New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stack buffer underflow in grub_memmove() #7683

Closed
fumfel opened this Issue Jun 5, 2017 · 3 comments

Comments

Projects
None yet
2 participants
@fumfel

fumfel commented Jun 5, 2017

Stack buffer underflow in grub_memmove()

Git HEAD: ad76483

Payload in radare/radare2-regressions#875

To reproduce: r2 -A r2_sbu_grub_memmove

ASAN:

==32384==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffd57d028f8 at pc 0x7fc9c5b6ac47 bp 0x7ffd57d01c40 sp 0x7ffd57d01c38
WRITE of size 16 at 0x7ffd57d028f8 thread T0
    #0 0x7fc9c5b6ac46 in grub_memmove XYZ/radare2/shlr/grub/kern/misc.c:98:7
    #1 0x7fc9c5b67800 in grub_disk_read XYZ/radare2/shlr/grub/kern/disk.c:488:3
    #2 0x7fc9c5b68268 in grub_disk_read_ex XYZ/radare2/shlr/grub/kern/disk.c:563:12
    #3 0x7fc9c5b0754d in grub_fshelp_read_file XYZ/radare2/shlr/grub/fs/fshelp.c:333:4
    #4 0x7fc9c5b1134d in grub_ext2_read_file XYZ/radare2/shlr/grub/fs/ext2.c:504:9
    #5 0x7fc9c5b1134d in grub_ext2_iterate_dir XYZ/radare2/shlr/grub/fs/ext2.c:690
    #6 0x7fc9c5b0faf2 in grub_ext2_dir XYZ/radare2/shlr/grub/fs/ext2.c:876:3
    #7 0x7fc9c5af0c58 in ext2__mount XYZ/radare2/libr/fs/p/fs_grub_base.c:74:8
    #8 0x7fc9c5afbeaa in r_fs_mount XYZ/radare2/libr/fs/fs.c:151:7
    #9 0x7fc9c8f20dfb in cmd_mount XYZ/radare2/libr/core/./cmd_mount.c:49:9
    #10 0x7fc9c90e76af in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:226:10
    #11 0x7fc9c8fd5811 in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:2191:12
    #12 0x7fc9c8f1d5b7 in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:1395:9
    #13 0x7fc9c8f16d24 in r_core_cmd XYZ/radare2/libr/core/cmd.c:2799:9
    #14 0x7fc9c8f0183f in r_core_cmdf XYZ/radare2/libr/core/cmd.c:2957:8
    #15 0x7fc9c90c1752 in bin_info XYZ/radare2/libr/core/cbin.c:621:4
    #16 0x7fc9c90c1752 in r_core_bin_info XYZ/radare2/libr/core/cbin.c:2870
    #17 0x7fc9c90b1e41 in r_core_bin_set_env XYZ/radare2/libr/core/cbin.c:115:3
    #18 0x7fc9c903d974 in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:434:2
    #19 0x7fc9c903d974 in r_core_bin_load XYZ/radare2/libr/core/file.c:567
    #20 0x555f8a113f6b in main XYZ/radare2/binr/radare2/radare2.c:952:14
    #21 0x7fc9c1bc782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #22 0x555f8a043f38 in _start (/usr/local/bin/radare2+0x20f38)

ASAN:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
@radare

This comment has been minimized.

Show comment
Hide comment
@radare

radare Jun 5, 2017

Owner

FIxed in master

Owner

radare commented Jun 5, 2017

FIxed in master

@radare radare closed this Jun 5, 2017

@radare

This comment has been minimized.

Show comment
Hide comment
@radare

radare Jun 5, 2017

Owner

in 796dd28 to be more precise

Owner

radare commented Jun 5, 2017

in 796dd28 to be more precise

@radare

This comment has been minimized.

Show comment
Hide comment
@radare

radare Jun 5, 2017

Owner

this is a bug in grub, feel free to report upstream

Owner

radare commented Jun 5, 2017

this is a bug in grub, feel free to report upstream

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment