AddressSanitizer: global-buffer-overflow at asm_x86_nz.c:2007 #12242

Closed
@hongxuchen

Description

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu x86 64 |
| File format of the file you reverse (mandatory) | txt |
| Architecture/bits of the file (mandatory) | - |
| r2 -v full output, not truncated (mandatory) | rasm2 3.1.0-git 20128 @ linux-x86-64 git.3.0.1-296-gdd84bfe3d commit: dd84bfe build: 2018-11-20__15:15:21 |

Expected behavior

rasm2 exits with error message.

Actual behavior

rasm2 crashes.

=================================================================
==14306==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f1763fce729 at pc 0x7f1763ac66e3 bp 0x7ffe01509720 sp 0x7ffe01509718
READ of size 1 at 0x7f1763fce729 thread T0
    #0 0x7f1763ac66e2 in opmov /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:2007:16
    #1 0x7f1763ad68cd in assemble /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:4831:15
    #2 0x7f1763b43fe3 in r_asm_assemble /home/exp/FOT/radare2/libr/asm/asm.c:600:10
    #3 0x7f1763b488c5 in r_asm_massemble /home/exp/FOT/radare2/libr/asm/asm.c:986:12
    #4 0x7f1763b4af70 in r_asm_rasm_assemble /home/exp/FOT/radare2/libr/asm/asm.c:1143:10
    #5 0x55828d39265b in rasm_asm /home/exp/FOT/radare2/binr/rasm2/rasm2.c:370:16
    #6 0x55828d392573 in print_assembly_output /home/exp/FOT/radare2/binr/rasm2/rasm2.c:429:8
    #7 0x55828d3900a7 in main /home/exp/FOT/radare2/binr/rasm2/rasm2.c:804:10
    #8 0x7f1760a12b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x55828d2950f9 in _start (/home/exp/FOT/radare2/binr/rasm2/rasm2+0x1f0f9)

0x7f1763fce729 is located 55 bytes to the left of global variable '<string literal>' defined in 'p/asm_x86_nz.c:4848:10' (0x7f1763fce760) of size 7
  '<string literal>' is ascii string 'x86.nz'
0x7f1763fce729 is located 3 bytes to the right of global variable 'SEG_REG_PREFIXES' defined in 'p/asm_x86_nz.c:76:11' (0x7f1763fce720) of size 6
SUMMARY: AddressSanitizer: global-buffer-overflow /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:2007:16 in opmov
Shadow bytes around the buggy address:
  0x0fe36c7f1c90: 04 f9 f9 f9 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
  0x0fe36c7f1ca0: 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x0fe36c7f1cb0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 01
  0x0fe36c7f1cc0: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 06 f9
  0x0fe36c7f1cd0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe36c7f1ce0: 00 00 00 00 06[f9]f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x0fe36c7f1cf0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 07 f9
  0x0fe36c7f1d00: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0fe36c7f1d10: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x0fe36c7f1d20: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0fe36c7f1d30: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14306==ABORTING
Aborted

Steps to reproduce the behavior

  • Build radare with ASAN
  • Run rasm2 -a x86 -b 16 'mov ,[R8-SS:'

Additional Logs, screenshots, source-code, configuration dump, ...

The calculated offset is beyond the bounds of SEG_REG_PREFIXES.

gdb$ b /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:2007
Breakpoint 1 at 0x7ffff622af60: file p/asm_x86_nz.c, line 2007.
gdb$ run
Starting program: /usr/bin/rasm2 -a x86 -b 16 mov\ ,\[R8-SS:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, opmov (a=0x611000000040, data=0x7fffffffaba0 "", op=0x7fffffffac80) at p/asm_x86_nz.c:2007
2007                            data[l++] = SEG_REG_PREFIXES[op->operands[1].regs[0]];
gdb$ p SEG_REG_PREFIXES
$1 = "&.6>de"
gdb$ p op->operands[1].regs[0]
$2 = 9
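Added illustration, not radare2's own code: the unchecked table lookup quoted from line 2007 above, placed next to a bounds-checked variant that rejects an out-of-range register index instead of reading past the table. The table contents are reconstructed from the gdb dump ("&.6>de", 6 bytes); the function names and the output-buffer capacity parameter are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Segment-override prefix table, reconstructed from the gdb output in the
 * report: "&.6>de" is 0x26 0x2e 0x36 0x3e 0x64 0x65 (ES CS SS DS FS GS). */
const uint8_t SEG_REG_PREFIXES[] = {0x26, 0x2e, 0x36, 0x3e, 0x64, 0x65};
#define SEG_REG_COUNT (sizeof SEG_REG_PREFIXES / sizeof SEG_REG_PREFIXES[0])

/* Same pattern as the crashing line: the register index produced by the
 * operand parser is used directly as a table index. With reg == 9 this reads
 * 3 bytes past the 6-byte table, which is exactly what ASan reported.
 * Kept unchecked on purpose to show the defect; never call it with an
 * unvalidated index. */
int emit_seg_prefix_unchecked(uint8_t *data, int l, int reg) {
    data[l++] = SEG_REG_PREFIXES[reg];
    return l;
}

/* Hardened form: validate the index against the table size and the output
 * position against the buffer capacity before any memory access.
 * Returns the new output length, or -1 on a bad operand / full buffer. */
int emit_seg_prefix_checked(uint8_t *data, size_t cap, int l, int reg) {
    if (reg < 0 || (size_t)reg >= SEG_REG_COUNT) {
        return -1;                      /* not a segment register index */
    }
    if (l < 0 || (size_t)l >= cap) {
        return -1;                      /* no room for another prefix byte */
    }
    data[l++] = SEG_REG_PREFIXES[reg];
    return l;
}

int main(void) {
    uint8_t out[16];
    /* Valid index (SS) is emitted; the index 9 from the report is rejected. */
    int n = emit_seg_prefix_checked(out, sizeof out, 0, 2);
    printf("reg 2 -> len %d, byte 0x%02x\n", n, out[0]);
    printf("reg 9 -> %d (rejected)\n", emit_seg_prefix_checked(out, sizeof out, 0, 9));
    return 0;
}
```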
