Out of bounds heap read in function r_core_syscmd_ls #2760

hannob · 2015-06-14T22:02:12Z

This script will cause an out of bounds heap read:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-r_core_syscmd_ls

Test with radare2 -q -i [script] /dev/null
It contians only the char "l".

Address Sanitizer stack trace:

==15916==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000168d2 at pc 0x7f750ae6beb8 bp 0x7fff18df7af0 sp 0x7fff18df7ae0
READ of size 1 at 0x6020000168d2 thread T0
    #0 0x7f750ae6beb7 in r_core_syscmd_ls /f/radare2/radare2/libr/core/syscmd.c:102
    #1 0x7f750ad0ee93 in cmd_ls /f/radare2/radare2/libr/core/cmd.c:382
    #2 0x7f750adf00ee in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1590
    #3 0x7f750ad540c8 in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1081
    #4 0x7f750ad5535b in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1938
    #5 0x7f750ad580bc in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1989
    #6 0x7f750ad582f4 in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2001
    #7 0x7f750ad5b55b in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #8 0x4054c2 in main /f/radare2/radare2/binr/radare2/radare2.c:729
    #9 0x7f75052d5f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #10 0x40a25e (/mnt/ram/radare2/radare2+0x40a25e)

0x6020000168d2 is located 0 bytes to the right of 2-byte region [0x6020000168d0,0x6020000168d2)
allocated by thread T0 here:
    #0 0x7f750b4796f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7f7505337789 in strdup (/lib64/libc.so.6+0x81789)

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/radare2/radare2/libr/core/syscmd.c:102 r_core_syscmd_ls
Shadow bytes around the buggy address:
  0x0c047fffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffad10: fa fa fa fa fa fa 01 fa fa fa[02]fa fa fa 02 fa
  0x0c047fffad20: fa fa 02 fa fa fa fd fa fa fa fd fd fa fa 06 fa
  0x0c047fffad30: fa fa fd fa fa fa 05 fa fa fa fd fa fa fa 06 fa
  0x0c047fffad40: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 04 fa
  0x0c047fffad50: fa fa fd fa fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fffad60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==15916==ABORTING

The text was updated successfully, but these errors were encountered:

alvarofe self-assigned this Jun 15, 2015

XVilka added bug good first issue labels Jun 15, 2015

XVilka added this to the 0.10.0 milestone Jun 15, 2015

alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 15, 2015

Fix radareorg#2760

a38d419

alvarofe closed this as completed in 1415016 Jun 16, 2015

radare unassigned alvarofe Sep 18, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Out of bounds heap read in function r_core_syscmd_ls #2760

Out of bounds heap read in function r_core_syscmd_ls #2760

hannob commented Jun 14, 2015

Out of bounds heap read in function r_core_syscmd_ls #2760

Out of bounds heap read in function r_core_syscmd_ls #2760

Comments

hannob commented Jun 14, 2015