radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Double free in Pe64_bin_pe_parse_resource() #15927

Closed niebardzo closed 4 years ago

niebardzo commented 4 years ago

Work environment

OS/arch/bits (mandatory): Ubuntu 18.04 x64
File format of the file you reverse (mandatory): PE
Architecture/bits of the file (mandatory): x64
r2 -v full output, not truncated (mandatory): radare2 4.3.0-git 23710 @ linux-x86-64 git.4.2.1-7-g8850bc6aa commit: 8850bc6aaf858c6f189bddb0c44d7043676e8e32 build: 2020-02-04__18:07:04

Expected behavior

Disassembly of file or error message.

Actual behavior

Double free in ASAN build.

Steps to reproduce the behavior

Download https://github.com/niebardzo/Store-PoCs/raw/master/r2_free_Pe64_bin_pe_parse_resource
Run: r2 -A r2_free_Pe64_bin_pe_parse_resource

Additional Logs, screenshots, source-code, configuration dump, ...

Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
Warning: parsing resource directory
=================================================================
==31065==ERROR: AddressSanitizer: attempting double-free on 0x6020000628d0 in thread T0:
    #0 0x55d6ca5b1ffd in free (/usr/local/bin/radare2+0x94ffd)
    #1 0x7fda6f9fe924 in _parse_resource_directory /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2588:4
    #2 0x7fda6f9fd454 in Pe64_bin_pe_parse_resource /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2740:4
    #3 0x7fda6fa1b01e in bin_pe_init /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2812:2
    #4 0x7fda6fa1c03c in Pe64_r_bin_pe_new_buf /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:3886:7
    #5 0x7fda6f9e8a48 in load_buffer /root/work/radare2/libr/../libr/bin/p/bin_pe.inc:22:36
    #6 0x7fda6f6b1e71 in r_bin_object_new /root/work/radare2/libr/bin/bobj.c:153:8
    #7 0x7fda6f6a517a in r_bin_file_new_from_buffer /root/work/radare2/libr/bin/bfile.c:505:19
    #8 0x7fda6f680579 in r_bin_open_buf /root/work/radare2/libr/bin/bin.c:283:8
    #9 0x7fda6f67fc0e in r_bin_open_io /root/work/radare2/libr/bin/bin.c:343:13
    #10 0x7fda702295ef in r_core_file_do_load_for_io_plugin /root/work/radare2/libr/core/cfile.c:430:7
    #11 0x7fda702295ef in r_core_bin_load /root/work/radare2/libr/core/cfile.c:641:4
    #12 0x7fda6da04455 in r_main_radare2 /root/work/radare2/libr/main/radare2.c:1040:14
    #13 0x7fda6d7be1e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
    #14 0x55d6ca53a37d in _start (/usr/local/bin/radare2+0x1d37d)

0x6020000628d0 is located 0 bytes inside of 1-byte region [0x6020000628d0,0x6020000628d1)
freed by thread T0 here:
    #0 0x55d6ca5b1ffd in free (/usr/local/bin/radare2+0x94ffd)
    #1 0x7fda6f9fee89 in _parse_resource_directory /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2581:5
    #2 0x7fda6f9fef1d in _parse_resource_directory /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2583:4
    #3 0x7fda6f9fd454 in Pe64_bin_pe_parse_resource /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2740:4
    #4 0x7fda6fa1b01e in bin_pe_init /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2812:2
    #5 0x7fda6fa1c03c in Pe64_r_bin_pe_new_buf /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:3886:7

previously allocated by thread T0 here:
    #0 0x55d6ca5b23f2 in calloc (/usr/local/bin/radare2+0x953f2)
    #1 0x7fda6f9fe59f in _parse_resource_directory /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2557:24
    #2 0x7fda6f9fd454 in Pe64_bin_pe_parse_resource /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2740:4
    #3 0x7fda6fa1b01e in bin_pe_init /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:2812:2
    #4 0x7fda6fa1c03c in Pe64_r_bin_pe_new_buf /root/work/radare2/libr/../libr/bin/p/../format/pe/pe.c:3886:7

SUMMARY: AddressSanitizer: double-free (/usr/local/bin/radare2+0x94ffd) in free
==31065==ABORTING
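
The report above says where the three events happen: the buffer is calloc'd in the outer _parse_resource_directory frame (pe.c:2557, called from Pe64_bin_pe_parse_resource at 2740), freed once inside the recursive call (pe.c:2581, reached from 2583 of the outer frame), and freed again by the outer frame on return (pe.c:2588). The following C program is an added example, not radare2 code and not the fix that later landed: it models that ownership pattern with a hypothetical in-memory resource tree, two hypothetical parser variants (buggy and fixed) and a small tracking allocator that stands in for ASAN, so the buggy variant can run without actually corrupting the heap. That the inner frame frees the name on an error path is an assumption made for the model; the trace only shows which frame freed what.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not radare2 code) of the bug behind the ASAN report:
 * the outer parser frame allocates an entry name, the recursive call frees
 * it, and the outer frame frees it again. */

#define MAX_LIVE 64

static void *live[MAX_LIVE];   /* pointers handed out and not yet released */
static int double_frees;       /* frees that hit an already-released pointer */

/* Records the allocation so a later free can be validated. */
static void *tracked_calloc(size_t n) {
    void *p = calloc(n, 1);
    for (int i = 0; p && i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            break;
        }
    }
    return p;
}

/* Returns 1 when p was live (and really frees it); returns 0 and counts a
 * double free when it was not, without touching the heap a second time.
 * This is the check ASAN performs for real. */
static int tracked_free(void *p) {
    if (!p) {
        return 1;
    }
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return 1;
        }
    }
    double_frees++;
    return 0;
}

/* Number of tracked buffers never released (leak check). */
static int live_allocations(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) {
        n += live[i] != NULL;
    }
    return n;
}

/* Constructed stand-in for a PE resource directory tree: an entry is either
 * a named sub-directory or a leaf; 'broken' marks a leaf the parser rejects,
 * standing in for the "Warning: parsing resource directory" path. */
struct directory;
struct entry { const char *name; struct directory *subdir; int broken; };
struct directory { int count; struct entry *entries; };

static char *copy_name(const char *s) {
    if (!s) {
        return NULL;
    }
    char *name = tracked_calloc(strlen(s) + 1);  /* "" gives a 1-byte region */
    if (name) {
        strcpy(name, s);
    }
    return name;
}

/* Buggy variant: the callee releases a buffer owned by its caller. */
static void parse_buggy(struct directory *dir, char *inherited_name) {
    for (int i = 0; i < dir->count; i++) {
        struct entry *e = &dir->entries[i];
        if (e->broken) {
            tracked_free(inherited_name);   /* first free, in the inner frame */
            return;
        }
        if (e->subdir) {
            char *name = copy_name(e->name);
            parse_buggy(e->subdir, name);
            tracked_free(name);             /* second free, in the outer frame */
        }
    }
}

/* Fixed variant: the frame that allocates is the only one that frees; the
 * callee receives the name read-only and never releases it. */
static void parse_fixed(struct directory *dir, const char *inherited_name) {
    (void)inherited_name;
    for (int i = 0; i < dir->count; i++) {
        struct entry *e = &dir->entries[i];
        if (e->broken) {
            return;                         /* bail out; the owner still frees */
        }
        if (e->subdir) {
            char *name = copy_name(e->name);
            parse_fixed(e->subdir, name);
            tracked_free(name);             /* single owner, single free */
        }
    }
}

/* Smallest tree that triggers the bug: root -> named directory (empty name,
 * hence a 1-byte buffer as in the report) -> one broken leaf. Returns the
 * number of double frees the tracker caught for the chosen variant. */
static int count_double_frees(int fixed) {
    struct entry leaf = { NULL, NULL, 1 };
    struct directory inner = { 1, &leaf };
    struct entry sub = { "", &inner, 0 };
    struct directory root = { 1, &sub };
    double_frees = 0;
    if (fixed) {
        parse_fixed(&root, NULL);
    } else {
        parse_buggy(&root, NULL);
    }
    return double_frees;
}

int main(void) {
    printf("buggy parser: %d double free(s), %d leaked\n",
           count_double_frees(0), live_allocations());
    printf("fixed parser: %d double free(s), %d leaked\n",
           count_double_frees(1), live_allocations());
    return 0;
}
```

Build with `cc -std=c99 model.c && ./a.out`. The tracker swallows the second release, so this program never corrupts the heap; to see the real AddressSanitizer report for the same pattern, replace the two `tracked_free` calls in `parse_buggy` with plain `free` and compile with `-fsanitize=address`. The fix keeps one rule visible in the signatures: the callee takes `const char *` and has no way to release what it did not allocate.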

radare commented 4 years ago

Open a PR in the bins repo with that binary in the fuzzed directory, so we can use it in the PR that fixes this issue.

On 4 Feb 2020, at 19:43, Niebardzo notifications@github.com wrote:

 Steps to reproduce the behavior

 Download https://github.com/niebardzo/Store-PoCs/raw/master/r2_free_Pe64_bin_pe_parse_resource
 Run: r2 -A r2_free_Pe64_bin_pe_parse_resource

niebardzo commented 4 years ago

Hello Team,

The following PR was created: https://github.com/radareorg/radare2-testbins/pull/5

pelijah commented 4 years ago

Was the issue fixed by 9e3d175638cb0c2b02822489dd7205ee917150fd?

radare commented 4 years ago

Yes

pelijah commented 4 years ago

So maybe it should be closed.