When loading the poc file with gdb, I found that it calls the jitana::axml_parser::parse_start_namespace function, which then accesses memory through the value in rax:
jitana::axml_parser::parse_start_namespace
mov dword ptr [rax], edx
but rax=0xfffffffffffffff8, which leads to a crash. The backtrace below shows the same value arriving as the construction pointer `__p=0xfffffffffffffff8` in frame #1 (the emplace_back from parse_start_namespace at axml_parser.cpp:380), so the write goes to an invalid address rather than to the vector's storage while parsing the poc input.
rax=0xfffffffffffffff8
Program received signal SIGSEGV, Segmentation fault. 0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145 145 : first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { } LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA ─────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────── *RAX 0xfffffffffffffff8 *RBX 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ *RCX 0x7fffffffd9c0 ◂— 0xd0000001e *RDX 0xd *RDI 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ *RSI 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ *R8 0x6bc250 ◂— 0x0 R9 0x0 *R10 0x6bee40 ◂— 0x74c00080003 *R11 0x246 *R12 0x7fffffffd9c0 ◂— 0xd0000001e *R13 0x1 R14 0x0 *R15 0x1 *RBP 0x7fffffffd8e0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffd9a0 —▸ 0x7fffffffd9d0 ◂— ... 
*RSP 0x7fffffffd8c0 —▸ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e *RIP 0x480234 ◂— mov dword ptr [rax], edx ───────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────── ► 0x480234 mov dword ptr [rax], edx 0x480236 mov rax, qword ptr [rbp - 0x18] 0x48023a mov rdi, rax 0x48023d call 0x47d668 0x480242 mov edx, dword ptr [rax] 0x480244 mov rax, qword ptr [rbp - 8] 0x480248 mov dword ptr [rax + 4], edx 0x48024b nop 0x48024c leave 0x48024d ret 0x48024e push rbp ───────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────── 140 141 template<class _U1, class _U2, class = typename 142 enable_if<__and_<is_convertible<_U1, _T1>, 143 is_convertible<_U2, _T2>>::value>::type> 144 constexpr pair(_U1&& __x, _U2&& __y) ► 145 : first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { } 146 147 template<class _U1, class _U2, class = typename 148 enable_if<__and_<is_convertible<_U1, _T1>, 149 is_convertible<_U2, _T2>>::value>::type> 150 constexpr pair(pair<_U1, _U2>&& __p) ───────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffd8c0 —▸ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e 01:0008│ 0x7fffffffd8c8 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e 02:0010│ 0x7fffffffd8d0 —▸ 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ 03:0018│ 0x7fffffffd8d8 ◂— 0xfffffffffffffff8 04:0020│ rbp 0x7fffffffd8e0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffd9a0 —▸ 0x7fffffffd9d0 ◂— ... 
05:0028│ 0x7fffffffd8e8 —▸ 0x4802ab ◂— nop 06:0030│ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e 07:0038│ 0x7fffffffd8f8 —▸ 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ ─────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────── ► f 0 480234 f 1 4802ab f 2 47efa7 f 3 47d6d5 f 4 47c184 jitana::axml_parser::parse_start_namespace()+156 f 5 47b9a9 jitana::axml_parser::parse()+519 f 6 47abd7 f 7 45cefc f 8 45d6a6 main+1753 f 9 7ffff6de4830 __libc_start_main+240 Program received signal SIGSEGV (fault address -0x8) pwndbg> bt #0 0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145 #1 0x00000000004802ab in __gnu_cxx::new_allocator<std::pair<unsigned int, unsigned int> >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (this=0x6bbff8, __p=0xfffffffffffffff8) at /usr/include/c++/5/ext/new_allocator.h:120 #2 0x000000000047efa7 in std::allocator_traits<std::allocator<std::pair<unsigned int, unsigned int> > >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (__a=..., __p=0xfffffffffffffff8) at /usr/include/c++/5/bits/alloc_traits.h:530 #3 0x000000000047d6d5 in std::vector<std::pair<unsigned int, unsigned int>, std::allocator<std::pair<unsigned int, unsigned int> > >::emplace_back<unsigned int&, unsigned int&> (this=0x6bbff8) at /usr/include/c++/5/bits/vector.tcc:96 #4 0x000000000047c184 in jitana::axml_parser::parse_start_namespace (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:380 #5 0x000000000047b9a9 in jitana::axml_parser::parse (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:275 #6 0x000000000047abd7 in 
jitana::read_axml (stream=..., pt=...) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:1881 #7 0x000000000045cefc in process_file (input_filename="poc", output_filename="") at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:130 #8 0x000000000045d6a6 in main (argc=2, argv=0x7fffffffe508) at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:188 #9 0x00007ffff6de4830 in __libc_start_main (main=0x45cfcd <main(int, char**)>, argc=2, argv=0x7fffffffe508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4f8) at ../csu/libc-start.c:291 #10 0x000000000045c839 in _start () pwndbg>
The binary and poc:
https://gitee.com/hac425/fuzz_data/blob/master/axmldec_bin_poc.zip
When loading the poc file with gdb, I found that it calls the
jitana::axml_parser::parse_start_namespace function, which accesses memory through the value in rax, but
rax=0xfffffffffffffff8, which leads to a crash. The binary and poc