Skip to content

a global-buffer-overflow bug was discovered in bin2fex #185

Description

@Asteriska001

Description

A global-buffer-overflow bug was discovered in function MemcmpInterceptorCommon(void*, int ()(void const, void const*, unsigned long), void const*, void const*, unsigned long)

Version

Version v1.4 (Lastest commit)

Environment

Ubuntu 18.04, 64bit

Reproduce

Command

git clone the Lastest Version firstly.
make
./bin2fex  ./poc

POC file at the bottom of this report.

ASAN Report

=================================================================
==17071==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004f4d68 at pc 0x000000433a7c bp 0x7ffc7157f5a0 sp 0x7ffc7157ed48
READ of size 9 at 0x0000004f4d68 thread T0
    #0 0x433a7b in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/sunxi-fexc+0x433a7b)
    #1 0x433e8a in bcmp (/AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/sunxi-fexc+0x433e8a)
    #2 0x4d7084 in find_full_match /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/script_fex.c:56:7
    #3 0x4d7084 in decompile_single_mode /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/script_fex.c:78:6
    #4 0x4d7084 in script_generate_fex /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/script_fex.c:102:16
    #5 0x4cb2c1 in script_generate /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/fexc.c:179:9
    #6 0x4cb2c1 in main /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/fexc.c:332:6
    #7 0x7f791fc4c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41d3ed in _start (/AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/sunxi-fexc+0x41d3ed)

0x0000004f4d68 is located 56 bytes to the left of global variable '<string literal>' defined in 'script_fex.c:69:31' (0x4f4da0) of size 9
  '<string literal>' is ascii string 'dram_tpr'
0x0000004f4d68 is located 0 bytes to the right of global variable '<string literal>' defined in 'script_fex.c:69:20' (0x4f4d60) of size 8
  '<string literal>' is ascii string 'dram_zq'
SUMMARY: AddressSanitizer: global-buffer-overflow (/AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/sunxi-fexc+0x433a7b) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
  0x000080096950: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x000080096960: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080096970: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 05 f9 f9
  0x000080096980: f9 f9 f9 f9 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
  0x000080096990: 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 00 00 00 00
=>0x0000800969a0: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00[f9]f9 f9
  0x0000800969b0: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9
  0x0000800969c0: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 00 04 f9
  0x0000800969d0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 05 f9 f9
  0x0000800969e0: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 07 f9 f9
  0x0000800969f0: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 07 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==17071==ABORTING

POC

id_000000,sig_11,src_000000,time_784,op_havoc,rep_4.zip

Any issue plz contact with me:
asteriska001@gmail.com
OR:
twitter: @Asteriska8

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions