AddressSanitizer pe/pe.c #2455

Closed
ghost opened this issue Apr 28, 2015 · 9 comments

ghost commented Apr 28, 2015

==1505==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000007784 at pc 0x7f1479a14eb9 bp 0x7fffc13e1450 sp 0x7fffc13e1440
READ of size 4 at 0x619000007784 thread T0
    #0 0x7f1479a14eb8 in Pe32_r_bin_pe_get_imports /home/revskills/radare2/libr/..//libr/bin/p/../format/pe/pe.c:1934
    #1 0x7f1479a0425a in imports /home/revskills/radare2/libr/..//libr/bin/p/bin_pe.c:206
    #2 0x7f147996cbb2 in r_bin_object_set_items /home/revskills/radare2/libr/bin/bin.c:419
    #3 0x7f1479970479 in r_bin_object_new /home/revskills/radare2/libr/bin/bin.c:943
    #4 0x7f1479971178 in r_bin_file_new_from_bytes /home/revskills/radare2/libr/bin/bin.c:1054
    #5 0x7f147996ea96 in r_bin_load_io_at_offset_as_sz /home/revskills/radare2/libr/bin/bin.c:643
    #6 0x7f147996eb91 in r_bin_load_io_at_offset_as /home/revskills/radare2/libr/bin/bin.c:665
    #7 0x7f147996dfc4 in r_bin_load_io /home/revskills/radare2/libr/bin/bin.c:545
    #8 0x7f147a75b13c in r_core_file_do_load_for_io_plugin /home/revskills/radare2/libr/core/file.c:344
    #9 0x7f147a75ba75 in r_core_bin_load /home/revskills/radare2/libr/core/file.c:476
    #10 0x4061fd in main /home/revskills/radare2/binr/radare2/radare2.c:573
    #11 0x7f14758ccec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #12 0x4030f8 (/home/revskills/radare2/binr/radare2/radare2+0x4030f8)

0x619000007784 is located 102871308832545 bytes insideASAN:SIGSEGV
==1505==AddressSanitizer

file from radare-regressions: imports_vterm.exe 18172efe93c749ff7d99090167c4d191
radare2 0.9.9-git 7749 @ linux-little-x86-64 git.0.9.8-1399-g5b4a4b7
commit: 5b4a4b7 build: 2015-04-28


ghost commented Apr 28, 2015

Grouping results:

==3663==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000014e5c at pc 0x7fbecc890b1a bp 0x7fffb990d260 sp 0x7fffb990d250
READ of size 4 at 0x612000014e5c thread T0
    #0 0x7fbecc890b19 in Pe32_r_bin_pe_get_libs /home/revskills/radare2/libr/..//libr/bin/p/../format/pe/pe.c:2016
    #1 0x7fbecc87f940 in is_dot_net /home/revskills/radare2/libr/..//libr/bin/p/bin_pe.c:267
    #2 0x7fbecc880124 in info /home/revskills/radare2/libr/..//libr/bin/p/bin_pe.c:321
    #3 0x7fbecc7e7c2d in r_bin_object_set_items /home/revskills/radare2/libr/bin/bin.c:420
    #4 0x7fbecc7eb479 in r_bin_object_new /home/revskills/radare2/libr/bin/bin.c:943
    #5 0x7fbecc7ec178 in r_bin_file_new_from_bytes /home/revskills/radare2/libr/bin/bin.c:1054
    #6 0x7fbecc7e9a96 in r_bin_load_io_at_offset_as_sz /home/revskills/radare2/libr/bin/bin.c:643
    #7 0x7fbecc7e9b91 in r_bin_load_io_at_offset_as /home/revskills/radare2/libr/bin/bin.c:665
    #8 0x7fbecc7e8fc4 in r_bin_load_io /home/revskills/radare2/libr/bin/bin.c:545
    #9 0x7fbecd5d613c in r_core_file_do_load_for_io_plugin /home/revskills/radare2/libr/core/file.c:344
    #10 0x7fbecd5d6a75 in r_core_bin_load /home/revskills/radare2/libr/core/file.c:476
    #11 0x4061fd in main /home/revskills/radare2/binr/radare2/radare2.c:573
    #12 0x7fbec8747ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #13 0x4030f8 (/home/revskills/radare2/binr/radare2/radare2+0x4030f8)

0x612000014e5c is located 102390272550393 bytes insideASAN:SIGSEGV
==3663==AddressSanitizer

file from radare2-regressions: tinygui.exe 5866e5e76e0dad4c2cfd30b91e8321b1
radare2 0.9.9-git 7749 @ linux-little-x86-64 git.0.9.8-1399-g5b4a4b7
commit: 5b4a4b7 build: 2015-04-28


ghost commented Apr 28, 2015

==13972==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff354dac90 at pc 0x7f47f7861c77 bp 0x7fff354dab00 sp 0x7fff354da2a8
READ of size 135 at 0x7fff354dac90 thread T0
    #0 0x7f47f7861c76 in strncpy (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2ec76)
    #1 0x7f47f675959f in parse_symbol_table /home/revskills/radare2/libr/..//libr/bin/p/../format/pe/pe.c:417
    #2 0x7f47f6763912 in Pe32_r_bin_pe_get_exports /home/revskills/radare2/libr/..//libr/bin/p/../format/pe/pe.c:1780
    #3 0x7f47f675386f in symbols /home/revskills/radare2/libr/..//libr/bin/p/bin_pe.c:141
    #4 0x7f47f66bcd2f in r_bin_object_set_items /home/revskills/radare2/libr/bin/bin.c:422
    #5 0x7f47f66c0479 in r_bin_object_new /home/revskills/radare2/libr/bin/bin.c:943
    #6 0x7f47f66c1178 in r_bin_file_new_from_bytes /home/revskills/radare2/libr/bin/bin.c:1054
    #7 0x7f47f66bea96 in r_bin_load_io_at_offset_as_sz /home/revskills/radare2/libr/bin/bin.c:643
    #8 0x7f47f66beb91 in r_bin_load_io_at_offset_as /home/revskills/radare2/libr/bin/bin.c:665
    #9 0x7f47f66bdfc4 in r_bin_load_io /home/revskills/radare2/libr/bin/bin.c:545
    #10 0x7f47f74ab13c in r_core_file_do_load_for_io_plugin /home/revskills/radare2/libr/core/file.c:344
    #11 0x7f47f74aba75 in r_core_bin_load /home/revskills/radare2/libr/core/file.c:476
    #12 0x4061fd in main /home/revskills/radare2/binr/radare2/radare2.c:573
    #13 0x7f47f261cec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #14 0x4030f8 (/home/revskills/radare2/binr/radare2/radare2+0x4030f8)

0x7fff354dac90 is located 140725497736331 bytes insideASAN:SIGSEGV
==13972==AddressSanitizer

file: http://revskills.cz/r2/vista-glass.exe (feel free to use for regression tests)
radare2 0.9.9-git 7749 @ linux-little-x86-64 git.0.9.8-1399-g5b4a4b7
commit: 5b4a4b7 build: 2015-04-28


jjdredd commented Apr 29, 2015

assigned to me

@alvarofe
Contributor

@jjdredd also, in the regression repository in bins/fuzzed there are some PE binaries => make format.others


radare commented Apr 29, 2015

@jjdredd keep us updated about your progress

@radare radare closed this as completed in 79b4820 Apr 30, 2015

radare commented Apr 30, 2015

The imports_vterm.exe is not fixed. @alvarofe do you want to take a look at it? I have fixed many other issues.

@radare radare reopened this Apr 30, 2015

jjdredd commented Apr 30, 2015


radare commented Apr 30, 2015

It means that some binaries contain an import size of 0, but this is not the
real size of it, because the system parser takes the rest of the file as an
import table and loads it. It's just a hack to assume it's 0xffff, and
therefore it must be reviewed carefully with some real exes.

On 04/30/2015 03:34 PM, Judge_Dredd wrote:

@radare what's the meaning of https://github.com/radare/radare2/blob/master/libr/bin/format/pe/pe.c#L528



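What a bounded walk of the import descriptor table looks like, as an added example written for this page and not radare2's own pe.c: a directory Size of 0 is treated as unknown and a non-zero Size is clamped to the bytes actually in the file, so neither a 0 nor a bogus value can drive a read past the buffer. The 20-byte IMAGE_IMPORT_DESCRIPTOR layout is the documented one; the function names and the sample buffers are assumptions constructed here.

```c
#include <stdint.h>
#include <stdio.h>

#define IMPORT_DESC_SIZE 20 /* IMAGE_IMPORT_DESCRIPTOR: five little-endian u32 fields */
/* Alignment-safe little-endian read and write. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* Walk the import descriptor table at file offset `off` of a `len`-byte buffer.
   `dir_size` is the data directory Size field, which real binaries sometimes set
   to 0; rather than substituting 0xffff, the walk is bounded by the bytes present
   and stops at the all-zero terminator. Returns the count, or -1 if `off` is past the end. */
static int count_import_descriptors(const uint8_t *buf, size_t len, size_t off, uint32_t dir_size) {
    if (off > len) return -1;
    size_t avail = len - off;
    size_t limit = (dir_size == 0 || dir_size > avail) ? avail : dir_size; /* 0 = unknown; never past EOF */
    int count = 0;
    for (size_t p = off; p + IMPORT_DESC_SIZE <= off + limit; p += IMPORT_DESC_SIZE) {
        if (rd32(buf + p) == 0 && rd32(buf + p + 12) == 0 && rd32(buf + p + 16) == 0)
            return count; /* OriginalFirstThunk, Name and FirstThunk all zero: terminator */
        count++;
    }
    return count; /* file ended before a terminator: report what was readable, no over-read */
}

/* Constructed sample, not a real PE: two descriptors and a terminator at offset 8,
   with the directory Size deliberately 0 as in the binaries discussed above. */
static int demo_size_zero(void) {
    uint8_t buf[96] = {0};
    wr32(buf + 8 + 12, 0x2000);  wr32(buf + 8 + 16, 0x2100);  /* descriptor 1: Name, FirstThunk */
    wr32(buf + 28 + 12, 0x2040); wr32(buf + 28 + 16, 0x2140); /* descriptor 2 */
    return count_import_descriptors(buf, sizeof buf, 8, 0);   /* 2 */
}

/* Constructed sample: one descriptor, then the file ends 10 bytes later, with a
   bogus Size of 0xffff that must be clamped rather than trusted. */
static int demo_truncated(void) {
    uint8_t buf[8 + IMPORT_DESC_SIZE + 10] = {0};
    wr32(buf + 8 + 12, 0x2000); wr32(buf + 8 + 16, 0x2100);
    return count_import_descriptors(buf, sizeof buf, 8, 0xffff); /* 1 */
}
int main(void) {
    printf("size 0: %d descriptors, truncated: %d descriptors\n", demo_size_zero(), demo_truncated());
    return 0;
}
```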

jjdredd commented Apr 30, 2015

OK, just thought it might be the source of the bug.

alvarofe added a commit to alvarofe/radare2 that referenced this issue Apr 30, 2015
@radare radare closed this as completed in d9b1b34 Apr 30, 2015
@ghost ghost mentioned this issue May 4, 2015