Memory corruption on 32bit system #8742

gsharpsh00ter · 2017-10-26T03:52:15Z

A memory corruption issue was found in radare2 on 32bit linux system when handling crafted ELF file.
Build information:

ctf@ubuntu:/home/g$ /home/g/radare2/bin/radare2 -v
radare2 2.1.0-git 16386 @ linux-x86-32 git.2.0.1-93-gcd8e103
commit: cd8e1037cd530560dfecdde224b5b0d0fafae31d build: 2017-10-24__20:30:19

Backtrace:

ctf@ubuntu:/home/g$ /home/g/radare2/bin/radare2 ./poc-free-memory-corruption-on-32bit 
Warning: Cannot initialize strings table
Warning: Cannot initialize dynamic strings
Warning: section.shstrtab not found or invalid
Warning: Cannot initialize dynamic section
*** Error in `/home/g/radare2/bin/radare2': free(): invalid next size (fast): 0x80f88710 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67f0a)[0xb55e1f0a]
/lib/i386-linux-gnu/libc.so.6(+0x6eb07)[0xb55e8b07]
/lib/i386-linux-gnu/libc.so.6(+0x6f446)[0xb55e9446]
/home/g/radare2/lib/libr_bin.so(+0x10566c)[0xb6fca66c]
/home/g/radare2/lib/libr_bin.so(Elf64_r_bin_elf_new_buf+0xf3)[0xb6fcff33]
/home/g/radare2/lib/libr_bin.so(+0xd796b)[0xb6f9c96b]
/home/g/radare2/lib/libr_bin.so(+0x349f7)[0xb6ef99f7]
/home/g/radare2/lib/libr_bin.so(r_bin_load_io_at_offset_as_sz+0x756)[0xb6efbd76]
/home/g/radare2/lib/libr_bin.so(r_bin_load_io_at_offset_as+0xb7)[0xb6efce77]
/home/g/radare2/lib/libr_bin.so(r_bin_load_io+0x72)[0xb6efd8a2]
/home/g/radare2/lib/libr_core.so(r_core_bin_load+0x1a16)[0xb74ab0e6]
/home/g/radare2/bin/radare2(main+0x2319)[0x80034098]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb5592276]
/home/g/radare2/bin/radare2(+0x2161)[0x80031161]
======= Memory map: ========
8002f000-80038000 r-xp 00000000 08:01 536986     /home/g/radare2/bin/radare2
80038000-80039000 r--p 00008000 08:01 536986     /home/g/radare2/bin/radare2
80039000-8003a000 rw-p 00009000 08:01 536986     /home/g/radare2/bin/radare2
8003a000-8009b000 rw-p 00000000 00:00 0 
80e95000-80fa8000 rw-p 00000000 00:00 0          [heap]
b5300000-b5321000 rw-p 00000000 00:00 0 
b5321000-b5400000 ---p 00000000 00:00 0 
b549d000-b54b9000 r-xp 00000000 08:01 394771     /lib/i386-linux-gnu/libgcc_s.so.1
b54b9000-b54ba000 r--p 0001b000 08:01 394771     /lib/i386-linux-gnu/libgcc_s.so.1
b54ba000-b54bb000 rw-p 0001c000 08:01 394771     /lib/i386-linux-gnu/libgcc_s.so.1
b54d8000-b54f1000 r--s 00000000 08:01 678397     /home/g/radare2/share/radare2/2.1.0-git/opcodes/x86.sdb
b54f1000-b54f3000 rw-p 00000000 00:00 0 
b54f3000-b54f5000 r-xp 00000000 08:01 397367     /lib/i386-linux-gnu/libutil-2.24.so
b54f5000-b54f6000 r--p 00001000 08:01 397367     /lib/i386-linux-gnu/libutil-2.24.so
b54f6000-b54f7000 rw-p 00002000 08:01 397367     /lib/i386-linux-gnu/libutil-2.24.so
b54f7000-b54fa000 r-xp 00000000 08:01 397352     /lib/i386-linux-gnu/libdl-2.24.so
b54fa000-b54fb000 r--p 00002000 08:01 397352     /lib/i386-linux-gnu/libdl-2.24.so
b54fb000-b54fc000 rw-p 00003000 08:01 397352     /lib/i386-linux-gnu/libdl-2.24.so
b54fc000-b554f000 r-xp 00000000 08:01 397353     /lib/i386-linux-gnu/libm-2.24.so
b554f000-b5550000 ---p 00053000 08:01 397353     /lib/i386-linux-gnu/libm-2.24.so
b5550000-b5551000 r--p 00053000 08:01 397353     /lib/i386-linux-gnu/libm-2.24.so
b5551000-b5552000 rw-p 00054000 08:01 397353     /lib/i386-linux-gnu/libm-2.24.so
b5552000-b556b000 r-xp 00000000 08:01 536917     /home/g/radare2/lib/libr_socket.so.2.1.0-git
b556b000-b556c000 r--p 00018000 08:01 536917     /home/g/radare2/lib/libr_socket.so.2.1.0-git
b556c000-b556d000 rw-p 00019000 08:01 536917     /home/g/radare2/lib/libr_socket.so.2.1.0-git
b556d000-b5578000 r-xp 00000000 08:01 536907     /home/g/radare2/lib/libr_lang.so.2.1.0-git
b5578000-b5579000 r--p 0000a000 08:01 536907     /home/g/radare2/lib/libr_lang.so.2.1.0-git
b5579000-b557a000 rw-p 0000b000 08:01 536907     /home/g/radare2/lib/libr_lang.so.2.1.0-git
b557a000-b572d000 r-xp 00000000 08:01 397349     /lib/i386-linux-gnu/libc-2.24.so
b572d000-b572e000 ---p 001b3000 08:01 397349     /lib/i386-linux-gnu/libc-2.24.so
b572e000-b5730000 r--p 001b3000 08:01 397349     /lib/i386-linux-gnu/libc-2.24.so
b5730000-b5731000 rw-p 001b5000 08:01 397349     /lib/i386-linux-gnu/libc-2.24.so
b5731000-b5734000 rw-p 00000000 00:00 0 
b5734000-b574d000 r-xp 00000000 08:01 397363     /lib/i386-linux-gnu/libpthread-2.24.so
b574d000-b574e000 r--p 00018000 08:01 397363     /lib/i386-linux-gnu/libpthread-2.24.so
b574e000-b574f000 rw-p 00019000 08:01 397363     /lib/i386-linux-gnu/libpthread-2.24.so
b574f000-b5751000 rw-p 00000000 00:00 0 
b5751000-b5948000 r-xp 00000000 08:01 536979     /home/g/radare2/lib/libr_util.so.2.1.0-git
b5948000-b594a000 r--p 001f6000 08:01 536979     /home/g/radare2/lib/libr_util.so.2.1.0-git
b594a000-b5952000 rw-p 001f8000 08:01 536979     /home/g/radare2/lib/libr_util.so.2.1.0-git
b5952000-b595e000 rw-p 00000000 00:00 0 
b595e000-b5982000 r-xp 00000000 08:01 536890     /home/g/radare2/lib/libr_crypto.so.2.1.0-git
b5982000-b5983000 r--p 00023000 08:01 536890     /home/g/radare2/lib/libr_crypto.so.2.1.0-git
b5983000-b5984000 rw-p 00024000 08:01 536890     /home/g/radare2/lib/libr_crypto.so.2.1.0-git
b5984000-b5995000 rw-p 00000000 00:00 0 
b5995000-b59bb000 r-xp 00000000 08:01 536894     /home/g/radare2/lib/libr_egg.so.2.1.0-git
b59bb000-b59bc000 r--p 00025000 08:01 536894     /home/g/radare2/lib/libr_egg.so.2.1.0-git
b59bc000-b59bd000 rw-p 00026000 08:01 536894     /home/g/radare2/lib/libr_egg.so.2.1.0-git
b59bd000-b59cf000 r-xp 00000000 08:01 536896     /home/g/radare2/lib/libr_flag.so.2.1.0-git
b59cf000-b59d0000 r--p 00011000 08:01 536896     /home/g/radare2/lib/libr_flag.so.2.1.0-git
b59d0000-b59d1000 rw-p 00012000 08:01 536896     /home/g/radare2/lib/libr_flag.so.2.1.0-git
b59d1000-b5a02000 r-xp 00000000 08:01 536909     /home/g/radare2/lib/libr_magic.so.2.1.0-git
b5a02000-b5a03000 r--p 00030000 08:01 536909     /home/g/radare2/lib/libr_magic.so.2.1.0-git
b5a03000-b5a04000 rw-p 00031000 08:01 536909     /home/g/radare2/lib/libr_magic.so.2.1.0-git
b5a04000-b5a24000 r-xp 00000000 08:01 536900     /home/g/radare2/lib/libr_hash.so.2.1.0-git
b5a24000-b5a25000 r--p 0001f000 08:01 536900     /home/g/radare2/lib/libr_hash.so.2.1.0-git
b5a25000-b5a26000 rw-p 00020000 08:01 536900     /home/g/radare2/lib/libr_hash.so.2.1.0-git
b5a26000-b5a2b000 r-xp 00000000 08:01 536974     /home/g/radare2/lib/libr_syscall.so.2.1.0-git
b5a2b000-b5a2c000 ---p 00005000 08:01 536974     /home/g/radare2/lib/libr_syscall.so.2.1.0-git
b5a2c000-b5a2d000 r--p 00005000 08:01 536974     /home/g/radare2/lib/libr_syscall.so.2.1.0-git
b5a2d000-b5a2e000 rw-p 00006000 08:01 536974     /home/g/radare2/lib/libr_syscall.so.2.1.0-git
b5a2e000-b5fec000 r-xp 00000000 08:01 536876     /home/g/radare2/lib/libr_asm.so.2.1.0-git
b5fec000-b604a000 r--p 005bd000 08:01 536876     /home/g/radare2/lib/libr_asm.so.2.1.0-git
b604a000-b637c000 rw-p 0061b000 08:01 536876     /home/g/radare2/lib/libr_asm.so.2.1.0-git
b637c000-b6453000 rw-p 00000000 00:00 0 
b6453000-b6496000 r-xp 00000000 08:01 536898     /home/g/radare2/lib/libr_fs.so.2.1.0-git
b6496000-b6497000 r--p 00042000 08:01 536898     /home/g/radare2/lib/libr_fs.so.2.1.0-git
b6497000-b6498000 rw-p 00043000 08:01 536898     /home/g/radare2/lib/libr_fs.so.2.1.0-git
b6498000-b649f000 rw-p 00000000 00:00 0 
b649f000-b6552000 r-xp 00000000 08:01 536902     /home/g/radare2/lib/libr_io.so.2.1.0-git
b6552000-b6553000 r--p 000b2000 08:01 536902     /home/g/radare2/lib/libr_io.so.2.1.0-git
b6553000-b655e000 rw-p 000b3000 08:01 536902     /home/g/radare2/lib/libr_io.so.2.1.0-git
b655e000-b6565000 rw-p 00000000 00:00 0 
b6565000-b6572000 r-xp 00000000 08:01 536880     /home/g/radare2/lib/libr_bp.so.2.1.0-git
b6572000-b6573000 r--p 0000c000 08:01 536880     /home/g/radare2/lib/libr_bp.so.2.1.0-git
b6573000-b6574000 rw-p 0000d000 08:01 536880     /home/g/radare2/lib/libr_bp.so.2.1.0-git
b6574000-b6588000 r-xp 00000000 08:01 536913     /home/g/radare2/lib/libr_reg.so.2.1.0-git
b6588000-b6589000 r--p 00013000 08:01 536913     /home/g/radare2/lib/libr_reg.so.2.1.0-git
b6589000-b658a000 rw-p 00014000 08:01 536913     /home/g/radare2/lib/libr_reg.so.2.1.0-git
b658a000-b658c000 rw-p 00000000 00:00 0 
b658c000-b6acd000 r-xp 00000000 08:01 536874     /home/g/radare2/lib/libr_anal.so.2.1.0-git
b6acd000-b6ae5000 r--p 00540000 08:01 536874     /home/g/radare2/lib/libr_anal.so.2.1.0-git
b6ae5000-b6d8e000 rw-p 00558000 08:01 536874     /home/g/radare2/lib/libr_anal.so.2.1.0-git
b6d8e000-b6e50000 rw-p 00000000 00:00 0 
b6e50000-b6ec3000 r-xp 00000000 08:01 536892     /home/g/radare2/lib/libr_debug.so.2.1.0-git
b6ec3000-b6ec4000 r--p 00072000 08:01 536892     /home/g/radare2/lib/libr_debug.so.2.1.0-git
b6ec4000-b6ec5000 rw-p 00073000 08:01 536892     /home/g/radare2/lib/libr_debug.so.2.1.0-git
b6ec5000-b71ee000 r-xp 00000000 08:01 536878     /home/g/radare2/lib/libr_bin.so.2.1.0-git
b71ee000-b71f0000 r--p 00328000 08:01 536878     /home/g/radare2/lib/libr_bin.so.2.1.0-git
b71f0000-b71f4000 rw-p 0032a000 08:01 536878     /home/g/radare2/lib/libr_bin.so.2.1.0-git
b71f4000-b71ff000 r-xp 00000000 08:01 536882     /home/g/radare2/lib/libr_config.so.2.1.0-git
b71ff000-b7200000 r--p 0000a000 08:01 536882     /home/g/radare2/lib/libr_config.so.2.1.0-git
b7200000-b7201000 rw-p 0000b000 08:01 536882     /home/g/radare2/lib/libr_config.so.2.1.0-git
b7201000-b7261000 r-xp 00000000 08:01 536886     /home/g/radare2/lib/libr_cons.so.2.1.0-git
b7261000-b7262000 r--p 0005f000 08:01 536886     /home/g/radare2/lib/libr_cons.so.2.1.0-git
b7262000-b7263000 rw-p 00060000 08:01 536886     /home/g/radare2/lib/libr_cons.so.2.1.0-git
b7263000-b7266000 rw-p 00000000 00:00 0 
b7266000-b727f000 r-xp 00000000 08:01 536915     /home/g/radare2/lib/libr_search.so.2.1.0-git
b727f000-b7280000 r--p 00018000 08:01 536915     /home/g/radare2/lib/libr_search.so.2.1.0-git
b7280000-b7281000 rw-p 00019000 08:01 536915     /home/g/radare2/lib/libr_search.so.2.1.0-git
b7281000-b72fd000 r-xp 00000000 08:01 536911     /home/g/radare2/lib/libr_parse.so.2.1.0-git
b72fd000-b72fe000 r--p 0007b000 08:01 536911     /home/g/radare2/lib/libr_parse.so.2.1.0-git
b72fe000-b72ff000 rw-p 0007c000 08:01 536911     /home/g/radare2/lib/libr_parse.so.2.1.0-git
b72ff000-b730f000 rw-p 00000000 00:00 0 
b730f000-b76c1000 r-xp 00000000 08:01 536888     /home/g/radare2/lib/libr_core.so.2.1.0-git
b76c1000-b76c2000 ---p 003b2000 08:01 536888     /home/g/radare2/lib/libr_core.so.2.1.0-git
b76c2000-b76c3000 r--p 003b2000 08:01 536888     /home/g/radare2/lib/libr_core.so.2.1.0-git
b76c3000-b76cd000 rw-p 003b3000 08:01 536888     /home/g/radare2/lib/libr_core.so.2.1.0-git
b76cd000-b76ce000 rw-p 00000000 00:00 0 
b76db000-b76dc000 rw-p 00000000 00:00 0 
b76dc000-b76df000 r--s 00000000 08:01 1709578    /home/g/poc-free-memory-corruption-on-32bit
b76df000-b76e3000 r--s 00000000 08:01 678414     /home/g/radare2/share/radare2/2.1.0-git/syscall/linux-x86-32.sdb
b76e3000-b76e5000 r-xp 00000000 08:01 678210     /home/g/radare2/lib/radare2/2.1.0-git/asm_propeller.so
b76e5000-b76e6000 r--p 00001000 08:01 678210     /home/g/radare2/lib/radare2/2.1.0-git/asm_propeller.so
b76e6000-b76e7000 rw-p 00002000 08:01 678210     /home/g/radare2/lib/radare2/2.1.0-git/asm_propeller.so
b76e7000-b76eb000 r--s 00000000 08:01 678414     /home/g/radare2/share/radare2/2.1.0-git/syscall/linux-x86-32.sdb
b76eb000-b76ee000 rw-p 00000000 00:00 0 
b76ee000-b76f0000 r--p 00000000 00:00 0          [vvar]
b76f0000-b76f2000 r-xp 00000000 00:00 0          [vdso]
b76f2000-b7715000 r-xp 00000000 08:01 397345     /lib/i386-linux-gnu/ld-2.24.so
b7715000-b7716000 r--p 00022000 08:01 397345     /lib/i386-linux-gnu/ld-2.24.so
b7716000-b7717000 rw-p 00023000 08:01 397345     /lib/i386-linux-gnu/ld-2.24.so
bf950000-bf971000 rw-p 00000000 00:00 0          [stack]
Aborted

Enviroment:

ctf@ubuntu:/home/g$ uname -a
Linux ubuntu 4.8.0-59-generic #64-Ubuntu SMP Thu Jun 29 19:37:59 UTC 2017 i686 i686 i686 GNU/Linux
ctf@ubuntu:/home/g$ cat /etc/*lease
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"
NAME="Ubuntu Kylin"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Kylin 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety
ctf@ubuntu:/home/g$

A POC file has been attached to reproduce this issue.

poc-free-memory-corruption-on-32bit.zip

The text was updated successfully, but these errors were encountered:

radare · 2017-10-26T09:19:20Z

cant reproduce

kazarmy · 2017-10-28T04:01:05Z

Reproduced with slightly different number of calls in backtrace.
@gsharpsh00ter Does commit 0b973e2 solve your problem?

gsharpsh00ter · 2017-10-30T02:46:25Z

@kazarmy Yes, the problem seems has been solved, I can't reproduce it with commit 0b973e2

radare added this to the 2.1.0 milestone Oct 26, 2017

Maijin closed this as completed Oct 30, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Memory corruption on 32bit system #8742

Memory corruption on 32bit system #8742

gsharpsh00ter commented Oct 26, 2017

radare commented Oct 26, 2017

kazarmy commented Oct 28, 2017

gsharpsh00ter commented Oct 30, 2017

Memory corruption on 32bit system #8742

Memory corruption on 32bit system #8742

Comments

gsharpsh00ter commented Oct 26, 2017

radare commented Oct 26, 2017

kazarmy commented Oct 28, 2017

gsharpsh00ter commented Oct 30, 2017