
Heap buffer overflow in relocs() #6829

Closed
fumfel opened this issue Feb 21, 2017 · 2 comments

@fumfel

commented Feb 21, 2017

Heap buffer overflow in relocs()

Tested on Git HEAD: a116482

Payload (bins/fuzzed/r2_hbo_relocs) in radare/radare2-regressions#713

To reproduce: r2 -A r2_hbo_relocs

ASAN:

==2310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000054d0 at pc 0x7fd392d4130b bp 0x7ffc5c79f210 sp 0x7ffc5c79f208
WRITE of size 4 at 0x6110000054d0 thread T0
    #0 0x7fd392d4130a in relocs /XYZ/radare2/libr/..//libr/bin/p/bin_bflt.c:180:33
    #1 0x7fd392cc3427 in r_bin_object_set_items /XYZ/radare2/libr/bin/bin.c:667:16
    #2 0x7fd392cc3427 in r_bin_object_new /XYZ/radare2/libr/bin/bin.c:1246
    #3 0x7fd392cbf17f in r_bin_file_new_from_bytes /XYZ/radare2/libr/bin/bin.c:1434:6
    #4 0x7fd392cbf17f in r_bin_load_io_at_offset_as_sz /XYZ/radare2/libr/bin/bin.c:980
    #5 0x7fd392cbb339 in r_bin_load_io_at_offset_as /XYZ/radare2/libr/bin/bin.c:994:12
    #6 0x7fd392cbb339 in r_bin_load_io /XYZ/radare2/libr/bin/bin.c:837
    #7 0x7fd393f7b93f in r_core_file_do_load_for_io_plugin /XYZ/radare2/libr/core/file.c:421:7
    #8 0x7fd393f7b93f in r_core_bin_load /XYZ/radare2/libr/core/file.c:544
    #9 0x55e329670ef2 in main /XYZ/radare2/binr/radare2/radare2.c:880:14
    #10 0x7fd38cca182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x55e3295a1b38 in _start (/usr/local/bin/radare2+0x20b38)

ASAN:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
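The ASAN report above records a 4-byte heap write past the end of an allocation while the bFLT loader walks its relocation table. The usual root cause for that class of bug is sizing or indexing a heap table from a count taken straight from the file header. The following is an added example written for this page, not radare2's bin_bflt.c and not the fix in 72794dc: it uses a constructed, simplified header (only a relocation-table offset and an entry count, big-endian) and shows the length check a loader needs before it allocates and fills the table. The function and sample names (parse_relocs_checked, reloc_table_fits, SAMPLE_*) are the example's own; the byte arrays are constructed here and are not the r2_hbo_relocs payload.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HDR_SIZE 8u           /* constructed header: reloc_start, reloc_count */
#define RELOC_ENTRY_SIZE 4u   /* one 32-bit offset per relocation entry */

/* Read a big-endian 32-bit value (bFLT stores its header this way). */
static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The guard: the table the header describes must lie entirely inside the
 * bytes actually held. Dividing rather than multiplying means a huge count
 * cannot wrap the arithmetic and slip past the check. */
static int reloc_table_fits(size_t len, uint32_t start, uint32_t count) {
    if (start > len) return 0;
    return count <= (len - start) / RELOC_ENTRY_SIZE;
}

/* Parse the relocation table into a heap array sized from the validated
 * count. Returns the number of entries and stores the array in *out
 * (caller frees), or -1 if the header does not agree with the buffer. */
int parse_relocs_checked(const uint8_t *buf, size_t len, uint32_t **out) {
    *out = NULL;
    if (len < HDR_SIZE) return -1;
    uint32_t start = rd32be(buf);
    uint32_t count = rd32be(buf + 4);
    if (count > INT_MAX || !reloc_table_fits(len, start, count)) return -1;
    uint32_t *table = calloc(count ? count : 1, sizeof *table);
    if (!table) return -1;
    /* Every index below is in range for both buf and table after the check. */
    for (uint32_t i = 0; i < count; i++)
        table[i] = rd32be(buf + start + (size_t)i * RELOC_ENTRY_SIZE);
    *out = table;
    return (int)count;
}

/* Constructed inputs (not the r2_hbo_relocs payload). The first is
 * consistent: table at offset 8 with two entries. The others lie about the
 * table: a count one past the end, a count that would wrap a multiplication,
 * and a start offset beyond the buffer. */
static const uint8_t SAMPLE_OK[16] = {
    0,0,0,8,  0,0,0,2,  0,0,0,0x10,  0,0,0,0x20 };
static const uint8_t SAMPLE_COUNT_TOO_BIG[16] = {
    0,0,0,8,  0,0,0,3,  0,0,0,0x10,  0,0,0,0x20 };
static const uint8_t SAMPLE_COUNT_WRAPS[16] = {
    0,0,0,8,  0xff,0xff,0xff,0xff,  0,0,0,0x10,  0,0,0,0x20 };
static const uint8_t SAMPLE_START_PAST_END[16] = {
    0,0,1,0,  0,0,0,1,  0,0,0,0x10,  0,0,0,0x20 };

/* Convenience wrappers so results can be checked without juggling pointers:
 * the entry count or -1, and the value at index idx (UINT32_MAX on rejection). */
int reloc_count(const uint8_t *buf, size_t len) {
    uint32_t *t; int n = parse_relocs_checked(buf, len, &t); free(t); return n;
}
uint32_t reloc_at(const uint8_t *buf, size_t len, uint32_t idx) {
    uint32_t *t; int n = parse_relocs_checked(buf, len, &t);
    uint32_t v = (n >= 0 && idx < (uint32_t)n) ? t[idx] : UINT32_MAX;
    free(t); return v;
}

int main(void) {
    printf("consistent header: %d entries\n", reloc_count(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("count past end: %d\n", reloc_count(SAMPLE_COUNT_TOO_BIG, 16));
    printf("count that wraps: %d\n", reloc_count(SAMPLE_COUNT_WRAPS, 16));
    printf("start past end: %d\n", reloc_count(SAMPLE_START_PAST_END, 16));
    return 0;
}
```

The point of reloc_table_fits is that the bound is checked against the number of bytes the loader actually holds, not against fields inside the file, and that the comparison is done by division so a count chosen to overflow `count * 4` is still rejected. Under ASAN the unchecked variant of the loop would report exactly the kind of heap-buffer-overflow WRITE shown in the trace above.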

@alvarofe alvarofe closed this in 72794dc Feb 21, 2017

@fumfel

Author

commented Feb 22, 2017

This is CVE-2017-6194.

@Maijin

Collaborator

commented Feb 22, 2017

"This is CVE-2017-6194."

Link/Proof ?
