CVE-2022-36039: Multiple heap out-of-bounds writes in dex.c · Issue #2969 · rizinorg/rizin
Rizin is a UNIX-like reverse engineering framework and command-line toolset. Versions 0.4.0 and prior are vulnerable to out-of-bounds write when parsing DEX files. A user opening a malicious DEX file could be affected by this vulnerability, allowing an attacker to execute code on the user’s machine. A patch is available on the dev branch of the repository.
Hi! We’ve been fuzzing your project and found the following errors in librz/bin/format/dex/dex.c
Work environment
OS: Ubuntu 20.04
File format: -
rizin version: 4b38597
Bug description
Heap out-of-bounds write of size 1 in dex.c:89:13, Crash file: crash-b28a51055078fc0271ab6fb59956f709.zip
Heap out-of-bounds write of size 1 in dex.c:905:35, Crash file: crash-dedb83bc9e05fc8c518e1fe7cb917a1fe77849be.zip
Steps to reproduce
Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/rizin: sudo docker build -t oss-sydr-fuzz-rizin .
Run docker container: sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-rizin /bin/bash
Execute rizin with crashing input (1): /rizin-fuzzing/libfuzzer-asan/bin/rizin -qq crash-b28a51055078fc0271ab6fb59956f709
You will see the following output:
=================================================================
==2537255==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001ae98f at pc 0x000000b9ce28 bp 0x7ffd1f577e70 sp 0x7ffd1f577e68
WRITE of size 1 at 0x6020001ae98f thread T0
    #0 0xb9ce27 in dex_string_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:89:13
    #1 0xb9ce27 in dex_parse /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:545:23
    #2 0xb9ce27 in rz_bin_dex_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:703:7
    #3 0xb09545 in load_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/p/bin_dex.c:42:18
    #4 0xae7004 in rz_bin_object_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:300:8
    #5 0xad7d31 in rz_bin_file_new_from_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bfile.c:150:19
    #6 0xadf3c7 in rz_bin_open_buf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:272:8
    #7 0xadec27 in rz_bin_open_io /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:330:18
    #8 0x1003353 in core_file_do_load_for_io_plugin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:727:23
    #9 0x1003353 in rz_core_bin_load /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:974:4
    #10 0x5b9af8 in rz_main_rizin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/main/rizin.c:1119:14
    #11 0x7f151165f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41da3d in _start (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x41da3d)

0x6020001ae98f is located 1 bytes to the left of 1-byte region [0x6020001ae990,0x6020001ae991)
allocated by thread T0 here:
    #0 0x498c9d in malloc (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498c9d)
    #1 0xb9805e in dex_string_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:84:9
    #2 0xb9805e in dex_parse /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:545:23
    #3 0xb9805e in rz_bin_dex_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:703:7
    #4 0xb09545 in load_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/p/bin_dex.c:42:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:89:13 in dex_string_new
Shadow bytes around the buggy address:
  0x0c048002dce0: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x0c048002dcf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c048002dd00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
  0x0c048002dd10: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
  0x0c048002dd20: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
=>0x0c048002dd30: fa[fa]01 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002dd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002dd50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002dd60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002dd70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002dd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2537255==ABORTING
Execute rizin with crashing input (2): /rizin-fuzzing/libfuzzer-asan/bin/rizin -qq crash-dedb83bc9e05fc8c518e1fe7cb917a1fe77849be
You will see the following output:
=================================================================
==2537994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001aedcf at pc 0x000000ba19c6 bp 0x7ffde55982e0 sp 0x7ffde55982d8
WRITE of size 1 at 0x6020001aedcf thread T0
    #0 0xba19c5 in dex_resolve_library /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:905:35
    #1 0xba19c5 in rz_bin_dex_symbols /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:1326:20
    #2 0xae7bf4 in rz_bin_object_set_items /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:455:16
    #3 0xae706b in rz_bin_object_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:319:2
    #4 0xad7d31 in rz_bin_file_new_from_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bfile.c:150:19
    #5 0xadf3c7 in rz_bin_open_buf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:272:8
    #6 0xadec27 in rz_bin_open_io /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:330:18
    #7 0x1003353 in core_file_do_load_for_io_plugin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:727:23
    #8 0x1003353 in rz_core_bin_load /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:974:4
    #9 0x5b9af8 in rz_main_rizin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/main/rizin.c:1119:14
    #10 0x7f471e6ef082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41da3d in _start (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x41da3d)

0x6020001aedcf is located 1 bytes to the left of 1-byte region [0x6020001aedd0,0x6020001aedd1)
allocated by thread T0 here:
    #0 0x484594 in strdup (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x484594)
    #1 0xba1747 in dex_resolve_library /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:903:20
    #2 0xba1747 in rz_bin_dex_symbols /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:1326:20

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/dex/dex.c:905:35 in dex_resolve_library
Shadow bytes around the buggy address:
  0x0c048002dd60: fa fa 00 06 fa fa 00 06 fa fa fd fa fa fa 07 fa
  0x0c048002dd70: fa fa 01 fa fa fa fd fa fa fa fd fa fa fa 06 fa
  0x0c048002dd80: fa fa 01 fa fa fa 00 fa fa fa 02 fa fa fa 01 fa
  0x0c048002dd90: fa fa 00 fa fa fa 07 fa fa fa 01 fa fa fa 00 fa
  0x0c048002dda0: fa fa 07 fa fa fa 01 fa fa fa 00 fa fa fa 07 fa
=>0x0c048002ddb0: fa fa 06 fa fa fa 02 fa fa[fa]01 fa fa fa fa fa
  0x0c048002ddc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002ddd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002dde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002ddf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002de00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2537994==ABORTING
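Both sanitizer reports have the same shape: a 1-byte WRITE landing 1 byte to the left of a 1-byte heap region (malloc in the first, strdup in the second). A 1-byte region is what an empty string occupies, and "one byte to the left" is index -1, so the signature points at a length that went to zero and was then used as `len - 1`. The program below is an added illustration and not Rizin's code; the real logic at dex.c:89 and dex.c:905 is not shown in the report, and the function names and the "drop the last character" pattern are assumptions chosen because they produce exactly this AddressSanitizer signature. It shows the unguarded form next to a hardened one, plus the wrap-safe range check a file-format parser should apply before trusting a length from the input.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buggy form (NOT Rizin's dex.c). drop_last_unchecked("")
 * does strdup("") -> 1-byte region holding only the NUL, then strlen()
 * is 0, 0 - 1 wraps to SIZE_MAX and the store hits p[-1]. Built with
 * -fsanitize=address that is reported as "heap-buffer-overflow ...
 * WRITE of size 1 ... 1 bytes to the left of 1-byte region". */
char *drop_last_unchecked(const char *src) {
    char *p = strdup(src);
    if (!p) {
        return NULL;
    }
    p[strlen(p) - 1] = '\0';   /* underflows when the string is empty */
    return p;
}

/* Hardened form: the last byte is only written if the string has one. */
char *drop_last_checked(const char *src) {
    char *p = strdup(src);
    if (!p) {
        return NULL;
    }
    size_t n = strlen(p);
    if (n > 0) {
        p[n - 1] = '\0';
    }
    return p;
}

/* Range check a parser should make before reading `len` bytes at offset
 * `off` of a `total`-byte input. Written as a subtraction so that a
 * hostile off + len cannot wrap around and pass the check. */
bool range_in_bounds(size_t total, size_t off, size_t len) {
    if (off > total) {
        return false;
    }
    return len <= total - off;
}

int main(void) {
    /* Constructed sample inputs: a DEX-style type descriptor and the
     * empty string that triggers the off-by-one in the unchecked form. */
    const char *samples[] = { "Lcom/example/Foo;", "" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *s = drop_last_checked(samples[i]);
        printf("checked(\"%s\") -> \"%s\"\n", samples[i], s ? s : "(null)");
        free(s);
    }

    /* Only the non-empty input is safe to pass to the unchecked form;
     * drop_last_unchecked("") is the out-of-bounds write. */
    char *u = drop_last_unchecked(samples[0]);
    printf("unchecked(\"%s\") -> \"%s\"\n", samples[0], u ? u : "(null)");
    free(u);

    printf("range_in_bounds(100, 90, 10) = %d\n", range_in_bounds(100, 90, 10));
    printf("range_in_bounds(100, 90, 11) = %d\n", range_in_bounds(100, 90, 11));
    printf("range_in_bounds(100, 0, SIZE_MAX) = %d\n", range_in_bounds(100, 0, SIZE_MAX));
    return 0;
}
```

Compiling the block with `-fsanitize=address` and changing the unchecked call to pass `samples[1]` reproduces the same "1 bytes to the left of 1-byte region" report as above, which is a quick way to confirm a triage hypothesis for this class of crash before reading the real parser.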