Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AddressSanitizer: heap-buffer-overflow on address 0x60200002b9b8 #6909

Closed
mtowalski opened this issue Mar 5, 2017 · 1 comment
Closed

AddressSanitizer: heap-buffer-overflow on address 0x60200002b9b8 #6909

mtowalski opened this issue Mar 5, 2017 · 1 comment
Labels
fuzzing

Comments

@mtowalski
Copy link

mtowalski commented Mar 5, 2017
edited
Loading

Repro file available here :
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/heap-buffer-overflow-fc3-220-6d2-poc
Similar:
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/heap-buffer-overflow-fc3-183-0a6-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/heap-buffer-overflow-fc3-0b5-0a6-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/SEGV-d8f-f76-98a-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/SEGV-d26-f76-98a-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/SEGV-b7b-c17-f10-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/SEGV-989-98a-f0e-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/SEGV-8f6-98a-f0e-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/SEGV-a94-0b5-0a6-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/SEGV-a94-220-6d2-poc

OS: Ubuntu 16.04.1 LTS x64
r2_version : master

CMD : radare2 -Acq i [FILE]

ASAN log:

==68886==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200002b9b8 at pc 0x7eff65d49729 bp 0x7ffd7310c550 sp 0x7ffd7310c548
READ of size 8 at 0x60200002b9b8 thread T0
    #0 0x7eff65d49728 in r_x509_parse_name /home/test/tmp/radare2/libr/util/r_x509.c:118
    #1 0x7eff65d42a32 in r_pkcs7_parse_issuerandserialnumber /home/test/tmp/radare2/libr/util/r_pkcs7.c:143
    #2 0x7eff65d42da8 in r_pkcs7_parse_signerinfo /home/test/tmp/radare2/libr/util/r_pkcs7.c:174
    #3 0x7eff65d44103 in r_pkcs7_parse_signerinfos /home/test/tmp/radare2/libr/util/r_pkcs7.c:227
    #4 0x7eff65d44b1b in r_pkcs7_parse_signeddata /home/test/tmp/radare2/libr/util/r_pkcs7.c:272
    #5 0x7eff65d44fea in r_pkcs7_parse_cms /home/test/tmp/radare2/libr/util/r_pkcs7.c:303
    #6 0x7eff6ad53b02 in bin_pe_get_certificate /home/test/tmp/radare2/libr/..//libr/bin/p/../format/pe/pe.c:1922
    #7 0x7eff6ad469bc in bin_pe_init /home/test/tmp/radare2/libr/..//libr/bin/p/../format/pe/pe.c:1962
    #8 0x7eff6ad46d79 in Pe32_r_bin_pe_new_buf /home/test/tmp/radare2/libr/..//libr/bin/p/../format/pe/pe.c:2979
    #9 0x7eff6ad2885e in load_bytes /home/test/tmp/radare2/libr/..//libr/bin/p/bin_pe.c:32
    #10 0x7eff6ab89f82 in r_bin_object_new /home/test/tmp/radare2/libr/bin/bin.c:1203
    #11 0x7eff6ab8845d in r_bin_file_new_from_bytes /home/test/tmp/radare2/libr/bin/bin.c:1428
    #12 0x7eff6ab879fa in r_bin_load_io_at_offset_as_sz /home/test/tmp/radare2/libr/bin/bin.c:974
    #13 0x7eff6ab84da7 in r_bin_load_io_at_offset_as /home/test/tmp/radare2/libr/bin/bin.c:988
    #14 0x7eff6ab84b51 in r_bin_load_io /home/test/tmp/radare2/libr/bin/bin.c:831
    #15 0x7eff6bd86c0b in r_core_file_do_load_for_io_plugin /home/test/tmp/radare2/libr/core/file.c:429
    #16 0x7eff6bd83e07 in r_core_bin_load /home/test/tmp/radare2/libr/core/file.c:552
    #17 0x560cc8d3c408 in main /home/test/tmp/radare2/binr/radare2/radare2.c:898
    #18 0x7eff64cb982f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x560cc8c67f38 in _start ??:?

0x60200002b9b8 is located 0 bytes to the right of 8-byte region [0x60200002b9b0,0x60200002b9b8)
allocated by thread T0 here:
    #0 0x560cc8d08220 in calloc ??:?
    #1 0x7eff65d54598 in r_asn1_create_object /home/test/tmp/radare2/libr/util/r_asn1.c:416
    #2 0x7eff65d54716 in r_asn1_create_object /home/test/tmp/radare2/libr/util/r_asn1.c:423
    #3 0x7eff65d54716 in r_asn1_create_object /home/test/tmp/radare2/libr/util/r_asn1.c:423
    #4 0x7eff65d54716 in r_asn1_create_object /home/test/tmp/radare2/libr/util/r_asn1.c:423
    #5 0x7eff65d54716 in r_asn1_create_object /home/test/tmp/radare2/libr/util/r_asn1.c:423
    #6 0x7eff65d54716 in r_asn1_create_object /home/test/tmp/radare2/libr/util/r_asn1.c:423
    #7 0x7eff65d54716 in r_asn1_create_object /home/test/tmp/radare2/libr/util/r_asn1.c:423
    #8 0x7eff65d54716 in r_asn1_create_object /home/test/tmp/radare2/libr/util/r_asn1.c:423
    #9 0x7eff65d54716 in r_asn1_create_object /home/test/tmp/radare2/libr/util/r_asn1.c:423
    #10 0x7eff65d44c20 in r_pkcs7_parse_cms /home/test/tmp/radare2/libr/util/r_pkcs7.c:297
    #11 0x7eff6ad53b02 in bin_pe_get_certificate /home/test/tmp/radare2/libr/..//libr/bin/p/../format/pe/pe.c:1922
    #12 0x7eff6ad469bc in bin_pe_init /home/test/tmp/radare2/libr/..//libr/bin/p/../format/pe/pe.c:1962
    #13 0x7eff6ad46d79 in Pe32_r_bin_pe_new_buf /home/test/tmp/radare2/libr/..//libr/bin/p/../format/pe/pe.c:2979
    #14 0x7eff6ad2885e in load_bytes /home/test/tmp/radare2/libr/..//libr/bin/p/bin_pe.c:32
    #15 0x7eff6ab89f82 in r_bin_object_new /home/test/tmp/radare2/libr/bin/bin.c:1203
    #16 0x7eff6ab8845d in r_bin_file_new_from_bytes /home/test/tmp/radare2/libr/bin/bin.c:1428
    #17 0x7eff6ab879fa in r_bin_load_io_at_offset_as_sz /home/test/tmp/radare2/libr/bin/bin.c:974
    #18 0x7eff6ab84da7 in r_bin_load_io_at_offset_as /home/test/tmp/radare2/libr/bin/bin.c:988
    #19 0x7eff6ab84b51 in r_bin_load_io /home/test/tmp/radare2/libr/bin/bin.c:831
    #20 0x7eff6bd86c0b in r_core_file_do_load_for_io_plugin /home/test/tmp/radare2/libr/core/file.c:429
    #21 0x7eff6bd83e07 in r_core_bin_load /home/test/tmp/radare2/libr/core/file.c:552
    #22 0x560cc8d3c408 in main /home/test/tmp/radare2/binr/radare2/radare2.c:898
    #23 0x7eff64cb982f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow (//home/test/tmp/radare2/libr/util/libr_util.so+0x1a0728)
Shadow bytes around the buggy address:
  0x0c047fffd6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffd6f0: fa fa 00 03 fa fa 03 fa fa fa 00 fa fa fa 00 05
  0x0c047fffd700: fa fa 00 03 fa fa 03 fa fa fa 00 03 fa fa 03 fa
  0x0c047fffd710: fa fa 03 fa fa fa 00 fa fa fa 00 00 fa fa 00 fa
  0x0c047fffd720: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 00
=>0x0c047fffd730: fa fa 00 00 fa fa 00[fa]fa fa 00 fa fa fa 00 00
  0x0c047fffd740: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 00
  0x0c047fffd750: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa 00 00
  0x0c047fffd760: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fffd770: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 00
  0x0c047fffd780: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==68886==ABORTING`
@Maijin Maijin added the fuzzing label Mar 5, 2017
@alvarofe
Copy link
Contributor

alvarofe commented Mar 5, 2017

@wargio more

@wargio wargio mentioned this issue Mar 6, 2017
Merged
@Maijin Maijin closed this as completed Mar 8, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fuzzing
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Maijin @alvarofe @mtowalski