Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple heap out-of-bounds reads in dwarf.c #2973

Closed
m4drat opened this issue Aug 22, 2022 · 0 comments · Fixed by #2977
Closed

Multiple heap out-of-bounds reads in dwarf.c #2973

m4drat opened this issue Aug 22, 2022 · 0 comments · Fixed by #2977
Milestone
0.4.1

Comments

@m4drat
Copy link

m4drat commented Aug 22, 2022

Hi! We've been fuzzing your project and found the following errors in librz/bin/dwarf.c

Work environment

OS: Ubuntu 20.04
File format: -
rizin version: 4b38597

Bug description

  1. Heap out-of-bounds read of size 1 in dwarf.c:1429:21, Crash file: crash-af0f9161650d483f35c336f39cefe7f1a15fa707.zip

  2. Heap out-of-bounds read of size 1 in dwarf.c:1492:22, Crash file: crash-c85e499c5b2d9000200e7e24709bbc52d6e2558a.zip

  3. Heap out-of-bounds read of size 1 in dwarf.c:1538:28, Crash file: crash-aad532103fc79a73d5b694cfb167bfcb.zip

Steps to reproduce

  1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/rizin: sudo docker build -t oss-sydr-fuzz-rizin .

  2. Run docker container: sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-rizin /bin/bash

  3. Execute rizin with crashing input: /rizin-fuzzing/libfuzzer-asan/bin/rizin -qq crash-af0f9161650d483f35c336f39cefe7f1a15fa707

  4. You will see the following output:

    WARNING: bin_file_strings: search interval size (0x2000004000) exeeds bin.maxstrbuf (0xa00000), skipping it.
WARNING: bin_file_strings: search interval size (0x2000004000) exeeds bin.maxstrbuf (0xa00000), skipping it.
=================================================================
==2553219==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700000d1f0 at pc 0x0000013f2713 bp 0x7ffd53dc02b0 sp 0x7ffd53dc02a8
READ of size 1 at 0x61700000d1f0 thread T0
    #0 0x13f2712 in fill_block_data /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/dwarf.c:1429:21
    #1 0x13f2712 in parse_attr_value /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/dwarf.c:1545:9
    #2 0x13f2712 in parse_die /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/dwarf.c:1731:10
    #3 0x13f2712 in parse_comp_unit /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/dwarf.c:1822:9
    #4 0x13f2712 in parse_info_raw /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/dwarf.c:1955:9
    #5 0x13f2712 in rz_bin_dwarf_parse_info /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/dwarf.c:2087:9
    #6 0xfc7221 in rz_core_bin_apply_dwarf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cbin.c:662:35
    #7 0xfc6039 in rz_core_bin_apply_info /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cbin.c:281:3
    #8 0xfcc48d in rz_core_bin_apply_all_info /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cbin.c:334:2
    #9 0x10033b0 in core_file_do_load_for_io_plugin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:735:6
    #10 0x10033b0 in rz_core_bin_load /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:974:4
    #11 0x5b9af8 in rz_main_rizin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/main/rizin.c:1119:14
    #12 0x7f966112a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x41da3d in _start (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x41da3d)

0x61700000d1f0 is located 0 bytes to the right of 752-byte region [0x61700000cf00,0x61700000d1f0)
allocated by thread T0 here:
    #0 0x498e12 in calloc (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498e12)
    #1 0x13e9874 in get_section_bytes /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/dwarf.c:2063:13
    #2 0x13e9874 in rz_bin_dwarf_parse_info /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/dwarf.c:2083:13
    #3 0xfc7221 in rz_core_bin_apply_dwarf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cbin.c:662:35
    #4 0xfc6039 in rz_core_bin_apply_info /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cbin.c:281:3

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/dwarf.c:1429:21 in fill_block_data
Shadow bytes around the buggy address:
0x0c2e7fff99e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff9a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff9a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff9a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff9a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
0x0c2e7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:           00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone:       fa
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb
Shadow gap:              cc
==2553219==ABORTING

  5. The remaining crashes are similar
wargio added a commit that referenced this issue Aug 22, 2022
@wargio
fix #2958 #2960 #2973 - oob read in dwarf.c
8910847
This was referenced Aug 22, 2022
Closed
Merged
wargio added a commit that referenced this issue Aug 23, 2022
@wargio
fix #2958 #2960 #2973 - oob read in dwarf.c
3a14c99
imbillow pushed a commit that referenced this issue Aug 24, 2022
@wargio @imbillow
fix #2958 #2960 #2973 - oob read in dwarf.c
1e6730c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.4.1
Development

Successfully merging a pull request may close this issue.

Fix multiple vulnerabilities rizinorg/rizin
Fix multiple vulns rizinorg/rizin
2 participants
@XVilka @m4drat