| Field | Value |
|---|---|
| Title | https://github.com/rizinorg/rizin rizin/rz-bin 309f57434dfa17954f02cdcbb3a2ac4108651767 Buffer Overflow |

**Description**

**Work environment**

OS/arch/bits (mandatory): Ubuntu 20.04.6 LTS
File format of the file you reverse (mandatory): ELF
Architecture/bits of the file (mandatory): x86/64
rizin -v full output, not truncated (mandatory): rizin 0.8.0 @ linux-x86-64, commit: 309f574

**Expected behavior**

No segmentation fault.

**Actual behavior**

Segmentation fault (with heap-buffer-overflow).

**Steps to reproduce the behavior**

Run the command `rz-bin -z -N":<dH" $poc`:

```
./rizin/bins/bin/rz-bin -z -N":<dH" /tmp/poc
==2793982==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000183011 at pc 0x7f7c47eaa928 bp 0x7f7c3f8fea40 sp 0x7f7c3f8fea30
WRITE of size 1 at 0x602000183011 thread T1
    #0 0x7f7c47eaa927 in rz_utf8_encode ../librz/util/utf8.c:539
    #1 0x7f7c47e77158 in process_one_string ../librz/util/str_search.c:269
    #2 0x7f7c47e78d5b in rz_scan_strings_raw ../librz/util/str_search.c:523
    #3 0x7f7c43e9510f in string_scan_range ../librz/bin/bfile_string.c:103
    #4 0x7f7c43e95364 in search_string_thread_runner ../librz/bin/bfile_string.c:130
    #5 0x7f7c47e9495a in thread_main_function ../librz/util/thread.c:21
    #6 0x7f7c48411608 in start_thread /build/glibc-FcRMwW/glibc-2.31/nptl/pthread_create.c:477
    #7 0x7f7c4855b352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)

0x602000183011 is located 0 bytes to the right of 1-byte region [0x602000183010,0x602000183011)
allocated by thread T1 here:
    #0 0x7f7c487ffa06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x7f7c47e7827d in rz_scan_strings_raw ../librz/util/str_search.c:403
    #2 0x7f7c43e9510f in string_scan_range ../librz/bin/bfile_string.c:103
    #3 0x7f7c43e95364 in search_string_thread_runner ../librz/bin/bfile_string.c:130
    #4 0x7f7c47e9495a in thread_main_function ../librz/util/thread.c:21
    #5 0x7f7c48411608 in start_thread /build/glibc-FcRMwW/glibc-2.31/nptl/pthread_create.c:477

Thread T1 created by T0 here:
    #0 0x7f7c4872c815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x7f7c47e94e3a in rz_th_new ../librz/util/thread.c:211
    #2 0x7f7c43e958c9 in create_string_search_thread ../librz/bin/bfile_string.c:202
    #3 0x7f7c43e9792b in rz_bin_file_strings ../librz/bin/bfile_string.c:482
    #4 0x7f7c43eaecc9 in rz_bin_set_and_process_strings ../librz/bin/bobj_process_string.c:26
    #5 0x7f7c43eaacfe in rz_bin_object_process_plugin_data ../librz/bin/bobj_process.c:156
    #6 0x7f7c43ea6f6e in rz_bin_object_new ../librz/bin/bobj.c:529
    #7 0x7f7c43e91667 in rz_bin_file_new_from_buffer ../librz/bin/bfile.c:139
    #8 0x7f7c43e9a4c3 in rz_bin_open_buf ../librz/bin/bin.c:294
    #9 0x7f7c43e9ab52 in rz_bin_open_io ../librz/bin/bin.c:352
    #10 0x7f7c43e99878 in rz_bin_open ../librz/bin/bin.c:233
    #11 0x7f7c48665613 in rz_main_rz_bin ../librz/main/rz-bin.c:1204
    #12 0x55800161b1b4 in main ../binrz/rz-bin/rz-bin.c:8
    #13 0x7f7c48460082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../librz/util/utf8.c:539 in rz_utf8_encode
==2793982==ABORTING
```

| Field | Value |
|---|---|
| Source | ⚠️ https://github.com/rizinorg/rizin/issues/4910 |
| User | wenjusun (UID 80422) |
| Submission | 17/02/2025 02:15 (1 year ago) |
| Moderation | 28/02/2025 18:06 (12 days later) |
| State | Accepted |
| VulDB Entry | 298011 [rizinorg rizin up to 0.8.0 /librz/util/utf8.c rz_utf8_encode Buffer Overflow] |
| Points | 20 |