Address sanitizer reports heap buffer overflow on 32 bit linux system #8748

Closed
gsharpsh00ter opened this issue Oct 27, 2017 · 0 comments
Address sanitizer reports heap buffer overflow on 32 bit linux system when radare2 handles crafted data.
My environment:

ctf@ubuntu:/home/g$ uname -a
Linux ubuntu 4.8.0-59-generic #64-Ubuntu SMP Thu Jun 29 19:37:59 UTC 2017 i686 i686 i686 GNU/Linux
ctf@ubuntu:/home/g$ cat /etc/os-release 
NAME="Ubuntu Kylin"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Kylin 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety

Radare2 build information:

ctf@ubuntu:/home/g$ /home/g/radare2/bin/radare2 -v
radare2 2.1.0-git 16386 @ linux-x86-32 git.2.0.1-93-gcd8e103
commit: cd8e1037cd530560dfecdde224b5b0d0fafae31d build: 2017-10-24__20:30:19

ASAN reports a heap buffer overflow:

ctf@ubuntu:/home/g$ /home/g/radare2/bin/radare2 ./poc-sigsegv-1
=================================================================
==32137==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb0304c7e at pc 0xb63bca05 bp 0xbffc3658 sp 0xbffc3648
READ of size 1 at 0xb0304c7e thread T0
    #0 0xb63bca04 in string_scan_range /home/ctf/source/radare2/libr/bin/bin.c:356
    #1 0xb63c539c in get_strings_range /home/ctf/source/radare2/libr/bin/bin.c:423
    #2 0xb63c6440 in get_strings /home/ctf/source/radare2/libr/bin/bin.c:510
    #3 0xb63db006 in r_bin_object_set_items /home/ctf/source/radare2/libr/bin/bin.c:824
    #4 0xb63dcb9d in r_bin_object_new /home/ctf/source/radare2/libr/bin/bin.c:1372
    #5 0xb63e09fe in r_bin_file_new_from_bytes /home/ctf/source/radare2/libr/bin/bin.c:1562
    #6 0xb63e09fe in r_bin_load_io_at_offset_as_sz /home/ctf/source/radare2/libr/bin/bin.c:1113
    #7 0xb63e1e6e in r_bin_load_io_at_offset_as /home/ctf/source/radare2/libr/bin/bin.c:1127
    #8 0xb63e2ec5 in r_bin_load_io /home/ctf/source/radare2/libr/bin/bin.c:1020
    #9 0xb6dbb534 in r_core_file_do_load_for_io_plugin /home/ctf/source/radare2/libr/core/file.c:406
    #10 0xb6dbb534 in r_core_bin_load /home/ctf/source/radare2/libr/core/file.c:563
    #11 0x8008b6c3 in main /home/ctf/source/radare2/binr/radare2/radare2.c:1007
    #12 0xb35b6275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #13 0x80091b12  (/home/g/radare2/bin/radare2+0xdb12)

ASAN:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
ctf@ubuntu:/home/g$ /home/g/radare2/bin/radare2 ./poc-sigsegv-2
=================================================================
==32565==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb1f2713f at pc 0xb63dca05 bp 0xbfd20578 sp 0xbfd20568
READ of size 1 at 0xb1f2713f thread T0
    #0 0xb63dca04 in string_scan_range /home/ctf/source/radare2/libr/bin/bin.c:356
    #1 0xb63e539c in get_strings_range /home/ctf/source/radare2/libr/bin/bin.c:423
    #2 0xb63e6440 in get_strings /home/ctf/source/radare2/libr/bin/bin.c:510
    #3 0xb63fb006 in r_bin_object_set_items /home/ctf/source/radare2/libr/bin/bin.c:824
    #4 0xb63fcb9d in r_bin_object_new /home/ctf/source/radare2/libr/bin/bin.c:1372
    #5 0xb64009fe in r_bin_file_new_from_bytes /home/ctf/source/radare2/libr/bin/bin.c:1562
    #6 0xb64009fe in r_bin_load_io_at_offset_as_sz /home/ctf/source/radare2/libr/bin/bin.c:1113
    #7 0xb6401e6e in r_bin_load_io_at_offset_as /home/ctf/source/radare2/libr/bin/bin.c:1127
    #8 0xb6402ec5 in r_bin_load_io /home/ctf/source/radare2/libr/bin/bin.c:1020
    #9 0xb6ddb534 in r_core_file_do_load_for_io_plugin /home/ctf/source/radare2/libr/core/file.c:406
    #10 0xb6ddb534 in r_core_bin_load /home/ctf/source/radare2/libr/core/file.c:563
    #11 0x8009f6c3 in main /home/ctf/source/radare2/binr/radare2/radare2.c:1007
    #12 0xb35d6275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #13 0x800a5b12  (/home/g/radare2/bin/radare2+0xdb12)

ASAN:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
ctf@ubuntu:/home/g$ /home/g/radare2/bin/radare2 ./poc-sigsegv-3
=================================================================
==540==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb1e2713f at pc 0xb6361a05 bp 0xbfd0e968 sp 0xbfd0e958
READ of size 1 at 0xb1e2713f thread T0
    #0 0xb6361a04 in string_scan_range /home/ctf/source/radare2/libr/bin/bin.c:356
    #1 0xb636a39c in get_strings_range /home/ctf/source/radare2/libr/bin/bin.c:423
    #2 0xb636b440 in get_strings /home/ctf/source/radare2/libr/bin/bin.c:510
    #3 0xb6380006 in r_bin_object_set_items /home/ctf/source/radare2/libr/bin/bin.c:824
    #4 0xb6381b9d in r_bin_object_new /home/ctf/source/radare2/libr/bin/bin.c:1372
    #5 0xb63859fe in r_bin_file_new_from_bytes /home/ctf/source/radare2/libr/bin/bin.c:1562
    #6 0xb63859fe in r_bin_load_io_at_offset_as_sz /home/ctf/source/radare2/libr/bin/bin.c:1113
    #7 0xb6386e6e in r_bin_load_io_at_offset_as /home/ctf/source/radare2/libr/bin/bin.c:1127
    #8 0xb6387ec5 in r_bin_load_io /home/ctf/source/radare2/libr/bin/bin.c:1020
    #9 0xb6d60534 in r_core_file_do_load_for_io_plugin /home/ctf/source/radare2/libr/core/file.c:406
    #10 0xb6d60534 in r_core_bin_load /home/ctf/source/radare2/libr/core/file.c:563
    #11 0x8006d6c3 in main /home/ctf/source/radare2/binr/radare2/radare2.c:1007
    #12 0xb355b275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #13 0x80073b12  (/home/g/radare2/bin/radare2+0xdb12)

0xb1e2713f is located 1 bytes to the left of 208-byte region [0xb1e27140,0xb1e27210)
allocated by thread T0 here:
    #0 0xb7265ca4 in calloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xc3ca4)
    #1 0xb6385442 in r_bin_load_io_at_offset_as_sz /home/ctf/source/radare2/libr/bin/bin.c:1068

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ctf/source/radare2/libr/bin/bin.c:356 in string_scan_range
Shadow bytes around the buggy address:
  0x363c4dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x363c4de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x363c4df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x363c4e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x363c4e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x363c4e20: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00
  0x363c4e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x363c4e40: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x363c4e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x363c4e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x363c4e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==540==ABORTING
ctf@ubuntu:/home/g$ /home/g/radare2/bin/radare2 ./poc-sigsegv-4
=================================================================
==1715==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2116dde at pc 0xb63dca05 bp 0xbf99f218 sp 0xbf99f208
READ of size 1 at 0xb2116dde thread T0
    #0 0xb63dca04 in string_scan_range /home/ctf/source/radare2/libr/bin/bin.c:356
    #1 0xb63e539c in get_strings_range /home/ctf/source/radare2/libr/bin/bin.c:423
    #2 0xb63e6440 in get_strings /home/ctf/source/radare2/libr/bin/bin.c:510
    #3 0xb63fb006 in r_bin_object_set_items /home/ctf/source/radare2/libr/bin/bin.c:824
    #4 0xb63fcb9d in r_bin_object_new /home/ctf/source/radare2/libr/bin/bin.c:1372
    #5 0xb64009fe in r_bin_file_new_from_bytes /home/ctf/source/radare2/libr/bin/bin.c:1562
    #6 0xb64009fe in r_bin_load_io_at_offset_as_sz /home/ctf/source/radare2/libr/bin/bin.c:1113
    #7 0xb6401e6e in r_bin_load_io_at_offset_as /home/ctf/source/radare2/libr/bin/bin.c:1127
    #8 0xb6402ec5 in r_bin_load_io /home/ctf/source/radare2/libr/bin/bin.c:1020
    #9 0xb6ddb534 in r_core_file_do_load_for_io_plugin /home/ctf/source/radare2/libr/core/file.c:406
    #10 0xb6ddb534 in r_core_bin_load /home/ctf/source/radare2/libr/core/file.c:563
    #11 0x800486c3 in main /home/ctf/source/radare2/binr/radare2/radare2.c:1007
    #12 0xb35d6275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #13 0x8004eb12  (/home/g/radare2/bin/radare2+0xdb12)

ASAN:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
ctf@ubuntu:/home/g$
[poc-asan-heap-buffer-overflow.zip](https://github.com/radare/radare2/files/1421035/poc-asan-heap-buffer-overflow.zip)
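The report above shows a 1-byte READ one byte to the left of a calloc'd region inside a string scanner, which is the signature of a lookbehind such as buf[pos - 1] taken at pos == 0. The following is an added illustration, not radare2's string_scan_range or any code from the project: a hypothetical range-based printable-string scanner in which the lookbehind and lookahead are both bounded by the real allocation size, with a constructed sample buffer whose first byte is printable (the case that underflows when unguarded).

```c
#include <stddef.h>
#include <stdint.h>

typedef struct { size_t off; size_t len; } found_str_t;

static int is_printable(uint8_t c) { return c >= 0x20 && c < 0x7f; }

/* Scan buf[from, to) for runs of at least `min` printable bytes.
 * Returns the number of runs found and stores up to `max` of them in out.
 * Every index is checked against the real allocation size before use. */
size_t scan_strings(const uint8_t *buf, size_t size, size_t from, size_t to,
                    size_t min, found_str_t *out, size_t max)
{
    size_t n = 0, i = from;
    if (!buf || from >= size) return 0;
    if (to > size) to = size;             /* clamp lookahead to the buffer */
    /* A range scanner may skip a run that began before `from` so the previous
     * chunk does not report it twice. The lookbehind buf[from - 1] is legal
     * only when from > 0: unguarded, it reads one byte left of the region,
     * which is the access pattern ASan flagged in the report. */
    if (from > 0 && is_printable(buf[from - 1])) {
        while (i < to && is_printable(buf[i])) i++;
    }
    while (i < to) {
        if (!is_printable(buf[i])) { i++; continue; }
        size_t start = i;
        while (i < to && is_printable(buf[i])) i++;
        if (i - start >= min) {
            if (n < max) { out[n].off = start; out[n].len = i - start; }
            n++;
        }
    }
    return n;
}

/* Constructed sample input: a printable run at offset 0, which is exactly the
 * case where an unguarded buf[i - 1] lookbehind underflows the allocation. */
static const uint8_t sample[] = {
    'h','e','l','l','o', 0x00, 0x01, 'w','o','r','l','d','!','!', 0xff, 'a','b'
};

size_t demo_full(void)        /* whole buffer: "hello" and "world!!" -> 2 */
{
    found_str_t res[4];
    return scan_strings(sample, sizeof sample, 0, sizeof sample, 4, res, 4);
}

size_t demo_from_offset(void) /* start at 2: "llo" skipped as partial -> 1 */
{
    found_str_t res[4];
    return scan_strings(sample, sizeof sample, 2, sizeof sample, 4, res, 4);
}
```

Building this under -fsanitize=address and removing the `from > 0` guard reproduces the same "1 bytes to the left of N-byte region" diagnostic the issue shows.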
