out of bounds heap read in cmd_flag #2797

hannob · 2015-06-18T11:08:38Z

This script causes an out of bounds heap read:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-cmd_flag

It contains the string "fR". Test: radare2 -q -i [script] /dev/null
Found with american fuzzy lop.

Address Sanitizer trace:

==7159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000016871 at pc 0x7f35c21507d0 bp 0x7fff1db3d3c0 sp 0x7fff1db3d390
READ of size 1 at 0x602000016871 thread T0
    #0 0x7f35c21507cf in index (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x347cf)
    #1 0x7f35c1aa4290 in cmd_flag /f/radare2/radare2/libr/core/cmd_flag.c:120
    #2 0x7f35c1ae5096 in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1590
    #3 0x7f35c1a4909c in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1081
    #4 0x7f35c1a4a182 in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1938
    #5 0x7f35c1a4d084 in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1989
    #6 0x7f35c1a4d2f4 in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2001
    #7 0x7f35c1a5028b in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #8 0x4054bc in main /f/radare2/radare2/binr/radare2/radare2.c:729
    #9 0x7f35bbfb3f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #10 0x40a4d3 (/mnt/ram/radare2/radare2+0x40a4d3)

0x602000016871 is located 0 bytes to the right of 1-byte region [0x602000016870,0x602000016871)
allocated by thread T0 here:
    #0 0x7f35c21736f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7f35bc015789 in strdup (/lib64/libc.so.6+0x81789)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 index
Shadow bytes around the buggy address:
  0x0c047fffacb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x0c047fffad10: fa fa 01 fa fa fa 03 fa fa fa 03 fa fa fa 03 fa
  0x0c047fffad20: fa fa fd fa fa fa fd fd fa fa 06 fa fa fa fd fa
  0x0c047fffad30: fa fa 05 fa fa fa fd fa fa fa 06 fa fa fa fd fa
  0x0c047fffad40: fa fa 03 fa fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fffad50: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==7159==ABORTING

The text was updated successfully, but these errors were encountered:

alvarofe self-assigned this Jun 18, 2015

alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 20, 2015

Fix radareorg#2797

8fbccdb

alvarofe closed this as completed in 80fd03f Jun 20, 2015

radare unassigned alvarofe Sep 18, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

out of bounds heap read in cmd_flag #2797

out of bounds heap read in cmd_flag #2797

hannob commented Jun 18, 2015

out of bounds heap read in cmd_flag #2797

out of bounds heap read in cmd_flag #2797

Comments

hannob commented Jun 18, 2015