Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Out of bounds call to strncpy() in function Elf64_r_bin_elf_get_libs() on malformed input #2665

Closed
hannob opened this issue Jun 1, 2015 · 5 comments
Closed

Out of bounds call to strncpy() in function Elf64_r_bin_elf_get_libs() on malformed input #2665

hannob opened this issue Jun 1, 2015 · 5 comments
Assignees
@alvarofe
Labels
New File-Format

Comments

@hannob
Copy link

hannob commented Jun 1, 2015

A malformed elf file can cause an out of bounds access in radare2. Here's the file:
https://crashes.fuzzing-project.org/radare2-oob-heap-read-Elf64_r_bin_elf_get_libs

To see this one needs to compile radare2 with address sanitizer (add -fsanitize=address to cflags). This issue was found with the help of the tool american fuzzy lop.

Here's the output from address sanitizer:

Warning: Cannot initialize section headers
Warning: Cannot initialize strings table
=================================================================
==13080==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000ba00 at pc 0x7f208de69be7 bp 0x7fff5165d770 sp 0x7fff5165cf18
READ of size 2 at 0x60400000ba00 thread T0
    #0 0x7f208de69be6 in __interceptor_strncpy (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x2ebe6)
    #1 0x7f208c8afb2e in strncpy /usr/include/bits/string3.h:120
    #2 0x7f208c8afb2e in Elf64_r_bin_elf_get_libs /f/radare2/radare2/libr/..//libr/bin/p/../format/elf/elf.c:1197
    #3 0x7f208c8829fb in libs /f/radare2/radare2/libr/..//libr/bin/p/bin_elf.c:380
    #4 0x7f208c7b85a5 in r_bin_object_set_items /f/radare2/radare2/libr/bin/bin.c:423
    #5 0x7f208c7b85a5 in r_bin_object_new /f/radare2/radare2/libr/bin/bin.c:945
    #6 0x7f208c7bea68 in r_bin_file_new_from_bytes /f/radare2/radare2/libr/bin/bin.c:1056
    #7 0x7f208c7bea68 in r_bin_load_io_at_offset_as_sz /f/radare2/radare2/libr/bin/bin.c:644
    #8 0x7f208c7c053a in r_bin_load_io_at_offset_as /f/radare2/radare2/libr/bin/bin.c:666
    #9 0x7f208c7c1865 in r_bin_load_io /f/radare2/radare2/libr/bin/bin.c:546
    #10 0x7f208d819aa0 in r_core_file_do_load_for_io_plugin /f/radare2/radare2/libr/core/file.c:350
    #11 0x7f208d819aa0 in r_core_bin_load /f/radare2/radare2/libr/core/file.c:487
    #12 0x4057fc in main /f/radare2/radare2/binr/radare2/radare2.c:579
    #13 0x7f2087afef9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #14 0x409dfe (/mnt/ram/radare2/radare2+0x409dfe)

0x60400000ba00 is located 0 bytes to the right of 48-byte region [0x60400000b9d0,0x60400000ba00)
allocated by thread T0 here:
    #0 0x7f208de92855 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x57855)
    #1 0x7f208c89be71 in Elf64_r_bin_elf_init_dynamic_section /f/radare2/radare2/libr/..//libr/bin/p/../format/elf/elf.c:294
    #2 0x7f208c89be71 in Elf64_r_bin_elf_init /f/radare2/radare2/libr/..//libr/bin/p/../format/elf/elf.c:338

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strncpy
Shadow bytes around the buggy address:
  0x0c087fff96f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9730: fa fa 00 00 00 00 00 07 fa fa 00 00 00 00 00 00
=>0x0c087fff9740:[fa]fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff9750: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff9760: fa fa 00 00 00 00 00 07 fa fa 00 00 00 00 00 07
  0x0c087fff9770: fa fa 00 00 00 00 00 07 fa fa fd fd fd fd fd fd
  0x0c087fff9780: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 07
  0x0c087fff9790: fa fa 00 00 00 00 00 07 fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==13080==ABORTING
@jjdredd
Copy link
Contributor

jjdredd commented Jun 1, 2015

use ```, luke

@C-H-A-I-R
Copy link

that download link does not wok

@alvarofe alvarofe self-assigned this Jun 1, 2015
@radare
Copy link
Collaborator

radare commented Jun 1, 2015

403

@hannob
Copy link
Author

hannob commented Jun 1, 2015

sorry, permission problem, fixed now.

@alvarofe
Copy link
Contributor

alvarofe commented Jun 1, 2015

Thanks. I will work on this :)

alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 1, 2015
@alvarofe
Fix radareorg#2665
cdbd0a5
@hannob hannob mentioned this issue Jun 3, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alvarofe alvarofe

Labels
New File-Format
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@XVilka @radare @hannob @alvarofe @jjdredd @C-H-A-I-R