
Stack buffer overflow in dalvik_disassemble() #6885

Closed
fumfel opened this issue Mar 2, 2017 · 0 comments

@fumfel
commented Mar 2, 2017

Stack buffer overflow in dalvik_disassemble()

Tested on Git HEAD: 0744e33

Payload (bins/fuzzed/r2_sbo_dalvik_disassemble) in radare/radare2-regressions#721

To reproduce: r2 -A r2_sbo_dalvik_disassemble

ASAN:

==2604==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe491e5460 at pc 0x56425c850b51 bp 0x7ffe491e4f40 sp 0x7ffe491e46c8
WRITE of size 1157 at 0x7ffe491e5460 thread T0
    #0 0x56425c850b50 in vsprintf /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1338:1
    #1 0x56425c851e3d in __interceptor_sprintf /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1369:1
    #2 0x7f921939e5fb in dalvik_disassemble /XYZ/radare2/libr/asm/p/asm_dalvik.c:318:6
    #3 0x7f92194bfec1 in r_asm_disassemble /XYZ/radare2/libr/asm/asm.c:388:9
    #4 0x7f921dd3f1bf in r_core_anal_op /XYZ/radare2/libr/core/canal.c:741:6
    #5 0x7f921dd4f55e in fcn_callconv /XYZ/radare2/libr/core/canal.c:2248:9
    #6 0x7f921dd59de0 in r_core_anal_all /XYZ/radare2/libr/core/canal.c:2780:5
    #7 0x7f921db993db in cmd_anal_all /XYZ/radare2/libr/core/./cmd_anal.c:5149:4
    #8 0x7f921db993db in cmd_anal /XYZ/radare2/libr/core/./cmd_anal.c:5499
    #9 0x7f921dd377cf in r_cmd_call /XYZ/radare2/libr/core/cmd_api.c:226:10
    #10 0x7f921dc36b1c in r_core_cmd_subst_i /XYZ/radare2/libr/core/cmd.c:2082:16
    #11 0x7f921db8b287 in r_core_cmd_subst /XYZ/radare2/libr/core/cmd.c:1359:9
    #12 0x7f921db854a7 in r_core_cmd /XYZ/radare2/libr/core/cmd.c:2656:9
    #13 0x56425c906c8a in main /XYZ/radare2/binr/radare2/radare2.c:1084:12
    #14 0x7f92169c082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x56425c834b38 in _start (/usr/local/bin/radare2+0x20b38)

ASAN:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.

More context in the Valgrind report (I can overwrite the return address! Please consider using stack canaries, because they are disabled by default).

==25534== Memcheck, a memory error detector
==25534== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==25534== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==25534== Command: r2 -A r2_sbo_dalvik_disassemble
==25534== 
# adler32 checksum doesn't match. Type this to fix it:
wx `#sha1 $s-32 @32` @12 ; wx `#adler32 $s-12 @12` @8
[==25534== Jump to the invalid address stated on the next line
==25534==    at 0x4141414141414141: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x41414140: ???
==25534==    by 0x43: ???
==25534==    by 0x3153B7: ??? (in /usr/local/bin/radare2)
==25534==  Address 0x4141414141414141 is not stack'd, malloc'd or (recently) free'd
==25534== 
==25534== 
==25534== Process terminating with default action of signal 11 (SIGSEGV)
==25534==  Bad permissions for mapped region at address 0x4141414141414141
==25534==    at 0x4141414141414141: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x4141414141414140: ???
==25534==    by 0x41414140: ???
==25534==    by 0x43: ???
==25534==    by 0x3153B7: ??? (in /usr/local/bin/radare2)
==25534== 
==25534== HEAP SUMMARY:
==25534==     in use at exit: 1,175,379 bytes in 16,481 blocks
==25534==   total heap usage: 75,971 allocs, 59,490 frees, 23,543,639 bytes allocated
==25534== 
==25534== LEAK SUMMARY:
==25534==    definitely lost: 18,447 bytes in 20 blocks
==25534==    indirectly lost: 4,187 bytes in 2 blocks
==25534==      possibly lost: 0 bytes in 0 blocks
==25534==    still reachable: 1,152,745 bytes in 16,459 blocks
==25534==         suppressed: 0 bytes in 0 blocks
==25534== Rerun with --leak-check=full to see details of leaked memory
==25534== 
==25534== For counts of detected and suppressed errors, rerun with: -v
==25534== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
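The ASAN trace above pins the write to an `sprintf` call inside `dalvik_disassemble()`, and the 1157-byte write size shows the formatted text is as long as the input makes it. The following added example (written for this page, not radare2's own code) shows that bug class side by side with the bounded form a reviewer would ask for: `format_op_unbounded` reproduces the `sprintf`-into-a-stack-buffer pattern, `format_op_bounded` replaces it with `snprintf` plus a return-value check so oversized operands are reported instead of written past the buffer. `OPBUF_SIZE`, the `invoke-virtual` mnemonic and every function name here are assumptions for illustration; the real buffer size in `asm_dalvik.c` is not on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer the caller hands to the disassembler
   (hypothetical; the real buffer in asm_dalvik.c is not shown on the page). */
#define OPBUF_SIZE 256

/* Vulnerable pattern, reconstructed for illustration (not radare2's code):
   sprintf() cannot know how large `out` is, so an operand string whose
   length comes from the input file is written past the end of the caller's
   stack buffer. This is the class of bug the ASAN trace reports (a 1157-byte
   write by sprintf inside dalvik_disassemble). It is never called below. */
void format_op_unbounded(char *out, const char *mnemonic, const char *operand) {
    sprintf(out, "%s %s", mnemonic, operand);  /* no bound on the write */
}

/* Hardened form: snprintf() is told the buffer size and its return value is
   checked, so truncation is reported instead of silently corrupting memory.
   Returns 0 on success, -1 if the text did not fit (buffer stays terminated). */
int format_op_bounded(char *out, size_t out_size, const char *mnemonic, const char *operand) {
    if (!out || out_size == 0) {
        return -1;
    }
    int n = snprintf(out, out_size, "%s %s", mnemonic, operand);
    if (n < 0 || (size_t)n >= out_size) {
        out[out_size - 1] = '\0';  /* snprintf already terminated; be explicit */
        return -1;
    }
    return 0;
}

/* Stand-in for one disassembler step: the operand text is untrusted input. */
int disassemble_operand(const char *operand_from_input, char out[OPBUF_SIZE]) {
    return format_op_bounded(out, OPBUF_SIZE, "invoke-virtual", operand_from_input);
}

/* Returns 1 if a normal-sized operand is formatted as expected. */
int check_short_operand(void) {
    char out[OPBUF_SIZE];
    if (disassemble_operand("{v0, v1}, Lfoo;->bar()V", out) != 0) {
        return 0;
    }
    return strcmp(out, "invoke-virtual {v0, v1}, Lfoo;->bar()V") == 0;
}

/* Returns 1 if a constructed oversized operand (1157 'A' bytes, mirroring the
   0x41 fill visible in the Valgrind trace) is rejected and the output buffer
   is still NUL-terminated inside its bounds. */
int check_long_operand(void) {
    char operand[1158];                       /* constructed sample input */
    memset(operand, 'A', sizeof(operand) - 1);
    operand[sizeof(operand) - 1] = '\0';
    char out[OPBUF_SIZE];
    int rc = disassemble_operand(operand, out);
    int terminated = memchr(out, '\0', OPBUF_SIZE) != NULL;
    return rc == -1 && terminated;
}

int main(void) {
    printf("short operand formatted: %d\n", check_short_operand());
    printf("oversized operand rejected: %d\n", check_long_operand());
    return 0;
}
```

The point of the bounded version is not only the `snprintf` call but the check on its return value: a truncated mnemonic would be wrong output, so the caller is told about it rather than handed a silently cut string. Building with `-fsanitize=address` (as the reporter did) turns the unbounded variant into an immediate, attributable crash instead of a corrupted return address.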

@h4ng3r h4ng3r self-assigned this Mar 2, 2017

@h4ng3r h4ng3r added the Android label Mar 2, 2017

h4ng3r added a commit to h4ng3r/radare2 that referenced this issue Mar 2, 2017

h4ng3r added a commit to h4ng3r/radare2 that referenced this issue Mar 2, 2017

@alvarofe alvarofe closed this in f41e941 Mar 2, 2017

radare added a commit that referenced this issue Mar 3, 2017
