Out of bounds read caused by script in r_print_fill #2737

hannob · 2015-06-09T12:49:07Z

An invalid script can cause an out of bounds read (heap) in radare2. Input file:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-r_print_fill
(Just two bytes: "p=")

Test: radare2 -i [input] /dev/null

This was found with american fuzzy lop. Here's the address sanitizer output:

==13582==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ec0 at pc 0x7fd5f0430d28 bp 0x7fff66f9d120 sp 0x7fff66f9d110
READ of size 1 at 0x611000009ec0 thread T0
    #0 0x7fd5f0430d27 in r_print_fill /f/radare2/radare2/libr/util/print.c:1008
    #1 0x7fd5f560d08a in cmd_print /f/radare2/radare2/libr/core/cmd_print.c:1566
    #2 0x7fd5f566ffde in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1589
    #3 0x7fd5f55d13f1 in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1080
    #4 0x7fd5f55d239c in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1937
    #5 0x7fd5f55d51ac in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1988
    #6 0x7fd5f55d542c in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2000
    #7 0x7fd5f55d8116 in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #8 0x4055fa in main /f/radare2/radare2/binr/radare2/radare2.c:730
    #9 0x7fd5efb5ff9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #10 0x409fbe (/mnt/ram/radare2/radare2+0x409fbe)

0x611000009ec0 is located 0 bytes to the right of 256-byte region [0x611000009dc0,0x611000009ec0)
allocated by thread T0 here:
    #0 0x7fd5f5cfc6f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7fd5f55868e0 in r_core_init /f/radare2/radare2/libr/core/core.c:850

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/radare2/radare2/libr/util/print.c:1008 r_print_fill
Shadow bytes around the buggy address:
  0x0c227fff9380: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff93a0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c227fff93b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff93c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff93d0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c227fff93e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff93f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==13582==ABORTING

The text was updated successfully, but these errors were encountered:

alvarofe · 2015-06-09T13:39:48Z

Thanks for reporting :)

alvarofe self-assigned this Jun 9, 2015

alvarofe added the fuzzing label Jun 9, 2015

alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 14, 2015

Fix radareorg#2737

343d8cc

alvarofe closed this as completed in e58c46c Jun 14, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Out of bounds read caused by script in r_print_fill #2737

Out of bounds read caused by script in r_print_fill #2737

hannob commented Jun 9, 2015

alvarofe commented Jun 9, 2015

Out of bounds read caused by script in r_print_fill #2737

Out of bounds read caused by script in r_print_fill #2737

Comments

hannob commented Jun 9, 2015

alvarofe commented Jun 9, 2015