Closed
Description
Work environment
| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu x86 64 |
| File format of the file you reverse (mandatory) | - |
| Architecture/bits of the file (mandatory) | txt |
| r2 -v full output, not truncated (mandatory) | rasm2 3.1.0-git 20128 @ linux-x86-64 git.3.0.1-296-gdd84bfe3d commit: dd84bfe build: 2018-11-20__15:15:21 |
Expected behavior
rasm2 exits with an error message.
Actual behavior
rasm2 crashes with the error message that suggests it's a stack overflow relevant to char op[128] I'm not sure whether it's reporting correctly since that array is then duplicated and accessed with the duplicated one.
=================================================================
==2020==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe560eff20 at pc 0x7f88ddd1b019 bp 0x7ffe560efaf0 sp 0x7ffe560efae8
READ of size 1 at 0x7ffe560eff20 thread T0
#0 0x7f88ddd1b018 in getToken /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4299:18
#1 0x7f88ddd1b018 in parseReg /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4423
#2 0x7f88ddd1568c in parseOperand /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4651:13
#3 0x7f88ddd12b80 in parseOpcode /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4736:3
#4 0x7f88ddd0db0c in assemble /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4813:2
#5 0x7f88dddab6c7 in r_asm_assemble /home/exp/FOT/radare2-fuzz/libr/asm/asm.c:600:10
#6 0x7f88dddb0399 in r_asm_massemble /home/exp/FOT/radare2-fuzz/libr/asm/asm.c:986:12
#7 0x7f88dddb741f in r_asm_rasm_assemble /home/exp/FOT/radare2-fuzz/libr/asm/asm.c:1143:10
#8 0x56386d287a9e in rasm_asm /home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2.c:370:16
#9 0x56386d28796d in print_assembly_output /home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2.c:429:8
#10 0x56386d284bdf in main /home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2.c:804:10
#11 0x7f88daa30b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x56386d188af9 in _start (/home/exp/FOT/radare2-fuzz/binr/rasm2/rasm2+0x1eaf9)
Address 0x7ffe560eff20 is located in stack of thread T0 at offset 224 in frame
#0 0x7f88ddd0d8bf in assemble /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4803
This frame has 3 object(s):
[32, 64) '__data' (line 4804)
[96, 224) 'op' (line 4806) <== Memory access at offset 224 overflows this variable
[256, 496) 'instr' (line 4809)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:4299:18 in getToken
Shadow bytes around the buggy address:
0x10004ac15f90: f8 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac15fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac15fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac15fc0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x10004ac15fd0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004ac15fe0: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
0x10004ac15ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac16000: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x10004ac16010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac16020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004ac16030: f1 f1 f1 f1 f8 f2 f8 f2 f8 f2 f8 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2020==ABORTING
[1] 2020 abort rasm2 -a x86 -b 32
Steps to reproduce the behavior
- Build
radare2with ASAN - Run
rasm2 -a x86 -b 32 '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00,mm' - Observations: 1) preceding zeros substituted with other chars also triggers this crash, but the length seems important; 2)
mmseems relevant, changing toxmmor something else will not trigger crash; 3) crash also with-b 16/-b 64.
Metadata
Metadata
Assignees
Labels
No labels