[AFL] r2 crash in r_bin_java_read_next_attr_from_buffer #1833

ekse opened this Issue Dec 14, 2014 · 0 comments

ekse commented Dec 14, 2014

I did some fuzzing of the handling of Java class files and got a bunch of crashes.

crash file : https://www.dropbox.com/sh/466tsvrq8qrewyj/AADlSLWhLbhzqMqN9n1G2L0wa/java/1/id_000002%2Csig_11%2Csrc_000000%2Cop_flip4%2Cpos_354?dl=1
original : https://www.dropbox.com/sh/466tsvrq8qrewyj/AACIzmyCHmpq0OYrU9tijfjga/java/HelloWorld.class?dl=0

gdb output

r_bin_java_read_next_attr_from_buffer (
    buffer=buffer@entry=0x911a858 <error: Cannot access memory at address 0x911a858>,
    sz=3204448229, buf_offset=16777602) at class.c:1975
1975                    sz = R_BIN_JAVA_UINT (buffer, offset);
(gdb) print buffer
$1 = (unsigned char *) 0x911a858 <error: Cannot access memory at address 0x911a858>

Backtrace

#0  r_bin_java_read_next_attr_from_buffer (
    buffer=buffer@entry=0x911a858 <error: Cannot access memory at address 0x911a858>,
    sz=3204448229, buf_offset=16777602) at class.c:1975
#1  0xb7d4eef6 in r_bin_java_code_attr_new (buffer=0x811a837 "", sz=3221225478,
    buf_offset=353) at class.c:3246
#2  0xb7d43624 in r_bin_java_read_next_attr_from_buffer (
    buffer=buffer@entry=0x811a837 "", sz=<optimized out>, buf_offset=353)
    at class.c:1986
#3  0xb7d4eef6 in r_bin_java_code_attr_new (buffer=0x811a820 "", sz=29, buf_offset=330)
    at class.c:3246
#4  0xb7d43624 in r_bin_java_read_next_attr_from_buffer (
    buffer=buffer@entry=0x811a820 "", sz=<optimized out>, buf_offset=330)
    at class.c:1986
#5  0xb7d439ec in r_bin_java_read_next_attr (bin=bin@entry=0x8119830, offset=330,
    buf=buf@entry=0x8119680 "\312\376\272\276", len=426) at class.c:1959
#6  0xb7d58b28 in r_bin_java_read_next_method (bin=bin@entry=0x8119830, offset=322,
    buf=buf@entry=0x8119680 "\312\376\272\276", len=426) at class.c:1383
#7  0xb7d590ac in r_bin_java_parse_methods (bin=bin@entry=0x8119830, offset=320,
    buf=buf@entry=0x8119680 "\312\376\272\276", len=426) at class.c:2172
#8  0xb7d5ab78 in r_bin_java_load_bin (bin=0x8119830,
    buf=0x8119680 "\312\376\272\276", buf_sz=426) at class.c:2254
#9  0xb7d5add8 in r_bin_java_new_bin (bin=bin@entry=0x8119830, loadaddr=0,
    kv=kv@entry=0x8112f70, buf=0x8119680 "\312\376\272\276", len=426) at class.c:2211
#10 0xb7d5aec0 in r_bin_java_new_buf (buf=0x8119658, loadaddr=0, kv=0x8112f70)
    at class.c:2892
#11 0xb7c8f117 in load_bytes (buf=0x8112d50 "\312\376\272\276", sz=426, loadaddr=0,
    sdb=0x8112f70)
    at /home/ml2/tools/afl-0.89b/projects/radare2/libr/..//libr/bin/p/bin_java.c:67
#12 0xb7bf8b55 in r_bin_object_new (binfile=binfile@entry=0x8112cc8,
    plugin=plugin@entry=0x80e6870, baseaddr=0, loadaddr=0, offset=0, sz=426)
    at bin.c:838
#13 0xb7bfcc17 in r_bin_file_new_from_bytes (xtrname=0x0, offset=0, pluginname=0x0,
    fd=<optimized out>, loadaddr=0, baseaddr=0, rawstr=<optimized out>,
    file_sz=<optimized out>, sz=<optimized out>, bytes=0x8112b18 "\312\376\272\276",
    file=<optimized out>, bin=0x80df540) at bin.c:976
#14 r_bin_load_io_at_offset_as_sz (bin=bin@entry=0x80df540, desc=desc@entry=0x811c6a8,
    baseaddr=0, loadaddr=0, xtr_idx=xtr_idx@entry=0, offset=0, name=name@entry=0x0,
    sz=134217728) at bin.c:582
#15 0xb7bfd81c in r_bin_load_io_at_offset_as (bin=0x80df540, desc=0x811c6a8,
    baseaddr=0, loadaddr=0, xtr_idx=0, offset=0, name=0x0) at bin.c:597
#16 0xb7bfe32b in r_bin_load_io (bin=0x80df540, desc=0x811c6a8, baseaddr=0,
    loadaddr=0, xtr_idx=0) at bin.c:496
#17 0xb7ee52a6 in r_core_file_do_load_for_io_plugin (loadaddr=0, baseaddr=0,
    r=0x8053300 <r>) at file.c:338
#18 r_core_bin_load (r=0x8053300 <r>,
    filenameuri=0x811c6d0 "results-radare2/crashes/id:000002,sig:11,src:000000,op:flip4,pos:354", baddr=0) at file.c:470
#19 0x0804c0eb in main (argc=2, argv=0xbffff704, envp=0xbffff710) at radare2.c:546

Analysis

The sz value in r_bin_java_code_attr_new is clearly too large, which will result in a crash in r_bin_java_read_next_attr_from_buffer.

#1  0xb7d4eef6 in r_bin_java_code_attr_new (buffer=0x811a837 "", sz=3221225478,
    buf_offset=353) at class.c:3246

Another function, r_bin_java_read_next_attr, checks that the size is inside the bounds of the buffer before calling r_bin_java_read_next_attr_from_buffer, but r_bin_java_code_attr_new does no such checking.

r_bin_java_read_next_attr in class.c:1948
    if (sz + offset > len ){
        eprintf ("[X] r_bin_java: Error unable to parse remainder of classfile in Attribute len "
            "(0x%x) + offset (0x%"PFMT64x") exceeds length of buffer (0x%"PFMT64x").\n", sz, offset, len);
        return attr;
    }

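Added example (not code from the issue report or from radare2's class.c): a minimal C walker over Java class-file attribute_info entries that applies the bounds check described above at every level, including the attributes nested inside a Code attribute, which is the recursion visible in frames #0-#4. The check compares the declared attribute_length against the bytes remaining in the enclosing buffer before anything dereferences past it, and a nested attribute is bounded by its parent's length rather than by the end of the file. Assumptions: the constant-pool index naming "Code" is passed in as a parameter (7 in the samples) instead of being resolved from the constant pool, "LineNumberTable" is assumed to be index 8, and both byte arrays are constructed; the malformed one has the nested attribute_length set to 0xC0000006, i.e. 3221225478, the sz value in frame #1.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Class files are big-endian. */
static uint16_t rd_u2(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd_u4(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static int parse_attribute_list(const uint8_t *buf, size_t len, size_t *off,
                                uint16_t count, uint16_t code_name_index, int depth);

/* Body of a Code attribute (JVMS 4.7.3). buf/len cover exactly the attribute's
 * info[] bytes, so every nested length is bounded by the enclosing
 * attribute_length, not merely by the end of the file. Returns 0 or -1. */
static int parse_code_attr(const uint8_t *buf, size_t len, uint16_t code_name_index, int depth)
{
    if (len < 8) return -1;                            /* max_stack, max_locals, code_length */
    uint32_t code_length = rd_u4(buf + 4);
    size_t off = 8;
    if (code_length > len - off) return -1;            /* bytecode must fit in the attribute */
    off += code_length;
    if (len - off < 2) return -1;
    uint16_t exc_count = rd_u2(buf + off);
    off += 2;
    if ((size_t)exc_count * 8 > len - off) return -1;  /* exception_table entries are 8 bytes */
    off += (size_t)exc_count * 8;
    if (len - off < 2) return -1;
    uint16_t attr_count = rd_u2(buf + off);
    off += 2;
    /* The recursion from the backtrace: Code attribute -> nested attribute list. */
    if (parse_attribute_list(buf, len, &off, attr_count, code_name_index, depth + 1) < 0) return -1;
    return off == len ? 0 : -1;                        /* nested attributes fill the attribute exactly */
}

/* Walk `count` attribute_info structures (u2 name_index, u4 length, u1 info[length])
 * starting at *off. Returns the number parsed, or -1 if a header or a declared
 * length runs past the end of buf. */
static int parse_attribute_list(const uint8_t *buf, size_t len, size_t *off,
                                uint16_t count, uint16_t code_name_index, int depth)
{
    if (depth > 1) return -1;                          /* a Code attribute cannot nest another Code */
    for (uint16_t i = 0; i < count; i++) {
        if (len - *off < 6) return -1;                 /* the 6-byte header itself must fit */
        uint16_t name_index = rd_u2(buf + *off);
        uint32_t alen = rd_u4(buf + *off + 2);
        *off += 6;
        /* The check the report says r_bin_java_code_attr_new lacks: reject a length
         * larger than what remains before reading at buf + *off + alen. A size_t
         * subtraction on the right side means a huge alen cannot wrap the sum. */
        if (alen > len - *off) return -1;
        if (name_index == code_name_index &&
            parse_code_attr(buf + *off, alen, code_name_index, depth) < 0)
            return -1;
        *off += alen;
    }
    return (int)count;
}

/* Validate a method's attribute table. code_name_index is the constant-pool
 * index naming "Code" (assumption: a real parser resolves it; samples use 7). */
int check_method_attributes(const uint8_t *buf, size_t len, uint16_t count, uint16_t code_name_index)
{
    size_t off = 0;
    return parse_attribute_list(buf, len, &off, count, code_name_index, 0);
}

/* Constructed sample: a 29-byte Code attribute (the sz seen in frame #3) for a
 * trivial constructor, with one nested LineNumberTable attribute. */
static const uint8_t good_attrs[] = {
    0x00, 0x07,                          /* attribute_name_index -> "Code" (assumed #7) */
    0x00, 0x00, 0x00, 0x1d,              /* attribute_length = 29 */
    0x00, 0x01, 0x00, 0x01,              /* max_stack = 1, max_locals = 1 */
    0x00, 0x00, 0x00, 0x05,              /* code_length = 5 */
    0x2a, 0xb7, 0x00, 0x01, 0xb1,        /* aload_0; invokespecial #1; return */
    0x00, 0x00,                          /* exception_table_length = 0 */
    0x00, 0x01,                          /* attributes_count = 1 */
    0x00, 0x08,                          /* nested name_index -> "LineNumberTable" (assumed #8) */
    0x00, 0x00, 0x00, 0x06,              /* nested attribute_length = 6 */
    0x00, 0x01, 0x00, 0x00, 0x00, 0x03,  /* one entry: start_pc 0 -> line 3 */
};

/* Same bytes with the nested length corrupted to 0xC0000006 = 3221225478,
 * the sz value in frame #1 of the reported backtrace. */
static const uint8_t bad_attrs[] = {
    0x00, 0x07, 0x00, 0x00, 0x00, 0x1d,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05,
    0x2a, 0xb7, 0x00, 0x01, 0xb1, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x08, 0xc0, 0x00, 0x00, 0x06,  /* oversized nested attribute_length */
    0x00, 0x01, 0x00, 0x00, 0x00, 0x03,
};

int main(void)
{
    printf("well-formed: %d\n", check_method_attributes(good_attrs, sizeof good_attrs, 1, 7));
    printf("oversized nested length: %d\n", check_method_attributes(bad_attrs, sizeof bad_attrs, 1, 7));
    printf("truncated file: %d\n", check_method_attributes(good_attrs, 20, 1, 7));
    return 0;
}
```

The truncated case (same bytes, but only 20 of them available) exercises the outer check, while the corrupted sample only fails at the nested level, which is where the reported crash happened.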
@radare radare closed this in 65b580d Dec 16, 2014
