Function r_parse_parse Lacks Boundary Check #14303

Closed
mmmdzz opened this issue Jun 15, 2019 · 3 comments
mmmdzz commented Jun 15, 2019

For x86.pseudo (and other RParsePlugins), the function replace lacks a boundary check for newstr, leading to heap- or stack-based buffer overwrites. So do other RParsePlugins.

Such a buffer overflow can be triggered from rasm2. Since r_parse_parse, which actually calls the function replace for x86.pseudo, can extend buf_asm and write it back to buf_asm, it causes a heap-based buffer overwrite.

Work environment

OS/arch/bits (mandatory): Ubuntu x86 64
File format of the file you reverse (mandatory): ELF
Architecture/bits of the file (mandatory): x86/64
r2 -v full output, not truncated (mandatory): radare2 3.6.0-git 22043 @ linux-x86-64 git.3.5.1-235-ga1ade7d87 commit: a1ade7d build: 2019-06-15__00:21:43

Expected behavior

NO CRASH

Actual behavior

$ rasm2 -d -a x86 -b 64 -F :x86.pseudo a6
while (CX != 0) { var = *(DS*16 + SI) - *(ES*16 + DI); SI++; DI++; CX--; if (!var) break; }
double free or corruption (out)
Aborted (core dumped)

Steps to reproduce the behavior

  • Follow actions mentioned above.

Additional Logs, screenshots, source-code, configuration dump, ...

Output of valgrind: valgrind.txt

mmmdzz commented Jun 15, 2019

Similar error for avr

$ rasm2 -d -a avr -F :avr.pseudo 1294
Segmentation fault

Other RParsePlugins also lack boundary checking.

radare commented Jun 15, 2019 via email

@radare radare added this to the 3.6.0 milestone Jun 15, 2019
radare commented Jun 15, 2019

Fixed. rbufstr overflows are tricky to fix; I created a wrapper function that handles bigger buffers for such cases, but the proper fix should be to redesign the RParse API. I will work on that after the release.

@radare radare closed this as completed in b282620 Jun 15, 2019
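The unbounded replace the report describes, and the bigger-buffer wrapper the maintainer mentions as the interim fix, as an added C example that is not radare2's code: the rule table, the `$n` operand placeholders and every function name (pseudo_needed, pseudo_parse, pseudo_parse_alloc) are constructed for illustration and do not reflect the RParse API. pseudo_parse keeps the fixed-output-buffer shape of the report but reports truncation instead of writing past the buffer; pseudo_parse_alloc takes the measure-then-allocate route, so the output is always as large as the expansion.

```c
/* Added example (not radare2 code): a toy pseudo-syntax rewriter with the
 * unbounded write replaced by bounded variants. The rule table and the
 * "$n" placeholders are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rule { const char *mnem; const char *tmpl; };
static const struct rule rules[] = {
    { "mov",   "$1 = $2" },
    { "add",   "$1 += $2" },
    { "cmpsb", "while (CX != 0) { var = *(DS*16 + SI) - *(ES*16 + DI); "
               "SI++; DI++; CX--; if (!var) break; }" },
};
#define MAXOPS 2

/* Split "mnem op1, op2" in place; returns the operand count or -1. */
static int tokenize(char *line, char **mnem, char **ops) {
    int n = 0;
    char *tok;
    *mnem = strtok(line, " \t");
    if (!*mnem) return -1;
    while (n < MAXOPS && (tok = strtok(NULL, ","))) {
        while (*tok == ' ') tok++;
        ops[n++] = tok;
    }
    return n;
}

/* Copy asm_line into a scratch buffer, tokenize it and pick a template.
 * Unknown mnemonics fall back to the original line. Returns NULL when the
 * line is empty or longer than the scratch buffer. */
static const char *prepare(const char *asm_line, char *line, size_t linesz,
                           char **ops, int *nops) {
    char *mnem;
    if (strlen(asm_line) >= linesz) return NULL;
    strcpy(line, asm_line);
    *nops = tokenize(line, &mnem, ops);
    if (*nops < 0) return NULL;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (!strcmp(rules[i].mnem, mnem)) return rules[i].tmpl;
    return asm_line;
}

/* Bounded expander, snprintf-style: writes at most dstsz-1 bytes plus a NUL
 * and returns the length the full expansion needs, so the caller can detect
 * truncation. dst == NULL with dstsz == 0 only measures. */
static size_t expand(const char *tmpl, char **ops, int nops,
                     char *dst, size_t dstsz) {
    size_t need = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *piece = p;
        size_t len = 1;
        if (p[0] == '$' && p[1] >= '1' && p[1] <= '9') {
            int idx = p[1] - '1';
            piece = idx < nops ? ops[idx] : "";
            len = strlen(piece);
            p++;
        }
        if (dst && need < dstsz) {            /* room left before the NUL slot */
            size_t room = dstsz - 1 - need;
            memcpy(dst + need, piece, len < room ? len : room);
        }
        need += len;
    }
    if (dst && dstsz) dst[need < dstsz ? need : dstsz - 1] = '\0';
    return need;
}

/* Length (without NUL) the rewrite of asm_line needs; 0 on bad input. */
size_t pseudo_needed(const char *asm_line) {
    char line[256], *ops[MAXOPS];
    int nops;
    const char *tmpl = prepare(asm_line, line, sizeof line, ops, &nops);
    return tmpl ? expand(tmpl, ops, nops, NULL, 0) : 0;
}

/* Fixed-size output, the shape of the API in the report: 0 on success, -1 if
 * the expansion does not fit; buf then holds a NUL-terminated prefix instead
 * of the bytes after buf being overwritten. */
int pseudo_parse(const char *asm_line, char *buf, size_t bufsz) {
    char line[256], *ops[MAXOPS];
    int nops;
    const char *tmpl = prepare(asm_line, line, sizeof line, ops, &nops);
    if (!tmpl || !bufsz) return -1;
    return expand(tmpl, ops, nops, buf, bufsz) < bufsz ? 0 : -1;
}

/* Growing output: measure first, allocate exactly, then expand. Caller frees. */
char *pseudo_parse_alloc(const char *asm_line) {
    char line[256], *ops[MAXOPS];
    int nops;
    const char *tmpl = prepare(asm_line, line, sizeof line, ops, &nops);
    if (!tmpl) return NULL;
    size_t need = expand(tmpl, ops, nops, NULL, 0);
    char *out = malloc(need + 1);
    if (out) expand(tmpl, ops, nops, out, need + 1);
    return out;
}

int main(void) {
    char small[32];
    /* cmpsb expands far beyond 32 bytes: the bounded call reports it. */
    int rc = pseudo_parse("cmpsb", small, sizeof small);
    printf("need %zu bytes, rc=%d, got \"%s\"\n", pseudo_needed("cmpsb"), rc, small);
    char *full = pseudo_parse_alloc("cmpsb");
    if (full) { puts(full); free(full); }
    return 0;
}
```

The measuring pass is what makes both variants safe: a fixed-buffer caller compares the returned length against its buffer size before trusting the output, and the allocating variant sizes the output from the same number, which is the general shape of the "handle bigger buffers" wrapper rather than a one-off for cmpsb.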