When r2 parses the wasm file, running the pd command may result in a segmentation fault, because NULL was incorrectly passed to strdup.
pd
NULL
strdup
# date Mon Feb 20 02:38:13 AKST 2023 # r2 -v radare2 5.8.3 0 @ linux-x86-64 git.5.8.3 commit: 5.8.3 build: 2023-02-16__23:25:48 # uname -ms Linux x86_64
Commit : 39f4292
poc.wasm
pwndbg> r /pwn/poc.wasm Starting program: /usr/local/bin/r2 /pwn/poc.wasm [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". ERROR: unknown section id: 13 ERROR: unknown section id: 109 -- Check your IO plugins with 'r2 -L' [0x000000be]> pd Program received signal SIGSEGV, Segmentation fault. __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65 65 ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory. pwndbg> context LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA ─────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────── RAX 0x0 *RBX 0x555555555640 (__libc_csu_init) ◂— endbr64 RCX 0x0 RDX 0x0 RDI 0x0 *RSI 0x555555680729 ◂— 0x1000005555550000 *R8 0x7ffff6df5852 (wasm_decode) ◂— endbr64 *R9 0x1f *R10 0x555555559010 ◂— 0x6000700070007 *R11 0x7ffff7d95be0 (main_arena+96) —▸ 0x55555582bd80 ◂— 0x0 *R12 0x5555555551c0 (_start) ◂— endbr64 *R13 0x7fffffffe6d0 ◂— 0x2 R14 0x0 R15 0x0 RBP 0x0 *RSP 0x7fffffffcb48 —▸ 0x7ffff7c48383 (strdup+19) ◂— lea r12, [rax + 1] *RIP 0x7ffff7d316e5 (__strlen_avx2+21) ◂— vpcmpeqb ymm1, ymm0, ymmword ptr [rdi] ──────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────── ► 0x7ffff7d316e5 <__strlen_avx2+21> vpcmpeqb ymm1, ymm0, ymmword ptr [rdi] 0x7ffff7d316e9 <__strlen_avx2+25> vpmovmskb eax, ymm1 0x7ffff7d316ed <__strlen_avx2+29> test eax, eax 0x7ffff7d316ef <__strlen_avx2+31> jne __strlen_avx2+272 <__strlen_avx2+272> ↓ 0x7ffff7d317e0 <__strlen_avx2+272> tzcnt eax, eax 0x7ffff7d317e4 <__strlen_avx2+276> add rax, rdi 0x7ffff7d317e7 <__strlen_avx2+279> sub rax, rdx 0x7ffff7d317ea <__strlen_avx2+282> vzeroupper 0x7ffff7d317ed <__strlen_avx2+285> ret 0x7ffff7d317ee <__strlen_avx2+286> nop 0x7ffff7d317f0 <__strlen_avx2+288> tzcnt eax, eax 
────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffcb48 —▸ 0x7ffff7c48383 (strdup+19) ◂— lea r12, [rax + 1] 01:0008│ 0x7fffffffcb50 —▸ 0x555555680729 ◂— 0x1000005555550000 02:0010│ 0x7fffffffcb58 —▸ 0x7fffffffcca0 —▸ 0x7fffffffcd00 —▸ 0x7fffffffcd40 —▸ 0x7fffffffcda0 ◂— ... 03:0018│ 0x7fffffffcb60 —▸ 0x5555555551c0 (_start) ◂— endbr64 04:0020│ 0x7fffffffcb68 —▸ 0x7ffff6df4574 (wasm_dis+4394) ◂— mov rdx, rax 05:0028│ 0x7fffffffcb70 ◂— 0x0 06:0030│ 0x7fffffffcb78 —▸ 0x7ffff7d95b80 (main_arena) ◂— 0x0 07:0038│ 0x7fffffffcb80 —▸ 0x555555782140 ◂— ' dd ' ──────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────── ► f 0 0x7ffff7d316e5 __strlen_avx2+21 f 1 0x7ffff7c48383 strdup+19 f 2 0x7ffff6df4574 wasm_dis+4394 f 3 0x7ffff6df5906 wasm_decode+180 f 4 0x7ffff6da22dd r_arch_decode+136 f 5 0x7ffff64ed2e1 r_anal_op+580 f 6 0x7ffff7827c22 r_core_print_disasm+2478 f 7 0x7ffff7772b54 cmd_print+15553 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── pwndbg> bt #0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65 #1 0x00007ffff7c48383 in __GI___strdup (s=0x0) at strdup.c:41 #2 0x00007ffff6df4574 in wasm_dis (op=0x7fffffffcce0, buf=0x555555680630 "\375\240\001\375d\v", buf_len=249, txt=true) at p/wasm/wasm.c:1112 #3 0x00007ffff6df5906 in wasm_decode (s=0x555555677b10, op=0x555555781c10, mask=R_ARCH_OP_MASK_ALL) at p/wasm/plugin.c:366 #4 0x00007ffff6da22dd in r_arch_decode (a=0x55555559a320, op=0x555555781c10, mask=31) at arch.c:225 #5 0x00007ffff64ed2e1 in r_anal_op (anal=0x55555559c910, op=0x555555781c10, addr=197, data=0x555555559937 "\375\240\001\375d\v", len=249, mask=R_ARCH_OP_MASK_ALL) at op.c:113 #6 0x00007ffff7827c22 
in r_core_print_disasm (core=0x7ffff5dea010, addr=190, buf=0x555555559930 "A\205\376\377w\375\017\375\240\001\375d\v", len=256, count=64, pdu_condition_type=pdu_instruction, pdu_condition=0x0, count_bytes=false, json=false, pj=0x0, pdf=0x0) at disasm.c:5727 #7 0x00007ffff7772b54 in cmd_print (data=0x7ffff5dea010, input=0x55555574ff61 "d") at cmd_print.c:6708 #8 0x00007ffff77ef9dc in r_cmd_call (cmd=0x5555555e6ff0, input=0x55555574ff60 "pd") at cmd_api.c:520 #9 0x00007ffff778ca90 in r_core_cmd_subst_i (core=0x7ffff5dea010, cmd=0x55555574ff60 "pd", colon=0x0, tmpseek=0x7fffffffe114) at cmd.c:4930 #10 0x00007ffff77882cb in r_core_cmd_subst (core=0x7ffff5dea010, cmd=0x55555574ff60 "pd") at cmd.c:3760 #11 0x00007ffff778fcd2 in run_cmd_depth (core=0x7ffff5dea010, cmd=0x55555574ef30 "pd") at cmd.c:5829 #12 0x00007ffff779017b in r_core_cmd (core=0x7ffff5dea010, cstr=0x55555574eef0 "pd", log=true) at cmd.c:5913 #13 0x00007ffff76ab199 in r_core_prompt_exec (r=0x7ffff5dea010) at core.c:3556 #14 0x00007ffff76aa6ea in r_core_prompt_loop (r=0x7ffff5dea010) at core.c:3374 #15 0x00007ffff7dc7c9f in r_main_radare2 (argc=2, argv=0x7fffffffe6d8) at radare2.c:1700 #16 0x0000555555555638 in main (argc=2, argv=0x7fffffffe6d8) at radare2.c:104 #17 0x00007ffff7bcd083 in __libc_start_main (main=0x5555555555e0 <main>, argc=2, argv=0x7fffffffe6d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6c8) at ../csu/libc-start.c:308 #18 0x00005555555551ee in _start ()
Q1IQ(@Q1IQ)
thanks!
13308c9
Fix #21363 - null deref in the wasm disassembler ##crash
a15067a
Description
When r2 parses the wasm file, running the `pd` command may result in a segmentation fault, because `NULL` was incorrectly passed to `strdup`.

Environment
Commit : 39f4292
Proof of concept
poc.wasm
Stack dump
Credit
Q1IQ(@Q1IQ)