
Heap out of bounds read in read_u32_leb128() #7260

Closed
fumfel opened this issue Apr 12, 2017 · 5 comments

@fumfel commented Apr 12, 2017

Heap out of bounds read in read_u32_leb128()

Tested on Git HEAD: 03591de

Payload: radare/radare2-regressions#797

Command: r2 -A r2_hbo_read_u32_leb128

ASAN:

==25448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c7d3 at pc 0x7fdbfa1de0e2 bp 0x7fff9a5bb160 sp 0x7fff9a5bb150
READ of size 1 at 0x60d00000c7d3 thread T0
    #0 0x7fdbfa1de0e1 in read_u32_leb128 XYZ/Desktop/radare2/libr/util/uleb128.c:141
    #1 0x7fdbfedf3208 in consume_u32 XYZ/Desktop/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:14
    #2 0x7fdbfedf3208 in consume_u8 XYZ/Desktop/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:28
    #3 0x7fdbfedf3208 in r_bin_wasm_get_global_entries XYZ/Desktop/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:588
    #4 0x7fdbfedf3208 in r_bin_wasm_get_globals XYZ/Desktop/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:1060
    #5 0x7fdbfedf7268 in r_bin_wasm_init XYZ/Desktop/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:687
    #6 0x7fdbfeb1e41d in r_bin_object_new XYZ/Desktop/radare2/libr/bin/bin.c:1300
    #7 0x7fdbfeb21e66 in r_bin_file_new_from_bytes XYZ/Desktop/radare2/libr/bin/bin.c:1524
    #8 0x7fdbfeb21e66 in r_bin_load_io_at_offset_as_sz XYZ/Desktop/radare2/libr/bin/bin.c:1079
    #9 0x7fdbfeb23562 in r_bin_load_io_at_offset_as XYZ/Desktop/radare2/libr/bin/bin.c:1093
    #10 0x7fdbfeb24805 in r_bin_load_io XYZ/Desktop/radare2/libr/bin/bin.c:936
    #11 0x7fdbffdc8fe8 in r_core_file_do_load_for_io_plugin XYZ/Desktop/radare2/libr/core/file.c:429
    #12 0x7fdbffdc8fe8 in r_core_bin_load XYZ/Desktop/radare2/libr/core/file.c:566
    #13 0x56481bdb45d3 in main XYZ/Desktop/radare2/binr/radare2/radare2.c:925
    #14 0x7fdbf9cfa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x56481bdb7f48 in _start (/usr/local/bin/radare2+0xdf48)

0x60d00000c7d3 is located 0 bytes to the right of 131-byte region [0x60d00000c750,0x60d00000c7d3)
allocated by thread T0 here:
    #0 0x7fdc003a9602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fdbfa18086e in r_buf_set_bytes XYZ/Desktop/radare2/libr/util/buf.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/Desktop/radare2/libr/util/uleb128.c:141 read_u32_leb128
==25448==ABORTING
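A bounds-checked u32 LEB128 decoder, added here as an example; it is neither radare2's read_u32_leb128() nor the fix in the linked commit, and the function names (read_u32_leb128_checked, consume_u32_checked, count_u32s) and sample bytes are constructed for illustration. It shows the check the ASAN report points at: stopping at the end of the buffer instead of reading one byte past it when the last byte still has the continuation bit set.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds-checked unsigned LEB128 decoder for u32 values: example code added to
 * illustrate the missing check, not radare2's own read_u32_leb128(). It never
 * dereferences at or past `end`, the case that crashed (a value whose last byte
 * has the continuation bit 0x80 set at the very end of the allocation).
 * Returns bytes consumed, or 0 on truncated or malformed input. */
size_t read_u32_leb128_checked(const uint8_t *p, const uint8_t *end, uint32_t *out) {
    uint32_t result = 0;
    unsigned shift = 0;
    size_t n = 0;
    while (p + n < end && n < 5) {                 /* a u32 needs at most 5 groups */
        uint8_t byte = p[n++];
        if (n == 5 && (byte & 0x70)) return 0;     /* 5th group holds only bits 28..31 */
        result |= (uint32_t)(byte & 0x7f) << shift;
        if (!(byte & 0x80)) { *out = result; return n; } /* continuation bit clear */
        shift += 7;
    }
    return 0; /* hit `end` mid-value (truncated) or would need a 6th byte */
}

/* Cursor wrapper in the spirit of consume_u32() from the stack trace: *cur only
 * advances on success, so a section-parsing loop cannot drift past `end`. */
int consume_u32_checked(const uint8_t **cur, const uint8_t *end, uint32_t *out) {
    size_t n = read_u32_leb128_checked(*cur, end, out);
    if (n == 0) return 0;
    *cur += n;
    return 1;
}

/* Walks a section and returns how many u32 values decoded before the decoder
 * refused to go on; `last` receives the final successfully decoded value. */
size_t count_u32s(const uint8_t *buf, size_t len, uint32_t *last) {
    const uint8_t *cur = buf, *end = buf + len;
    size_t count = 0;
    while (consume_u32_checked(&cur, end, last)) count++;
    return count;
}

int main(void) {
    /* Constructed input, not the regression payload: the trailing 0x80 keeps
     * the continuation bit set with no byte after it, like the crashing file. */
    const uint8_t section[] = { 0xE5, 0x8E, 0x26, 0x07, 0x80 };
    uint32_t last = 0;
    size_t n = count_u32s(section, sizeof section, &last);
    printf("decoded %zu values, last = %u\n", n, last);
    return 0;
}
```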

@radare radare closed this Apr 12, 2017

@radare (Owner) commented Apr 12, 2017 (comment minimized)
@radare radare added this to the 1.4.0 milestone Apr 12, 2017

@attritionorg commented Apr 12, 2017:

Can you link the fixing commit please? Don't see it.

@radare (Owner) commented Apr 12, 2017:

here 3aca1b1

@attritionorg commented Apr 12, 2017:

Thanks!

@radare (Owner) commented Apr 12, 2017 (comment minimized)