Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

out of bounds heap read in cmd_type #2795

Closed
hannob opened this issue Jun 18, 2015 · 0 comments
Closed

out of bounds heap read in cmd_type #2795

hannob opened this issue Jun 18, 2015 · 0 comments

Comments

@hannob
Copy link

hannob commented Jun 18, 2015

This script will cause an out of bounds heap read in the function cmd_type:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-cmd_type

It consists of the string "ts". Test: radare2 -q -i [script] /dev/null

Address Sanitizer output:

=================================================================
==32000==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000016871 at pc 0x7f28064957d0 bp 0x7fff76ca84a0 sp 0x7fff76ca8470
READ of size 1 at 0x602000016871 thread T0
    #0 0x7f28064957cf in index (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x347cf)
    #1 0x7f2805de0924 in cmd_type /f/radare2/radare2/libr/core/cmd_type.c:49
    #2 0x7f2805e2a096 in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1590
    #3 0x7f2805d8e09c in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1081
    #4 0x7f2805d8f182 in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1938
    #5 0x7f2805d92084 in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1989
    #6 0x7f2805d922f4 in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2001
    #7 0x7f2805d9528b in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #8 0x4054bc in main /f/radare2/radare2/binr/radare2/radare2.c:729
    #9 0x7f28002f8f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #10 0x40a4d3 (/mnt/ram/radare2/radare2+0x40a4d3)

0x602000016871 is located 0 bytes to the right of 1-byte region [0x602000016870,0x602000016871)
allocated by thread T0 here:
    #0 0x7f28064b86f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7f280035a789 in strdup (/lib64/libc.so.6+0x81789)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 index
Shadow bytes around the buggy address:
  0x0c047fffacb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x0c047fffad10: fa fa 01 fa fa fa 03 fa fa fa 03 fa fa fa 03 fa
  0x0c047fffad20: fa fa fd fa fa fa fd fd fa fa 06 fa fa fa fd fa
  0x0c047fffad30: fa fa 05 fa fa fa fd fa fa fa 06 fa fa fa fd fa
  0x0c047fffad40: fa fa 03 fa fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fffad50: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==32000==ABORTING
@hannob hannob changed the title out of bounds read in cmd_type out of bounds heap read in cmd_type Jun 18, 2015
@alvarofe alvarofe self-assigned this Jun 18, 2015
alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 20, 2015
@alvarofe
Fix radareorg#2795
d75a197
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hannob @alvarofe