buffer overflow in dex_parse

[tianxiaogu]

Our fuzzing tool has found several over-flow in dex_fuzzer.

ASAN output.

./dex_fuzzer_out/crashes/id:000021,sig:06,src:000000+000105,op:splice,rep:64
INFO: Seed: 3969459256
INFO: Loaded 1 modules   (7156 inline 8-bit counters): 7156 [0x939430, 0x93b024), 
INFO: Loaded 1 PC tables (7156 PCs): 7156 [0x6c4028,0x6dff68), 
dex_fuzzer: Running 1 inputs 1 time(s) each.
Running: ./dex_fuzzer_out/crashes/id:000021,sig:06,src:000000+000105,op:splice,rep:64
=================================================================
==555==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00001291e at pc 0x000000585eb6 bp 0x7ffdafc28ab0 sp 0x7ffdafc28aa8
READ of size 2 at 0x62d00001291e thread T0
SCARINESS: 14 (2-byte-read-heap-buffer-overflow)
    #0 0x585eb5 in dex_parse /src/yara/libyara/modules/dex.c:876:7
    #1 0x586590 in dex__load /src/yara/libyara/modules/dex.c:1150:7
    #2 0x5429e8 in yr_modules_load /src/yara/libyara/modules.c:175:16
    #3 0x5a40f2 in yr_execute_code /src/yara/libyara/exec.c:951:18
    #4 0x54c95e in yr_scanner_scan_mem_blocks /src/yara/libyara/scanner.c:435:3
    #5 0x549233 in yr_rules_scan_mem_blocks /src/yara/libyara/rules.c:205:12
    #6 0x549492 in yr_rules_scan_mem /src/yara/libyara/rules.c:255:10
    #7 0x532188 in LLVMFuzzerTestOneInput /src/yara/tests/oss-fuzz/dex_fuzzer.cc:40:3
    #8 0x604878 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
    #9 0x5dad4a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
    #10 0x5e65c3 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
    #11 0x5da3cc in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #12 0x7fdd6ab6f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41ed78 in _start (/out/dex_fuzzer+0x41ed78)

0x62d00001291e is located 0 bytes to the right of 34078-byte region [0x62d00000a400,0x62d00001291e)
allocated by thread T0 here:
    #0 0x52dc88 in operator new[](unsigned long) /src/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:109
    #1 0x604627 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:557:23
    #2 0x5dad4a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
    #3 0x5e65c3 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
    #4 0x5da3cc in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #5 0x7fdd6ab6f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/yara/libyara/modules/dex.c:876:7 in dex_parse
Shadow bytes around the buggy address:
  0x0c5a7fffa4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffa4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffa4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffa500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffa510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5a7fffa520: 00 00 00[06]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffa570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==555==ABORTING

These crashes were found by our customized AFL but the crashes can also be reproduced on fuzzers built based on libfuzzer. To reproduce these crashes, the simplest way is to build the corresponding docker image in https://github.com/google/oss-fuzz and using the following script.

#! /bin/bash

for C in $(find ./dex_fuzzer_out/crashes/ -name "id*")
do
    echo $C
    dex_fuzzer $C
done

dex_fuzzer-crashes.zip

We have encountered the following message of ASAN on some input. So take care in case that there is some bug of ASAN.

AddressSanitizer can not provide additional info.

[wxsBSD]

I can not reproduce this crash anymore, but I do get an assert() call failing on /Users/wxs/Desktop/dex_fuzzer_out/crashes/id:000033,sig:06,src:000001+000002,op:splice,rep:8 from your provided test cases. This is because on https://github.com/VirusTotal/yara/blob/master/libyara/modules/dex/dex.c#L666 the value of shorty_idx is -1 and when attempting to use that later on in https://github.com/VirusTotal/yara/blob/master/libyara/object.c#L497 causes the assert() to fail. I'll put up a PR soon which fixes this problem, so the module will at least continue to process things.

All of your provided test cases are now passing fine (the only issue I was able to find was the assert).