
Heap out of bounds read in r_x509_parse_extension() #13297

fumfel opened this issue Mar 6, 2019 · 0 comments



@fumfel fumfel commented Mar 6, 2019

Work environment

| Questions | Answers |
| --- | --- |
| OS/arch/bits (mandatory) | Ubuntu 18.04 |
| File format of the file you reverse (mandatory) | PE32+ |
| Architecture/bits of the file (mandatory) | x86/64 |
| r2 -v full output, not truncated (mandatory) | radare2 3.4.0-git 21061 @ linux-x86-64 git.3.3.0-90-g42f846b42 commit: 42f846b build: 2019-03-06__19:39:27 |

Expected behavior

Disassembly or error message.

Actual behavior

Heap out of bounds read in ASAN build.

Steps to reproduce the behavior

Additional Logs, screenshots, source-code, configuration dump, ...

==840==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200002b6a0 at pc 0x7f82ee5e2a0f bp 0x7fff68984290 sp 0x7fff68984288
READ of size 8 at 0x60200002b6a0 thread T0
#0 0x7f82ee5e2a0e in r_x509_parse_extension radare2/libr/util/x509.c:126:8
#1 0x7f82ee5e2a0e in r_x509_parse_extensions radare2/libr/util/x509.c:148
#2 0x7f82ee5e3d4b in r_x509_parse_tbscertificate radare2/libr/util/x509.c:202:5
#3 0x7f82ee5e45e2 in r_x509_parse_certificate radare2/libr/util/x509.c:231:2
#4 0x7f82ee5daca4 in r_pkcs7_parse_extendedcertificatesandcertificates radare2/libr/util/pkcs7.c:69:24
#5 0x7f82ee5daca4 in r_pkcs7_parse_signeddata radare2/libr/util/pkcs7.c:281
#6 0x7f82ee5daca4 in r_pkcs7_parse_cms radare2/libr/util/pkcs7.c:329
#7 0x7f82f3fe2acb in bin_pe_get_certificate radare2/libr/..//libr/bin/p/../format/pe/pe.c:2487:13
#8 0x7f82f3fe2acb in bin_pe_init radare2/libr/..//libr/bin/p/../format/pe/pe.c:2515
#9 0x7f82f3fe61d6 in Pe64_r_bin_pe_new_buf radare2/libr/..//libr/bin/p/../format/pe/pe.c:3578:7
#10 0x7f82f3fbc031 in load_buffer radare2/libr/..//libr/bin/p/
#11 0x7f82f3ccfc1d in r_bin_object_new radare2/libr/bin/obj.c:180:16
#12 0x7f82f3cc6691 in r_bin_file_new_from_bytes radare2/libr/bin/bfile.c:469:18
#13 0x7f82f3ca0a9f in r_bin_open_io radare2/libr/bin/bin.c:407:13
#14 0x7f82f522ef0b in r_core_file_do_load_for_io_plugin radare2/libr/core/cfile.c:380:7
#15 0x7f82f522ef0b in r_core_bin_load radare2/libr/core/cfile.c:538
#16 0x55d70109cb20 in main radare2/binr/radare2/radare2.c:1165:15
#17 0x7f82edbd0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#18 0x55d700fa5929 in _start (/usr/local/bin/radare2+0x25929)

0x60200002b6a0 is located 0 bytes to the right of 16-byte region [0x60200002b690,0x60200002b6a0)
allocated by thread T0 here:
#0 0x55d70105b1a8 in calloc (/usr/local/bin/radare2+0xdb1a8)
#1 0x7f82ee5ec897 in r_asn1_create_object radare2/libr/util/asn1.c:131:27

SUMMARY: AddressSanitizer: heap-buffer-overflow radare2/libr/util/x509.c:126:8 in r_x509_parse_extension
Shadow bytes around the buggy address:
0x0c047fffd680: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
0x0c047fffd690: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
0x0c047fffd6a0: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 00
0x0c047fffd6b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
0x0c047fffd6c0: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 fa
=>0x0c047fffd6d0: fa fa 00 00[fa]fa 00 fa fa fa 00 00 fa fa 00 00
0x0c047fffd6e0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fffd6f0: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 fa
0x0c047fffd700: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 fa
0x0c047fffd710: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 00
0x0c047fffd720: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
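As an added example (not radare2's code, and not the fix referenced in the events below), here is a hypothetical standalone parser for the X.509 Extension structure in C that shows the check such code needs: count the children of the SEQUENCE before indexing them. The ASAN report above is an 8-byte read immediately past a 16-byte calloc'd block from r_asn1_create_object, which on x86-64 is the footprint of reading one pointer beyond a two-entry object array. All function and type names here (der_read_tlv, der_children, parse_extension, ext_t) and the sample DER inputs are constructed for this example; radare2 itself walks a pre-built RASN1Object tree rather than raw DER.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal DER reader: one tag-length-value element. */
typedef struct { uint8_t tag; const uint8_t *val; size_t len; } tlv_t;

/* Parse one TLV from [p, end). Returns bytes consumed, or 0 if the header or
 * the declared length does not fit in the remaining buffer. */
static size_t der_read_tlv(const uint8_t *p, const uint8_t *end, tlv_t *out) {
    if (end - p < 2) return 0;
    size_t hdr = 2, len = p[1];
    if (len & 0x80) {                       /* long form: 0x8N, then N length bytes */
        size_t n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - p) < 2 + n) return 0;
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        hdr = 2 + n;
    }
    if ((size_t)(end - p) - hdr < len) return 0;  /* value would run past the buffer */
    out->tag = p[0]; out->val = p + hdr; out->len = len;
    return hdr + len;
}

/* Split a constructed value into its children, at most max of them.
 * Returns the child count, or -1 if a child is malformed or there are too many. */
static int der_children(const tlv_t *parent, tlv_t *kids, int max) {
    const uint8_t *p = parent->val, *end = parent->val + parent->len;
    int n = 0;
    while (p < end) {
        if (n == max) return -1;
        size_t used = der_read_tlv(p, end, &kids[n]);
        if (used == 0) return -1;
        p += used; n++;
    }
    return n;
}

/* Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING } */
typedef struct {
    const uint8_t *oid; size_t oid_len;
    bool critical;
    const uint8_t *value; size_t value_len;
} ext_t;

/* Returns 0 on success, a negative code on malformed input. The child count is
 * checked before kids[] is indexed, so a SEQUENCE with one child cannot cause a
 * read past the end of the child array. */
int parse_extension(const uint8_t *buf, size_t len, ext_t *out) {
    tlv_t seq, kids[3];
    if (der_read_tlv(buf, buf + len, &seq) != len || seq.tag != 0x30) return -1;
    int n = der_children(&seq, kids, 3);
    if (n < 2) return -2;                   /* extnID and extnValue are mandatory */
    if (kids[0].tag != 0x06) return -3;     /* OBJECT IDENTIFIER */
    out->oid = kids[0].val; out->oid_len = kids[0].len;
    out->critical = false;
    int vi = 1;
    if (n == 3) {                           /* optional BOOLEAN present */
        if (kids[1].tag != 0x01 || kids[1].len != 1) return -4;
        out->critical = kids[1].val[0] != 0;
        vi = 2;
    }
    if (kids[vi].tag != 0x04) return -5;    /* OCTET STRING */
    out->value = kids[vi].val; out->value_len = kids[vi].len;
    return 0;
}

/* Constructed sample inputs (not taken from any real certificate). */
static const uint8_t EXT_CRITICAL[] = {   /* basicConstraints, critical TRUE, CA:TRUE */
    0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff,
    0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff };
static const uint8_t EXT_PLAIN[] = {      /* same, critical omitted (DEFAULT FALSE) */
    0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff };
static const uint8_t EXT_ONE_CHILD[] = {  /* SEQUENCE holding only the OID */
    0x30, 0x05, 0x06, 0x03, 0x55, 0x1d, 0x13 };
static const uint8_t EXT_OVERLONG[] = {   /* declared length 16, only 5 bytes follow */
    0x30, 0x10, 0x06, 0x03, 0x55, 0x1d, 0x13 };

int ext_status(const uint8_t *buf, size_t len) { ext_t e; return parse_extension(buf, len, &e); }
int ext_critical(const uint8_t *buf, size_t len) {
    ext_t e;
    return parse_extension(buf, len, &e) == 0 ? (int)e.critical : -1;
}

int main(void) {
    printf("critical : %d (critical=%d)\n", ext_status(EXT_CRITICAL, sizeof EXT_CRITICAL),
           ext_critical(EXT_CRITICAL, sizeof EXT_CRITICAL));
    printf("plain    : %d (critical=%d)\n", ext_status(EXT_PLAIN, sizeof EXT_PLAIN),
           ext_critical(EXT_PLAIN, sizeof EXT_PLAIN));
    printf("one child: %d\n", ext_status(EXT_ONE_CHILD, sizeof EXT_ONE_CHILD));
    printf("overlong : %d\n", ext_status(EXT_OVERLONG, sizeof EXT_OVERLONG));
    return 0;
}
```

The two rejected inputs are the interesting ones: EXT_ONE_CHILD is a structurally valid SEQUENCE that simply has fewer elements than the parser expects, and EXT_OVERLONG declares a length larger than the buffer. A parser that trusts either the element count or the declared length ends up exactly where the ASAN trace does, reading beyond a heap allocation it was handed.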
devnexen added a commit to devnexen/radare2 that referenced this issue Mar 6, 2019
@XVilka XVilka added the bug label Mar 7, 2019
@XVilka XVilka added this to the 3.4.0 - aprils milestone Mar 7, 2019
@ret2libc ret2libc closed this in ffab804 Mar 7, 2019
2 participants