Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple nullptr reads in dwarf_process.c #2971

Closed
m4drat opened this issue Aug 22, 2022 · 0 comments · Fixed by #2977
Closed

Multiple nullptr reads in dwarf_process.c #2971

m4drat opened this issue Aug 22, 2022 · 0 comments · Fixed by #2977
Milestone
0.4.1

Comments

@m4drat
Copy link

m4drat commented Aug 22, 2022

Hi! We've been fuzzing your project and found the following errors in librz/analysis/dwarf_process.c

Work environment

OS: Ubuntu 20.04
File format: -
rizin version: 4b38597

Bug description

  1. Nullptr read in dwarf_process.c:1271:20, Crash file: crash-bbb0f10c5d022afa379a12bd43e3d51400b45669.zip

  2. Nullptr read in dwarf_process.c:1282:19, Crash file: crash-6124bc2a5882871f594be1a2cab2507f0b6a1e0e.zip

Steps to reproduce

  1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/rizin: sudo docker build -t oss-sydr-fuzz-rizin .

  2. Run docker container: sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-rizin /bin/bash

  3. Execute rizin with crashing input: /rizin-fuzzing/libfuzzer-asan/bin/rizin -qq crash-bbb0f10c5d022afa379a12bd43e3d51400b45669

  4. You will see the following output:

    WARNING: bin_file_strings: search interval size (0xff000000000020) exeeds bin.maxstrbuf (0xa00000), skipping it.
WARNING: bin_file_strings: search interval size (0xff000000000020) exeeds bin.maxstrbuf (0xa00000), skipping it.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2546470==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000a0 (pc 0x7f51c3dbb717 bp 0x7ffe82361730 sp 0x7ffe82360ee8 T0)
==2546470==The signal is caused by a READ memory access.
==2546470==Hint: address points to the zero page.
    #0 0x7f51c3dbb717  /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:96
    #1 0x4843d2 in strdup (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x4843d2)
    #2 0x1469cc5 in parse_function_args_and_vars /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/analysis/dwarf_process.c:1271:20
    #3 0x1469cc5 in parse_function /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/analysis/dwarf_process.c:1475:2
    #4 0x1469cc5 in parse_type_entry /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/analysis/dwarf_process.c:1585:3
    #5 0x1469cc5 in rz_analysis_dwarf_process_info /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/analysis/dwarf_process.c:1619:4
    #6 0xfc731d in rz_core_bin_apply_dwarf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cbin.c:669:3
    #7 0xfc6039 in rz_core_bin_apply_info /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cbin.c:281:3
    #8 0xfcc48d in rz_core_bin_apply_all_info /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cbin.c:334:2
    #9 0x10033b0 in core_file_do_load_for_io_plugin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:735:6
    #10 0x10033b0 in rz_core_bin_load /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:974:4
    #11 0x5b9af8 in rz_main_rizin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/main/rizin.c:1119:14
    #12 0x7f51c3c57082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x41da3d in _start (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x41da3d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:96
==2546470==ABORTING

  5. The second crash is similar
@XVilka XVilka added this to the 0.4.1 milestone Aug 22, 2022
wargio added a commit that referenced this issue Aug 22, 2022
@wargio
fix #2971 - null deref dwarf_process.c
c719384
@wargio wargio mentioned this issue Aug 22, 2022
Closed
5 tasks
wargio added a commit that referenced this issue Aug 22, 2022
@wargio
fix #2971 - null deref dwarf_process.c
47310d5
wargio added a commit that referenced this issue Aug 22, 2022
@wargio
fix #2971 - null deref dwarf_process.c
ec8cdd3
wargio added a commit that referenced this issue Aug 23, 2022
@wargio
fix #2971 - null deref dwarf_process.c
746d1cb
@wargio wargio mentioned this issue Aug 23, 2022
Merged
5 tasks
wargio added a commit that referenced this issue Aug 23, 2022
@wargio
fix #2971 - null deref dwarf_process.c
00127bb
wargio added a commit that referenced this issue Aug 23, 2022
@wargio
fix #2971 - null deref dwarf_process.c
627ef05
XVilka pushed a commit that referenced this issue Aug 24, 2022
@wargio @XVilka
fix #2971 - null deref dwarf_process.c
f674aec
XVilka pushed a commit that referenced this issue Aug 24, 2022
@wargio @XVilka
fix #2971 - null deref dwarf_process.c
f29f609
XVilka pushed a commit that referenced this issue Aug 24, 2022
@wargio @XVilka
fix #2971 - null deref dwarf_process.c
44083e5
imbillow pushed a commit that referenced this issue Aug 24, 2022
@wargio @imbillow
fix #2971 - null deref dwarf_process.c
1d15404
XVilka pushed a commit that referenced this issue Aug 30, 2022
@wargio @XVilka
fix #2971 - null deref dwarf_process.c
a79f980
XVilka pushed a commit that referenced this issue Aug 30, 2022
@wargio @XVilka
fix #2971 - null deref dwarf_process.c
f01837a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.4.1
Development

Successfully merging a pull request may close this issue.

Fix multiple vulnerabilities rizinorg/rizin
Fix multiple vulns rizinorg/rizin
2 participants
@XVilka @m4drat