In the current version of Rizin, an integer overflow is found in get_long_object(). It further leads to a heap buffer overflow. An attacker can launch a DoS attack with a malformed binary.
ERROR: Undefined type in free_object (0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x14)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x2)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x40)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x40)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Copy not implemented for type 7b
../librz/bin/format/pyc/marshal.c:202:18: runtime error: signed integer overflow: 1162871039 * 15 cannot be represented in type 'int'
=================================================================
==2965413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa62f4647ff at pc 0x7fa63e73190d bp 0x7fffe4547ef0 sp 0x7fffe4547ee0
WRITE of size 1 at 0x7fa62f4647ff thread T0
#0 0x7fa63e73190c in get_long_object ../librz/bin/format/pyc/marshal.c:219
#1 0x7fa63e73190c in get_object ../librz/bin/format/pyc/marshal.c:1099
#2 0x7fa63e7332e5 in get_code_object ../librz/bin/format/pyc/marshal.c:948
#3 0x7fa63e7305a3 in get_object ../librz/bin/format/pyc/marshal.c:1054
#4 0x7fa63e7342a6 in get_sections_symbols_from_code_objects ../librz/bin/format/pyc/marshal.c:1204
#5 0x7fa63e439e26 in symbols ../librz/bin/p/bin_pyc.c:126
#6 0x7fa63e30551b in rz_bin_object_set_items ../librz/bin/bobj.c:419
#7 0x7fa63e30a21d in rz_bin_object_new ../librz/bin/bobj.c:282
#8 0x7fa63e2e5ca4 in rz_bin_file_new_from_buffer ../librz/bin/bfile.c:277
#9 0x7fa63e2f2675 in rz_bin_open_buf ../librz/bin/bin.c:283
#10 0x7fa63e2f3f72 in rz_bin_open_io ../librz/bin/bin.c:341
#11 0x7fa63c5fe1a3 in core_file_do_load_for_io_plugin ../librz/core/cfile.c:727
#12 0x7fa63c5fe1a3 in rz_core_bin_load ../librz/core/cfile.c:974
#13 0x7fa645326b1d in rz_main_rizin ../librz/main/rizin.c:1147
#14 0x7fa64482928f (/usr/lib/libc.so.6+0x2928f)
#15 0x7fa644829349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
#16 0x55c82ec2f964 in _start (/usr/local/bin/rizin+0x2964)
0x7fa62f4647ff is located 1 bytes to the left of 65799105-byte region [0x7fa62f464800,0x7fa633324bc1)
allocated by thread T0 here:
#0 0x7fa6460bfa89 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fa63e72e907 in get_long_object ../librz/bin/format/pyc/marshal.c:205
#2 0x7fa63e72e907 in get_object ../librz/bin/format/pyc/marshal.c:1099
#3 0x7fa63e7332e5 in get_code_object ../librz/bin/format/pyc/marshal.c:948
#4 0x7fa63e7305a3 in get_object ../librz/bin/format/pyc/marshal.c:1054
#5 0x7fa63e7342a6 in get_sections_symbols_from_code_objects ../librz/bin/format/pyc/marshal.c:1204
#6 0x7fa63e439e26 in symbols ../librz/bin/p/bin_pyc.c:126
#7 0x7fa63e30551b in rz_bin_object_set_items ../librz/bin/bobj.c:419
#8 0x7fa63e30a21d in rz_bin_object_new ../librz/bin/bobj.c:282
#9 0x7fa63e2e5ca4 in rz_bin_file_new_from_buffer ../librz/bin/bfile.c:277
#10 0x7fa63e2f2675 in rz_bin_open_buf ../librz/bin/bin.c:283
#11 0x7fa63e2f3f72 in rz_bin_open_io ../librz/bin/bin.c:341
#12 0x7fa63c5fe1a3 in core_file_do_load_for_io_plugin ../librz/core/cfile.c:727
#13 0x7fa63c5fe1a3 in rz_core_bin_load ../librz/core/cfile.c:974
#14 0x7fa645326b1d in rz_main_rizin ../librz/main/rizin.c:1147
#15 0x7fa64482928f (/usr/lib/libc.so.6+0x2928f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../librz/bin/format/pyc/marshal.c:219 in get_long_object
Shadow bytes around the buggy address:
0x0ff545e848a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff545e848b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff545e848c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff545e848d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff545e848e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff545e848f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0ff545e84900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff545e84910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff545e84920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff545e84930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff545e84940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2965413==ABORTING
Crash
Work environment
rizin -vfull output, not truncated (mandatory)
Expected behavior
run normally
Actual behavior
crash
Steps to reproduce the behavior
Open the attached file (after unzip) with Rizin.
Additional Logs, screenshots, source code, configuration dump, ...
input.zip
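As an added example (not Rizin's code and not a patch for it), here is the kind of length-field check that stops the digit count reported above from ever reaching a multiplication or an allocation. It assumes CPython's marshal layout for a long: an int32 ndigits (its sign is the number's sign) followed by |ndigits| 16-bit digits carrying 15 bits each; the function and sample names are this example's own.

```c
/* Added example (not Rizin's code); the marshal layout assumed is in the lead-in. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define MARSHAL_LONG_BITS_PER_DIGIT 15
#define MARSHAL_LONG_DIGIT_SIZE 2 /* bytes one digit occupies in the file */

/* Returns the number of magnitude bits for ndigits, or -1 when the count is
 * malformed: cannot be negated, cannot fit in the bytes that remain in the
 * input, or would overflow an int when multiplied by 15. Validate this before
 * sizing any allocation from it. */
int marshal_long_bits_checked(int32_t ndigits, size_t remaining) {
    if (ndigits == INT32_MIN) {
        return -1; /* -INT32_MIN is undefined; no real long has 2^31 digits */
    }
    uint32_t n = (uint32_t)(ndigits < 0 ? -ndigits : ndigits);
    /* A digit count that exceeds the bytes left in the buffer is malformed
     * regardless of arithmetic; this alone rejects 1162871039 on any real pyc. */
    if (n > remaining / MARSHAL_LONG_DIGIT_SIZE) {
        return -1;
    }
    /* Prove the product fits before multiplying in int, the type the report
     * shows overflowing (1162871039 * 15 > INT_MAX). */
    if (n > (uint32_t)(INT_MAX / MARSHAL_LONG_BITS_PER_DIGIT)) {
        return -1;
    }
    return (int)n * MARSHAL_LONG_BITS_PER_DIGIT;
}

/* Reads the little-endian int32 ndigits header at the start of a TYPE_LONG
 * body of len bytes and validates it against the bytes that follow. */
int marshal_long_bits_from_buf(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 4) {
        return -1;
    }
    uint32_t raw = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                   ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    return marshal_long_bits_checked((int32_t)raw, len - 4);
}

/* Constructed sample bodies, not taken from the attached input.zip. */
/* ndigits = 3 followed by three digits: a well-formed 45-bit magnitude. */
const uint8_t sample_small_long[] = { 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00 };
/* ndigits = 1162871039 (0x455000FF), the count from the report, with one digit present. */
const uint8_t sample_overflow_long[] = { 0xFF, 0x00, 0x50, 0x45, 0x01, 0x00 };
```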