Segfault when undefining a function and showing a graph #16225

Closed
ITAYC0HEN opened this issue Mar 16, 2020 · 4 comments

@ITAYC0HEN
Contributor

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Arch64 |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | x86 |
| r2 -v full output, not truncated (mandatory) | radare2 4.4.0-git 24956 @ linux-x86-64 git.4.3.1-50-g0b5e78e92 commit: 0b5e78e build: 2020-03-16__08:43:57 |

Expected behavior

Radare2 should not crash and display the graph as it should.

Actual behavior

Radare2 crashes after undefining a function and then trying to show the graph of the previous function. Originally this crash was found using Cutter, but it's easily reproducible in r2.

Beware: the binary is malware for Linux

Steps to reproduce the behavior

1. Open the attached binary and perform full-analysis (using aaa)
2. Execute this reproducible oneliner:
af- 0x0808eb5b; v @ 0x0808eb0a

Additional Logs, screenshots, source-code, configuration dump, ...

Stack trace:

[0x08048120]> af- 0x0808eb5b; v @ 0x0808eb0a

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff63b299c in r_anal_function_realsize (fcn=0x5555581f8180) at function.c:290
290                             r_list_foreach (f->bbs, iter, bb) {
(gdb) bt
#0  0x00007ffff63b299c in r_anal_function_realsize (fcn=0x5555581f8180) at function.c:290
#1  0x00007ffff6d8e920 in __fcn_print_default (core=0x7ffff5c06010, fcn=0x5555581f8180, quiet=false) at canal.c:2700
#2  0x00007ffff6d8ea3b in fcn_list_default (core=0x7ffff5c06010, fcns=0x55555bc86170, quiet=false) at canal.c:2718
#3  0x00007ffff6d9119a in r_core_anal_fcn_list (core=0x7ffff5c06010, input=0x0, rad=0x7ffff6e0d595 "o") at canal.c:3325
#4  0x00007ffff6cbd294 in cmd_anal_fcn (core=0x7ffff5c06010, input=0x55555acd9af1 "fl") at cmd_anal.c:3290
#5  0x00007ffff6cd60f8 in cmd_anal (data=0x7ffff5c06010, input=0x55555acd9af1 "fl") at cmd_anal.c:9914
#6  0x00007ffff6d82719 in r_cmd_call (cmd=0x5555555c0c50, input=0x55555acd9af0 "afl") at cmd_api.c:248
#7  0x00007ffff6d2aeaf in r_core_cmd_subst_i (core=0x7ffff5c06010, cmd=0x55555acd9af0 "afl", colon=0x0, tmpseek=0x7fffffffd66a) at cmd.c:3762
#8  0x00007ffff6d26f94 in r_core_cmd_subst (core=0x7ffff5c06010, cmd=0x55555acd9af0 "afl") at cmd.c:2681
#9  0x00007ffff6d2d8f0 in run_cmd_depth (core=0x7ffff5c06010, cmd=0x5555585e2370 "afl") at cmd.c:6135
#10 0x00007ffff6d2dc9a in r_core_cmd (core=0x7ffff5c06010, cstr=0x5555580377d0 "afl", log=0) at cmd.c:6215
...
...

Files:
Beware! Linux malware. Use with caution.
Password: infected
51f4aaf8705039ffa594e32848f224fe959c0b4f9f1ee8018564c4b82af7f6fe.zip

@radare radare added this to the 4.4.0 - pangolin milestone Mar 16, 2020
@radare
Collaborator

radare commented Mar 16, 2020

asan:

[0x0808eb0a]> af- 0x0808eb5b; v @ 0x0808eb0a
=================================================================
==56463==ERROR: AddressSanitizer: heap-use-after-free on address 0x611001b88410 at pc 0x00010a24f7ca bp 0x7ffeed9dc300 sp 0x7ffeed9dc2f8
READ of size 8 at 0x611001b88410 thread T0

    #0 0x10a24f7c9 in r_anal_function_realsize function.c:290
    #1 0x1035987bc in __fcn_print_default canal.c:2700
    #2 0x103599664 in fcn_list_default canal.c:2718
    #3 0x1035985a9 in r_core_anal_fcn_list canal.c:3325
    #4 0x10316b31e in cmd_anal_fcn cmd_anal.c:3290
    #5 0x102fc33c7 in cmd_anal cmd_anal.c:9914
    #6 0x1035618f1 in r_cmd_call cmd_api.c:248
    #7 0x1030d9042 in r_core_cmd_subst_i cmd.c:3762
    #8 0x102f866d4 in r_core_cmd_subst cmd.c:2681
    #9 0x102f82e03 in run_cmd_depth cmd.c:6135
    #10 0x102f6094d in r_core_cmd cmd.c:6215
    #11 0x102f71dfb in r_core_cmd_str cmd.c:6452
    #12 0x1037a6758 in __handle_cmd_str_cache panels.c:1263
    #13 0x1037a35d6 in __print_default_cb panels.c:4120
    #14 0x1037bb5a7 in __default_panel_print panels.c:1221
    #15 0x1037b57ce in __panel_print panels.c:1024
    #16 0x1037af53d in __panels_refresh panels.c:5011
    #17 0x1037ac25f in __panels_layout_refresh panels.c:1461
    #18 0x10377e415 in __panels_process panels.c:6691
    #19 0x10377c16a in r_core_visual_panels_root panels.c:6381
    #20 0x10309fbe3 in cmd_panels cmd.c:1899
    #21 0x1035618f1 in r_cmd_call cmd_api.c:248
    #22 0x1030d77d8 in r_core_cmd_subst_i cmd.c:3708
    #23 0x102f866d4 in r_core_cmd_subst cmd.c:2681
    #24 0x102f870ba in r_core_cmd_subst cmd.c:2713
    #25 0x102f82e03 in run_cmd_depth cmd.c:6135
    #26 0x102f6094d in r_core_cmd cmd.c:6215
    #27 0x102ef0674 in r_core_prompt_exec core.c:3046
    #28 0x102eef9d4 in r_core_prompt_loop core.c:2897
    #29 0x105abbc32 in r_main_radare2 radare2.c:1350
    #30 0x102213462 in main (r2:x86_64+0x100001462)
    #31 0x7fff6d35a7fc in start (libdyld.dylib:x86_64+0x1a7fc)

0x611001b88410 is located 144 bytes inside of 216-byte region [0x611001b88380,0x611001b88458)
freed by thread T0 here:
    #0 0x10b91694d in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x6194d)
    #1 0x10a2484fa in r_anal_function_free function.c:102
    #2 0x10279d558 in r_list_delete list.c:106
    #3 0x10279d832 in r_list_delete_data list.c:95
    #4 0x10a24b46e in r_anal_function_delete function.c:156
    #5 0x10a08fe02 in r_anal_fcn_del_locs fcn.c:1336
    #6 0x1035b849e in r_core_anal_undefine canal.c:4493
    #7 0x10316349a in cmd_anal_fcn cmd_anal.c:2943
    #8 0x102fc33c7 in cmd_anal cmd_anal.c:9914
    #9 0x1035618f1 in r_cmd_call cmd_api.c:248
    #10 0x1030d9042 in r_core_cmd_subst_i cmd.c:3762
    #11 0x102f866d4 in r_core_cmd_subst cmd.c:2681
    #12 0x102f82e03 in run_cmd_depth cmd.c:6135
    #13 0x102f6094d in r_core_cmd cmd.c:6215
    #14 0x102ef0674 in r_core_prompt_exec core.c:3046
    #15 0x102eef9d4 in r_core_prompt_loop core.c:2897
    #16 0x105abbc32 in r_main_radare2 radare2.c:1350
    #17 0x102213462 in main (r2:x86_64+0x100001462)
    #18 0x7fff6d35a7fc in start (libdyld.dylib:x86_64+0x1a7fc)

previously allocated by thread T0 here:
    #0 0x10b916cd7 in wrap_calloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x61cd7)
    #1 0x10a246b0d in r_anal_function_new function.c:56
    #2 0x103582507 in __core_anal_fcn canal.c:757
    #3 0x10358183f in r_core_anal_fcn canal.c:1999
    #4 0x1035dd39a in r_anal_analyze_fcn_refs canal.c:680
    #5 0x1035861fa in __core_anal_fcn canal.c:883
    #6 0x10358183f in r_core_anal_fcn canal.c:1999
    #7 0x1031749e4 in cmd_anal_fcn cmd_anal.c:3829
    #8 0x102fc33c7 in cmd_anal cmd_anal.c:9914
    #9 0x1035618f1 in r_cmd_call cmd_api.c:248
    #10 0x1030d9042 in r_core_cmd_subst_i cmd.c:3762
    #11 0x102f866d4 in r_core_cmd_subst cmd.c:2681
    #12 0x102f82e03 in run_cmd_depth cmd.c:6135
    #13 0x102f6094d in r_core_cmd cmd.c:6215
    #14 0x102ef0674 in r_core_prompt_exec core.c:3046
    #15 0x102eef9d4 in r_core_prompt_loop core.c:2897
    #16 0x105abbc32 in r_main_radare2 radare2.c:1350
    #17 0x102213462 in main (r2:x86_64+0x100001462)
    #18 0x7fff6d35a7fc in start (libdyld.dylib:x86_64+0x1a7fc)

SUMMARY: AddressSanitizer: heap-use-after-free function.c:290 in r_anal_function_realsize
Shadow bytes around the buggy address:
  0x1c2200371030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x1c2200371040: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2200371050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200371060: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x1c2200371070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c2200371080: fd fd[fd]fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x1c2200371090: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c22003710a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c22003710b0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x1c22003710c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c22003710d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==56463==ABORTING
Abort trap: 6

@radare
Collaborator

radare commented Mar 16, 2020

oneliner to reproduce:

$ r2 -qcq -c 'aac;s 0x0808eb5b;afr;afr;af-$$; v @ 0x0808eb0a'  51f4aaf8705039ffa594e32848f224fe959c0b4f9f1ee8018564c4b82af7f6fe

@radare
Collaborator

radare commented Mar 16, 2020

nvm. It's because of the fcn_locs crap. Will submit a PR removing this thing that imho is unused.
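The ASan report above shows the object freed through r_anal_function_delete while a later list walk in r_anal_function_realsize still dereferences it, and the comment above pins the stale reference on fcn_locs. The following C is an added example that models that ownership pattern; it is not radare2 code, the list and function names (fcns, locs, undefine_buggy, undefine_fixed) are assumptions, and the addresses and sizes are constructed from the reproducer. The buggy variant unlinks the object from one list and frees it, leaving the auxiliary index dangling; the fixed variant makes every index give up the pointer before the free.

```c
/* Added example, not radare2 code.  Models the ownership bug behind the report:
 * one function object indexed by two lists (main list and an auxiliary "locs"
 * index; both names assumed) and freed through only one of them. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint64_t addr; size_t realsize; } fcn_t;      /* realsize stands in for the bbs-derived size */
typedef struct node { fcn_t *fcn; struct node *next; } node_t; /* non-intrusive: one fcn_t, many lists */
typedef struct { node_t *head; size_t len; } list_t;

static void list_add(list_t *l, fcn_t *f) {
    node_t *n = malloc(sizeof *n);
    if (!n) abort();
    n->fcn = f; n->next = l->head;
    l->head = n; l->len++;
}

/* Unlinks the node holding f.  Compares pointer values, so f must still be live. */
static bool list_remove(list_t *l, const fcn_t *f) {
    for (node_t **pp = &l->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->fcn != f) continue;
        node_t *dead = *pp;
        *pp = dead->next;
        free(dead);
        l->len--;
        return true;
    }
    return false;
}

/* Frees the list's own nodes only; never reads the fcn pointers they hold. */
static void list_drop_nodes(list_t *l) {
    while (l->head) { node_t *n = l->head; l->head = n->next; free(n); }
    l->len = 0;
}

/* The walk that faulted: a realsize-style pass over a list.  Safe only while
 * every entry is live. */
static size_t sum_realsize(const list_t *l) {
    size_t total = 0;
    for (const node_t *n = l->head; n; n = n->next) total += n->fcn->realsize;
    return total;
}

/* Buggy: unlink from the main list and free, but leave the auxiliary index
 * untouched.  This is the shape of the "freed by" stack in the report. */
static void undefine_buggy(list_t *fcns, list_t *locs, fcn_t *f) {
    (void)locs;
    list_remove(fcns, f);
    free(f);                         /* locs still holds this pointer */
}

/* Fixed: every list that references f gives it up before the free. */
static void undefine_fixed(list_t *fcns, list_t *locs, fcn_t *f) {
    list_remove(locs, f);
    list_remove(fcns, f);
    free(f);
}

/* Builds two functions, indexes the second in locs, undefines it, and returns
 * how many entries locs still holds.  Anything above zero is a dangling
 * pointer: a sum_realsize(&locs) at that point would be the reported UAF. */
static size_t run(void (*undefine)(list_t *, list_t *, fcn_t *)) {
    list_t fcns = {0}, locs = {0};
    fcn_t *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    if (!a || !b) abort();
    a->addr = 0x0808eb0a; a->realsize = 81;     /* constructed values */
    b->addr = 0x0808eb5b; b->realsize = 40;
    list_add(&fcns, a);
    list_add(&fcns, b);
    list_add(&locs, b);
    (void)sum_realsize(&locs);                  /* fine here: b is live */

    undefine(&fcns, &locs, b);
    size_t stale = locs.len;

    list_drop_nodes(&locs);                     /* safe: touches nodes only */
    list_remove(&fcns, a);
    free(a);
    return stale;
}

size_t scenario_buggy(void) { return run(undefine_buggy); }
size_t scenario_fixed(void) { return run(undefine_fixed); }

int main(void) {
    printf("buggy: %zu stale entries left in locs\n", scenario_buggy());
    printf("fixed: %zu stale entries left in locs\n", scenario_fixed());
    return 0;
}
```

The example deliberately never dereferences or compares the stale pointer after the buggy free (it only reads the list length), so it runs clean under ASan; the crash in the report is what happens when the realsize-style walk runs over that stale entry. The general rule the fix follows is that an object reachable from several indexes must be unlinked from all of them before it is freed, or it must have a single owner that the other indexes consult instead of caching the pointer.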

@radare
Collaborator

radare commented Mar 16, 2020

fixed in #16229
