mentebinaria / readpe

The PE file analysis toolkit
GNU General Public License v2.0

NULL pointer dereference in pe_imphash #126

Closed gy741 closed 6 years ago

gy741 commented 6 years ago

Hello.

I found a NULL pointer dereference in pev.

Please confirm.

Thanks.

Summary: NULL pointer dereference
OS: CentOS 7 64bit
Version: dbdcd2cf79d133e7b2ee02f7ffaae528c012c51a
PoC Download: null_pe_imphash.zip

Steps to reproduce:
1. Download the PoC files.
2. Compile the source code with ASan.
3. Execute the following command: ./pehash -a $PoC

libpe/hashes.c:620
LL_FOREACH_SAFE(head, elt, tmp) \
        sprintf(imphash_string + strlen(imphash_string), "%s.%s,", elt->dll_name, elt->function_name); \
LL_DELETE(head, elt);   <--- crash
include/libpe/utlist.h:352
#define LL_DELETE(head,del)                                                                    \
    LL_DELETE2(head,del,next)

#define LL_DELETE2(head,del,next)                                                              \
do {                                                                                           \
  LDECLTYPE(head) _tmp;                                                                        \
  if ((head) == (del)) {                                                                       \
    (head)=(head)->next;                                                                       \
  } else {                                                                                     \
    _tmp = (head);                                                                             \
    while (_tmp->next && (_tmp->next != (del))) {                                              \
      _tmp = _tmp->next;                                                                       \
    }                                                                                          \
    if (_tmp->next) {                                                                          \
      _tmp->next = (del)->next;                                                                \
    }                                                                                          \
  }                                                                                            \
} while (0)
=================================================================
==15039==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fabbc3058ea bp 0x7ffc629a27d0 sp 0x7ffc629a20a0 T0)
==15039==The signal is caused by a READ memory access.
==15039==Hint: address points to the zero page.
    #0 0x7fabbc3058e9 in pe_imphash /home/karas/pev/lib/libpe/hashes.c:620:3
    #1 0x50dfb0 in main /home/karas/pev/src/pehash.c:261:13
    #2 0x7fabbacac1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #3 0x419b69 in _start (/home/karas/pev/run/home/karas/pev/run/bin/pehash+0x419b69)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/karas/pev/lib/libpe/hashes.c:620:3 in pe_imphash
==15039==ABORTING

[Acknowledgement] This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]
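Added example (not libpe's code and not the maintainer's fix): a minimal reconstruction of the list join quoted above, so the two behaviours can be compared on a constructed import list. My reading of the quoted snippet is that the loop body has no braces, so only the sprintf() sits inside LL_FOREACH_SAFE and LL_DELETE runs once after the loop with elt == NULL; on a PE with no imports head is also NULL, LL_DELETE2 takes the (head) == (del) branch and reads NULL->next, which matches the read at 0x10 in the ASan report if `next` is the third pointer in the node. The struct layout, the function names and the LL_FOREACH_SAFE definition (the stock utlist form) are assumptions; LL_DELETE/LL_DELETE2 are copied from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libpe's import node (assumption): field order puts
 * `next` at offset 16 on LP64, the 0x10 address in the report when the base
 * pointer is NULL. */
typedef struct element {
    char *dll_name;
    char *function_name;
    struct element *next;
} element;

/* utlist macros: LL_DELETE/LL_DELETE2 as quoted in the report, LL_FOREACH_SAFE
 * in its stock form. */
#define LDECLTYPE(x) __typeof__(x)

#define LL_FOREACH_SAFE(head,el,tmp) \
  for ((el) = (head); (el) && ((tmp) = (el)->next, 1); (el) = (tmp))

#define LL_DELETE(head,del) LL_DELETE2(head,del,next)
#define LL_DELETE2(head,del,next)                        \
do {                                                     \
  LDECLTYPE(head) _tmp;                                  \
  if ((head) == (del)) {                                 \
    (head)=(head)->next;                                 \
  } else {                                               \
    _tmp = (head);                                       \
    while (_tmp->next && (_tmp->next != (del))) {        \
      _tmp = _tmp->next;                                 \
    }                                                    \
    if (_tmp->next) {                                    \
      _tmp->next = (del)->next;                          \
    }                                                    \
  }                                                      \
} while (0)

static char *dup_str(const char *s) { char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL; }

/* Append one constructed import to the list; returns the (possibly new) head. */
static element *append_import(element *head, const char *dll, const char *func)
{
    element *e = calloc(1, sizeof *e);
    if (!e) return head;
    e->dll_name = dup_str(dll);
    e->function_name = dup_str(func);
    if (!head) return e;
    element *last = head;
    while (last->next) last = last->next;
    last->next = e;
    return head;
}

static void free_element(element *e) { free(e->dll_name); free(e->function_name); free(e); }
static void free_list(element *head) { element *elt, *tmp; LL_FOREACH_SAFE(head, elt, tmp) free_element(elt); }

/* Same shape as the snippet at hashes.c:620: no braces, so only snprintf() is
 * the loop body and LL_DELETE runs once afterwards with elt == NULL.
 *   empty list:     head == elt == NULL -> (head)=(head)->next reads NULL+0x10
 *   non-empty list: else-branch walks to the tail, deletes nothing, nodes leak
 * Returns what is left of the list so the leak is observable. Only call it
 * with a non-empty list; the empty case faults by construction. */
static element *join_unbraced(element *head, char *out, size_t outlen)
{
    element *elt = NULL, *tmp = NULL;
    out[0] = '\0';
    LL_FOREACH_SAFE(head, elt, tmp)
        snprintf(out + strlen(out), outlen - strlen(out), "%s.%s,",
                 elt->dll_name, elt->function_name);
    LL_DELETE(head, elt);   /* runs after the loop, whatever the indent suggests */
    return head;
}

/* Corrected form: braces put the delete inside the loop, each node is freed,
 * and an empty import list never enters the loop. snprintf() replaces the
 * report's unbounded sprintf(). Always returns NULL. */
static element *join_braced(element *head, char *out, size_t outlen)
{
    element *elt = NULL, *tmp = NULL;
    out[0] = '\0';
    LL_FOREACH_SAFE(head, elt, tmp) {
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "%s.%s,", elt->dll_name, elt->function_name);
        LL_DELETE(head, elt);
        free_element(elt);
    }
    return head;
}

int main(void)
{
    char buf[256];
    element *list = append_import(NULL, "kernel32.dll", "GetProcAddress");
    list = append_import(list, "kernel32.dll", "LoadLibraryA");
    element *left = join_braced(list, buf, sizeof buf);
    printf("%s (nodes left: %s)\n", buf, left ? "yes" : "none");
    left = join_braced(NULL, buf, sizeof buf);   /* PE with no import table */
    printf("empty import table -> \"%s\"\n", buf);
    return 0;
}
```

The join string here stops at the "%s.%s," format shown in the report; the real pe_imphash goes on to hash that string, which is out of scope for the comparison. Compiled with -Wmisleading-indentation, the unbraced form is also the kind of thing a compiler will flag when the delete line is indented as if it were inside the loop.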

merces commented 6 years ago

https://github.com/merces/libpe/commit/cda5c76c2b0cb06f6df84dd6697436f216ed7464 fixed this. Thank you!