When attempting to load a file into the riscv_emulator, a buffer overflow occurs at main.c:56. The issue appears to be related to the fixed size of 0x10000 for "dram.mem" and the use of memcpy without a length check. Specifically, the entire content of the file is copied into the buffer without checking if it fits within the allocated memory. This results in the overflow and potential for memory corruption.
Steps to Reproduce:
Compile and run the riscv_emulator.
Attempt to load a file that exceeds the size of 0x10000 for "dram.mem".
Observe the buffer overflow at main.c:56.
r3tr0@machine:~/riscv_emulator$ perl -e 'print "A"x(1024*1024*1) . "B"x1000' > big_buffer
r3tr0@machine:~/riscv_emulator$ ./main big_buffer
=================================================================
==74470==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdbb4d7cd0 at pc 0x7f682363a2c3 bp 0x7ffdbb3cfc00 sp 0x7ffdbb3cf3a8
WRITE of size 1049576 at 0x7ffdbb4d7cd0 thread T0
#0 0x7f682363a2c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x55ca2aec3593 in read_file /home/r3tr0/riscv_emulator/main.c:56
#2 0x55ca2aec36e5 in main /home/r3tr0/riscv_emulator/main.c:70
#3 0x7f6823229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#4 0x7f6823229e3f in __libc_start_main_impl ../csu/libc-start.c:392
#5 0x55ca2aec3364 in _start (/home/r3tr0/riscv_emulator/main+0x3364)
Address 0x7ffdbb4d7cd0 is located in stack of thread T0 at offset 1081440 in frame
#0 0x55ca2aec35b2 in main /home/r3tr0/riscv_emulator/main.c:60
This frame has 1 object(s):
[48, 1081440) 'cpu' (line 67) <== Memory access at offset 1081440 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x100037692f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100037692f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100037692f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100037692f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100037692f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100037692f90: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3
0x100037692fa0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x100037692fb0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
0x100037692fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100037692fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100037692fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==74470==ABORTING
r3tr0@machine:~/riscv_emulator$
When attempting to load a file into the riscv_emulator, a buffer overflow occurs at main.c:56. The issue appears to be related to the fixed size of 0x10000 for "dram.mem" and the use of memcpy without a length check. Specifically, the entire content of the file is copied into the buffer without checking if it fits within the allocated memory. This results in the overflow and potential for memory corruption.
Steps to Reproduce:
Compile and run the riscv_emulator. Attempt to load a file that exceeds the size of 0x10000 for "dram.mem". Observe the buffer overflow at main.c:56.