radare2/libr/main/radare2.c:1391
    #11 0x560feb23c829 in main XYZ/radare2/binr/radare2/radare2.c:48
    #12 0x7fb0450b6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/radare2/libr/include/r_endian.h:176 in r_read_le32
Shadow bytes around the buggy address:
  0x0c227fffac10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fffac20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffac30: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fffac40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fffac50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fffac60:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fffac70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fffac80: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c227fffac90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffaca0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c227fffacb0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3759==ABORTING
pventuzelo changed the title from "Heap out of bounds read in r_read_le32() (wasm)" to "Heap out of bounds read in r_read_le32() (wasm_dis)" on Jun 5, 2019
radare closed this as completed in db972ef on Jun 5, 2019
pventuzelo changed the title from "Heap out of bounds read in r_read_le32() (wasm_dis)" to "Heap out of bounds read in r_read_le32() (wasm_dis:655)" on Jun 6, 2019
pventuzelo changed the title from "Heap out of bounds read in r_read_le32() (wasm_dis:655)" to "Heap out of bounds read in r_read_le32() (wasm_dis:655 - WASM_OP_F64CONST)" on Jun 6, 2019
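The trace above shows `wasm_dis` decoding an f64.const and reading its 8-byte immediate through `r_read_at_le64` when the opcode sits at the very last byte of a 256-byte heap block, so the read starts "0 bytes to the right" of the allocation. The following is an added example, not radare2 code and not the fix that landed in db972ef (which is not reproduced on this page): a minimal decoder for the two fixed-width float constant opcodes that carries the buffer length and refuses to read a truncated immediate, shown next to the unbounded shape that ASAN catches. The opcode values 0x43 (f32.const, 4-byte immediate) and 0x44 (f64.const, 8-byte immediate) are from the WebAssembly binary format; every function name and the sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Opcodes from the WebAssembly binary format: f32.const has a 4-byte
 * little-endian immediate, f64.const an 8-byte one. */
#define WASM_OP_F32CONST 0x43
#define WASM_OP_F64CONST 0x44

typedef struct {
    uint8_t  op;
    size_t   size;  /* opcode byte plus immediate */
    uint64_t imm;   /* raw immediate bits (f32 in the low 32 bits) */
} wasm_const_insn;

/* The hazardous shape (hypothetical, modelled on the trace): a little-endian
 * read that takes only a pointer. Nothing here knows how many bytes remain,
 * so with the opcode as the last byte of a buffer the 8-byte read runs off
 * the end of the allocation, which is exactly what ASAN reports above. */
static uint64_t read_le64_unbounded(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

int wasm_decode_f64const_unbounded(const uint8_t *buf, wasm_const_insn *out) {
    if (buf[0] != WASM_OP_F64CONST) return -1;
    out->op = buf[0];
    out->size = 9;
    out->imm = read_le64_unbounded(buf + 1);  /* may read past the buffer */
    return 9;
}

/* Bounded read: refuses to read more bytes than remain before `end`.
 * Returns 1 on success, 0 when n bytes are not available. */
static int read_le_bounded(const uint8_t *p, const uint8_t *end, size_t n, uint64_t *out) {
    if (n == 0 || n > 8 || p > end || (size_t)(end - p) < n) return 0;
    uint64_t v = 0;
    for (size_t i = n; i-- > 0;) v = (v << 8) | p[i];
    *out = v;
    return 1;
}

/* Hardened decoder: takes the buffer length and returns bytes consumed, or
 * -1 when the opcode is not a float constant or its immediate is truncated. */
int wasm_decode_const(const uint8_t *buf, size_t len, wasm_const_insn *out) {
    if (len == 0) return -1;
    size_t imm_len;
    switch (buf[0]) {
    case WASM_OP_F32CONST: imm_len = 4; break;
    case WASM_OP_F64CONST: imm_len = 8; break;
    default: return -1;
    }
    uint64_t imm;
    if (!read_le_bounded(buf + 1, buf + len, imm_len, &imm)) return -1;
    out->op = buf[0];
    out->size = 1 + imm_len;
    out->imm = imm;
    return (int)out->size;
}

/* Constructed input: f64.const 1.0, whose IEEE-754 bits are 0x3FF0000000000000. */
uint64_t demo_wellformed_f64(void) {
    const uint8_t ins[] = {0x44, 0, 0, 0, 0, 0, 0, 0xF0, 0x3F};
    wasm_const_insn in;
    if (wasm_decode_const(ins, sizeof ins, &in) != 9) return 0;
    return in.imm;
}

/* Reproduces the report's shape: a 256-byte heap block whose final byte is
 * the f64.const opcode. The bounded decoder reports truncation instead of
 * reading 8 bytes past the allocation. */
int demo_opcode_at_buffer_end(void) {
    size_t n = 256;
    uint8_t *block = calloc(n, 1);
    if (!block) return -2;
    block[n - 1] = WASM_OP_F64CONST;
    wasm_const_insn in;
    int r = wasm_decode_const(block + (n - 1), 1, &in);
    free(block);
    return r;
}

/* Constructed input: f32.const with only 2 of its 4 immediate bytes present. */
int demo_truncated_f32(void) {
    const uint8_t ins[] = {0x43, 0x00, 0x00};
    wasm_const_insn in;
    return wasm_decode_const(ins, sizeof ins, &in);
}

int main(void) {
    printf("f64.const 1.0 bits: 0x%016llx\n", (unsigned long long)demo_wellformed_f64());
    printf("opcode at end of 256-byte block: %d\n", demo_opcode_at_buffer_end());
    printf("truncated f32.const: %d\n", demo_truncated_f32());
    return 0;
}
```

Running `demo_opcode_at_buffer_end` through `wasm_decode_f64const_unbounded` instead of `wasm_decode_const` (with `block + 255`) is the heap-buffer-overflow from the report, and an ASAN build will flag it the same way; the point of threading `len` through to the read helper is that the decoder, not its callers, owns the check that an immediate fits in what is left of the buffer.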