om crash

[ret2libc]

Work environment

Questions	Answers
OS/arch/bits (mandatory)
File format of the file you reverse (mandatory)	none
Architecture/bits of the file (mandatory)	x64
r2 -v full output, not truncated (mandatory)	radare2 3.4.0-git 23115 @ linux-x86-64 git.3.3.0-134-g917fcda0a commit: 917fcda build: 2019-03-12__18:49:58

Expected behavior

At least no crash.

Actual behavior

=================================================================
==22461==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200005d5b3 at pc 0x7fb30e6d7184 bp 0x7ffed83ac080 sp 0x7ffed83ac070                                                                         
READ of size 1 at 0x60200005d5b3 thread T0                        
    #0 0x7fb30e6d7183 in cmd_open_map ../libr/core/cmd_open.c:802
    #1 0x7fb30e6db9e6 in cmd_open ../libr/core/cmd_open.c:1418    
    #2 0x7fb30e773528 in r_cmd_call ../libr/core/cmd_api.c:235
    #3 0x7fb30e767108 in r_core_cmd_subst_i ../libr/core/cmd.c:3027
    #4 0x7fb30e75fc9b in r_core_cmd_subst ../libr/core/cmd.c:2036
    #5 0x7fb30e76c59c in r_core_cmd ../libr/core/cmd.c:3761
    #6 0x7fb30e791fbc in r_core_prompt_exec ../libr/core/core.c:2971
    #7 0x7fb310a9adb4 in r_main_radare2 ../libr/main/radare2.c:1447
    #8 0x401165 in main ../binr/radare2/radare2.c:48              
    #9 0x7fb3108d1412 in __libc_start_main ../csu/libc-start.c:308
    #10 0x40108d in _start (/usr/local/bin/radare2+0x40108d)

0x60200005d5b3 is located 0 bytes to the right of 3-byte region [0x60200005d5b0,0x60200005d5b3)
allocated by thread T0 here:
    #0 0x7fb310b76e60 in strdup (/lib64/libasan.so.5+0x3be60)
    #1 0x7fb30e75f26e in r_core_cmd_subst ../libr/core/cmd.c:1956
    #2 0x7fb30e76c59c in r_core_cmd ../libr/core/cmd.c:3761
    #3 0x7fb30e791fbc in r_core_prompt_exec ../libr/core/core.c:2971
    #4 0x7fb310a9adb4 in r_main_radare2 ../libr/main/radare2.c:1447
    #5 0x401165 in main ../binr/radare2/radare2.c:48
    #6 0x7fb3108d1412 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../libr/core/cmd_open.c:802 in cmd_open_map
Shadow bytes around the buggy address:
  0x0c0480003a60: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480003a70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c0480003a80: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480003a90: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003aa0: fa fa fd fa fa fa fd fa fa fa 03 fa fa fa 03 fa
=>0x0c0480003ab0: fa fa 03 fa fa fa[03]fa fa fa 01 fa fa fa fa fa
  0x0c0480003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22461==ABORTING

Steps to reproduce the behavior

$ radare2 -m 0x100010000 -
[0x100010000]> om

[radare]

Asan only crash. I was surprised we didnt catched this bug before

…

On 12 Mar 2019, at 19:06, Riccardo Schirone ***@***.***> wrote: Work environment Questions Answers OS/arch/bits (mandatory) File format of the file you reverse (mandatory) none Architecture/bits of the file (mandatory) x64 r2 -v full output, not truncated (mandatory) radare2 3.4.0-git 23115 @ linux-x86-64 git.3.3.0-134-g917fcda0a commit: 917fcda build: 2019-03-12__18:49:58 Expected behavior At least no crash. Actual behavior ================================================================= ==22461==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200005d5b3 at pc 0x7fb30e6d7184 bp 0x7ffed83ac080 sp 0x7ffed83ac070 READ of size 1 at 0x60200005d5b3 thread T0 #0 0x7fb30e6d7183 in cmd_open_map ../libr/core/cmd_open.c:802 #1 0x7fb30e6db9e6 in cmd_open ../libr/core/cmd_open.c:1418 #2 0x7fb30e773528 in r_cmd_call ../libr/core/cmd_api.c:235 #3 0x7fb30e767108 in r_core_cmd_subst_i ../libr/core/cmd.c:3027 #4 0x7fb30e75fc9b in r_core_cmd_subst ../libr/core/cmd.c:2036 #5 0x7fb30e76c59c in r_core_cmd ../libr/core/cmd.c:3761 #6 0x7fb30e791fbc in r_core_prompt_exec ../libr/core/core.c:2971 #7 0x7fb310a9adb4 in r_main_radare2 ../libr/main/radare2.c:1447 #8 0x401165 in main ../binr/radare2/radare2.c:48 #9 0x7fb3108d1412 in __libc_start_main ../csu/libc-start.c:308 #10 0x40108d in _start (/usr/local/bin/radare2+0x40108d) 0x60200005d5b3 is located 0 bytes to the right of 3-byte region [0x60200005d5b0,0x60200005d5b3) allocated by thread T0 here: #0 0x7fb310b76e60 in strdup (/lib64/libasan.so.5+0x3be60) #1 0x7fb30e75f26e in r_core_cmd_subst ../libr/core/cmd.c:1956 #2 0x7fb30e76c59c in r_core_cmd ../libr/core/cmd.c:3761 #3 0x7fb30e791fbc in r_core_prompt_exec ../libr/core/core.c:2971 #4 0x7fb310a9adb4 in r_main_radare2 ../libr/main/radare2.c:1447 #5 0x401165 in main ../binr/radare2/radare2.c:48 #6 0x7fb3108d1412 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-buffer-overflow ../libr/core/cmd_open.c:802 in cmd_open_map Shadow bytes around the buggy address: 0x0c0480003a60: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa 0x0c0480003a70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd 0x0c0480003a80: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd 0x0c0480003a90: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c0480003aa0: fa fa fd fa fa fa fd fa fa fa 03 fa fa fa 03 fa =>0x0c0480003ab0: fa fa 03 fa fa fa[03]fa fa fa 01 fa fa fa fa fa 0x0c0480003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0480003ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0480003ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0480003af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0480003b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==22461==ABORTING Steps to reproduce the behavior $ radare2 -m 0x100010000 - [0x100010000]> om — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[ret2libc]

This was introduced in this huge commit 82416b0 (libr_main stuff). Unfortunately to keep travis-time short we are not enforcing asan build on each commit, so you have to manually look at the travis report to notice it.

[radare]

maybe because globals dont work the same in shared libs?

…

On 12 Mar 2019, at 19:53, Riccardo Schirone ***@***.***> wrote: This was introduced in this huge commit 82416b0 <82416b0> (libr_main stuff). Unfortunately to keep travis-time short we are not enforcing asan build on each commit, so you have to manually look at the travis report to notice it. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#13361 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA3-luSbv4e1Pshka7myrFZqBmJRlyrYks5vV_epgaJpZM4brjDJ>.

[radare]

oneline reproducer r2 -qcom -

…

On 12 Mar 2019, at 19:30, Pancake Nopcode ***@***.***> wrote: Asan only crash. I was surprised we didnt catched this bug before On 12 Mar 2019, at 19:06, Riccardo Schirone ***@***.*** ***@***.***>> wrote: > Work environment > > Questions Answers > OS/arch/bits (mandatory) > File format of the file you reverse (mandatory) none > Architecture/bits of the file (mandatory) x64 > r2 -v full output, not truncated (mandatory) radare2 3.4.0-git 23115 @ linux-x86-64 git.3.3.0-134-g917fcda0a commit: 917fcda <917fcda> build: 2019-03-12__18:49:58 > Expected behavior > > At least no crash. > > Actual behavior > > ================================================================= > ==22461==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200005d5b3 at pc 0x7fb30e6d7184 bp 0x7ffed83ac080 sp 0x7ffed83ac070 > READ of size 1 at 0x60200005d5b3 thread T0 > #0 0x7fb30e6d7183 in cmd_open_map ../libr/core/cmd_open.c:802 > #1 0x7fb30e6db9e6 in cmd_open ../libr/core/cmd_open.c:1418 > #2 0x7fb30e773528 in r_cmd_call ../libr/core/cmd_api.c:235 > #3 0x7fb30e767108 in r_core_cmd_subst_i ../libr/core/cmd.c:3027 > #4 0x7fb30e75fc9b in r_core_cmd_subst ../libr/core/cmd.c:2036 > #5 0x7fb30e76c59c in r_core_cmd ../libr/core/cmd.c:3761 > #6 0x7fb30e791fbc in r_core_prompt_exec ../libr/core/core.c:2971 > #7 0x7fb310a9adb4 in r_main_radare2 ../libr/main/radare2.c:1447 > #8 0x401165 in main ../binr/radare2/radare2.c:48 > #9 0x7fb3108d1412 in __libc_start_main ../csu/libc-start.c:308 > #10 0x40108d in _start (/usr/local/bin/radare2+0x40108d) > > 0x60200005d5b3 is located 0 bytes to the right of 3-byte region [0x60200005d5b0,0x60200005d5b3) > allocated by thread T0 here: > #0 0x7fb310b76e60 in strdup (/lib64/libasan.so.5+0x3be60) > #1 0x7fb30e75f26e in r_core_cmd_subst ../libr/core/cmd.c:1956 > #2 0x7fb30e76c59c in r_core_cmd ../libr/core/cmd.c:3761 > #3 0x7fb30e791fbc in r_core_prompt_exec ../libr/core/core.c:2971 > #4 0x7fb310a9adb4 in r_main_radare2 ../libr/main/radare2.c:1447 > #5 0x401165 in main ../binr/radare2/radare2.c:48 > #6 0x7fb3108d1412 in __libc_start_main ../csu/libc-start.c:308 > > SUMMARY: AddressSanitizer: heap-buffer-overflow ../libr/core/cmd_open.c:802 in cmd_open_map > Shadow bytes around the buggy address: > 0x0c0480003a60: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa > 0x0c0480003a70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd > 0x0c0480003a80: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd > 0x0c0480003a90: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa > 0x0c0480003aa0: fa fa fd fa fa fa fd fa fa fa 03 fa fa fa 03 fa > =>0x0c0480003ab0: fa fa 03 fa fa fa[03]fa fa fa 01 fa fa fa fa fa > 0x0c0480003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c0480003ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c0480003ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c0480003af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c0480003b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb > ==22461==ABORTING > Steps to reproduce the behavior > > $ radare2 -m 0x100010000 - > [0x100010000]> om > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub <#13361>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA3-llAeBokJH18g-2lsoNglIyohNMjVks5vV-yPgaJpZM4brjDJ>. >