SIGSEGV (Too large variable on stack) in grub_ext2_read_block() #7723

Closed
fumfel opened this Issue Jun 11, 2017 · 1 comment


fumfel commented Jun 11, 2017

SIGSEGV (Too large variable on stack) in grub_ext2_read_block()

Git HEAD: ba25be4

Payload (bins/fuzzed/r2_sigsegv_grub_ext2_read_block) in radare/radare2-regressions#881

To reproduce: r2 -A r2_sigsegv_grub_ext2_read_block

ASAN:

==13184==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcef7dce98 (pc 0x7f9c7499cecc bp 0x7ffcf37dcf70 sp 0x7ffcef7dcea0 T0)
    #0 0x7f9c7499cecb in grub_ext2_read_block XYZ/radare2/shlr/grub/fs/ext2.c:389:4
    #1 0x7f9c74991326 in grub_fshelp_read_file XYZ/radare2/shlr/grub/fs/fshelp.c:305:15
    #2 0x7f9c7499b116 in grub_ext2_read_file XYZ/radare2/shlr/grub/fs/ext2.c:504:9
    #3 0x7f9c7499b116 in grub_ext2_iterate_dir XYZ/radare2/shlr/grub/fs/ext2.c:672
    #4 0x7f9c749999a1 in grub_ext2_dir XYZ/radare2/shlr/grub/fs/ext2.c:882:3
    #5 0x7f9c7497ae95 in ext2__mount XYZ/radare2/libr/fs/p/fs_grub_base.c:74:8
    #6 0x7f9c74985fc4 in r_fs_mount XYZ/radare2/libr/fs/fs.c:151:7
    #7 0x7f9c77d7537d in cmd_mount XYZ/radare2/libr/core/./cmd_mount.c:49:9
    #8 0x7f9c77f3a25c in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:226:10
    #9 0x7f9c77e28ae1 in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:2156:12
    #10 0x7f9c77d70d1e in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:1360:9
    #11 0x7f9c77d6a626 in r_core_cmd XYZ/radare2/libr/core/cmd.c:2764:9
    #12 0x7f9c77d555ad in r_core_cmdf XYZ/radare2/libr/core/cmd.c:2922:8
    #13 0x7f9c77f142d7 in bin_info XYZ/radare2/libr/core/cbin.c:621:4
    #14 0x7f9c77f142d7 in r_core_bin_info XYZ/radare2/libr/core/cbin.c:2873
    #15 0x7f9c77f04fd0 in r_core_bin_set_env XYZ/radare2/libr/core/cbin.c:115:3
    #16 0x7f9c77e8e263 in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:434:2
    #17 0x7f9c77e8e263 in r_core_bin_load XYZ/radare2/libr/core/file.c:567
    #18 0x556a34e7013d in main XYZ/radare2/binr/radare2/radare2.c:952:14
    #19 0x7f9c70671510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #20 0x556a34d7ce29 in _start (/usr/local/bin/radare2+0x20e29)

SUMMARY: AddressSanitizer: stack-overflow XYZ/radare2/shlr/grub/fs/ext2.c:389:4 in grub_ext2_read_block
==13184==ABORTING

More context in Valgrind:

=30719== Memcheck, a memory error detector
==30719== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==30719== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==30719== Command: r2 -A r2_sigsegv_grub_ext2_read_block
==30719== 
asm.arch: cannot find (ext2)
anal.arch: cannot find 'ext2'
asm.arch: cannot find (ext2)
==30719== Warning: client switching stacks?  SP change: 0xffeffe180 --> 0xffaffe180
==30719==          to suppress, use: --max-stackframe=67108864 or greater
==30719== Invalid write of size 8
==30719==    at 0x7601628: grub_ext4_find_leaf (ext2.c:339)
==30719==    by 0x7601628: grub_ext2_read_block (ext2.c:397)
==30719==  Address 0xffaffe178 is on thread 1's stack
==30719== 
==30719== 
==30719== Process terminating with default action of signal 11 (SIGSEGV)
==30719==  Access not within mapped region at address 0xFFAFFE178
==30719==    at 0x7601628: grub_ext4_find_leaf (ext2.c:339)
==30719==    by 0x7601628: grub_ext2_read_block (ext2.c:397)
==30719==  If you believe this happened as a result of a stack
==30719==  overflow in your program's main thread (unlikely but
==30719==  possible), you can try to increase the size of the
==30719==  main thread stack using the --main-stacksize= flag.
==30719==  The main thread stack size used in this run was 8388608.
==30719== Invalid write of size 8
==30719==    at 0x4A28680: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==30719==  Address 0xffaffe170 is on thread 1's stack
==30719== 
==30719== 
==30719== Process terminating with default action of signal 11 (SIGSEGV)
==30719==  Access not within mapped region at address 0xFFAFFE170
==30719==    at 0x4A28680: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==30719==  If you believe this happened as a result of a stack
==30719==  overflow in your program's main thread (unlikely but
==30719==  possible), you can try to increase the size of the
==30719==  main thread stack using the --main-stacksize= flag.
==30719==  The main thread stack size used in this run was 8388608.
==30719== 
==30719== HEAP SUMMARY:
==30719==     in use at exit: 947,788 bytes in 7,462 blocks
==30719==   total heap usage: 12,401 allocs, 4,939 frees, 20,322,068 bytes allocated
==30719== 
==30719== LEAK SUMMARY:
==30719==    definitely lost: 3,168 bytes in 9 blocks
==30719==    indirectly lost: 0 bytes in 0 blocks
==30719==      possibly lost: 0 bytes in 0 blocks
==30719==    still reachable: 944,620 bytes in 7,453 blocks
==30719==         suppressed: 0 bytes in 0 blocks
==30719== Rerun with --leak-check=full to see details of leaked memory
==30719== 
==30719== For counts of detected and suppressed errors, rerun with: -v
==30719== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
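The report above does not show the ext2.c source, only that grub_ext4_find_leaf, called from grub_ext2_read_block, writes to a stack address 64 MiB below the previous stack pointer (SP change 0xffeffe180 to 0xffaffe180, the 67108864 bytes Valgrind suggests for --max-stackframe) while the main thread stack is 8388608 bytes. The following added example, which is not radare2 or GRUB code, models the defect class the title names, a local buffer whose size is derived from a field in the image being parsed, next to the defensive form. The superblock layout is constructed for the example; the only real ext2 facts kept are that s_log_block_size is the 32-bit field at byte 24 of the superblock, that the block size is 1024 << s_log_block_size, and that the format only defines log values 0..6 (1 KiB to 64 KiB). The fits_in_stack rule of thumb and the constructed fuzzed value 16 (which yields exactly 64 MiB) are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not radare2 or GRUB code. Real ext2 facts used: the
 * s_log_block_size field lives at byte 24 of the superblock and the block
 * size is 1024 << s_log_block_size, with 0..6 the only log values the
 * format defines. Everything else here is constructed for illustration. */

#define SB_LOG_BLOCK_SIZE_OFF 24u
#define SB_MIN_LEN            28u
#define LOG_BLOCK_SIZE_MAX    6u
#define MAIN_STACK_DEFAULT    8388608ull   /* the main thread stack size Valgrind reports */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The size the image asks for, computed the naive way with no range check.
 * Returned as 64-bit so the caller can see how far out of range a fuzzed
 * value is: a log value of 16 means 1024 << 16 = 64 MiB. Shifts of 54 or
 * more are clamped only to keep this helper itself free of undefined
 * behaviour; the point is that the value is trusted as-is. */
uint64_t requested_block_size(const uint8_t *sb, size_t len)
{
    if (len < SB_MIN_LEN) return 0;
    uint32_t log_bs = read_le32(sb + SB_LOG_BLOCK_SIZE_OFF);
    if (log_bs >= 54) return UINT64_MAX;
    return 1024ull << log_bs;
}

/* Defensive form: reject any log value outside what the format allows
 * before it is used to size anything. Returns 0 when the header is rejected. */
uint32_t checked_block_size(const uint8_t *sb, size_t len)
{
    if (len < SB_MIN_LEN) return 0;
    uint32_t log_bs = read_le32(sb + SB_LOG_BLOCK_SIZE_OFF);
    if (log_bs > LOG_BLOCK_SIZE_MAX) return 0;
    return 1024u << log_bs;
}

/* Rule of thumb (an assumption, not a standard): a single frame should stay
 * well under a quarter of the thread stack so the rest of the call chain,
 * recursion included, still has room. A buffer that fails this belongs on
 * the heap regardless of whether the check passes. */
int fits_in_stack(uint64_t frame_bytes, uint64_t stack_bytes)
{
    return frame_bytes < stack_bytes / 4;
}

/* Hardened reader scratch buffer: heap-allocated, sized only from a validated
 * block size; the caller frees it. Returns NULL if the header is rejected. */
uint8_t *alloc_block_buffer(const uint8_t *sb, size_t len, uint32_t *out_bs)
{
    uint32_t bs = checked_block_size(sb, len);
    if (bs == 0) return NULL;
    uint8_t *buf = calloc(1, bs);
    if (buf && out_bs) *out_bs = bs;
    return buf;
}

/* Constructed 28-byte superblock fragment with only s_log_block_size set. */
void make_superblock(uint8_t sb[SB_MIN_LEN], uint32_t log_bs)
{
    memset(sb, 0, SB_MIN_LEN);
    sb[SB_LOG_BLOCK_SIZE_OFF + 0] = (uint8_t)(log_bs);
    sb[SB_LOG_BLOCK_SIZE_OFF + 1] = (uint8_t)(log_bs >> 8);
    sb[SB_LOG_BLOCK_SIZE_OFF + 2] = (uint8_t)(log_bs >> 16);
    sb[SB_LOG_BLOCK_SIZE_OFF + 3] = (uint8_t)(log_bs >> 24);
}

int main(void)
{
    uint8_t sb[SB_MIN_LEN];
    uint32_t bs = 0;

    make_superblock(sb, 2);                      /* sane image: 4 KiB blocks */
    uint8_t *buf = alloc_block_buffer(sb, sizeof sb, &bs);
    printf("log=2  -> block size %u, buffer %s\n",
           (unsigned)bs, buf ? "allocated" : "rejected");
    free(buf);

    make_superblock(sb, 16);                     /* constructed fuzzed image: asks for 64 MiB */
    uint64_t want = requested_block_size(sb, sizeof sb);
    printf("log=16 -> requested %llu bytes, fits default stack: %d, checked size: %u\n",
           (unsigned long long)want,
           fits_in_stack(want, MAIN_STACK_DEFAULT),
           (unsigned)checked_block_size(sb, sizeof sb));
    return 0;
}
```

The defensive change is two-fold: validate the size field against the range the format defines before using it, and put any block-sized scratch area on the heap so a merely large but legal value (64 KiB per frame in a recursive lookup) cannot exhaust the stack either.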

@radare radare closed this in 65000a7 Jun 12, 2017

fgeek commented Jun 21, 2017

CVE-2017-9763 has been assigned for this issue.

leberus added a commit to leberus/radare2 that referenced this issue Jul 26, 2017
