Skip to content

An integer overflow is found in get_long_object() #2738

Closed
@PeiweiHu

Description

@PeiweiHu

Crash

In Rizin of the current version, an integer overflow is found in get_long_object(). It further leads to a heap buffer overflow. The attacker can launch the DoS attack with a malformed binary.

Work environment

Questions Answers
OS/arch/bits (mandatory) Linux 5.18.6-arch1-1
File format of the file you reverse (mandatory) malformed
Architecture/bits of the file (mandatory) malformed
rizin -v full output, not truncated (mandatory) rizin 0.5.0 @ linux-x86-64 commit: 74e499a, build: 2022-06-25__09:14:00

Expected behavior

run normally

Actual behavior

crash

Steps to reproduce the behavior

Open the attached file (after unzip) with Rizin.

Additional Logs, screenshots, source code, configuration dump, ...

input.zip

ERROR: Undefined type in free_object (0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x14)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x2)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x40)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x40)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Copy not implemented for type 7b
../librz/bin/format/pyc/marshal.c:202:18: runtime error: signed integer overflow: 1162871039 * 15 cannot be represented in type 'int'
=================================================================
==2965413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa62f4647ff at pc 0x7fa63e73190d bp 0x7fffe4547ef0 sp 0x7fffe4547ee0
WRITE of size 1 at 0x7fa62f4647ff thread T0
    #0 0x7fa63e73190c in get_long_object ../librz/bin/format/pyc/marshal.c:219
    #1 0x7fa63e73190c in get_object ../librz/bin/format/pyc/marshal.c:1099
    #2 0x7fa63e7332e5 in get_code_object ../librz/bin/format/pyc/marshal.c:948
    #3 0x7fa63e7305a3 in get_object ../librz/bin/format/pyc/marshal.c:1054
    #4 0x7fa63e7342a6 in get_sections_symbols_from_code_objects ../librz/bin/format/pyc/marshal.c:1204
    #5 0x7fa63e439e26 in symbols ../librz/bin/p/bin_pyc.c:126
    #6 0x7fa63e30551b in rz_bin_object_set_items ../librz/bin/bobj.c:419
    #7 0x7fa63e30a21d in rz_bin_object_new ../librz/bin/bobj.c:282
    #8 0x7fa63e2e5ca4 in rz_bin_file_new_from_buffer ../librz/bin/bfile.c:277
    #9 0x7fa63e2f2675 in rz_bin_open_buf ../librz/bin/bin.c:283
    #10 0x7fa63e2f3f72 in rz_bin_open_io ../librz/bin/bin.c:341
    #11 0x7fa63c5fe1a3 in core_file_do_load_for_io_plugin ../librz/core/cfile.c:727
    #12 0x7fa63c5fe1a3 in rz_core_bin_load ../librz/core/cfile.c:974
    #13 0x7fa645326b1d in rz_main_rizin ../librz/main/rizin.c:1147
    #14 0x7fa64482928f  (/usr/lib/libc.so.6+0x2928f)
    #15 0x7fa644829349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
    #16 0x55c82ec2f964 in _start (/usr/local/bin/rizin+0x2964)

0x7fa62f4647ff is located 1 bytes to the left of 65799105-byte region [0x7fa62f464800,0x7fa633324bc1)
allocated by thread T0 here:
    #0 0x7fa6460bfa89 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7fa63e72e907 in get_long_object ../librz/bin/format/pyc/marshal.c:205
    #2 0x7fa63e72e907 in get_object ../librz/bin/format/pyc/marshal.c:1099
    #3 0x7fa63e7332e5 in get_code_object ../librz/bin/format/pyc/marshal.c:948
    #4 0x7fa63e7305a3 in get_object ../librz/bin/format/pyc/marshal.c:1054
    #5 0x7fa63e7342a6 in get_sections_symbols_from_code_objects ../librz/bin/format/pyc/marshal.c:1204
    #6 0x7fa63e439e26 in symbols ../librz/bin/p/bin_pyc.c:126
    #7 0x7fa63e30551b in rz_bin_object_set_items ../librz/bin/bobj.c:419
    #8 0x7fa63e30a21d in rz_bin_object_new ../librz/bin/bobj.c:282
    #9 0x7fa63e2e5ca4 in rz_bin_file_new_from_buffer ../librz/bin/bfile.c:277
    #10 0x7fa63e2f2675 in rz_bin_open_buf ../librz/bin/bin.c:283
    #11 0x7fa63e2f3f72 in rz_bin_open_io ../librz/bin/bin.c:341
    #12 0x7fa63c5fe1a3 in core_file_do_load_for_io_plugin ../librz/core/cfile.c:727
    #13 0x7fa63c5fe1a3 in rz_core_bin_load ../librz/core/cfile.c:974
    #14 0x7fa645326b1d in rz_main_rizin ../librz/main/rizin.c:1147
    #15 0x7fa64482928f  (/usr/lib/libc.so.6+0x2928f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../librz/bin/format/pyc/marshal.c:219 in get_long_object
Shadow bytes around the buggy address:
  0x0ff545e848a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff545e848f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0ff545e84900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2965413==ABORTING

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions