Integer Overflow in r_asm_massemble at libr/asm/asm.c
#15543
Comments
This seems to have CVE-2019-19590 assigned.
Can't reproduce. It's not crashing or failing for me, but I see the problem in the code and just pushed a blind fix. Can you confirm the issue is gone now?
btw:
I fixed the rasm2 crash, and actually I think r_file_slurp() has the bug, because it is unable to open > 2GB files, and actually I don't think we even want that to happen.
I have checked the PoC. It seems the bug is still there. In the current patch, if the variable

```c
/* Tokenize */
for (tokens[0] = lbuf, ctr = 0;
	((ptr = strchr (tokens[ctr], ';')) ||
	 (ptr = strchr (tokens[ctr], '\n')) ||
	 (ptr = strchr (tokens[ctr], '\r')));) {
	if (ctr + 1 >= tokens_size) {
		const int new_tokens_size = tokens_size * 2;
		char **new_tokens = realloc (tokens, sizeof (char*) * new_tokens_size);
		if (new_tokens) {
			tokens_size = new_tokens_size;
			tokens = new_tokens;
			ctr++;
		} else {
			// tokens has already been freed
			eprintf ("Too many tokens");
			return NULL;
		}
	}
	*ptr = '\0';
	tokens[ctr] = ptr + 1;
}
```

or this kind of patch:

```c
/* Tokenize */
for (tokens[0] = lbuf, ctr = 0;
	((ptr = strchr (tokens[ctr], ';')) ||
	 (ptr = strchr (tokens[ctr], '\n')) ||
	 (ptr = strchr (tokens[ctr], '\r')));) {
	ctr++;
	if (ctr >= tokens_size) {
		const int new_tokens_size = tokens_size * 2;
		// check integer overflow
		if (new_tokens_size < tokens_size) {
			eprintf ("Too many tokens");
			free (tokens);
			return NULL;
		}
		char **new_tokens = realloc (tokens, sizeof (char*) * new_tokens_size);
		if (new_tokens) {
			tokens_size = new_tokens_size;
			tokens = new_tokens;
		} else {
			// realloc failed: tokens is still valid, release it before bailing out
			eprintf ("Too many tokens");
			free (tokens);
			return NULL;
		}
	}
	*ptr = '\0';
	tokens[ctr] = ptr + 1;
}
```

Thanks for your quick fix and reply.
@radare Moreover, for the integer overflow in |
tokens would not be freed by the realloc here: |
I think I know why @radare was not able to reproduce. The command must look like

```console
$ cat poc.py
# writes a single r2 command line, "/a ;;;...;", with just over 2^31 semicolons
f = open("poc.r", "w")
f.write("\"/a " + ";" * (2 ** 31 + 16) + "\"")
f.close()
$ python poc.py
$ r2 -i poc.r malloc://1024 # Expect No Crash
```

In addition, there was another bug that caused a segfault for me before even going into
The r_asm_massemble() overflow should be properly fixed now. |
Thanks for your fix. I have checked the PoC and the bug is gone. BTW, for I guess the issue could be closed?
Additional Logs, screenshots, source-code, configuration dump, ...

In r_asm_massemble at libr/asm/asm.c, when r2 tries to assemble a long input with too many tokens, new_tokens_size will overflow to zero. Later, realloc(tokens, sizeof (char*) * new_tokens_size) will actually free tokens, leading to a use-after-free. More seriously, the freed tokens can be filled with arbitrary data, which could be exploited for RCE. The bug code is listed below; a quick fix would be to add an upper bound check for new_tokens_size.
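The issue description above (doubling `tokens_size` until it wraps, so that `realloc` is handed a size of zero and frees the array) and the two patch variants quoted earlier in the thread both come down to one question: how to grow a doubling array without the size arithmetic wrapping. The example below is added here and is neither radare2's code nor the reporter's patch; the names `checked_double_int`, `grow_size`, `tokenize`, `count_tokens` and the `INITIAL_TOKENS` capacity are this example's own assumptions. It checks the doubling *before* multiplying (a post-hoc `new < old` test on a signed `int` relies on undefined behaviour), checks the byte count separately, and handles `realloc` failure without a double free.

```c
/* Added example (not radare2 code, not the reporter's patch): a token array
 * that grows by doubling, with the size arithmetic checked before the
 * multiplication so neither the element count nor the byte count can wrap. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately tiny so a short input exercises the growth path (assumption;
 * the real tokenizer starts much larger). */
#define INITIAL_TOKENS 4

/* Safe form of `new_tokens_size = tokens_size * 2` on an int: refuse when the
 * result would not fit instead of computing the wrapped value and comparing
 * afterwards. Returns 1 and stores the doubled value, or 0 on overflow. */
int checked_double_int(int cur, int *out) {
    if (cur < 0 || cur > INT_MAX / 2) {
        return 0;
    }
    *out = cur * 2;
    return 1;
}

/* Double a capacity of `cur` elements of `elem` bytes, checking both the
 * element count and the resulting byte count against size_t. Returns 1 on
 * success, 0 if either product would wrap. */
int grow_size(size_t cur, size_t elem, size_t *new_count, size_t *new_bytes) {
    if (elem == 0 || cur > SIZE_MAX / 2) {
        return 0;
    }
    size_t n = cur * 2;
    if (n > SIZE_MAX / elem) {
        return 0;
    }
    *new_count = n;
    *new_bytes = n * elem;
    return 1;
}

/* Split `input` in place on ';', '\n' or '\r' (the separators the radare2
 * tokenizer looks for). On success stores a heap array of token pointers in
 * *out and returns the token count; on failure frees everything, sets *out
 * to NULL and returns -1. The caller frees *out (the tokens point into input). */
long tokenize(char *input, char ***out) {
    size_t cap = INITIAL_TOKENS;
    size_t ctr = 0;
    char **tokens = malloc(cap * sizeof *tokens);
    *out = NULL;
    if (!tokens) {
        return -1;
    }
    tokens[0] = input;
    char *ptr;
    while ((ptr = strpbrk(tokens[ctr], ";\n\r")) != NULL) {
        *ptr = '\0';
        if (ctr + 1 >= cap) {
            size_t ncap, nbytes;
            /* grow_size never yields nbytes == 0, so realloc cannot act as
             * free() here; a NULL return means "allocation failed" and the
             * old array is still ours to release exactly once. */
            if (!grow_size(cap, sizeof *tokens, &ncap, &nbytes)) {
                free(tokens);
                return -1;
            }
            char **nt = realloc(tokens, nbytes);
            if (!nt) {
                free(tokens);
                return -1;
            }
            tokens = nt;
            cap = ncap;
        }
        tokens[++ctr] = ptr + 1;
    }
    *out = tokens;
    return (long)(ctr + 1);
}

/* Tokenize a copy of a constant string and return only the count. */
long count_tokens(const char *s) {
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (!copy) {
        return -1;
    }
    memcpy(copy, s, len);
    char **toks = NULL;
    long n = tokenize(copy, &toks);
    free(toks);
    free(copy);
    return n;
}

int main(void) {
    /* constructed input: one r2 line holding several ';'-separated commands */
    char line[] = "/a nop;nop;nop;nop;nop;nop;nop;nop;nop\n";
    char **toks = NULL;
    long n = tokenize(line, &toks);
    for (long i = 0; i < n; i++) {
        printf("[%ld] '%s'\n", i, toks[i]);
    }
    free(toks);
    int doubled;
    printf("doubling 1<<30 fits an int: %s\n",
           checked_double_int(1 << 30, &doubled) ? "yes" : "no");
    return 0;
}
```

The trailing empty token after the final `\n` matches the behaviour of the quoted loop, which also leaves `tokens[ctr]` pointing just past the last separator; the important differences are that a refused growth step exits cleanly instead of calling `realloc` with a wrapped size, and that the byte count is validated as a `size_t` product rather than trusting the `int` doubling alone.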