
Heap out of bounds read in consume_init_expr() #7265

Closed
fumfel opened this issue Apr 13, 2017 · 1 comment

@fumfel commented Apr 13, 2017

Heap out of bounds read in consume_init_expr()

Tested on Git HEAD: 825caa9

Payload: radare/radare2-regressions#798

Command: r2 -A r2_hoobr_consume_init_expr

ASAN:

==17478==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000054c4 at pc 0x7f7669604713 bp 0x7fffa92e0f30 sp 0x7fffa92e0f20
READ of size 1 at 0x6110000054c4 thread T0
    #0 0x7f7669604712 in consume_init_expr XYZ/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:72
    #1 0x7f7669604712 in r_bin_wasm_get_data_entries XYZ/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:476
    #2 0x7f7669604712 in r_bin_wasm_get_datas XYZ/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:1167
    #3 0x7f7669604b02 in r_bin_wasm_init XYZ/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:715
    #4 0x7f766932fc1d in r_bin_object_new XYZ/radare2/libr/bin/bin.c:1300
    #5 0x7f766933393e in r_bin_file_new_from_bytes XYZ/radare2/libr/bin/bin.c:1524
    #6 0x7f766933393e in r_bin_load_io_at_offset_as_sz XYZ/radare2/libr/bin/bin.c:1079
    #7 0x7f7669334dc2 in r_bin_load_io_at_offset_as XYZ/radare2/libr/bin/bin.c:1093
    #8 0x7f7669335ee5 in r_bin_load_io XYZ/radare2/libr/bin/bin.c:936
    #9 0x7f766a5d8ad5 in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:429
    #10 0x7f766a5d8ad5 in r_core_bin_load XYZ/radare2/libr/core/file.c:566
    #11 0x560ea6a74c34 in main XYZ/radare2/binr/radare2/radare2.c:929
    #12 0x7f766450682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x560ea6a78468 in _start (/usr/local/bin/radare2+0xe468)

0x6110000054c4 is located 0 bytes to the right of 196-byte region [0x611000005400,0x6110000054c4)
allocated by thread T0 here:
    #0 0x7f766abb7602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f766498c179 in r_buf_set_bytes XYZ/radare2/libr/util/buf.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:72 consume_init_expr
Shadow bytes around the buggy address:
  0x0c227fff8a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8a90: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
  0x0c227fff8aa0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8ac0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8ae0: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==17478==ABORTING
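The trace above shows a one-byte read landing exactly at the end of a 196-byte heap region, one frame below `r_bin_wasm_get_data_entries`: the pattern of an init_expr consumer advancing through a buffer without checking how many bytes remain. The following is an added example, not radare2's code and not the fix that went into 1.4.0; it shows a bounds-checked version of the two parsing layers named in the stack (the init_expr itself and the data-section entry that embeds it). The function names `read_leb128`, `consume_init_expr_checked` and `consume_data_entry_checked` are assumptions made here; the opcodes are the constant-expression opcodes of the wasm MVP binary format, and the input byte strings are constructed for the demo, not taken from the crashing file.

```c
/* Added example (not radare2's code): bounds-checked parsing of a wasm
 * init_expr and of one data-section entry, the two layers in the report's
 * stack (consume_init_expr called from r_bin_wasm_get_data_entries).
 * Every read is guarded by the remaining length, so a truncated or
 * unterminated expression yields 0 instead of walking past the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcodes from the wasm MVP binary format that may appear in a constant expression. */
enum {
    OP_END        = 0x0b,
    OP_GET_GLOBAL = 0x23,
    OP_I32_CONST  = 0x41,
    OP_I64_CONST  = 0x42,
    OP_F32_CONST  = 0x43,
    OP_F64_CONST  = 0x44,
};

/* Decode an LEB128 value of at most max_bytes bytes. Returns the byte count
 * consumed, or 0 if the buffer (or the byte budget) ends before the
 * continuation bit clears. Only lengths matter for i32/i64 immediates, so
 * sign extension is skipped; the value is used for the unsigned data size. */
static size_t read_leb128(const uint8_t *buf, size_t len, size_t max_bytes, uint64_t *out) {
    uint64_t value = 0;
    size_t i = 0;
    while (i < len && i < max_bytes) {
        uint8_t b = buf[i];
        value |= (uint64_t)(b & 0x7f) << (7 * i);
        i++;
        if ((b & 0x80) == 0) {
            if (out) *out = value;
            return i;
        }
    }
    return 0;   /* ran out of input before the value terminated */
}

/* Returns the length of the init_expr at buf[0] including its 0x0b end
 * opcode, or 0 if it is truncated, unterminated within len bytes, or uses an
 * opcode that is not legal in a constant expression. Never touches buf[len]. */
size_t consume_init_expr_checked(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    while (pos < len) {
        uint8_t op = buf[pos++];
        size_t n;
        switch (op) {
        case OP_END:        return pos;
        case OP_I32_CONST:
        case OP_GET_GLOBAL: n = read_leb128(buf + pos, len - pos, 5, NULL); break;
        case OP_I64_CONST:  n = read_leb128(buf + pos, len - pos, 10, NULL); break;
        case OP_F32_CONST:  n = (len - pos >= 4) ? 4 : 0; break;
        case OP_F64_CONST:  n = (len - pos >= 8) ? 8 : 0; break;
        default:            return 0;   /* not a constant-expression opcode */
        }
        if (n == 0) return 0;           /* immediate runs past the buffer */
        pos += n;
    }
    return 0;                           /* no OP_END before the buffer ended */
}

/* One data-section entry: memory index (varuint32), offset init_expr,
 * payload size (varuint32), payload bytes. Returns the entry length or 0.
 * The caller must pass the bytes remaining in the section, not the whole file. */
size_t consume_data_entry_checked(const uint8_t *buf, size_t len) {
    size_t pos = 0, n;
    uint64_t size = 0;
    if ((n = read_leb128(buf, len, 5, NULL)) == 0) return 0;                  /* index */
    pos += n;
    if ((n = consume_init_expr_checked(buf + pos, len - pos)) == 0) return 0; /* offset */
    pos += n;
    if ((n = read_leb128(buf + pos, len - pos, 5, &size)) == 0) return 0;     /* size */
    pos += n;
    if (size > len - pos) return 0;                                           /* payload truncated */
    return pos + (size_t)size;
}

int main(void) {
    /* Constructed byte strings, not taken from the crashing file. */
    const uint8_t ok[]    = { OP_I32_CONST, 0x80, 0x01, OP_END };     /* i32.const 128; end */
    const uint8_t trunc[] = { OP_I32_CONST, 0x80, 0x01 };             /* end opcode missing */
    const uint8_t entry[] = { 0x00, OP_I32_CONST, 0x00, OP_END, 0x02, 0xaa, 0xbb };
    const uint8_t short_entry[] = { 0x00, OP_I32_CONST, 0x00, OP_END, 0x05, 0xaa };
    printf("init_expr ok:     %zu\n", consume_init_expr_checked(ok, sizeof ok));
    printf("init_expr trunc:  %zu\n", consume_init_expr_checked(trunc, sizeof trunc));
    printf("data entry ok:    %zu\n", consume_data_entry_checked(entry, sizeof entry));
    printf("data entry trunc: %zu\n", consume_data_entry_checked(short_entry, sizeof short_entry));
    return 0;
}
```

Compile with `-fsanitize=address` and feed it the truncated inputs: the checked consumer returns 0 and ASAN stays quiet, because the length check happens before every `buf[pos]` access rather than after. The same discipline applies one level up: the data-section loop has to hand each entry only the bytes left in the section, otherwise a correct init_expr parser can still be pointed past the end of the buffer.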

@radare radare closed this Apr 13, 2017

@radare (Owner) commented Apr 13, 2017; the comment has been minimized.

@radare radare added this to the 1.4.0 milestone Apr 13, 2017
