Closed
Description
Work environment
| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu x86_64 |
| File format of the file you reverse (mandatory) | txt |
| Architecture/bits of the file (mandatory) | - |
| r2 -v full output, not truncated (mandatory) | rasm2 3.1.0-git 20128 @ linux-x86-64 git.3.0.1-296-gdd84bfe3d commit: dd84bfe build: 2018-11-20__15:15:21 |
Expected behavior
rasm2 exits with an error message.
Actual behavior
rasm2 crashes.
```
=================================================================
==14306==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f1763fce729 at pc 0x7f1763ac66e3 bp 0x7ffe01509720 sp 0x7ffe01509718
READ of size 1 at 0x7f1763fce729 thread T0
#0 0x7f1763ac66e2 in opmov /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:2007:16
#1 0x7f1763ad68cd in assemble /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:4831:15
#2 0x7f1763b43fe3 in r_asm_assemble /home/exp/FOT/radare2/libr/asm/asm.c:600:10
#3 0x7f1763b488c5 in r_asm_massemble /home/exp/FOT/radare2/libr/asm/asm.c:986:12
#4 0x7f1763b4af70 in r_asm_rasm_assemble /home/exp/FOT/radare2/libr/asm/asm.c:1143:10
#5 0x55828d39265b in rasm_asm /home/exp/FOT/radare2/binr/rasm2/rasm2.c:370:16
#6 0x55828d392573 in print_assembly_output /home/exp/FOT/radare2/binr/rasm2/rasm2.c:429:8
#7 0x55828d3900a7 in main /home/exp/FOT/radare2/binr/rasm2/rasm2.c:804:10
#8 0x7f1760a12b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#9 0x55828d2950f9 in _start (/home/exp/FOT/radare2/binr/rasm2/rasm2+0x1f0f9)
0x7f1763fce729 is located 55 bytes to the left of global variable '<string literal>' defined in 'p/asm_x86_nz.c:4848:10' (0x7f1763fce760) of size 7
'<string literal>' is ascii string 'x86.nz'
0x7f1763fce729 is located 3 bytes to the right of global variable 'SEG_REG_PREFIXES' defined in 'p/asm_x86_nz.c:76:11' (0x7f1763fce720) of size 6
SUMMARY: AddressSanitizer: global-buffer-overflow /home/exp/FOT/radare2/libr/asm/p/asm_x86_nz.c:2007:16 in opmov
Shadow bytes around the buggy address:
0x0fe36c7f1c90: 04 f9 f9 f9 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
0x0fe36c7f1ca0: 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
0x0fe36c7f1cb0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 01
0x0fe36c7f1cc0: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 06 f9
0x0fe36c7f1cd0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe36c7f1ce0: 00 00 00 00 06[f9]f9 f9 f9 f9 f9 f9 07 f9 f9 f9
0x0fe36c7f1cf0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 07 f9
0x0fe36c7f1d00: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x0fe36c7f1d10: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
0x0fe36c7f1d20: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x0fe36c7f1d30: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==14306==ABORTING
Aborted
```
Steps to reproduce the behavior
- Build radare with ASAN
- run:

```
rasm2 -a x86 -b 16 'mov ,[R8-SS:'
```
Additional Logs, screenshots, source-code, configuration dump, ...
The offset calculated is beyond the bounds of SEG_REG_PREFIXES.
```
gdb$ b /home/exp/FOT/radare2-fuzz/libr/asm/p/asm_x86_nz.c:2007
Breakpoint 1 at 0x7ffff622af60: file p/asm_x86_nz.c, line 2007.
gdb$ run
Starting program: /usr/bin/rasm2 -a x86 -b 16 mov\ ,\[R8-SS:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, opmov (a=0x611000000040, data=0x7fffffffaba0 "", op=0x7fffffffac80) at p/asm_x86_nz.c:2007
2007 data[l++] = SEG_REG_PREFIXES[op->operands[1].regs[0]];
gdb$ p SEG_REG_PREFIXES
$1 = "&.6>de"
gdb$ p op->operands[1].regs[0]
$2 = 9
```
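The gdb session above shows the whole bug in one line: `SEG_REG_PREFIXES` is a 6-byte table (the bytes gdb prints as `"&.6>de"` are `0x26 0x2e 0x36 0x3e 0x64 0x65`, the ES/CS/SS/DS/FS/GS override prefixes), and `opmov` indexes it with whatever register index the operand parser left in `regs[0]`, here 9 for a non-segment register, so the read lands in ASan's global redzone. The following is an added, self-contained reconstruction of that lookup with the missing check, written for this page and not radare2's own code or its actual fix; the table contents come from the gdb output, while the function names, the name-to-index mapping and the emit helper are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical reconstruction of the lookup that crashed, not radare2's
 * own code.  The table holds the six x86 segment-override prefix bytes in
 * ES, CS, SS, DS, FS, GS order; the values are exactly the "&.6>de" that
 * gdb printed for SEG_REG_PREFIXES in the session above.
 */
static const uint8_t SEG_REG_PREFIXES[] = { 0x26, 0x2e, 0x36, 0x3e, 0x64, 0x65 };
#define N_SEG_REGS (sizeof SEG_REG_PREFIXES / sizeof SEG_REG_PREFIXES[0])

/* Before: the index comes straight from the operand parser.  With a
 * non-segment register (index 9 in the report) this reads past the
 * 6-byte table, which is what ASan flagged as a global-buffer-overflow.
 * Only ever call this with an index the caller has already validated. */
static uint8_t seg_prefix_unchecked(int reg) {
    return SEG_REG_PREFIXES[reg];
}

/* After: reject anything outside the table and let the caller turn that
 * into an assembly error instead of a crash. */
static int seg_prefix_checked(int reg) {
    if (reg < 0 || (size_t)reg >= N_SEG_REGS) {
        return -1;
    }
    return SEG_REG_PREFIXES[reg];
}

/* Case-insensitive string equality (avoids the POSIX-only strcasecmp). */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) {
            return 0;
        }
    }
    return *a == *b;
}

/* Map a register name to its index in SEG_REG_PREFIXES, or -1 when it is
 * not a segment register at all ("R8" from the crashing input, for one).
 * The name table is an assumption for this example. */
static int seg_reg_index(const char *name) {
    static const char *const names[N_SEG_REGS] = { "ES", "CS", "SS", "DS", "FS", "GS" };
    for (size_t i = 0; i < N_SEG_REGS; i++) {
        if (eq_nocase(name, names[i])) {
            return (int)i;
        }
    }
    return -1;
}

/* Append the override prefix for register index `reg` to out[0..cap).
 * Returns 1 on success, -1 if the register is not a segment register or
 * the output buffer is full; *len is untouched on failure. */
static int emit_seg_override(uint8_t *out, size_t cap, size_t *len, int reg) {
    int pfx = seg_prefix_checked(reg);
    if (pfx < 0 || *len >= cap) {
        return -1;
    }
    out[(*len)++] = (uint8_t)pfx;
    return 1;
}

int main(void) {
    uint8_t buf[16];
    size_t len = 0;

    /* Valid segment override: "SS:" -> 0x36, the same byte the unchecked
     * lookup returns once the index has been validated. */
    int ss = seg_reg_index("SS");
    printf("SS index %d, unchecked 0x%02x, checked 0x%02x\n",
           ss, seg_prefix_unchecked(ss), seg_prefix_checked(ss));

    /* The report's index 9 is refused instead of reading the redzone. */
    int rc = emit_seg_override(buf, sizeof buf, &len, 9);
    printf("index 9: rc=%d, bytes emitted=%zu\n", rc, len);

    rc = emit_seg_override(buf, sizeof buf, &len, ss);
    printf("SS: rc=%d, byte=0x%02x\n", rc, buf[0]);
    return 0;
}
```

The point of the checked variant is that the bounds test sits next to the table it protects, so any caller that gets a register index from the parser (not only `opmov`) fails cleanly with a -1 that the assembler can report as an invalid operand, which is the "exits with an error message" behaviour the report expects.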