Description
A global-buffer-overflow bug was discovered in the function MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Version
v1.4 (latest commit)
Environment
Ubuntu 18.04, 64bit
Reproduce
Command
git clone the latest version first.
make
./bin2fex ./poc
The POC file is at the bottom of this report.
ASAN Report
=================================================================
==17071==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004f4d68 at pc 0x000000433a7c bp 0x7ffc7157f5a0 sp 0x7ffc7157ed48
READ of size 9 at 0x0000004f4d68 thread T0
#0 0x433a7b in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/sunxi-fexc+0x433a7b)
#1 0x433e8a in bcmp (/AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/sunxi-fexc+0x433e8a)
#2 0x4d7084 in find_full_match /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/script_fex.c:56:7
#3 0x4d7084 in decompile_single_mode /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/script_fex.c:78:6
#4 0x4d7084 in script_generate_fex /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/script_fex.c:102:16
#5 0x4cb2c1 in script_generate /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/fexc.c:179:9
#6 0x4cb2c1 in main /AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/fexc.c:332:6
#7 0x7f791fc4c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x41d3ed in _start (/AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/sunxi-fexc+0x41d3ed)
0x0000004f4d68 is located 56 bytes to the left of global variable '<string literal>' defined in 'script_fex.c:69:31' (0x4f4da0) of size 9
'<string literal>' is ascii string 'dram_tpr'
0x0000004f4d68 is located 0 bytes to the right of global variable '<string literal>' defined in 'script_fex.c:69:20' (0x4f4d60) of size 8
'<string literal>' is ascii string 'dram_zq'
SUMMARY: AddressSanitizer: global-buffer-overflow (/AFLplusplus/my_test/sunxi-tools-master/valid/sunxi-tools-master/sunxi-fexc+0x433a7b) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
0x000080096950: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
0x000080096960: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080096970: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 05 f9 f9
0x000080096980: f9 f9 f9 f9 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
0x000080096990: 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 00 00 00 00
=>0x0000800969a0: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00[f9]f9 f9
0x0000800969b0: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9
0x0000800969c0: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 00 04 f9
0x0000800969d0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 05 f9 f9
0x0000800969e0: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 07 f9 f9
0x0000800969f0: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 07 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==17071==ABORTING
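The report above says a memcmp (via the bcmp interceptor) of 9 bytes reached past the 8-byte literal 'dram_zq' while the 9-byte literal 'dram_tpr' next to it was fine. The following is an added, constructed illustration of that pattern and of a bounded replacement; it is not sunxi-tools code, and the table mode_names and the functions match_unbounded, overread_entries and match_bounded are hypothetical. The two literals are borrowed from the ASan output so the sizes line up with the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed lookup table for illustration (not the sunxi-tools table).
 * "dram_zq" occupies 8 bytes with its NUL, "dram_tpr" 9, as in the ASan report. */
static const char *const mode_names[] = { "dram_zq", "dram_tpr", NULL };

/* Unsafe pattern: one caller-derived length applied to every entry.
 * memcmp is specified over len bytes of both objects, so when an entry
 * is shorter than len the call reads past the literal (undefined
 * behaviour; ASan reports it as a global-buffer-overflow). Kept only to
 * show the shape of the bug; it is never exercised with an over-long len. */
int match_unbounded(const char *name, size_t len)
{
    for (const char *const *p = mode_names; *p; p++)
        if (memcmp(name, *p, len) == 0)
            return 1;
    return 0;
}

/* Count the entries an unbounded memcmp of 'len' bytes would over-read:
 * every entry whose storage (strlen + NUL) is smaller than len. With
 * len = 9 this flags "dram_zq" and not "dram_tpr", matching the report. */
size_t overread_entries(size_t len)
{
    size_t n = 0;
    for (const char *const *p = mode_names; *p; p++)
        if (strlen(*p) + 1 < len)
            n++;
    return n;
}

/* Bounded pattern: compare exactly the entry's own length and require the
 * input to have the same length, so no byte past either string is touched
 * and a prefix such as "dram_z" cannot match "dram_zq". */
int match_bounded(const char *name, size_t name_len)
{
    for (const char *const *p = mode_names; *p; p++) {
        size_t entry_len = strlen(*p);
        if (entry_len == name_len && memcmp(name, *p, entry_len) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *input = "dram_zqX";     /* constructed 8-character name */
    size_t len = strlen(input) + 1;     /* 9: the NUL-inclusive length the report shows */

    printf("entries over-read by memcmp(len=%zu): %zu\n", len, overread_entries(len));
    printf("bounded match for \"%s\": %d\n", input, match_bounded(input, strlen(input)));
    printf("bounded match for \"dram_zq\": %d\n", match_bounded("dram_zq", 7));
    return 0;
}
```

overread_entries is the check to run against a real table when triaging a report like this one: any entry shorter than the comparison length confirms the over-read without needing ASan. The bounded version keeps memcmp but derives the length from the table entry rather than from the input; plain strcmp, which stops at the first NUL on either side, is the other common fix.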
POC
id_000000,sig_11,src_000000,time_784,op_havoc,rep_4.zip
For any issue, please contact me:
[email protected]
or:
twitter: @Asteriska8