Double free in Pe64_bin_pe_parse_resource() #15927
Comments
|
Open a pr in the bins repo with that binary in the fuzzed directory. So we can use it in the pr that fixes this issue
… On 4 Feb 2020, at 19:43, Niebardzo ***@***.***> wrote:
Work environment
Questions Answers
OS/arch/bits (mandatory) Ubuntu 18.04 x64
File format of the file you reverse (mandatory) PE
Architecture/bits of the file (mandatory) x64
r2 -v full output, not truncated (mandatory) radare2 4.3.0-git 23710 @ linux-x86-64 git.4.2.1-7-g8850bc6aa commit: 8850bc6 build: 2020-02-04__18:07:04
Expected behavior
Disassembly of file or error message.
Actual behavior
Double free in ASAN build.
Steps to reproduce the behavior
Download https://github.com/niebardzo/Store-PoCs/raw/master/r2_free_Pe64_bin_pe_parse_resource
Run: r2 -A r2_free_Pe64_bin_pe_parse_resource
Additional Logs, screenshots, source-code, configuration dump, ...
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
=================================================================
==31065==ERROR: AddressSanitizer: attempting double-free on 0x6020000628d0 in thread T0:
#0 0x55d6ca5b1ffd in free (/usr/local/bin/radare2+0x94ffd)
#1 0x7fda6f9fe924 in _parse_resource_directory /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2588:4
#2 0x7fda6f9fd454 in Pe64_bin_pe_parse_resource /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2740:4
#3 0x7fda6fa1b01e in bin_pe_init /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2812:2
#4 0x7fda6fa1c03c in Pe64_r_bin_pe_new_buf /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:3886:7
#5 0x7fda6f9e8a48 in load_buffer /root/work/radare2/libr/../libr/bin/p/bin_pe.inc:22:36
#6 0x7fda6f6b1e71 in r_bin_object_new /root/work/radare2/libr/bin/bobj.c:153:8
#7 0x7fda6f6a517a in r_bin_file_new_from_buffer /root/work/radare2/libr/bin/bfile.c:505:19
#8 0x7fda6f680579 in r_bin_open_buf /root/work/radare2/libr/bin/bin.c:283:8
#9 0x7fda6f67fc0e in r_bin_open_io /root/work/radare2/libr/bin/bin.c:343:13
#10 0x7fda702295ef in r_core_file_do_load_for_io_plugin /root/work/radare2/libr/core/cfile.c:430:7
#11 0x7fda702295ef in r_core_bin_load /root/work/radare2/libr/core/cfile.c:641:4
#12 0x7fda6da04455 in r_main_radare2 /root/work/radare2/libr/main/radare2.c:1040:14
#13 0x7fda6d7be1e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
#14 0x55d6ca53a37d in _start (/usr/local/bin/radare2+0x1d37d)
0x6020000628d0 is located 0 bytes inside of 1-byte region [0x6020000628d0,0x6020000628d1)
freed by thread T0 here:
#0 0x55d6ca5b1ffd in free (/usr/local/bin/radare2+0x94ffd)
#1 0x7fda6f9fee89 in _parse_resource_directory /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2581:5
#2 0x7fda6f9fef1d in _parse_resource_directory /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2583:4
#3 0x7fda6f9fd454 in Pe64_bin_pe_parse_resource /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2740:4
#4 0x7fda6fa1b01e in bin_pe_init /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2812:2
#5 0x7fda6fa1c03c in Pe64_r_bin_pe_new_buf /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:3886:7
previously allocated by thread T0 here:
#0 0x55d6ca5b23f2 in calloc (/usr/local/bin/radare2+0x953f2)
#1 0x7fda6f9fe59f in _parse_resource_directory /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2557:24
#2 0x7fda6f9fd454 in Pe64_bin_pe_parse_resource /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2740:4
#3 0x7fda6fa1b01e in bin_pe_init /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2812:2
#4 0x7fda6fa1c03c in Pe64_r_bin_pe_new_buf /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:3886:7
SUMMARY: AddressSanitizer: double-free (/usr/local/bin/radare2+0x94ffd) in free
==31065==ABORTING
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
Hello Team, the following pr was created: |
|
Was the issue fixed by 9e3d175? |
|
So maybe it should be closed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Work environment
Expected behavior
Disassembly of file or error message.
Actual behavior
Double free in ASAN build.
Steps to reproduce the behavior
Additional Logs, screenshots, source-code, configuration dump, ...
The text was updated successfully, but these errors were encountered: