Script causes out of bounds read (heap) in function cmd_zign #2736

hannob · 2015-06-09T12:41:36Z

This input file will cause an out of bounds heap access in the script handling of radare2:
https://crashes.fuzzing-project.org/radare2-script-oob-heap-read-cmd_zign
It just consists of two bytes ("za").

Test: radare2 -i [input] /dev/null

This was found with american fuzzy lop. Address Sanitizer Stack trace:

==16858==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000016a14 at pc 0x7f6fb69a77d0 bp 0x7fff9e0cf350 sp 0x7fff9e0cf320
READ of size 1 at 0x602000016a14 thread T0
    #0 0x7f6fb69a77cf in index (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x347cf)
    #1 0x7f6fb6271efd in cmd_zign /f/radare2/radare2/libr/core/cmd_zign.c:87
    #2 0x7f6fb633dfde in r_core_cmd_subst_i /f/radare2/radare2/libr/core/cmd.c:1589
    #3 0x7f6fb629f3f1 in r_core_cmd_subst /f/radare2/radare2/libr/core/cmd.c:1080
    #4 0x7f6fb62a039c in r_core_cmd /f/radare2/radare2/libr/core/cmd.c:1937
    #5 0x7f6fb62a31ac in r_core_cmd_lines /f/radare2/radare2/libr/core/cmd.c:1988
    #6 0x7f6fb62a342c in r_core_cmd_file /f/radare2/radare2/libr/core/cmd.c:2000
    #7 0x7f6fb62a6116 in r_core_run_script /f/radare2/radare2/libr/core/cmd.c:373
    #8 0x4055fa in main /f/radare2/radare2/binr/radare2/radare2.c:730
    #9 0x7f6fb082df9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #10 0x409fbe (/mnt/ram/radare2/radare2+0x409fbe)

0x602000016a14 is located 1 bytes to the right of 3-byte region [0x602000016a10,0x602000016a13)
allocated by thread T0 here:
    #0 0x7f6fb69ca6f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7f6fb088f789 in strdup (/lib64/libc.so.6+0x81789)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 index
Shadow bytes around the buggy address:
  0x0c047fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffad10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffad20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffad30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 01 fa
=>0x0c047fffad40: fa fa[03]fa fa fa 03 fa fa fa 03 fa fa fa fd fa
  0x0c047fffad50: fa fa fd fd fa fa 06 fa fa fa fd fa fa fa 05 fa
  0x0c047fffad60: fa fa fd fa fa fa 06 fa fa fa fd fa fa fa 03 fa
  0x0c047fffad70: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa fd fa
  0x0c047fffad80: fa fa 04 fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffad90: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==16858==ABORTING

The text was updated successfully, but these errors were encountered:

alvarofe self-assigned this Jun 9, 2015

alvarofe added the fuzzing label Jun 9, 2015

alvarofe added a commit to alvarofe/radare2 that referenced this issue Jun 14, 2015

Fix radareorg#2736

9db3cdb

alvarofe closed this as completed in 3f9b84a Jun 14, 2015

radare unassigned alvarofe Sep 18, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Script causes out of bounds read (heap) in function cmd_zign #2736

Script causes out of bounds read (heap) in function cmd_zign #2736

hannob commented Jun 9, 2015

Script causes out of bounds read (heap) in function cmd_zign #2736

Script causes out of bounds read (heap) in function cmd_zign #2736

Comments

hannob commented Jun 9, 2015