
Heap out of bounds read in _inst__sts() #10091

Closed
fumfel opened this issue May 14, 2018 · 2 comments

Comments

@fumfel

commented May 14, 2018

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 16.04 x64 |
| File format of the file you reverse (mandatory) | Binary |
| Architecture/bits of the file (mandatory) | AVR |
| r2 -v full output, not truncated (mandatory) | radare2 2.6.0-git 18143 @ linux-x86-64 git.2.5.0-230-g51d2b78 commit: 51d2b78 build: 2018-05-11__12:21:00 |

Expected behavior

Disassembly of file or error message.

Actual behavior

Heap out of bounds read in ASAN build.

Steps to reproduce the behavior

Additional Logs, screenshots, source-code, configuration dump, ...

```text
==22865==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100004e481 at pc 0x7f385f640051 bp 0x7fff7e5cb800 sp 0x7fff7e5cb7f0
READ of size 1 at 0x61100004e481 thread T0
    #0 0x7f385f640050 in _inst__sts XYZ/radare2/libr/..//libr/anal/p/anal_avr.c:929
    #1 0x7f385f63a520 in avr_op_analyze XYZ/radare2/libr/..//libr/anal/p/anal_avr.c:1564
    #2 0x7f385f646328 in avr_op XYZ/radare2/libr/..//libr/anal/p/anal_avr.c:1642
    #3 0x7f385f87c8f0 in r_anal_op XYZ/radare2/libr/anal/op.c:105
    #4 0x7f386209fec6 in r_core_anal_search_xrefs XYZ/radare2/libr/core/canal.c:3022
    #5 0x7f3861df5a51 in r_core_anal_refs XYZ/radare2/libr/core/cmd_anal.c:5989
    #6 0x7f3861edb07a in cmd_anal_all XYZ/radare2/libr/core/cmd_anal.c:6385
    #7 0x7f3861edb07a in cmd_anal XYZ/radare2/libr/core/cmd_anal.c:6721
    #8 0x7f3862069be5 in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:233
    #9 0x7f3861f581a7 in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:2694
    #10 0x7f3861e1b523 in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:1747
    #11 0x7f3861e1d68e in r_core_cmd XYZ/radare2/libr/core/cmd.c:3385
    #12 0x55fe18069e2e in main XYZ/radare2/binr/radare2/radare2.c:1295
    #13 0x7f385b6c782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x55fe1806e8a8 in _start (/usr/local/bin/radare2+0x108a8)

0x61100004e481 is located 1 bytes to the right of 256-byte region [0x61100004e380,0x61100004e480)
allocated by thread T0 here:
    #0 0x7f38625ed602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f386209f9bc in r_core_anal_search_xrefs XYZ/radare2/libr/core/canal.c:2982

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/radare2/libr/..//libr/anal/p/anal_avr.c:929 _inst__sts
Shadow bytes around the buggy address:
  0x0c2280001c40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2280001c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280001c60: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c2280001c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280001c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2280001c90:[fa]fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280001ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280001cb0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c2280001cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280001cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2280001ce0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==22865==ABORTING
```
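The report above pins a 1-byte read to `_inst__sts` at `anal_avr.c:929`, one byte past the 256-byte block that `r_core_anal_search_xrefs` allocates and feeds to `r_anal_op`. That pattern is consistent with a 4-byte instruction decoder fetching its second word when only the opcode word remains in the block. The C below is an added illustration, not radare2's code: the decoder shape, the STS opcode constants and the `sts_decode`/`demo_scan` names are assumptions, and the hardened variant shows the remaining-length check that keeps the decoder inside the caller's buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* AVR STS k,Rr: opcode word 1001 001r rrrr 0000 followed by a 16-bit address
 * word k; flash images store each word little-endian. */
#define STS_MASK  0xFE0F
#define STS_MATCH 0x9200
typedef struct { uint8_t reg; uint16_t addr; } sts_op;
static uint16_t word_at(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Assumed shape of the defect: the address word is read as soon as the opcode
 * matches, so with only the 2 opcode bytes left in the caller's block buf[2]
 * is one byte past its end, the read ASan reports. Needs len >= 4. */
int sts_decode_unchecked(const uint8_t *buf, size_t len, sts_op *op) {
    if (len < 2 || (word_at(buf) & STS_MASK) != STS_MATCH) return -1;
    op->reg  = (uint8_t)((word_at(buf) >> 4) & 0x1f);
    op->addr = word_at(buf + 2);            /* out of bounds when len == 2 */
    return 4;
}

/* Hardened decoder: the opcode fixes the length at 4, so that is checked
 * against the bytes available before the second word is touched; -2 tells
 * the caller the instruction straddles the end of the block. */
int sts_decode(const uint8_t *buf, size_t len, sts_op *op) {
    if (len < 2 || (word_at(buf) & STS_MASK) != STS_MATCH) return -1;
    if (len < 4) return -2;
    op->reg  = (uint8_t)((word_at(buf) >> 4) & 0x1f);
    op->addr = word_at(buf + 2);
    return 4;
}

int demo_truncated;  /* set by demo_scan(): STS cut off by the block end */

/* Scans a constructed 256-byte block word by word, the way an xref scanner
 * hands fixed-size chunks to the analysis plugin, and returns the number of
 * fully decoded STS. One STS sits at offset 10, one at 254 where only its
 * opcode word fits; the hardened decoder defers it instead of over-reading. */
int demo_scan(void) {
    uint8_t blk[256] = {0};
    blk[10] = 0x00; blk[11] = 0x93; blk[12] = 0x60; blk[13] = 0x00; /* sts 0x0060, r16 */
    blk[254] = 0x00; blk[255] = 0x93;                               /* sts <cut>, r16 */
    int found = 0;
    demo_truncated = 0;
    for (size_t off = 0; off + 2 <= sizeof blk; off += 2) {
        sts_op op;
        int rc = sts_decode(blk + off, sizeof blk - off, &op);
        if (rc == 4) { found++; off += 2; }   /* skip the address word */
        else if (rc == -2) demo_truncated++;
    }
    return found;
}
```

Running the same loop with `sts_decode_unchecked` on the constructed block would be exactly the one-byte over-read in the report; the check `len < 4` is the whole fix for this instruction.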
@XVilka XVilka added this to the 2.6.0 milestone May 15, 2018
@radare radare closed this in d04c787 May 15, 2018
@radare

Collaborator

commented May 15, 2018

thanks, it seems like every other instruction of this plugin is affected, gonna fix in the next commit

@radare

Collaborator

commented May 15, 2018

fixed the others

SakiiR pushed a commit to SakiiR/radare2 that referenced this issue Jul 1, 2019