Heap Buffer Overflow in memmove in librz/util/buf_bytes.c #2936

Closed
kobrineli opened this issue Aug 19, 2022 · 0 comments · Fixed by #2940


Hi! We've been fuzzing your project and found the following error in librz/util/buf_bytes.c.

Work environment

OS: Ubuntu 20.04
File format: ELF
rizin version: d4134cb

Bug description

In librz/util/buf_bytes.c at https://github.com/rizinorg/rizin/blob/dev/librz/util/buf_bytes.c#L79 the memmove function is called with its last argument equal to 4354, which leads to a heap-buffer-overflow read.

Steps to reproduce

Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/rizin:

$ sudo docker build -t oss-sydr-fuzz-rizin .

Run docker container:

$ sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-rizin /bin/bash

Run sanitizer built target on input (we sent it to you by email):

$ /rizin-fuzzing/libfuzzer-asan/bin/rz-fuzz crash-sydr_319149ac751d0455177da9fa75bb10a9638d1bcf_int_overflow_5_signed

You will see the following output:

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3751510515
INFO: Loaded 1 modules   (903975 inline 8-bit counters): 903975 [0x4bb1fb0, 0x4c8ead7),
INFO: Loaded 1 PC tables (903975 PCs): 903975 [0x4c8ead8,0x5a59d48),
/rizin-fuzzing/libfuzzer-asan/bin/rz-fuzz: Running 1 inputs 1 time(s) each.
Running: /fuzz/sydr-fuzz-out/casr/cl4/crash-sydr_319149ac751d0455177da9fa75bb10a9638d1bcf_int_overflow_5_signed
=================================================================
==36==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001ad7d1 at pc 0x0000004d6012 bp 0x7ffda4aa2640 sp 0x7ffda4aa1e08
WRITE of size 4354 at 0x6020001ad7d1 thread T0
    #0 0x4d6011 in __asan_memmove /llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30:3
    #1 0x51df37 in buf_bytes_read /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/util/buf_bytes.c:79:2
    #2 0x51436b in buf_read /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/util/buf.c:61:28
    #3 0x51436b in rz_buf_read /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/util/buf.c:1114:16
    #4 0x510b0e in rz_buf_read_at /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/util/buf.c:1148:16
    #5 0x9141fc in load_buffer /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/bin/p/bin_symbols.c:284:7
    #6 0x798079 in rz_bin_object_new /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/bin/bobj.c:300:8
    #7 0xccf364 in rz_bin_file_new_from_buffer /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/bin/bfile.c:150:19
    #8 0x77e9df in rz_bin_open_buf /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/bin/bin.c:272:8
    #9 0x50cf95 in LLVMFuzzerTestOneInput /rizin-fuzzing/rizin/build-libfuzzer-asan/../binrz/rz-fuzz/rz-fuzz-libfuzzer.c:38:18
    #10 0x43c751 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #11 0x42666c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #12 0x42c3bb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #13 0x455952 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7f709cbd6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x420f8d in _start (/rizin-fuzzing/libfuzzer-asan/bin/rz-fuzz+0x420f8d)

0x6020001ad7d1 is located 0 bytes to the right of 1-byte region [0x6020001ad7d0,0x6020001ad7d1)
allocated by thread T0 here:
    #0 0x4d68d2 in __interceptor_calloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:138:3
    #1 0x9141a4 in load_buffer /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/bin/p/bin_symbols.c:280:15
    #2 0x798079 in rz_bin_object_new /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/bin/bobj.c:300:8
    #3 0xccf364 in rz_bin_file_new_from_buffer /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/bin/bfile.c:150:19
    #4 0x77e9df in rz_bin_open_buf /rizin-fuzzing/rizin/build-libfuzzer-asan/../librz/bin/bin.c:272:8
    #5 0x50cf95 in LLVMFuzzerTestOneInput /rizin-fuzzing/rizin/build-libfuzzer-asan/../binrz/rz-fuzz/rz-fuzz-libfuzzer.c:38:18
    #6 0x43c751 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x42666c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x42c3bb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #9 0x455952 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0x7f709cbd6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30:3 in __asan_memmove
Shadow bytes around the buggy address:
  0x0c048002daa0: fa fa 03 fa fa fa 04 fa fa fa 03 fa fa fa 04 fa
  0x0c048002dab0: fa fa 04 fa fa fa 04 fa fa fa 03 fa fa fa 04 fa
  0x0c048002dac0: fa fa 03 fa fa fa 04 fa fa fa 03 fa fa fa 04 fa
  0x0c048002dad0: fa fa 05 fa fa fa 04 fa fa fa 04 fa fa fa 03 fa
  0x0c048002dae0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 00 fa
=>0x0c048002daf0: fa fa 00 fa fa fa 00 03 fa fa[01]fa fa fa fa fa
  0x0c048002db00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002db10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002db20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002db30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002db40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==36==ABORTING
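The pattern behind this report, as an added example that is not rizin's code: a read helper that bounds the copy by the destination's capacity as well as by the bytes remaining in the source, and a toy loader that validates a file-declared length against the bytes actually present before sizing its allocation. The ByteBuf type, the two-byte header format and the sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a byte-backed buffer (not rizin's RzBuffer). */
typedef struct {
    const uint8_t *bytes;
    size_t length;
} ByteBuf;

/* Bounded read: copies from src at addr into dst, never more than the bytes
 * left in the source, the caller's request, or the destination capacity.
 * Returns bytes copied, or (size_t)-1 when addr lies past the end. */
size_t buf_read_at_bounded(const ByteBuf *src, size_t addr,
                           uint8_t *dst, size_t dst_cap, size_t len) {
    if (addr > src->length) {
        return (size_t)-1;
    }
    size_t n = len;
    if (n > src->length - addr) n = src->length - addr;
    if (n > dst_cap) n = dst_cap; /* the bound the reported memmove lacked */
    memmove(dst, src->bytes + addr, n);
    return n;
}

/* Toy loader: bytes 0-1 declare the payload length (little-endian), payload
 * follows. The allocation is sized from that field, so a declared length
 * larger than the bytes actually present is rejected before any copy.
 * Returns the payload length, or 0 for a malformed file. Caller frees *out. */
size_t load_payload(const ByteBuf *file, uint8_t **out) {
    *out = NULL;
    if (file->length < 2) return 0;
    size_t declared = (size_t)file->bytes[0] | ((size_t)file->bytes[1] << 8);
    if (declared == 0 || declared > file->length - 2) return 0; /* header lies */
    uint8_t *buf = calloc(declared, 1);
    if (!buf) return 0;
    if (buf_read_at_bounded(file, 2, buf, declared, declared) != declared) {
        free(buf);
        return 0;
    }
    *out = buf;
    return declared;
}

/* Constructed samples: a well-formed file, and one whose header declares
 * 0x1102 = 4354 bytes (the size in the report) while only one byte follows. */
const uint8_t sample_ok[] = {0x03, 0x00, 'a', 'b', 'c'};
const uint8_t sample_bad[] = {0x02, 0x11, 'a'};
```

With a 1-byte destination and a 4354-byte request, the bounded read copies exactly one byte instead of running past the allocation.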
wargio mentioned this issue Aug 19, 2022