
Heap out of bounds read in r_bin_get_binplugin_by_buffer (bin_omf.c) #14225

Closed
pventuzelo opened this issue Jun 5, 2019 · 2 comments

pventuzelo commented Jun 5, 2019

Work environment

| Questions | Answers |
| --- | --- |
| OS/arch/bits (mandatory) | Ubuntu 18.04 x64 |
| File format of the file you reverse (mandatory) | OMF |
| Architecture/bits of the file (mandatory) | N/A |
| r2 -v full output, not truncated (mandatory) | radare2 3.6.0-git 21939 @ linux-x86-64 git.3.5.1-159-g24dfc45c3 commit: 24dfc45 build: 2019-06-05__16:54:39 |

Expected behavior

Disassembly of file or error message.

Actual behavior

Heap out of bounds read in ASAN build.

Steps to reproduce the behavior

Additional Logs, screenshots, source-code, configuration dump, ...

ASAN report:

==5267==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000061f91 at pc 0x7f5fb26cb0a0 bp 0x7ffdf6ea3290 sp 0x7ffdf6ea3288
READ of size 1 at 0x602000061f91 thread T0
    #0 0x7f5fb26cb09f in check_buffer XYZ/radare2/libr/..//libr/bin/p/bin_omf.c:32:18
    #1 0x7f5fb22215f9 in r_bin_get_binplugin_by_buffer XYZ/radare2/libr/bin/bin.c:441:8
    #2 0x7f5fb224ed3a in get_plugin_from_buffer XYZ/radare2/libr/bin/bfile.c:362:11
    #3 0x7f5fb224ed3a in r_bin_file_new_from_buffer XYZ/radare2/libr/bin/bfile.c:420
    #4 0x7f5fb221ee7f in r_bin_open_io XYZ/radare2/libr/bin/bin.c:380:8
    #5 0x7f5fb362d233 in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/cfile.c:399:7
    #6 0x7f5fb362d233 in r_core_bin_load XYZ/radare2/libr/core/cfile.c:553
    #7 0x7f5fb76c759e in r_main_radare2 XYZ/radare2/libr/main/radare2.c:1137:15
    #8 0x7f5fb6e7bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x55ca9ab47f69 in _start (XYZ/radare2/binr/radare2/radare2+0x1cf69)

0x602000061f91 is located 0 bytes to the right of 1-byte region [0x602000061f90,0x602000061f91)
allocated by thread T0 here:
    #0 0x55ca9abfd5e0 in malloc (XYZ/radare2/binr/radare2/radare2+0xd25e0)
    #1 0x7f5fb604c8f7 in get_whole_buf XYZ/radare2/libr/util/buf.c:66:17
    #2 0x7f5fb604c8f7 in r_buf_data XYZ/radare2/libr/util/buf.c:192

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/radare2/libr/..//libr/bin/p/bin_omf.c:32:18 in check_buffer
==5267==ABORTING
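An illustration, added here and not taken from radare2, of the bug class the trace shows: a format-detection check that reads header bytes before confirming the buffer actually holds them, beside the hardened ordering. The OMF record layout, the function names and the sample inputs are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed OMF layout: a file starts with a THEADR (0x80) or LHEADR (0x82)
 * record: 1-byte type, 2-byte little-endian record length, payload, then a
 * checksum byte that makes the record's byte sum zero mod 256. */
#define OMF_THEADR 0x80
#define OMF_LHEADR 0x82
#define OMF_HDR_LEN 3 /* type byte + 16-bit length */

/* Unchecked ordering: header bytes are read before the length is known to
 * cover them. Handed a 1-byte file it reads buf[1], which is exactly the
 * "READ of size 1 ... 0 bytes to the right of 1-byte region" above.
 * Kept only for contrast; it is not called on short input here. */
static bool omf_check_unchecked(const uint8_t *buf, size_t len) {
    if (buf[0] != OMF_THEADR && buf[0] != OMF_LHEADR) {
        return false;
    }
    uint16_t rec_len = (uint16_t)(buf[1] | (buf[2] << 8)); /* OOB if len < 3 */
    return rec_len > 0 && (size_t)rec_len + OMF_HDR_LEN <= len;
}

/* Hardened ordering: bound the length first, so every index used afterwards
 * is inside the allocation; the declared record length is then checked
 * against what was actually provided before any later parser trusts it. */
static bool omf_check_safe(const uint8_t *buf, size_t len) {
    if (!buf || len < OMF_HDR_LEN) {
        return false; /* too short to contain a record header */
    }
    if (buf[0] != OMF_THEADR && buf[0] != OMF_LHEADR) {
        return false;
    }
    uint16_t rec_len = (uint16_t)(buf[1] | (buf[2] << 8));
    return rec_len > 0 && (size_t)rec_len + OMF_HDR_LEN <= len;
}

/* Constructed inputs: the fuzzer-style 1-byte file that trips the unchecked
 * version, a minimal valid THEADR record (name "a", checksum 0x1B), and an
 * ELF magic that must be rejected on the type byte alone. */
static const uint8_t k_one_byte_input[] = { 0x80 };
static const uint8_t k_minimal_theadr[] = { 0x80, 0x03, 0x00, 0x01, 'a', 0x1B };
static const uint8_t k_not_omf[] = { 0x7f, 'E', 'L', 'F' };
```

Compiled with ASAN, the unchecked variant reports the same heap-buffer-overflow on k_one_byte_input; the hardened one rejects it without touching buf[1].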
radare (Collaborator) commented Jun 5, 2019

Fixed in #14227. Waiting for Travis to merge. Sorry for the delay, I was offline packing bags :)

pventuzelo (Author) commented

Perfect, don't worry, you are actually really fast ;)

@radare radare closed this as completed Jun 5, 2019