Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

out of bounds heap read in r_reg_get_name_idx #2759

Closed
hannob opened this issue Jun 14, 2015 · 0 comments
Closed

out of bounds heap read in r_reg_get_name_idx #2759

hannob opened this issue Jun 14, 2015 · 0 comments
Labels
good first issue
Milestone
0.10.0

Comments

@hannob
Copy link

hannob commented Jun 14, 2015

This script will cause an out of bounds heap read in the function r_reg_get_name_idx:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-r_reg_get_name_idx

The file contains only the chars "arn".
Test with radare2 -q -i [script] /dev/null

Address Sanitizer stack trace:

==12866==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000168d4 at pc 0x7f7ea825f0c1 bp 0x7fff364a1210 sp 0x7fff364a1200
READ of size 1 at 0x6020000168d4 thread T0
    #0 0x7f7ea825f0c0 in r_reg_get_name_idx /f/radare2/radare2/libr/reg/reg.c:27
    #1 0x7f7eaa6180a0 in cmd_anal_reg /f/radare2/radare2/libr/core/cmd_anal.c:1136
    #2 0x7f7eaa6a0cc3 in cmd_anal /f/radare2/radare2/libr/core/cmd_anal.c:2442
    #3 0x7f7eaa6c60ee in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1590
    #4 0x7f7eaa62a0c8 in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1081
    #5 0x7f7eaa62b35b in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1938
    #6 0x7f7eaa62e0bc in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1989
    #7 0x7f7eaa62e2f4 in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2001
    #8 0x7f7eaa63155b in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #9 0x4054c2 in main /f/radare2/radare2/binr/radare2/radare2.c:729
    #10 0x7f7ea4babf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #11 0x40a25e (/mnt/ram/radare2/radare2+0x40a25e)

0x6020000168d4 is located 0 bytes to the right of 4-byte region [0x6020000168d0,0x6020000168d4)
allocated by thread T0 here:
    #0 0x7f7eaad4f6f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7f7ea4c0d789 in strdup (/lib64/libc.so.6+0x81789)

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/radare2/radare2/libr/reg/reg.c:27 r_reg_get_name_idx
Shadow bytes around the buggy address:
  0x0c047fffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffad10: fa fa fa fa fa fa 01 fa fa fa[04]fa fa fa 04 fa
  0x0c047fffad20: fa fa 04 fa fa fa fd fa fa fa fd fd fa fa 06 fa
  0x0c047fffad30: fa fa fd fa fa fa 05 fa fa fa fd fa fa fa 06 fa
  0x0c047fffad40: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 04 fa
  0x0c047fffad50: fa fa fd fa fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fffad60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==12866==ABORTING
@alvarofe alvarofe self-assigned this Jun 15, 2015
@XVilka XVilka added this to the 0.10.0 milestone Jun 15, 2015
alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 15, 2015
@alvarofe
Fix radareorg#2759
31cfebd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue
Projects
None yet
Milestone
0.10.0
Development

No branches or pull requests
3 participants
@XVilka @hannob @alvarofe