Description
This issue looks different from issue #8673, which is a stack-based overflow and has been patched.
Work environment
| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu x86 64 |
| File format of the file you reverse (mandatory) | dex |
| Architecture/bits of the file (mandatory) | ARM, Dalvik dex file version 035. |
| r2 -v full output, not truncated (mandatory) | radare2 2.6.0-git 17938 @ linux-x86-64 git.2.5.0-80-g0767f40 commit: 0767f40 build: 2018-04-17__10:33:03 |
Expected behavior
Successful processing of dex format
Actual behavior
heap-buffer-overflow
Steps to reproduce the behavior
- download the attached POC
- checkout commit 0767f40
- build with ASAN: ASAN='address' sys/asan.sh
- run: radare2 -A $POC
Vulnerable code
```c
// libr/util/hex.c
314 R_API int r_hex_bin2str(const ut8 *in, int len, char *out) {
315 	int i, idx;
316 	char tmp[5];
317 	if (len < 0)
318 		return 0;
319 	for (idx = i = 0; i < len; i++, idx += 2) {
320 		snprintf (tmp, sizeof (tmp), "%02x", in[i]);   // <-- out-of-bounds READ reported by ASAN (hex.c:320)
321 		memcpy (out+idx, tmp, 2);
322 	}
323 	out[idx] = 0;
324 	return len;
325 }
```
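As an added example (not radare2's own code and not its patch), a bounds-checked variant of `r_hex_bin2str` that also takes the number of bytes actually available in `in` and the capacity of `out`, and clamps `len` to both instead of trusting the caller; `demo()` replays the shape of the report on a constructed 257-byte buffer, the size of the region named in the ASAN log. The `in_avail`/`out_size` parameters and `demo()` are assumptions of this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef uint8_t ut8;

/* Bounds-checked variant of r_hex_bin2str (illustration, not the radare2
 * fix): the caller states how many bytes `in` really holds and how many
 * bytes `out` can take, and `len` is clamped to both before encoding.
 * Returns the number of input bytes encoded, or -1 on bad arguments. */
int hex_bin2str_checked(const ut8 *in, size_t in_avail, int len,
                        char *out, size_t out_size) {
	static const char digits[] = "0123456789abcdef";
	size_t i, n;
	if (!in || !out || len < 0 || out_size == 0) {
		return -1;
	}
	n = (size_t)len;
	if (n > in_avail) {              /* would read past the end of `in` */
		n = in_avail;
	}
	if (n > (out_size - 1) / 2) {    /* would write past the end of `out` */
		n = (out_size - 1) / 2;
	}
	for (i = 0; i < n; i++) {
		out[2 * i] = digits[in[i] >> 4];
		out[2 * i + 1] = digits[in[i] & 0x0f];
	}
	out[2 * n] = '\0';               /* always NUL-terminated, even when clamped */
	return (int)n;
}

/* Constructed scenario shaped like the report: a 257-byte block buffer and a
 * decoder that asks for more bytes than remain after its offset. The
 * unchecked encoder would read past the region; this one stops at the end. */
int demo(void) {
	ut8 block[257];
	char hex[2 * sizeof (block) + 1];
	size_t offset = 255;   /* constructed: only 2 bytes left before the end */
	int want = 4;          /* constructed: decoder claims a 4-byte opcode */
	memset (block, 0xab, sizeof (block));
	int got = hex_bin2str_checked (block + offset, sizeof (block) - offset, want, hex, sizeof (hex));
	printf ("encoded %d of %d requested bytes: %s\n", got, want, hex);
	return got;
}

int main(void) {
	return demo () == 2 ? 0 : 1;
}
```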
Additional Logs, screenshots, source-code, configuration dump, ...
```
==31621==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000bfc1 at pc 0x7f17af392af2 bp 0x7fffd8713a50 sp 0x7fffd8713a40
READ of size 1 at 0x61200000bfc1 thread T0
    #0 0x7f17af392af1 in r_hex_bin2str /home/test/radare2/libr/util/hex.c:320
    #1 0x7f17b0b7480d in r_asm_disassemble /home/test/radare2/libr/asm/asm.c:479
    #2 0x7f17b4a651f3 in r_core_anal_op /home/test/radare2/libr/core/canal.c:836
    #3 0x7f17b4a71f1e in fcn_callconv /home/test/radare2/libr/core/canal.c:2420
    #4 0x7f17b4a75bdc in r_core_anal_all /home/test/radare2/libr/core/canal.c:3026
    #5 0x7f17b493b4dd in cmd_anal_all /home/test/radare2/libr/core/cmd_anal.c:6292
    #6 0x7f17b493d78a in cmd_anal /home/test/radare2/libr/core/cmd_anal.c:6667
    #7 0x7f17b4a59c6e in r_cmd_call /home/test/radare2/libr/core/cmd_api.c:233
    #8 0x7f17b49bef3e in r_core_cmd_subst_i /home/test/radare2/libr/core/cmd.c:2686
    #9 0x7f17b49b83f0 in r_core_cmd_subst /home/test/radare2/libr/core/cmd.c:1733
    #10 0x7f17b49c40a0 in r_core_cmd /home/test/radare2/libr/core/cmd.c:3368
    #11 0x7f17b49c4e63 in r_core_cmd0 /home/test/radare2/libr/core/cmd.c:3535
    #12 0x55de9fdf2076 in main /home/test/radare2/binr/radare2/radare2.c:1286
    #13 0x7f17aed0e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x55de9fdebd38 in _start (/home/test/radare2/binr/radare2/radare2+0x6d38)

0x61200000bfc1 is located 0 bytes to the right of 257-byte region [0x61200000bec0,0x61200000bfc1)
allocated by thread T0 here:
    #0 0x7f17b4f5279a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x7f17b489f139 in r_core_init /home/test/radare2/libr/core/core.c:1743
    #2 0x55de9fded756 in main /home/test/radare2/binr/radare2/radare2.c:486
    #3 0x7f17aed0e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
```
POC
radare2_2-6-0_radare2_heap-buffer-overflow_r_hex_bin2str.dex.zip