Submission #502345: https://github.com/rizinorg/rizin rizin/rz-bin 309f57434dfa17954f02cdcbb3a2ac4108651767 Buffer Overflow

Information

Title: https://github.com/rizinorg/rizin rizin/rz-bin 309f57434dfa17954f02cdcbb3a2ac4108651767 Buffer Overflow
Description:

**Work environment**

OS/arch/bits (mandatory): Ubuntu 20.04.6 LTS
File format of the file you reverse (mandatory): ELF
Architecture/bits of the file (mandatory): x86/64
rizin -v full output, not truncated (mandatory): rizin 0.8.0 @ linux-x86-64 commit: 309f574

**Expected behavior**

No segmentation fault.

**Actual behavior**

Segmentation fault (with heap-buffer-overflow).

**Steps to reproduce the behavior**

Run the command `rz-bin -z -N":<dH" $poc`:

```
./rizin/bins/bin/rz-bin -z -N":<dH" /tmp/poc
==2793982==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000183011 at pc 0x7f7c47eaa928 bp 0x7f7c3f8fea40 sp 0x7f7c3f8fea30
WRITE of size 1 at 0x602000183011 thread T1
    #0 0x7f7c47eaa927 in rz_utf8_encode ../librz/util/utf8.c:539
    #1 0x7f7c47e77158 in process_one_string ../librz/util/str_search.c:269
    #2 0x7f7c47e78d5b in rz_scan_strings_raw ../librz/util/str_search.c:523
    #3 0x7f7c43e9510f in string_scan_range ../librz/bin/bfile_string.c:103
    #4 0x7f7c43e95364 in search_string_thread_runner ../librz/bin/bfile_string.c:130
    #5 0x7f7c47e9495a in thread_main_function ../librz/util/thread.c:21
    #6 0x7f7c48411608 in start_thread /build/glibc-FcRMwW/glibc-2.31/nptl/pthread_create.c:477
    #7 0x7f7c4855b352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)

0x602000183011 is located 0 bytes to the right of 1-byte region [0x602000183010,0x602000183011)
allocated by thread T1 here:
    #0 0x7f7c487ffa06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x7f7c47e7827d in rz_scan_strings_raw ../librz/util/str_search.c:403
    #2 0x7f7c43e9510f in string_scan_range ../librz/bin/bfile_string.c:103
    #3 0x7f7c43e95364 in search_string_thread_runner ../librz/bin/bfile_string.c:130
    #4 0x7f7c47e9495a in thread_main_function ../librz/util/thread.c:21
    #5 0x7f7c48411608 in start_thread /build/glibc-FcRMwW/glibc-2.31/nptl/pthread_create.c:477

Thread T1 created by T0 here:
    #0 0x7f7c4872c815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x7f7c47e94e3a in rz_th_new ../librz/util/thread.c:211
    #2 0x7f7c43e958c9 in create_string_search_thread ../librz/bin/bfile_string.c:202
    #3 0x7f7c43e9792b in rz_bin_file_strings ../librz/bin/bfile_string.c:482
    #4 0x7f7c43eaecc9 in rz_bin_set_and_process_strings ../librz/bin/bobj_process_string.c:26
    #5 0x7f7c43eaacfe in rz_bin_object_process_plugin_data ../librz/bin/bobj_process.c:156
    #6 0x7f7c43ea6f6e in rz_bin_object_new ../librz/bin/bobj.c:529
    #7 0x7f7c43e91667 in rz_bin_file_new_from_buffer ../librz/bin/bfile.c:139
    #8 0x7f7c43e9a4c3 in rz_bin_open_buf ../librz/bin/bin.c:294
    #9 0x7f7c43e9ab52 in rz_bin_open_io ../librz/bin/bin.c:352
    #10 0x7f7c43e99878 in rz_bin_open ../librz/bin/bin.c:233
    #11 0x7f7c48665613 in rz_main_rz_bin ../librz/main/rz-bin.c:1204
    #12 0x55800161b1b4 in main ../binrz/rz-bin/rz-bin.c:8
    #13 0x7f7c48460082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../librz/util/utf8.c:539 in rz_utf8_encode
Shadow bytes around the buggy address:
  0x0c04800285b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800285c0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800285d0: fa fa 00 00 fa fa 00 01 fa fa 00 01 fa fa 00 00
  0x0c04800285e0: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa fa fa
  0x0c04800285f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0480028600: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480028610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480028620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480028630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480028640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480028650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2793982==ABORTING
```
Source: https://github.com/rizinorg/rizin/issues/4910
User: wenjusun (UID 80422)
Submitted: 17/02/2025 02:15 AM (1 year ago)
Moderated: 28/02/2025 06:06 PM (12 days later)
Status: Approved
VulDB entry: 298011 [rizinorg rizin up to 0.8.0 /librz/util/utf8.c rz_utf8_encode memory corruption]
Points: 20
