Heap out of bounds read in _inst__lds() #9928
Comments
fixed
On 19 Apr 2018, at 14:52, Kamil Frankowicz wrote:
Work environment
OS/arch/bits (mandatory): Ubuntu 16.04 x86/64
File format of the file you reverse (mandatory): Generic (binary file)
Architecture/bits of the file (mandatory): AVR
r2 -v full output, not truncated (mandatory): radare2 2.6.0-git 17962 @ linux-x86-64 git.2.5.0-91-g880dfca commit: 880dfca <880dfca> build: 2018-04-19__10:19:56
Expected behavior
Display disassembly of file or error message.
Actual behavior
Heap out of bounds read in ASAN build.
Steps to reproduce the behavior
Download: radare/radare2-regressions#1280 (https://github.com/radare/radare2-regressions/pull/1280)
Run r2 -A r2_hoobr__inst__lds
Additional Logs, screenshots, source-code, configuration dump, ...
ASAN log:
==8348==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000016a81 at pc 0x7f507d7fbd15 bp 0x7ffef9fe4510 sp 0x7ffef9fe4500
READ of size 1 at 0x611000016a81 thread T0
#0 0x7f507d7fbd14 in _inst__lds XYZ/radare2/libr/..//libr/anal/p/anal_avr.c:916
#1 0x7f507d7f6c05 in avr_op_analyze XYZ/radare2/libr/..//libr/anal/p/anal_avr.c:1561
#2 0x7f507d803943 in avr_op XYZ/radare2/libr/..//libr/anal/p/anal_avr.c:1639
#3 0x7f507da3a565 in r_anal_op XYZ/radare2/libr/anal/op.c:104
#4 0x7f50801f8739 in r_core_anal_search_xrefs XYZ/radare2/libr/core/canal.c:2825
#5 0x7f507ff515e3 in r_core_anal_refs XYZ/radare2/libr/core/cmd_anal.c:5944
#6 0x7f5080034032 in cmd_anal_all XYZ/radare2/libr/core/cmd_anal.c:6329
#7 0x7f5080034032 in cmd_anal XYZ/radare2/libr/core/cmd_anal.c:6673
#8 0x7f50801c36c9 in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:233
#9 0x7f50800b124f in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:2686
#10 0x7f507ff7589c in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:1733
#11 0x7f507ff77307 in r_core_cmd XYZ/radare2/libr/core/cmd.c:3368
#12 0x5643e1acb066 in main XYZ/radare2/binr/radare2/radare2.c:1286
#13 0x7f50798ad82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x5643e1acf788 in _start (/usr/local/bin/radare2+0x10788)
0x611000016a81 is located 1 bytes to the right of 256-byte region [0x611000016980,0x611000016a80)
allocated by thread T0 here:
#0 0x7f508073d602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7f50801f81c8 in r_core_anal_search_xrefs XYZ/radare2/libr/core/canal.c:2788
SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/radare2/libr/..//libr/anal/p/anal_avr.c:916 _inst__lds
==8348==ABORTING
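The report's read lands one byte past a 256-byte region while _inst__lds decodes an instruction at the end of the analysis buffer. As an added example (not radare2's code and not the committed fix), here is a C decoder for the 32-bit AVR `lds Rd, k` encoding that checks the remaining buffer length before touching the second word, so a block that ends in the middle of an instruction is reported as truncated instead of being read past; the 256-byte sample block is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded 32-bit AVR "lds Rd, k": opcode word 1001 000d dddd 0000 followed by
 * a 16-bit address word; both words are stored little-endian. */
struct avr_lds { int rd; uint16_t addr; };

/* Read the 16-bit word at off; -1 if it would cross the end of buf. */
static int read_word(const uint8_t *buf, size_t len, size_t off, uint16_t *out) {
    if (off > len || len - off < 2) return -1;
    *out = (uint16_t)(buf[off] | (buf[off + 1] << 8));
    return 0;
}

/* Decode lds at buf. Returns 4 (instruction length), 0 if the first word is
 * not an lds opcode, or -1 if the buffer is too short for the whole
 * instruction, the case hit when the opcode sits on the last bytes of a block. */
int decode_lds(const uint8_t *buf, size_t len, struct avr_lds *out) {
    uint16_t op, k;
    if (read_word(buf, len, 0, &op) < 0) return -1;
    if ((op & 0xfe0f) != 0x9000) return 0;
    /* The address word is only readable if the buffer actually contains it. */
    if (read_word(buf, len, 2, &k) < 0) return -1;
    out->rd = (op >> 4) & 0x1f;
    out->addr = k;
    return 4;
}

/* Walk a block the way an analysis loop would, never reading past len. */
int scan_block(const uint8_t *buf, size_t len) {
    int found = 0;
    for (size_t off = 0; off + 2 <= len; off += 2) {
        struct avr_lds ins;
        int n = decode_lds(buf + off, len - off, &ins);
        if (n < 0) break;                   /* truncated instruction: stop cleanly */
        if (n == 4) { found++; off += 2; }  /* skip the address word */
    }
    return found;
}

/* Constructed 256-byte sample: a complete "lds r16, 0x1234" at offset 0 and a
 * lone lds opcode word (0x9100) on the last two bytes, whose address word
 * would lie just past the region, as in the report. */
int example_scan(void) {
    uint8_t block[256] = {0x00, 0x91, 0x34, 0x12};
    block[254] = 0x00;
    block[255] = 0x91;
    return scan_block(block, sizeof block);  /* 1: the trailing one is rejected */
}
```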
Can you link to the fixing commit please?