Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ragg2 crash on long valid input. #14211

Closed
mmmdzz opened this issue Jun 2, 2019 · 2 comments
Closed

ragg2 crash on long valid input. #14211

mmmdzz opened this issue Jun 2, 2019 · 2 comments

Comments

@mmmdzz
Copy link

mmmdzz commented Jun 2, 2019

Work environment

Questions Answers
OS/arch/bits (mandatory) Ubuntu x86 64
File format of the file you reverse (mandatory) ELF
Architecture/bits of the file (mandatory) x86/64
r2 -v full output, not truncated (mandatory) radare2 3.6.0-git 21923 @ linux-x86-64 git.3.5.1-149-g573f2caa3 commit: 573f2ca build: 2019-06-02__15:06:21

Expected behavior

$ ragg2 -a x86 -b 64 hello.r
$ <output asmcode>

Actual behavior

$ ragg2 -a x86 -b 64 hello.r
$ Segmentation fault (core dumped)

Steps to reproduce the behavior

Unzip hello.zip and you will get hello.r

Additional Logs, screenshots, source-code, configuration dump, ...

After checking the source code, the vulnerability is caused by lacking boundary checking for "egg->lang.elem_n++", resulting a heap buffer overflow. It could be fixed quickly by adding associated checking.

@mmmdzz
Copy link
Author

mmmdzz commented Jun 2, 2019

More output from valgrind:

--28891-- REDIR: 0x5183db0 (libc.so.6:__strstr_sse2_unaligned) redirected to 0x4c376e0 (strstr)
--28891-- REDIR: 0x5167590 (libc.so.6:__GI_strstr) redirected to 0x4c37760 (__strstr_sse2)
--28891-- REDIR: 0x524e510 (libc.so.6:__strncmp_sse42) redirected to 0x4c33570 (__strncmp_sse42)
==28891== Invalid read of size 1
==28891==    at 0x8A97D89: skipspaces (egg_lang.c:16)
==28891==    by 0x8A995FC: r_egg_mkvar (egg_lang.c:531)
==28891==    by 0x8A9B9FD: rcc_next (egg_lang.c:1134)
==28891==    by 0x8A9C38C: r_egg_lang_parsechar (egg_lang.c:1304)
==28891==    by 0x8A97376: r_egg_compile (egg.c:345)
==28891==    by 0x4E4B1FD: r_main_ragg2 (ragg2.c:399)
==28891==    by 0x108739: main (ragg2.c:6)
==28891==  Address 0x4141414141414141 is not stack'd, malloc'd or (recently) free'd
==28891== 
==28891== 
==28891== Process terminating with default action of signal 11 (SIGSEGV)
==28891==  General Protection Fault
==28891==    at 0x8A97D89: skipspaces (egg_lang.c:16)
==28891==    by 0x8A995FC: r_egg_mkvar (egg_lang.c:531)
==28891==    by 0x8A9B9FD: rcc_next (egg_lang.c:1134)
==28891==    by 0x8A9C38C: r_egg_lang_parsechar (egg_lang.c:1304)
==28891==    by 0x8A97376: r_egg_compile (egg.c:345)
==28891==    by 0x4E4B1FD: r_main_ragg2 (ragg2.c:399)
==28891==    by 0x108739: main (ragg2.c:6)
==28891== 
==28891== HEAP SUMMARY:
==28891==     in use at exit: 62,805 bytes in 216 blocks
==28891==   total heap usage: 952 allocs, 736 frees, 119,960 bytes allocated
==28891== 
==28891== Searching for pointers to 216 not-freed blocks
==28891== Checked 5,563,432 bytes
==28891== 
==28891== LEAK SUMMARY:
==28891==    definitely lost: 0 bytes in 0 blocks
==28891==    indirectly lost: 0 bytes in 0 blocks
==28891==      possibly lost: 0 bytes in 0 blocks
==28891==    still reachable: 62,805 bytes in 216 blocks
==28891==         suppressed: 0 bytes in 0 blocks
==28891== Rerun with --leak-check=full to see details of leaked memory
==28891== 
==28891== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==28891== 
==28891== 1 errors in context 1 of 1:
==28891== Invalid read of size 1
==28891==    at 0x8A97D89: skipspaces (egg_lang.c:16)
==28891==    by 0x8A995FC: r_egg_mkvar (egg_lang.c:531)
==28891==    by 0x8A9B9FD: rcc_next (egg_lang.c:1134)
==28891==    by 0x8A9C38C: r_egg_lang_parsechar (egg_lang.c:1304)
==28891==    by 0x8A97376: r_egg_compile (egg.c:345)
==28891==    by 0x4E4B1FD: r_main_ragg2 (ragg2.c:399)
==28891==    by 0x108739: main (ragg2.c:6)
==28891==  Address 0x4141414141414141 is not stack'd, malloc'd or (recently) free'd
==28891== 
==28891== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    28891 segmentation fault (core dumped) 

@lowlyw
Copy link
Collaborator

lowlyw commented Jun 3, 2019

the bug is we write into the elem

egg->lang.elem[egg->lang.elem_n++] = c;

without checking elem_n. i'd say that elem should probably be an RBuffer

lowlyw added a commit that referenced this issue Jun 3, 2019
inputs. this should be refactored to use an RBuffer to enable dynamic
resizing, but for now just patching it to bail out if we are about to
overwrite the allocated statically sized buffer
@Maijin Maijin closed this as completed Jun 3, 2019
@radare radare reopened this Jun 3, 2019
@radare radare closed this as completed Jun 3, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants