[AFL] r2 crash in r_bin_java_read_next_attr_from_buffer #1833

Closed
ekse opened this issue Dec 14, 2014 · 0 comments

I did some fuzzing of the handling of Java class files and got a bunch of crashes.

crash file : https://www.dropbox.com/sh/466tsvrq8qrewyj/AADlSLWhLbhzqMqN9n1G2L0wa/java/1/id_000002%2Csig_11%2Csrc_000000%2Cop_flip4%2Cpos_354?dl=1
original : https://www.dropbox.com/sh/466tsvrq8qrewyj/AACIzmyCHmpq0OYrU9tijfjga/java/HelloWorld.class?dl=0

gdb output

r_bin_java_read_next_attr_from_buffer (
    buffer=buffer@entry=0x911a858 <error: Cannot access memory at address 0x911a858>,
    sz=3204448229, buf_offset=16777602) at class.c:1975
1975                    sz = R_BIN_JAVA_UINT (buffer, offset);
(gdb) print buffer
$1 = (unsigned char *) 0x911a858 <error: Cannot access memory at address 0x911a858>

Backtrace

#0  r_bin_java_read_next_attr_from_buffer (
    buffer=buffer@entry=0x911a858 <error: Cannot access memory at address 0x911a858>,
    sz=3204448229, buf_offset=16777602) at class.c:1975
#1  0xb7d4eef6 in r_bin_java_code_attr_new (buffer=0x811a837 "", sz=3221225478,
    buf_offset=353) at class.c:3246
#2  0xb7d43624 in r_bin_java_read_next_attr_from_buffer (
    buffer=buffer@entry=0x811a837 "", sz=<optimized out>, buf_offset=353)
    at class.c:1986
#3  0xb7d4eef6 in r_bin_java_code_attr_new (buffer=0x811a820 "", sz=29, buf_offset=330)
    at class.c:3246
#4  0xb7d43624 in r_bin_java_read_next_attr_from_buffer (
    buffer=buffer@entry=0x811a820 "", sz=<optimized out>, buf_offset=330)
    at class.c:1986
#5  0xb7d439ec in r_bin_java_read_next_attr (bin=bin@entry=0x8119830, offset=330,
    buf=buf@entry=0x8119680 "\312\376\272\276", len=426) at class.c:1959
#6  0xb7d58b28 in r_bin_java_read_next_method (bin=bin@entry=0x8119830, offset=322,
    buf=buf@entry=0x8119680 "\312\376\272\276", len=426) at class.c:1383
#7  0xb7d590ac in r_bin_java_parse_methods (bin=bin@entry=0x8119830, offset=320,
    buf=buf@entry=0x8119680 "\312\376\272\276", len=426) at class.c:2172
#8  0xb7d5ab78 in r_bin_java_load_bin (bin=0x8119830,
    buf=0x8119680 "\312\376\272\276", buf_sz=426) at class.c:2254
#9  0xb7d5add8 in r_bin_java_new_bin (bin=bin@entry=0x8119830, loadaddr=0,
    kv=kv@entry=0x8112f70, buf=0x8119680 "\312\376\272\276", len=426) at class.c:2211
#10 0xb7d5aec0 in r_bin_java_new_buf (buf=0x8119658, loadaddr=0, kv=0x8112f70)
    at class.c:2892
#11 0xb7c8f117 in load_bytes (buf=0x8112d50 "\312\376\272\276", sz=426, loadaddr=0,
    sdb=0x8112f70)
    at /home/ml2/tools/afl-0.89b/projects/radare2/libr/..//libr/bin/p/bin_java.c:67
#12 0xb7bf8b55 in r_bin_object_new (binfile=binfile@entry=0x8112cc8,
    plugin=plugin@entry=0x80e6870, baseaddr=0, loadaddr=0, offset=0, sz=426)
    at bin.c:838
#13 0xb7bfcc17 in r_bin_file_new_from_bytes (xtrname=0x0, offset=0, pluginname=0x0,
    fd=<optimized out>, loadaddr=0, baseaddr=0, rawstr=<optimized out>,
    file_sz=<optimized out>, sz=<optimized out>, bytes=0x8112b18 "\312\376\272\276",
    file=<optimized out>, bin=0x80df540) at bin.c:976
#14 r_bin_load_io_at_offset_as_sz (bin=bin@entry=0x80df540, desc=desc@entry=0x811c6a8,
    baseaddr=0, loadaddr=0, xtr_idx=xtr_idx@entry=0, offset=0, name=name@entry=0x0,
    sz=134217728) at bin.c:582
#15 0xb7bfd81c in r_bin_load_io_at_offset_as (bin=0x80df540, desc=0x811c6a8,
    baseaddr=0, loadaddr=0, xtr_idx=0, offset=0, name=0x0) at bin.c:597
#16 0xb7bfe32b in r_bin_load_io (bin=0x80df540, desc=0x811c6a8, baseaddr=0,
    loadaddr=0, xtr_idx=0) at bin.c:496
#17 0xb7ee52a6 in r_core_file_do_load_for_io_plugin (loadaddr=0, baseaddr=0,
    r=0x8053300 <r>) at file.c:338
#18 r_core_bin_load (r=0x8053300 <r>,
    filenameuri=0x811c6d0 "results-radare2/crashes/id:000002,sig:11,src:000000,op:flip4
pos:354", baddr=0) at file.c:470
#19 0x0804c0eb in main (argc=2, argv=0xbffff704, envp=0xbffff710) at radare2.c:546

Analysis

The sz value in r_bin_java_code_attr_new is clearly too large, which will result in a crash in r_bin_java_read_next_attr_from_buffer.

#1  0xb7d4eef6 in r_bin_java_code_attr_new (buffer=0x811a837 "", sz=3221225478,
    buf_offset=353) at class.c:3246

Another function, r_bin_java_read_next_attr, checks that the size is inside the bounds of the buffer before calling r_bin_java_read_next_attr_from_buffer, but r_bin_java_code_attr_new does no such checking.

r_bin_java_read_next_attr in class.c:1948
    if (sz + offset > len ){
        eprintf ("[X] r_bin_java: Error unable to parse remainder of classfile in Attribute len "
            "(0x%x) + offset (0x%"PFMT64x") exceeds length of buffer (0x%"PFMT64x").\n", sz, offset, len);
        return attr;
    }
@radare radare closed this in 65b580d Dec 16, 2014
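To show the kind of check the analysis above describes, here is an added example (not radare2's code and not the fix in 65b580d) that walks a class-file attribute table and refuses any attribute whose length field does not fit in the remaining buffer; the attribute tables, the function name walk_attributes and the helpers rd16/rd32 are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Class-file integers are big-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk `count` attribute_info entries (u2 name_index, u4 length, info[length])
 * starting at `offset` in buf[0..len). Returns the offset past the last entry,
 * or 0 if any header or body would run off the end of the buffer. The body
 * check is written as `attr_len > len - offset`, not `offset + attr_len > len`,
 * so a fuzzed 32-bit length cannot wrap the sum back into range. */
size_t walk_attributes(const uint8_t *buf, size_t len, size_t offset, uint16_t count) {
    for (uint16_t i = 0; i < count; i++) {
        if (offset > len || len - offset < 6) return 0;      /* 6-byte header does not fit */
        uint16_t name_idx = rd16(buf + offset);
        uint32_t attr_len = rd32(buf + offset + 2);
        offset += 6;
        if (attr_len > len - offset) {                       /* body does not fit: stop here */
            fprintf(stderr, "attr %u (name #%u): len 0x%x exceeds remaining 0x%zx\n",
                    i, name_idx, attr_len, len - offset);
            return 0;
        }
        offset += attr_len;
    }
    return offset;
}

/* Constructed attribute tables (not the issue's crash file): two entries, 15 bytes. */
static const uint8_t GOOD_ATTRS[] = {
    0x00, 0x07, 0x00, 0x00, 0x00, 0x03, 0x01, 0x02, 0x03,   /* name #7, length 3 */
    0x00, 0x08, 0x00, 0x00, 0x00, 0x00 };                   /* name #8, length 0 */
/* First length field replaced by 0xC0000006, the oversized sz in the backtrace. */
static const uint8_t BAD_ATTRS[] = {
    0x00, 0x07, 0xC0, 0x00, 0x00, 0x06, 0x01, 0x02, 0x03,
    0x00, 0x08, 0x00, 0x00, 0x00, 0x00 };
/* Length 0xFFFFFFFE: offset + length would wrap to 4 in 32-bit arithmetic. */
static const uint8_t WRAP_ATTRS[] = {
    0x00, 0x07, 0xFF, 0xFF, 0xFF, 0xFE, 0x01, 0x02, 0x03,
    0x00, 0x08, 0x00, 0x00, 0x00, 0x00 };

int main(void) {
    printf("good table ends at offset %zu\n", walk_attributes(GOOD_ATTRS, sizeof GOOD_ATTRS, 0, 2));
    printf("fuzzed table %s\n", walk_attributes(BAD_ATTRS, sizeof BAD_ATTRS, 0, 2) ? "accepted" : "rejected");
    printf("wrap table %s\n", walk_attributes(WRAP_ATTRS, sizeof WRAP_ATTRS, 0, 2) ? "accepted" : "rejected");
    return 0;
}
```

The same guard belongs at every level that consumes a length field, which is the gap the issue points out: a check in the outer reader does not protect a nested reader that trusts the length it is handed.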