radare2 invalid memory access in r_endian.h

[gsharpsh00ter]

An invalid memory access issue was found in r_endian.h when handling crafted elf files, which may
lead to potential attack.

ctf@ubuntu:~/fuzz/radare2/crashes$ /home/g/radare2/bin/radare2 -v
radare2 2.1.0-git 16375 @ linux-x86-32 git.2.0.1-82-g95a8576
commit: 95a857636067c1cb3d00e5e5a304d834a961c3a6 build: 2017-10-22__23:30:40

ctf@ubuntu:~/fuzz/radare2/crashes$ gdb -q /home/g/radare2/bin/radare2
Reading symbols from /home/g/radare2/bin/radare2...done.
(gdb) r -q -c ia ./radare2-sigsegv-r-endian-143-poc 
Starting program: /home/g/radare2/bin/radare2 -q -c ia ./radare2-sigsegv-r-endian-143-poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Warning: Cannot initialize program headers
Warning: Cannot initialize dynamic section

Program received signal SIGSEGV, Segmentation fault.
r_read_le16 (src=0x78176204) at /home/ctf/source/radare2/libr/include/r_endian.h:143
143		return (((ut16)s[1]) << 8) | (((ut16)s[0]) << 0);
(gdb) print s
$1 = (const unsigned char *) 0x78176204 <error: Cannot access memory at address 0x78176204>
(gdb) bt
#0  r_read_le16 (src=0x78176204) at /home/ctf/source/radare2/libr/include/r_endian.h:143
#1  r_read_ble16 (big_endian=false, src=0x78176204) at /home/ctf/source/radare2/libr/include/r_endian.h:317
#2  store_versioninfo_gnu_verneed (sz=<optimized out>, shdr=0x8016abe8, bin=0x80132ac0) at /home/ctf/source/radare2/libr/..//libr/bin/p/../format/elf/elf.c:915
#3  store_versioninfo (bin=0x80132ac0) at /home/ctf/source/radare2/libr/..//libr/bin/p/../format/elf/elf.c:992
#4  elf_init (bin=<optimized out>) at /home/ctf/source/radare2/libr/..//libr/bin/p/../format/elf/elf.c:1088
#5  0xb78beb13 in Elf64_r_bin_elf_new_buf (buf=0x80132a88, verbose=true) at /home/ctf/source/radare2/libr/..//libr/bin/p/../format/elf/elf.c:3069
#6  0xb788ca1b in load_bytes (arch=0x80132728, buf=0x80144d78 "\177ELF\002\001\001", sz=30824, loadaddr=0, sdb=0x8014c5e8) at /home/ctf/source/radare2/libr/..//libr/bin/p/bin_elf.c:53
#7  0xb77c2d1f in r_bin_object_new (binfile=binfile@entry=0x80132728, plugin=plugin@entry=0x800cd0f0, baseaddr=18446744073709551615, loadaddr=0, offset=0, sz=30824) at bin.c:1335
#8  0xb77c4d3e in r_bin_file_new_from_bytes (xtrname=0x0, steal_ptr=true, offset=0, pluginname=0x0, fd=3, loadaddr=0, baseaddr=18446744073709551615, rawstr=<optimized out>, file_sz=30824, sz=30824, 
    bytes=0x80144d78 "\177ELF\002\001\001", file=0x801325d0 "./radare2-sigsegv-r-endian-143-poc", bin=<optimized out>) at bin.c:1562
#9  r_bin_load_io_at_offset_as_sz (bin=<optimized out>, fd=3, baseaddr=18446744073709551615, loadaddr=0, xtr_idx=0, offset=0, name=0x0, sz=30824) at bin.c:1113
#10 0xb77c5daf in r_bin_load_io_at_offset_as (bin=0x800c88c8, fd=3, baseaddr=18446744073709551615, loadaddr=0, xtr_idx=0, offset=0, name=0x0) at bin.c:1127
#11 0xb77c6616 in r_bin_load_io (bin=0x800c88c8, fd=3, baseaddr=18446744073709551615, loadaddr=0, xtr_idx=0) at bin.c:1020
#12 0xb7da2d56 in r_core_file_do_load_for_io_plugin (loadaddr=0, baseaddr=18446744073709551615, r=0x80011300 <r>) at file.c:406
#13 r_core_bin_load (r=0x80011300 <r>, filenameuri=0x801325d0 "./radare2-sigsegv-r-endian-143-poc", baddr=18446744073709551615) at file.c:563
#14 0x800064e4 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at radare2.c:1007
(gdb) 

The POC file has been attached to reproduce the issue.
radare2-sigsegv-r-endian-143-poc.zip

[Maijin]

Use code identation in markdown please.

[radare]

cant reproduce, tried on linux and mac with valgrind

[radare]

cant reproduce

…

On 24 Oct 2017, at 10:05, Maijin ***@***.***> wrote: Use code identation in markdown please. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#8731 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA3-lj3Ggx9UvaHlAvPvBtXx4SAb1jtfks5svZpmgaJpZM4QCv2E>.

[radare]

also tested on openbsd and also with asan. 0 issues here

[gsharpsh00ter]

Are you sure you can't reproduce this issue? I can reproduce it easily on a 32bit ubuntu linux box.

ctf@ubuntu:~$ radare2 -v
radare2 2.1.0-git 16386 @ linux-x86-32 git.2.0.1-93-gcd8e103
commit: cd8e1037cd530560dfecdde224b5b0d0fafae31d build: 2017-10-24__20:30:19
ctf@ubuntu:~$ radare2 -q -c "ia" ./radare2-sigsegv-r-endian-143-poc 
Warning: Cannot initialize program headers
Warning: Cannot initialize dynamic section
Segmentation fault

My enviroment is as flow:

ctf@ubuntu:~$ uname -a
Linux ubuntu 4.8.0-59-generic #64-Ubuntu SMP Thu Jun 29 19:37:59 UTC 2017 i686 i686 i686 GNU/Linux
ctf@ubuntu:~$ cat /etc/*lease
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"
NAME="Ubuntu Kylin"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Kylin 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety
ctf@ubuntu:~$

I think the key point is a 32bit system must be used to reproduce it.

[radare]

i can reproduce that now on openbsd-6.2 on 32bit

[fgeek]

@gsharpsh00ter did you use american fuzzy lop to find this issue?

[gsharpsh00ter]

@fgeek yes, it was found by AFL.