Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap out-of-bounds read in pe_section.c #2957

Closed
m4drat opened this issue Aug 22, 2022 · 2 comments · Fixed by #2977
Closed

Heap out-of-bounds read in pe_section.c #2957

m4drat opened this issue Aug 22, 2022 · 2 comments · Fixed by #2977
Milestone
0.4.1

Comments

@m4drat
Copy link

m4drat commented Aug 22, 2022

Hi! We've been fuzzing your project and found the following error in librz/bin/format/pe/pe_section.c

Work environment

OS: Ubuntu 20.04
File format: -
rizin version: 4b38597

Bug description

Heap out-of-bounds read of size 40 in librz/bin/format/pe/pe_section.c:273:14

Steps to reproduce

  1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/rizin: sudo docker build -t oss-sydr-fuzz-rizin .

  2. Run docker container: sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-rizin /bin/bash

  3. Execute rizin with crashing input (we sent all crashing inputs to you by email):
    /rizin-fuzzing/libfuzzer-asan/bin/rizin -qq crash-2f2e90b8bff13dd49cbc2ead0d32f9aa4cc3a817

  4. You will see the following output:

=================================================================
==2481265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100012da30 at pc 0x00000044d8d7 bp 0x7ffe81dd3e90 sp 0x7ffe81dd3648
READ of size 40 at 0x61100012da30 thread T0
    #0 0x44d8d6 in StrtolFixAndCheck(void*, char const*, char**, char*, int) (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x44d8d6)
    #1 0x484db2 in strtol (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x484db2)
    #2 0xd06263 in atoi /usr/include/stdlib.h:363:16
    #3 0xd06263 in Pe64_rz_bin_pe_get_sections /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/pe/pe_section.c:273:14
    #4 0xcb1419 in bin_pe_init /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/pe/pe.c:62:18
    #5 0xcb1419 in Pe64_rz_bin_pe_new_buf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/pe/pe.c:126:7
    #6 0xb5a485 in load_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/p/bin_pe.inc:25:37
    #7 0xae7004 in rz_bin_object_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:300:8
    #8 0xad7d31 in rz_bin_file_new_from_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bfile.c:150:19
    #9 0xadf3c7 in rz_bin_open_buf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:272:8
    #10 0xadec27 in rz_bin_open_io /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:330:18
    #11 0x1003353 in core_file_do_load_for_io_plugin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:727:23
    #12 0x1003353 in rz_core_bin_load /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:974:4
    #13 0x5b9af8 in rz_main_rizin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/main/rizin.c:1119:14
    #14 0x7f9199e6e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x41da3d in _start (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x41da3d)

0x61100012da30 is located 0 bytes to the right of 240-byte region [0x61100012d940,0x61100012da30)
allocated by thread T0 here:
    #0 0x498c9d in malloc (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498c9d)
    #1 0xd06e9d in Pe64_bin_pe_init_sections /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/pe/pe_section.c:346:30

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x44d8d6) in StrtolFixAndCheck(void*, char const*, char**, char*, int)
Shadow bytes around the buggy address:
  0x0c228001daf0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001db00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228001db10: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c228001db20: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c228001db30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c228001db40: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c228001db50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001db60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001db70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001db80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228001db90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2481265==ABORTING
@wargio
Copy link
Member

wargio commented Aug 22, 2022

attach the bin here so we can reproduce this.

@m4drat
Copy link
Author

m4drat commented Aug 22, 2022

Crashing input: crash-2f2e90b8bff13dd49cbc2ead0d32f9aa4cc3a817.zip

wargio added a commit that referenced this issue Aug 22, 2022
@wargio
fix #2957 - oob read in pe_section.c
3fd45eb
This was referenced Aug 22, 2022
Closed
Merged
wargio added a commit that referenced this issue Aug 23, 2022
@wargio
fix #2957 - oob read in pe_section.c
4d95f47
imbillow pushed a commit that referenced this issue Aug 24, 2022
@wargio @imbillow
fix #2957 - oob read in pe_section.c
6756174
wargio added a commit that referenced this issue Sep 4, 2022
@wargio
fix #2957 - oob read in pe_section.c
4f85d88
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.4.1
Development

Successfully merging a pull request may close this issue.

Fix multiple vulnerabilities rizinorg/rizin
Fix multiple vulns rizinorg/rizin
3 participants
@XVilka @wargio @m4drat