Use-after-free in get_relocs_64() #7301

Closed
fumfel opened this issue Apr 18, 2017 · 1 comment

@fumfel

commented Apr 18, 2017

Use-after-free in get_relocs_64()

Tested on Git HEAD: 7327642

Payload: radare/radare2-regressions#805

Command: r2 -A r2_uaf_get_relocs_64

ASAN:

==4572==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000012824 at pc 0x7f2cf00eba68 bp 0x7fffdee66fa0 sp 0x7fffdee66f90
READ of size 4 at 0x604000012824 thread T0
    #0 0x7f2cf00eba67 in get_relocs_64 XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1740
    #1 0x7f2cf00be79d in relocs XYZ/radare2/libr/..//libr/bin/p/bin_mach0.c:363
    #2 0x7f2ceff044cc in r_bin_object_set_items XYZ/radare2/libr/bin/bin.c:762
    #3 0x7f2ceff06074 in r_bin_object_new XYZ/radare2/libr/bin/bin.c:1337
    #4 0x7f2ceff09d80 in r_bin_file_new_from_bytes XYZ/radare2/libr/bin/bin.c:1524
    #5 0x7f2ceff09d80 in r_bin_load_io_at_offset_as_sz XYZ/radare2/libr/bin/bin.c:1079
    #6 0x7f2ceff0b042 in r_bin_load_io_at_offset_as XYZ/radare2/libr/bin/bin.c:1093
    #7 0x7f2ceff0c2e5 in r_bin_load_io XYZ/radare2/libr/bin/bin.c:936
    #8 0x7f2cf11b499c in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:429
    #9 0x7f2cf11b499c in r_core_bin_load XYZ/radare2/libr/core/file.c:566
    #10 0x562ca37738ff in main XYZ/radare2/binr/radare2/radare2.c:929
    #11 0x7f2ceb0d982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x562ca3776f68 in _start (/usr/local/bin/radare2+0xdf68)

0x604000012824 is located 20 bytes inside of 48-byte region [0x604000012810,0x604000012840)
freed by thread T0 here:
    #0 0x7f2cf17962ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x7f2cf00ce0b1 in init_items XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1137

previously allocated by thread T0 here:
    #0 0x7f2cf1796602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f2cf00c9a45 in init_items XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1133

SUMMARY: AddressSanitizer: heap-use-after-free XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1740 get_relocs_64
Shadow bytes around the buggy address:
  0x0c087fffa4b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fffa4c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fffa4d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fffa4e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fffa4f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
=>0x0c087fffa500: fa fa fd fd[fd]fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fffa510: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
  0x0c087fffa520: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
  0x0c087fffa530: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
  0x0c087fffa540: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
  0x0c087fffa550: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==4572==ABORTING
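
The bug class the trace above points at (a table allocated in init_items, freed in init_items on an error path, and then read by get_relocs_64 as a 4-byte field 20 bytes into the freed 48-byte region) as a constructed C illustration added to this page. It is not radare2's mach0.c and not the fix referenced below: the struct layout, the two-byte header, the `item`/`obj`/`load_*` names and the reloc-counting logic are assumptions chosen only to mirror the shape of the report. The vulnerable init/relocs pair is shown beside a hardened pair that clears the pointer and the count and propagates the failure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in this report, not radare2's
 * mach0.c: struct layout, header format and names are assumptions chosen
 * to mirror the trace (48-byte region, 4-byte read at offset 20, freed in
 * init, read in the relocs pass). */

struct item {            /* 48 bytes, like the freed region in the trace */
    uint64_t addr;       /* offset 0  */
    uint64_t size;       /* offset 8  */
    uint32_t type;       /* offset 16 */
    uint32_t flags;      /* offset 20: the field the relocs pass reads */
    uint64_t pad[3];     /* offset 24..47 */
};
struct obj { struct item *items; size_t nitems; };
struct header { uint8_t count, valid; };  /* assumed two-byte header */

static void fill_items(struct obj *o) {
    for (size_t i = 0; i < o->nitems; i++)
        o->items[i].flags = (uint32_t)(i & 1);  /* odd entries carry a reloc */
}

/* Vulnerable init: a bad header frees the table but leaves o->items and
 * o->nitems intact and reports success, so the relocs pass walks freed memory. */
static int init_items_vuln(struct obj *o, const struct header *h) {
    o->items = calloc(h->count, sizeof(struct item));
    if (!o->items) return -1;
    o->nitems = h->count;
    fill_items(o);
    if (!h->valid)
        free(o->items);   /* dangling pointer and stale count survive */
    return 0;             /* caller is told everything is fine */
}

static int get_relocs_vuln(const struct obj *o) {
    int n = 0;
    for (size_t i = 0; i < o->nitems; i++)
        if (o->items[i].flags & 1) n++;  /* heap-use-after-free after a bad header */
    return n;
}

/* Hardened init: the error path frees, clears pointer and count, and
 * propagates failure so nothing downstream trusts the object. */
static int init_items_fixed(struct obj *o, const struct header *h) {
    o->items = calloc(h->count, sizeof(struct item));
    if (!o->items) { o->nitems = 0; return -1; }
    o->nitems = h->count;
    fill_items(o);
    if (!h->valid) {
        free(o->items);
        o->items = NULL;  /* no dangling pointer */
        o->nitems = 0;    /* no stale bound for a later loop */
        return -1;        /* failure is visible to the caller */
    }
    return 0;
}

/* Hardened relocs pass: refuses to walk an object whose table is gone. */
static int get_relocs_fixed(const struct obj *o) {
    int n = 0;
    if (!o->items || o->nitems == 0) return -1;
    for (size_t i = 0; i < o->nitems; i++)
        if (o->items[i].flags & 1) n++;
    return n;
}

/* Hardened load path: -1 for a rejected header, else the reloc count. */
int load_fixed(uint8_t count, uint8_t valid) {
    struct header h = { count, valid };
    struct obj o;
    if (init_items_fixed(&o, &h) < 0) return -1;
    int rc = get_relocs_fixed(&o);
    free(o.items);
    return rc;
}

/* Vulnerable load path, reached only by an explicit call. Build with
 * -fsanitize=address and run with --vuln to get a heap-use-after-free
 * report of the same shape as the one in this issue. */
int load_vuln(uint8_t count, uint8_t valid) {
    struct header h = { count, valid };
    struct obj o;
    if (init_items_vuln(&o, &h) < 0) return -1;
    int rc = get_relocs_vuln(&o);  /* reads freed memory when valid == 0 */
    if (valid) free(o.items);      /* table already freed on the bad path */
    return rc;
}

int main(int argc, char **argv) {
    printf("fixed, good header: %d\n", load_fixed(4, 1));
    printf("fixed, bad header : %d\n", load_fixed(4, 0));
    if (argc > 1 && strcmp(argv[1], "--vuln") == 0)
        printf("vuln, bad header  : %d\n", load_vuln(4, 0));
    return 0;
}
```

Compile with `cc -g -fsanitize=address uaf_demo.c -o uaf_demo` and run `./uaf_demo --vuln`: ASAN reports the read in get_relocs_vuln, the free inside init_items_vuln and the allocation in the same function, the same three-site pattern as the report above. Without `--vuln` only the hardened path runs. The fix has three parts that belong together: free, null the pointer and zero the count, and return an error; nulling alone still leaves a later loop trusting a stale `nitems`.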

@radare

commented Apr 18, 2017

Thanks! fixed in d1e8ac6

@radare radare closed this Apr 18, 2017
