
Heap out of bounds read in parse_import_ptr() #9970

Closed
fumfel opened this issue Apr 27, 2018 · 0 comments

commented Apr 27, 2018

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 16.04 x64 |
| File format of the file you reverse (mandatory) | Mach-O |
| Architecture/bits of the file (mandatory) | x86-64 |
| r2 -v full output, not truncated (mandatory) | radare2 2.6.0-git 18015 @ linux-x86-64 git.2.5.0-144-g484017f commit: 484017f build: 2018-04-27__09:48:58 |

Expected behavior

Disassembly of file or error message.

Actual behavior

Heap out of bounds read in ASAN build.

Steps to reproduce the behavior

Additional Logs, screenshots, source-code, configuration dump, ...

ASAN log:

==10582==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000fa78 at pc 0x7f23ff240307 bp 0x7ffe1022cb10 sp 0x7ffe1022cb00
READ of size 4 at 0x60400000fa78 thread T0
    #0 0x7f23ff240306 in parse_import_ptr XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1653
    #1 0x7f23ff240306 in get_relocs_64 XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1936
    #2 0x7f23ff2113b8 in relocs XYZ/radare2/libr/..//libr/bin/p/bin_mach0.c:435
    #3 0x7f23ff05ee53 in r_bin_object_set_items XYZ/radare2/libr/bin/obj.c:198
    #4 0x7f23ff060f5e in r_bin_object_new XYZ/radare2/libr/bin/obj.c:94
    #5 0x7f23ff0584cb in r_bin_file_new_from_bytes XYZ/radare2/libr/bin/file.c:496
    #6 0x7f23ff0297a5 in r_bin_load_io_at_offset_as_sz XYZ/radare2/libr/bin/bin.c:488
    #7 0x7f23ff029bb9 in r_bin_load_io_at_offset_as XYZ/radare2/libr/bin/bin.c:505
    #8 0x7f23ff029bb9 in r_bin_load_io XYZ/radare2/libr/bin/bin.c:363
    #9 0x7f240046d27b in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:410
    #10 0x7f240046d27b in r_core_bin_load XYZ/radare2/libr/core/file.c:567
    #11 0x55ca05cb7c58 in main XYZ/radare2/binr/radare2/radare2.c:1064
    #12 0x7f23f9c3682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x55ca05cbdda8 in _start (/usr/local/bin/radare2+0x10da8)

0x60400000fa78 is located 0 bytes to the right of 40-byte region [0x60400000fa50,0x60400000fa78)
allocated by thread T0 here:
    #0 0x7f2400aee79a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x7f23ff221ee6 in parse_dysymtab XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:508
    #2 0x7f23ff221ee6 in init_items XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:978

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1653 parse_import_ptr
Shadow bytes around the buggy address:
  0x0c087fff9ef0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c087fff9f00: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c087fff9f10: fa fa 00 00 00 00 01 fa fa fa 00 00 00 00 00 00
  0x0c087fff9f20: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
  0x0c087fff9f30: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
=>0x0c087fff9f40: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00[fa]
  0x0c087fff9f50: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c087fff9f60: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c087fff9f70: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c087fff9f80: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c087fff9f90: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==10582==ABORTING
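
Added triage helper (not part of the issue or the radare2 code base): it parses the ASan report above and pulls out the facts a maintainer needs first, namely the faulting access, the first non-interceptor frame of each stack, and how far the read lands past the 40-byte calloc'd region. The report text is a constructed excerpt of the log above; the "index == count" reading assumes the region is a flat array of 4-byte elements, which the issue does not state.

```python
import re

# Constructed excerpt of the ASan report quoted above; the lower stack frames and the
# shadow-byte dump are left out because the triage logic does not need them.
ASAN_REPORT = """\
==10582==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000fa78 at pc 0x7f23ff240307 bp 0x7ffe1022cb10 sp 0x7ffe1022cb00
READ of size 4 at 0x60400000fa78 thread T0
    #0 0x7f23ff240306 in parse_import_ptr XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1653
    #1 0x7f23ff240306 in get_relocs_64 XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1936
0x60400000fa78 is located 0 bytes to the right of 40-byte region [0x60400000fa50,0x60400000fa78)
allocated by thread T0 here:
    #0 0x7f2400aee79a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x7f23ff221ee6 in parse_dysymtab XYZ/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:508
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def first_user_frame(frames):
    """Skip ASan's own interceptor frame (e.g. __interceptor_calloc); return (func, location)."""
    return next(f for f in frames if not f[0].startswith("__interceptor_"))

def triage(report):
    """Extract the facts a triager wants from a heap-buffer-overflow report."""
    bug, addr = ERROR_RE.search(report).groups()
    op, size, _ = ACCESS_RE.search(report).groups()
    size, addr = int(size), int(addr, 16)
    split = report.index("allocated by")   # faulting stack before, allocation stack after
    fault_fn, fault_loc = first_user_frame(FRAME_RE.findall(report[:split]))
    alloc_fn, alloc_loc = first_user_frame(FRAME_RE.findall(report[split:]))
    _dist, where, region, lo, hi = REGION_RE.search(report).groups()
    region, lo, hi = int(region), int(lo, 16), int(hi, 16)
    offset = addr - lo                      # access offset from the start of the allocation
    # Assumption for the index arithmetic: the region is a flat array of `size`-byte
    # elements, so an access at offset == region size is the classic index == count overrun.
    return {
        "bug": bug, "access": op, "size": size, "side": where,
        "fault": (fault_fn, fault_loc), "alloc": (alloc_fn, alloc_loc),
        "region_size": region, "offset": offset,
        "bytes_past_end": max(0, addr + size - hi),
        "element_index": offset // size, "element_count": region // size,
    }

if __name__ == "__main__":
    for k, v in triage(ASAN_REPORT).items():
        print(f"{k:15} {v}")
```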

radare added a commit that referenced this issue May 6, 2018

@radare radare closed this in 6020876 May 6, 2018

SakiiR pushed a commit to SakiiR/radare2 that referenced this issue Jul 1, 2019
