
access invalid memory leads to crash #4

Closed
jinyu00 opened this issue Jul 17, 2018 · 0 comments
jinyu00 commented Jul 17, 2018

When loading the poc file with gdb, I got that it calls the jitana::axml_parser::parse_start_namespace function, and it accesses memory using rax's value

 mov    dword ptr [rax], edx

but rax=0xfffffffffffffff8, this could lead to a crash


Program received signal SIGSEGV, Segmentation fault.
0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145
145		: first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { }
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────────────
*RAX  0xfffffffffffffff8
*RBX  0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
*RCX  0x7fffffffd9c0 ◂— 0xd0000001e
*RDX  0xd
*RDI  0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
*RSI  0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
*R8   0x6bc250 ◂— 0x0
 R9   0x0
*R10  0x6bee40 ◂— 0x74c00080003
*R11  0x246
*R12  0x7fffffffd9c0 ◂— 0xd0000001e
*R13  0x1
 R14  0x0
*R15  0x1
*RBP  0x7fffffffd8e0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffd9a0 —▸ 0x7fffffffd9d0 ◂— ...
*RSP  0x7fffffffd8c0 —▸ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e
*RIP  0x480234 ◂— mov    dword ptr [rax], edx
───────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────────────────────
 ► 0x480234    mov    dword ptr [rax], edx
   0x480236    mov    rax, qword ptr [rbp - 0x18]
   0x48023a    mov    rdi, rax
   0x48023d    call   0x47d668
 
   0x480242    mov    edx, dword ptr [rax]
   0x480244    mov    rax, qword ptr [rbp - 8]
   0x480248    mov    dword ptr [rax + 4], edx
   0x48024b    nop    
   0x48024c    leave  
   0x48024d    ret    
 
   0x48024e    push   rbp
───────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────────────────────────────────
   140 
   141       template<class _U1, class _U2, class = typename
   142 	       enable_if<__and_<is_convertible<_U1, _T1>,
   143 				is_convertible<_U2, _T2>>::value>::type>
   144 	constexpr pair(_U1&& __x, _U2&& __y)
 ► 145 	: first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { }
   146 
   147       template<class _U1, class _U2, class = typename
   148 	       enable_if<__and_<is_convertible<_U1, _T1>,
   149 				is_convertible<_U2, _T2>>::value>::type>
   150 	constexpr pair(pair<_U1, _U2>&& __p)
───────────────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffd8c0 —▸ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e
01:0008│      0x7fffffffd8c8 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e
02:0010│      0x7fffffffd8d0 —▸ 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
03:0018│      0x7fffffffd8d8 ◂— 0xfffffffffffffff8
04:0020│ rbp  0x7fffffffd8e0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffd9a0 —▸ 0x7fffffffd9d0 ◂— ...
05:0028│      0x7fffffffd8e8 —▸ 0x4802ab ◂— nop    
06:0030│      0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e
07:0038│      0x7fffffffd8f8 —▸ 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */
─────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────────────
 ► f 0           480234
   f 1           4802ab
   f 2           47efa7
   f 3           47d6d5
   f 4           47c184 jitana::axml_parser::parse_start_namespace()+156
   f 5           47b9a9 jitana::axml_parser::parse()+519
   f 6           47abd7
   f 7           45cefc
   f 8           45d6a6 main+1753
   f 9     7ffff6de4830 __libc_start_main+240
Program received signal SIGSEGV (fault address -0x8)
pwndbg> bt
#0  0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145
#1  0x00000000004802ab in __gnu_cxx::new_allocator<std::pair<unsigned int, unsigned int> >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (this=0x6bbff8, __p=0xfffffffffffffff8) at /usr/include/c++/5/ext/new_allocator.h:120
#2  0x000000000047efa7 in std::allocator_traits<std::allocator<std::pair<unsigned int, unsigned int> > >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (__a=..., __p=0xfffffffffffffff8) at /usr/include/c++/5/bits/alloc_traits.h:530
#3  0x000000000047d6d5 in std::vector<std::pair<unsigned int, unsigned int>, std::allocator<std::pair<unsigned int, unsigned int> > >::emplace_back<unsigned int&, unsigned int&> (this=0x6bbff8) at /usr/include/c++/5/bits/vector.tcc:96
#4  0x000000000047c184 in jitana::axml_parser::parse_start_namespace (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:380
#5  0x000000000047b9a9 in jitana::axml_parser::parse (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:275
#6  0x000000000047abd7 in jitana::read_axml (stream=..., pt=...) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:1881
#7  0x000000000045cefc in process_file (input_filename="poc", output_filename="") at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:130
#8  0x000000000045d6a6 in main (argc=2, argv=0x7fffffffe508) at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:188
#9  0x00007ffff6de4830 in __libc_start_main (main=0x45cfcd <main(int, char**)>, argc=2, argv=0x7fffffffe508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4f8) at ../csu/libc-start.c:291
#10 0x000000000045c839 in _start ()
pwndbg> 

The binary and poc

https://gitee.com/hac425/fuzz_data/blob/master/axmldec_bin_poc.zip
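A crash-triage helper that parses gdb `bt` output like the one in this report to find the innermost frame in the project's own source and to flag pointer arguments that look like corrupted container state (just below 2**64, as with `this=0xfffffffffffffff8` here) rather than a plain NULL dereference. This is added example code, not part of the report or of the axmldec project; the `project_root` prefix and the 4096-byte guard band are assumptions, and the sample backtrace is a constructed subset of the frames shown above.

```python
import re

# Constructed sample: five frames copied from the "bt" output in the report above.
SAMPLE_BT = """\
#0  0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145
#3  0x000000000047d6d5 in std::vector<std::pair<unsigned int, unsigned int>, std::allocator<std::pair<unsigned int, unsigned int> > >::emplace_back<unsigned int&, unsigned int&> (this=0x6bbff8) at /usr/include/c++/5/bits/vector.tcc:96
#4  0x000000000047c184 in jitana::axml_parser::parse_start_namespace (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:380
#8  0x000000000045d6a6 in main (argc=2, argv=0x7fffffffe508) at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:188
#10 0x000000000045c839 in _start ()
"""

# One gdb frame: "#N  0xPC in FUNC (ARGS) at FILE:LINE"; the "at" part is optional.
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?P<pc>0x[0-9a-f]+) in (?P<func>.+?) \((?P<args>.*)\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+))?$"
)
# Pointer-valued arguments such as "this=0x6bbff8" (values like "__x=@0x...: 13" are skipped).
PTR_ARG_RE = re.compile(r"\b(\w+)=(0x[0-9a-f]+)")

def parse_frames(bt_text):
    """Turn gdb 'bt' lines into dicts; frames without source info get file=None."""
    frames = []
    for raw in bt_text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue  # prompts and other non-frame lines
        d = m.groupdict()
        d["no"] = int(d["no"])
        d["line"] = int(d["line"]) if d["line"] else None
        d["ptrs"] = {k: int(v, 16) for k, v in PTR_ARG_RE.findall(d["args"])}
        frames.append(d)
    return frames

def first_project_frame(frames, project_root):
    """Innermost frame whose source file lives under project_root (assumed prefix):
    the place to start reading, below the STL frames that merely report the fault."""
    for f in frames:
        if f["file"] and f["file"].startswith(project_root):
            return f
    return None

def wild_pointers(frames, guard=4096):
    """Pointer args in the first page or within `guard` bytes below 2**64. A value
    like 0xfffffffffffffff8 points at a corrupted end pointer, not an empty one."""
    top = 1 << 64
    return [(f["no"], k, v) for f in frames for k, v in f["ptrs"].items()
            if v < guard or v >= top - guard]
```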