
heap-buffer-overflow in m68k_read_disassembler_16/32 function (arch/M68K/M68KDisassembler.c) #1116

Closed
traceprobe opened this issue Apr 17, 2018 · 1 comment

@traceprobe
I am forwarding this issue from radare2, which makes use of Capstone as an engine. (radareorg/radare2#9918).

Work environment

  • OS/arch/bits (mandatory): Ubuntu x86 64
  • File format of the file you reverse (mandatory): ELF
  • Architecture/bits of the file (mandatory): x86/32
  • r2 -v full output, not truncated (mandatory): radare2 2.6.0-git 17938 @ linux-x86-64 git.2.5.0-80-g0767f40 commit: 0767f408539c80faf378978990a04ddb62a5a275 build: 2018-04-17__10:33:03

Expected behavior

Disassembling ELF32 without vulnerability

Actual behavior

heap-buffer-overflow

Steps to reproduce the behavior

  • download attached POC
  • checkout commit 0767f408539c80faf378978990a04ddb62a5a275
  • compile radare2 with ASAN: ASAN='address' sys/asan.sh
  • run: ./bin/radare2 -A $POC

Vulnerable code

// arch/M68K/M68KDisassembler.c
159 static unsigned int m68k_read_disassembler_16(const m68k_info *info, const uint64_t addr)
160 {
161     const uint16_t v0 = info->code[addr + 0]; //Vulnerable
162     const uint16_t v1 = info->code[addr + 1]; //Vulnerable
163     return (v0 << 8) | v1;
164 }
165
166 static unsigned int m68k_read_disassembler_32(const m68k_info *info, const uint64_t addr)
167 {
168     const uint32_t v0 = info->code[addr + 0];
169     const uint32_t v1 = info->code[addr + 1];
170     const uint32_t v2 = info->code[addr + 2]; //Vulnerable
171     const uint32_t v3 = info->code[addr + 3]; //Vulnerable
172     return (v0 << 24) | (v1 << 16) | (v2 << 8) | v3;
173 }

Additional Logs, screenshots, source-code, configuration dump, ...

==31696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000040380 at pc 0x7fc206655205 bp 0x7ffc47178820 sp 0x7ffc47178810
READ of size 1 at 0x611000040380 thread T0
#0 0x7fc206655204 in m68k_read_disassembler_16 arch/M68K/M68KDisassembler.c:162
#1 0x7fc206655795 in m68k_read_safe_16 arch/M68K/M68KDisassembler.c:194
#2 0x7fc206655a1b in peek_imm_16 arch/M68K/M68KDisassembler.c:302
#3 0x7fc206664f58 in m68k_disassemble arch/M68K/M68KDisassembler.c:4033
#4 0x7fc206665462 in M68K_getInstruction arch/M68K/M68KDisassembler.c:4074
#5 0x7fc2065743aa in cs_disasm /home/test/radare2/shlr/capstone/cs.c:683
#6 0x7fc206414e01 in analop /home/test/radare2/libr/..//libr/anal/p/anal_m68k_cs.c:115
#7 0x7fc20649790e in r_anal_op /home/test/radare2/libr/anal/op.c:104
#8 0x7fc2085f899e in r_core_anal_search_xrefs /home/test/radare2/libr/core/canal.c:2825
#9 0x7fc2084bcf42 in r_core_anal_refs /home/test/radare2/libr/core/cmd_anal.c:5938
#10 0x7fc2084bf8bb in cmd_anal_all /home/test/radare2/libr/core/cmd_anal.c:6323
#11 0x7fc2084c178a in cmd_anal /home/test/radare2/libr/core/cmd_anal.c:6667
#12 0x7fc2085ddc6e in r_cmd_call /home/test/radare2/libr/core/cmd_api.c:233
#13 0x7fc208542f3e in r_core_cmd_subst_i /home/test/radare2/libr/core/cmd.c:2686
#14 0x7fc20853c3f0 in r_core_cmd_subst /home/test/radare2/libr/core/cmd.c:1733
#15 0x7fc2085480a0 in r_core_cmd /home/test/radare2/libr/core/cmd.c:3368
#16 0x7fc208548e63 in r_core_cmd0 /home/test/radare2/libr/core/cmd.c:3535
#17 0x557d39a09076 in main /home/test/radare2/binr/radare2/radare2.c:1286
#18 0x7fc20289282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#19 0x557d39a02d38 in _start (/home/test/radare2/binr/radare2/radare2+0x6d38)

radare2_poc.zip
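The two readers quoted above index `info->code` at `addr + 1` and `addr + 3` without comparing against the length of the buffer, which is exactly the read ASAN flags at line 162. The following is an added, self-contained C example (not Capstone's code and not the fix that was eventually applied); it mirrors the unchecked read and places a bounds-checked variant next to it. The struct, the `code_len` field name and the `read_*_checked` helpers are assumptions made for this example, and the sample byte buffer is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for Capstone's m68k_info with only the fields this
 * example needs; the real struct has more members and `code_len` is an
 * assumed name for the length that must accompany `code`. */
typedef struct {
    const uint8_t *code;   /* instruction bytes handed to the disassembler */
    size_t code_len;       /* number of valid bytes behind `code` */
} m68k_info;

/* Unchecked 16-bit big-endian read, the same pattern as in the report:
 * nothing stops addr + 1 from landing past the end of `code`. */
static unsigned int read_16_unchecked(const m68k_info *info, uint64_t addr)
{
    const uint16_t v0 = info->code[addr + 0];
    const uint16_t v1 = info->code[addr + 1];
    return (v0 << 8) | v1;
}

/* True only if all `width` bytes starting at addr lie inside the buffer.
 * Written as addr <= len - width (after checking len >= width) so that a
 * huge addr cannot wrap addr + width around to a small value. */
static bool in_bounds(const m68k_info *info, uint64_t addr, size_t width)
{
    return info->code_len >= width && addr <= info->code_len - width;
}

/* Bounds-checked 16-bit read: returns false instead of touching memory
 * outside `code`, so the caller can stop decoding a truncated stream. */
static bool read_16_checked(const m68k_info *info, uint64_t addr, unsigned int *out)
{
    if (!in_bounds(info, addr, 2))
        return false;
    *out = ((unsigned int)info->code[addr] << 8) | info->code[addr + 1];
    return true;
}

/* Bounds-checked 32-bit read, same contract as read_16_checked. */
static bool read_32_checked(const m68k_info *info, uint64_t addr, unsigned int *out)
{
    if (!in_bounds(info, addr, 4))
        return false;
    *out = ((unsigned int)info->code[addr] << 24) |
           ((unsigned int)info->code[addr + 1] << 16) |
           ((unsigned int)info->code[addr + 2] << 8) |
            info->code[addr + 3];
    return true;
}

/* Constructed sample: a 3-byte buffer, i.e. a truncated instruction stream. */
static const uint8_t SAMPLE[3] = { 0x4e, 0x71, 0x4e };

int main(void)
{
    m68k_info info = { SAMPLE, sizeof SAMPLE };
    unsigned int v = 0;

    /* offset 0: two bytes available, both readers agree on 0x4e71 */
    printf("unchecked @0: 0x%04x\n", read_16_unchecked(&info, 0));
    printf("checked   @0: %s 0x%04x\n",
           read_16_checked(&info, 0, &v) ? "ok" : "refused", v);
    /* offset 2: one byte left; the unchecked reader would read byte 3 */
    printf("checked   @2: %s\n", read_16_checked(&info, 2, &v) ? "ok" : "refused");
    /* 32-bit read at 0 needs four bytes, the buffer has three */
    printf("checked32 @0: %s\n", read_32_checked(&info, 0, &v) ? "ok" : "refused");
    return 0;
}
```

Building this with `-fsanitize=address` and calling `read_16_unchecked(&info, 2)` reproduces the same class of READ-of-size-1 report as in the log above; the checked variants refuse the offset instead, which is the property a length-aware `m68k_read_safe_*` layer needs to guarantee before delegating to raw indexing.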

@traceprobe (Author)

Seems like "M68KDisassembler" is not included in Capstone.
