Heap-based OOB write when parsing dwarf die info #2083
Comments
@OctavioGalland can we add this binary to our test suite? https://github.com/rizinorg/rizin-testbins

@thestr4ng3r sure!
thestr4ng3r added a commit that referenced this issue on Dec 10, 2021
thestr4ng3r added a commit that referenced this issue on Dec 10, 2021
thestr4ng3r added a commit that referenced this issue on Dec 10, 2021
Thanks. Can you confirm it is fixed on dev?

Yes, it doesn't crash anymore.
XVilka pushed a commit that referenced this issue on Dec 23, 2021
XVilka pushed a commit that referenced this issue on Dec 23, 2021
XVilka pushed a commit that referenced this issue on Dec 23, 2021
XVilka pushed a commit that referenced this issue on Dec 23, 2021
XVilka pushed a commit that referenced this issue on Dec 24, 2021
XVilka pushed a commit that referenced this issue on Dec 24, 2021
Work environment
`rizin -v` full output, not truncated (mandatory)

Expected behavior
Analyzing binaries shouldn't trigger an OOB memory write.

Actual behavior
There is a heap-based out of bounds write in `parse_die` when reversing an amd64 elf binary with dwarf debug info, respectively.

Steps to reproduce the behavior
Analyze the binary attached below with `aaa` on an asan build to reproduce the crash.
binary.zip

Additional Logs, screenshots, source code, configuration dump, ...
The issue seems to be that at `dwarf.c:1223` the line `die->attr_values = calloc(sizeof(RzBinDwarfAttrValue), attr_count);` gets executed with `attr_count` equal to 0, so this is equivalent to a `malloc(0)` (I think in this case a chunk with the smallest allocatable size is returned, which should be around 16 or 32 bytes, but in `dwarf.c:1730` a die_attribute gets written, which is 40 bytes in size). This happens because in `dwarf.c:1729` the loop gets run `attr_count - 1` times, but as `abbrev->count` is 0 and is of type `size_t` this results in an underflow which then triggers the OOB write.
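The unsigned underflow the report describes, as an added example in C that is not rizin's code: a hypothetical stand-in for the attribute value and DIE structs, a function that returns the loop bound `count - 1` so the wrap to `SIZE_MAX` at `count == 0` can be observed without any write, and a hardened parse routine that skips allocation when the abbrev declares no attributes, sizes the buffer from the same count the loop uses, and checks capacity before every store. `AttrValue`, `Die`, `buggy_loop_bound`, `parse_die_attrs` and `die_free` are all assumed names; the 40-byte struct size and the rizin line numbers are not modelled, and the input forms are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for one DIE attribute value (the real
 * RzBinDwarfAttrValue is larger; only the field used here is modelled). */
typedef struct {
    uint64_t uconstant;
} AttrValue;

/* Hypothetical DIE: the attribute buffer plus the capacity it was sized
 * for, so that every write can be checked against the allocation. */
typedef struct {
    AttrValue *attr_values;
    size_t capacity;  /* slots actually allocated */
    size_t count;     /* slots written so far */
} Die;

/* The bound the report describes: abbrev->count - 1 computed in size_t.
 * With abbrev_count == 0 this wraps to SIZE_MAX, which is why a loop
 * bounded by it runs far past a zero-length calloc. No write happens here;
 * the function only returns the bound so the wrap can be asserted on. */
static size_t buggy_loop_bound(size_t abbrev_count) {
    return abbrev_count - 1;
}

/* Hardened attribute parse: refuse to allocate or write when the abbrev
 * declares no attributes, size the buffer from the same count the loop
 * uses, and check capacity before every store. Returns false on failure. */
static bool parse_die_attrs(Die *die, size_t abbrev_count, const uint64_t *forms) {
    die->attr_values = NULL;
    die->capacity = 0;
    die->count = 0;
    if (abbrev_count == 0) {
        return true;  /* nothing to parse: no zero-length calloc, no loop */
    }
    die->attr_values = calloc(abbrev_count, sizeof(AttrValue));
    if (die->attr_values == NULL) {
        return false;
    }
    die->capacity = abbrev_count;
    for (size_t i = 0; i < abbrev_count; i++) {
        if (die->count >= die->capacity) {
            return false;  /* would be an OOB write; unreachable with this bound */
        }
        die->attr_values[die->count].uconstant = forms[i];
        die->count++;
    }
    return true;
}

/* Release the buffer allocated by parse_die_attrs and reset the DIE. */
static void die_free(Die *die) {
    free(die->attr_values);
    die->attr_values = NULL;
    die->capacity = 0;
    die->count = 0;
}

int main(void) {
    /* Constructed input: three attribute forms for one DIE, then a DIE with none. */
    const uint64_t forms[3] = { 0x11, 0x12, 0x13 };
    Die die;
    if (!parse_die_attrs(&die, 3, forms) || die.count != 3) return 1;
    die_free(&die);
    if (!parse_die_attrs(&die, 0, NULL) || die.attr_values != NULL) return 1;
    die_free(&die);
    return buggy_loop_bound(0) == SIZE_MAX ? 0 : 1;
}
```

The two defences are independent: the early return on a zero count removes the `calloc(..., 0)` chunk entirely, and the capacity check turns any remaining mismatch between allocation size and loop bound into a clean failure instead of a heap write, which is the condition ASan reported on the attached binary.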