AddressSanitizer mach0/mach0.c #2465

Closed
ghost opened this issue Apr 29, 2015 · 10 comments

ghost commented Apr 29, 2015

==15186==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62000000df94 at pc 0x7f7e535641b7 bp 0x7fff020d68b0 sp 0x7fff020d6058
READ of size 17 at 0x62000000df94 thread T0
#0 0x7f7e535641b6 in strncpy (/lib64/libasan.so.1+0x2f1b6)
#1 0x7f7e52439593 in get_symbols /home/revskills/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:815
#2 0x7f7e5243e87d in get_main /home/revskills/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1403
#3 0x7f7e52431765 in binsym /home/revskills/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:501
#4 0x7f7e523bd87e in r_bin_object_set_items /home/revskills/dev/radare2/libr/bin/bin.c:417
#5 0x7f7e523c12c1 in r_bin_object_new /home/revskills/dev/radare2/libr/bin/bin.c:944
#6 0x7f7e523c1f6e in r_bin_file_new_from_bytes /home/revskills/dev/radare2/libr/bin/bin.c:1055
#7 0x7f7e523bf8e0 in r_bin_load_io_at_offset_as_sz /home/revskills/dev/radare2/libr/bin/bin.c:644
#8 0x7f7e523bf9db in r_bin_load_io_at_offset_as /home/revskills/dev/radare2/libr/bin/bin.c:666
#9 0x7f7e523bee0e in r_bin_load_io /home/revskills/dev/radare2/libr/bin/bin.c:546
#10 0x7f7e531adc5a in r_core_file_do_load_for_io_plugin /home/revskills/dev/radare2/libr/core/file.c:344
#11 0x7f7e531ae593 in r_core_bin_load /home/revskills/dev/radare2/libr/core/file.c:476
#12 0x406188 in main /home/revskills/dev/radare2/binr/radare2/radare2.c:573
#13 0x7f7e4e324fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
#14 0x4030d8 (/home/revskills/dev/radare2/binr/radare2/radare2+0x4030d8)

0x62000000df94 is located 86857035928666 bytes insideASAN:SIGSEGV
==15186==AddressSanitizer:

file: http://revskills.cz/r2/df1311e6df74710f8eb1466d76468722
radare2 0.9.9-git 7759 @ linux-little-x86-64 git.0.9.8-1404-g5b984e8
commit: 5b984e8 build: 2015-04-29

ghost commented Apr 29, 2015

Grouping results:

==15188==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001ddf0 at pc 0x7fe3af9bb0d5 bp 0x7ffc57e513e0 sp 0x7ffc57e513d0
READ of size 1 at 0x62200001ddf0 thread T0
#0 0x7fe3af9bb0d4 in get_relocs /home/revskills/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1009
#1 0x7fe3af9af1be in relocs /home/revskills/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:215
#2 0x7fe3af93dc07 in r_bin_object_set_items /home/revskills/dev/radare2/libr/bin/bin.c:424
#3 0x7fe3af9412c1 in r_bin_object_new /home/revskills/dev/radare2/libr/bin/bin.c:944
#4 0x7fe3af941f6e in r_bin_file_new_from_bytes /home/revskills/dev/radare2/libr/bin/bin.c:1055
#5 0x7fe3af93f8e0 in r_bin_load_io_at_offset_as_sz /home/revskills/dev/radare2/libr/bin/bin.c:644
#6 0x7fe3af93f9db in r_bin_load_io_at_offset_as /home/revskills/dev/radare2/libr/bin/bin.c:666
#7 0x7fe3af93ee0e in r_bin_load_io /home/revskills/dev/radare2/libr/bin/bin.c:546
#8 0x7fe3b072dc5a in r_core_file_do_load_for_io_plugin /home/revskills/dev/radare2/libr/core/file.c:344
#9 0x7fe3b072e593 in r_core_bin_load /home/revskills/dev/radare2/libr/core/file.c:476
#10 0x406188 in main /home/revskills/dev/radare2/binr/radare2/radare2.c:573
#11 0x7fe3ab8a4fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
#12 0x4030d8 (/home/revskills/dev/radare2/binr/radare2/radare2+0x4030d8)

0x62200001ddf0 is located 86994474947254 bytes insideASAN:SIGSEGV
==15188==AddressSanitizer:

file: http://revskills.cz/r2/22c2eed6cb1ab51052a740ad070d78ac
radare2 0.9.9-git 7759 @ linux-little-x86-64 git.0.9.8-1404-g5b984e8
commit: 5b984e8 build: 2015-04-29

ghost commented Apr 29, 2015

==15212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62000000df94 at pc 0x7fb72025b1b7 bp 0x7ffff9afcdf0 sp 0x7ffff9afc598
READ of size 196 at 0x62000000df94 thread T0
#0 0x7fb72025b1b6 in strncpy (/lib64/libasan.so.1+0x2f1b6)
#1 0x7fb71f1313cf in get_imports /home/revskills/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:890
#2 0x7fb71f125cac in imports /home/revskills/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:168
#3 0x7fb71f0b4a0f in r_bin_object_set_items /home/revskills/dev/radare2/libr/bin/bin.c:420
#4 0x7fb71f0b82c1 in r_bin_object_new /home/revskills/dev/radare2/libr/bin/bin.c:944
#5 0x7fb71f0b8f6e in r_bin_file_new_from_bytes /home/revskills/dev/radare2/libr/bin/bin.c:1055
#6 0x7fb71f0b68e0 in r_bin_load_io_at_offset_as_sz /home/revskills/dev/radare2/libr/bin/bin.c:644
#7 0x7fb71f0b69db in r_bin_load_io_at_offset_as /home/revskills/dev/radare2/libr/bin/bin.c:666
#8 0x7fb71f0b5e0e in r_bin_load_io /home/revskills/dev/radare2/libr/bin/bin.c:546
#9 0x7fb71fea4c5a in r_core_file_do_load_for_io_plugin /home/revskills/dev/radare2/libr/core/file.c:344
#10 0x7fb71fea5593 in r_core_bin_load /home/revskills/dev/radare2/libr/core/file.c:476
#11 0x406188 in main /home/revskills/dev/radare2/binr/radare2/radare2.c:573
#12 0x7fb71b01bfdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
#13 0x4030d8 (/home/revskills/dev/radare2/binr/radare2/radare2+0x4030d8)

0x62000000df94 is located 86857035928666 bytes insideASAN:SIGSEGV
==15212==AddressSanitizer:

file: http://revskills.cz/r2/9bdfe1a56d369d4e1c5a43a711c8ba83
radare2 0.9.9-git 7759 @ linux-little-x86-64 git.0.9.8-1404-g5b984e8
commit: 5b984e8 build: 2015-04-29

@alvarofe
Contributor

I will try to fix it. @revskills is having fun with ASan jeje

@alvarofe
Contributor

@revskills any good tool to fuzz mach files?

ghost commented Apr 29, 2015

==4563==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001ddf0 at pc 0x7f48c394a7a4 bp 0x7ffcb4361c90 sp 0x7ffcb4361c80
READ of size 1 at 0x62200001ddf0 thread T0
#0 0x7f48c394a7a3 in read_uleb128 /home/revskills/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:915
#1 0x7f48c394b5b2 in get_relocs /home/revskills/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1043
#2 0x7f48c393f1be in relocs /home/revskills/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:215
#3 0x7f48c38cdc07 in r_bin_object_set_items /home/revskills/dev/radare2/libr/bin/bin.c:424
#4 0x7f48c38d12c1 in r_bin_object_new /home/revskills/dev/radare2/libr/bin/bin.c:944
#5 0x7f48c38d1f6e in r_bin_file_new_from_bytes /home/revskills/dev/radare2/libr/bin/bin.c:1055
#6 0x7f48c38cf8e0 in r_bin_load_io_at_offset_as_sz /home/revskills/dev/radare2/libr/bin/bin.c:644
#7 0x7f48c38cf9db in r_bin_load_io_at_offset_as /home/revskills/dev/radare2/libr/bin/bin.c:666
#8 0x7f48c38cee0e in r_bin_load_io /home/revskills/dev/radare2/libr/bin/bin.c:546
#9 0x7f48c46bdc5a in r_core_file_do_load_for_io_plugin /home/revskills/dev/radare2/libr/core/file.c:344
#10 0x7f48c46be593 in r_core_bin_load /home/revskills/dev/radare2/libr/core/file.c:476
#11 0x406188 in main /home/revskills/dev/radare2/binr/radare2/radare2.c:573
#12 0x7f48bf834fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
#13 0x4030d8 (/home/revskills/dev/radare2/binr/radare2/radare2+0x4030d8)

0x62200001ddf0 is located 86994474947254 bytes insideASAN:SIGSEGV
==4563==AddressSanitizer:

file: http://revskills.cz/r2/07617d86d131100a83374ee4e221788a
radare2 0.9.9-git 7759 @ linux-little-x86-64 git.0.9.8-1404-g5b984e8
commit: 5b984e8 build: 2015-04-29

ghost commented Apr 29, 2015

==1293==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000065f8 at pc 0x7f9ab1b5a805 bp 0x7ffdd424d4c0 sp 0x7ffdd424d4b0
READ of size 1 at 0x6040000065f8 thread T0
#0 0x7f9ab1b5a804 in get_relocs_64 /home/revskills/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1091
#1 0x7f9ab1b4d8a2 in relocs /home/revskills/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:215
#2 0x7f9ab1acac07 in r_bin_object_set_items /home/revskills/dev/radare2/libr/bin/bin.c:424
#3 0x7f9ab1ace2c1 in r_bin_object_new /home/revskills/dev/radare2/libr/bin/bin.c:944
#4 0x7f9ab1acebfc in r_bin_file_object_new_from_xtr_data /home/revskills/dev/radare2/libr/bin/bin.c:1015
#5 0x7f9ab1acd1a3 in r_bin_files_populate_from_xtrlist /home/revskills/dev/radare2/libr/bin/bin.c:787
#6 0x7f9ab1acd372 in r_bin_file_xtr_load_bytes /home/revskills/dev/radare2/libr/bin/bin.c:803
#7 0x7f9ab1acc71c in r_bin_load_io_at_offset_as_sz /home/revskills/dev/radare2/libr/bin/bin.c:629
#8 0x7f9ab1acc9db in r_bin_load_io_at_offset_as /home/revskills/dev/radare2/libr/bin/bin.c:666
#9 0x7f9ab1acbe0e in r_bin_load_io /home/revskills/dev/radare2/libr/bin/bin.c:546
#10 0x7f9ab28bac5a in r_core_file_do_load_for_io_plugin /home/revskills/dev/radare2/libr/core/file.c:344
#11 0x7f9ab28bb593 in r_core_bin_load /home/revskills/dev/radare2/libr/core/file.c:476
#12 0x406188 in main /home/revskills/dev/radare2/binr/radare2/radare2.c:573
#13 0x7f9aada31fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
#14 0x4030d8 (/home/revskills/dev/radare2/binr/radare2/radare2+0x4030d8)

0x6040000065f8 is located 84932890548926 bytes insideASAN:SIGSEGV
==1293==AddressSanitizer

file: http://revskills.cz/r2/c8ca5e3c461f444bbc577044ddf83768
radare2 0.9.9-git 7759 @ linux-little-x86-64 git.0.9.8-1404-g5b984e8
commit: 5b984e8 build: 2015-04-29

ghost commented Apr 29, 2015

==2421==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000006638 at pc 0x7f19cc5de95e bp 0x7fffe6452ad0 sp 0x7fffe6452ac0
READ of size 1 at 0x604000006638 thread T0
#0 0x7f19cc5de95d in read_sleb128 /home/revskills/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:927
#1 0x7f19cc5df53f in get_relocs_64 /home/revskills/dev/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1034
#2 0x7f19cc5d38a2 in relocs /home/revskills/dev/radare2/libr/..//libr/bin/p/bin_mach0.c:215
#3 0x7f19cc550c07 in r_bin_object_set_items /home/revskills/dev/radare2/libr/bin/bin.c:424
#4 0x7f19cc5542c1 in r_bin_object_new /home/revskills/dev/radare2/libr/bin/bin.c:944
#5 0x7f19cc554bfc in r_bin_file_object_new_from_xtr_data /home/revskills/dev/radare2/libr/bin/bin.c:1015
#6 0x7f19cc5531a3 in r_bin_files_populate_from_xtrlist /home/revskills/dev/radare2/libr/bin/bin.c:787
#7 0x7f19cc553372 in r_bin_file_xtr_load_bytes /home/revskills/dev/radare2/libr/bin/bin.c:803
#8 0x7f19cc55271c in r_bin_load_io_at_offset_as_sz /home/revskills/dev/radare2/libr/bin/bin.c:629
#9 0x7f19cc5529db in r_bin_load_io_at_offset_as /home/revskills/dev/radare2/libr/bin/bin.c:666
#10 0x7f19cc551e0e in r_bin_load_io /home/revskills/dev/radare2/libr/bin/bin.c:546
#11 0x7f19cd340c5a in r_core_file_do_load_for_io_plugin /home/revskills/dev/radare2/libr/core/file.c:344
#12 0x7f19cd341593 in r_core_bin_load /home/revskills/dev/radare2/libr/core/file.c:476
#13 0x406188 in main /home/revskills/dev/radare2/binr/radare2/radare2.c:573
#14 0x7f19c84b7fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
#15 0x4030d8 (/home/revskills/dev/radare2/binr/radare2/radare2+0x4030d8)

ASAN:SIGSEGV
==2421==AddressSanitizer

file: http://revskills.cz/r2/8c1fb4a546ad4a535f6bec6cc0e291e5
radare2 0.9.9-git 7759 @ linux-little-x86-64 git.0.9.8-1404-g5b984e8
commit: 5b984e8 build: 2015-04-29
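
A LEB128 decoder that is handed only a start pointer has no way to stop at the end of the buffer, which is the kind of READ of size 1 reported in `read_uleb128` and `read_sleb128` above. The following is an added example, not radare2's code and not the fix referenced in this issue: decoders that take an explicit `end` pointer. The names `uleb128_bounded` and `sleb128_bounded` are hypothetical and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decode one ULEB128 from [*p, end). Returns 0 and advances *p on success;
 * returns -1 (leaving *p untouched) if the buffer ends mid-value or the
 * value does not fit in 64 bits. */
int uleb128_bounded(const uint8_t **p, const uint8_t *end, uint64_t *out) {
    const uint8_t *cur = *p;
    uint64_t value = 0;
    unsigned shift = 0;
    while (cur < end) {
        uint8_t byte = *cur++;
        uint64_t chunk = byte & 0x7f;
        if (shift >= 64 || (shift == 63 && chunk > 1))
            return -1;                 /* encoding wider than 64 bits */
        value |= chunk << shift;
        shift += 7;
        if (!(byte & 0x80)) { *p = cur; *out = value; return 0; }
    }
    return -1;                         /* ran out of input before the final byte */
}

/* Signed variant: same bounds rule, then sign-extend from bit 6 of the last byte. */
int sleb128_bounded(const uint8_t **p, const uint8_t *end, int64_t *out) {
    const uint8_t *cur = *p;
    uint64_t value = 0;
    unsigned shift = 0;
    while (cur < end) {
        uint8_t byte = *cur++;
        if (shift >= 64)
            return -1;
        value |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if (!(byte & 0x80)) {
            if (shift < 64 && (byte & 0x40))
                value |= ~(uint64_t)0 << shift;
            *p = cur; *out = (int64_t)value; return 0;
        }
    }
    return -1;
}

int main(void) {
    /* Constructed input: 624485 as ULEB128, then a byte with the continuation bit set. */
    const uint8_t buf[] = {0xe5, 0x8e, 0x26, 0x80};
    const uint8_t *p = buf, *end = buf + sizeof buf;
    uint64_t v = 0;
    int first = uleb128_bounded(&p, end, &v);
    int second = uleb128_bounded(&p, end, &v);
    printf("first=%d value=%llu second=%d\n", first, (unsigned long long)v, second);
    return 0;
}
```

A caller walking an opcode stream would treat a -1 return as a malformed file and stop parsing rather than continue with a stale pointer.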

radare commented Apr 29, 2015

@alvarofe any update?

@radare radare closed this as completed in faf91d3 Apr 29, 2015

alvarofe commented May 1, 2015

On my machine it is still broken. I will work on it this weekend.

alvarofe added a commit to alvarofe/radare2 that referenced this issue May 1, 2015
alvarofe added a commit to alvarofe/radare2 that referenced this issue May 1, 2015

radare commented May 1, 2015

Awesome!

On 01 May 2015, at 12:36, Álvaro Felipe Melchor notifications@github.com wrote:

On my machine it is still broken. I will work on it this weekend.
