Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nullptr write in bin_dyldcache.c #2959

Closed
m4drat opened this issue Aug 22, 2022 · 2 comments · Fixed by #2977
Closed

nullptr write in bin_dyldcache.c #2959

m4drat opened this issue Aug 22, 2022 · 2 comments · Fixed by #2977
Milestone
0.4.1

Comments

@m4drat
Copy link

m4drat commented Aug 22, 2022

Hi! We've been fuzzing your project and found the following error in librz/bin/p/bin_dyldcache.c

Work environment

OS: Ubuntu 20.04
File format: -
rizin version: 4b38597

Bug description

Nullptr write in librz/bin/p/bin_dyldcache.c:50:14

Steps to reproduce

  1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/rizin: sudo docker build -t oss-sydr-fuzz-rizin .

  2. Run docker container: sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-rizin /bin/bash

  3. Execute rizin with crashing input (we sent all crashing inputs to you by email):
    /rizin-fuzzing/libfuzzer-asan/bin/rizin -qq crash-bd01541ca2960a0824fd15dd4f82b752

  4. You will see the following output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2484481==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000300 (pc 0x000000b0e994 bp 0x7fffbbcd4670 sp 0x7fffbbcd4580 T0)
==2484481==The signal is caused by a WRITE memory access.
==2484481==Hint: address points to the zero page.
    #0 0xb0e994 in bin_to_mach0 /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/p/bin_dyldcache.c:50:14
    #1 0xb0e371 in symbols_from_bin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/p/bin_dyldcache.c:134:32
    #2 0xb0f908 in symbols /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/p/bin_dyldcache.c:343:3
    #3 0xae7bf4 in rz_bin_object_set_items /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:455:16
    #4 0xae706b in rz_bin_object_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:319:2
    #5 0xad7d31 in rz_bin_file_new_from_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bfile.c:150:19
    #6 0xadf3c7 in rz_bin_open_buf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:272:8
    #7 0xadec27 in rz_bin_open_io /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:330:18
    #8 0x1003353 in core_file_do_load_for_io_plugin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:727:23
    #9 0x1003353 in rz_core_bin_load /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:974:4
    #10 0x5b9af8 in rz_main_rizin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/main/rizin.c:1119:14
    #11 0x7f27f4e00082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41da3d in _start (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x41da3d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/p/bin_dyldcache.c:50:14 in bin_to_mach0
==2484481==ABORTING
@wargio
Copy link
Member

wargio commented Aug 22, 2022

attach the bin here so we can reproduce this.

@XVilka XVilka added the CVE label Aug 22, 2022
@m4drat
Copy link
Author

m4drat commented Aug 22, 2022

Crashing input: crash-bd01541ca2960a0824fd15dd4f82b752.zip

@XVilka XVilka added this to the 0.4.1 milestone Aug 22, 2022
wargio added a commit that referenced this issue Aug 22, 2022
@wargio
fix #2959 - oob write in bin_dyldcache.c
cd08a8a
This was referenced Aug 22, 2022
Closed
Merged
@ret2libc ret2libc removed the CVE label Aug 23, 2022
wargio added a commit that referenced this issue Aug 23, 2022
@wargio
fix #2959 - oob write in bin_dyldcache.c
8952d10
@XVilka XVilka closed this as completed in 72f1e4a Aug 24, 2022
XVilka pushed a commit that referenced this issue Aug 24, 2022
@wargio @XVilka
fix #2959 - oob write in bin_dyldcache.c
8003db7
XVilka pushed a commit that referenced this issue Aug 24, 2022
@wargio @XVilka
fix #2959 - oob write in bin_dyldcache.c
b6d09a0
imbillow pushed a commit that referenced this issue Aug 24, 2022
@wargio @imbillow
fix #2959 - oob write in bin_dyldcache.c
ab0f439
XVilka pushed a commit that referenced this issue Aug 30, 2022
@wargio @XVilka
fix #2959 - oob write in bin_dyldcache.c
48f7fdf
XVilka pushed a commit that referenced this issue Aug 30, 2022
@wargio @XVilka
fix #2959 - oob write in bin_dyldcache.c
5a22745
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.4.1
Development

Successfully merging a pull request may close this issue.

Fix multiple vulnerabilities rizinorg/rizin
Fix multiple vulns rizinorg/rizin
4 participants
@XVilka @wargio @ret2libc @m4drat