radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

-P </dev/urandom should be restricted (crash every rnd time) #594

Closed zonkzonk closed 10 years ago

zonkzonk commented 10 years ago

Following incorrect parsing of input in -P lets either ld or libc crash. I suggest limiting the size of input to -P.

#!/bin/sh
sysctl kernel.core_uses_pid=0
ulimit -c 50000
cp /bin/cp /tmp && cd /tmp
until test -f core
do
  echo 'af;q' | r2 -D -P </dev/urandom /tmp/cp
  sleep 2
done

Note: only apply on test machines!

Example crash:

gdb -q r2  core 
Reading symbols from /usr/local/bin/radare2...done.

warning: core file may not match specified executable file.
[New LWP 1877]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff76ffe000
Core was generated by `r2 -D -P /tmp/cp'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f81564abeaa in __strchr_sse2 () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007f81564abeaa in __strchr_sse2 () from /usr/lib/libc.so.6
#1  0x00007f8159f70dce in cmd_interpret (data=0x6068e0 <r>, input=0x1b4c311 "ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>)
    at cmd.c:452
#2  0x00007f815853bf19 in r_cmd_call (cmd=0x1949d70, input=0x1b4c310 ".ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>)
    at cmd.c:172
#3  0x00007f8159f73a79 in r_core_cmd_subst_i (core=0x6068e0 <r>, cmd=0x1b4c310 ".ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>)
    at cmd.c:1341
#4  0x00007f8159f72292 in r_core_cmd_subst (core=0x6068e0 <r>, cmd=0x1b4c310 ".ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>)
    at cmd.c:909
#5  0x00007f8159f7447a in r_core_cmd (core=0x6068e0 <r>, cstr=0x1920010 ".ɩ\217\226+j67JFZɟӚ[\017\071ZYu1\230=H", <incomplete sequence \342>, log=1)
    at cmd.c:1524
#6  0x00007f8159f4ec1d in r_core_prompt_exec (r=0x6068e0 <r>) at core.c:710
#7  0x00000000004046ae in main (argc=4, argv=0x7fff76f22c08, envp=0x7fff76f22c30) at radare2.c:593
(gdb) 

[ 8573.478096] r2[1877]: segfault at 0 ip 00007f81564abeaa sp 00007fff76f22148 error 4 in libc-2.18.so[7f815642c000+1a0000]

r2 -v radare2 0.9.7git @ linux-little-x86-64 git.0.9.6-457-gc56bb2c commit: c56bb2cd29ac9644a0db91492395db1e53f0327f build: 2014-02-03

greetings z.

radare commented 10 years ago

Please print the only cmd line that makes it fail, dev/random is not a reliable testcase


zonkzonk commented 10 years ago

a commandline option should refuse input from /dev/urandom and/or unexpected input.

radare commented 10 years ago

Wat


deeso commented 10 years ago

@zonkzonk r2 is meant to consume, parse, and interpret data, so why would consuming a character buffer or a byte stream be a bug in radare?

zonkzonk commented 10 years ago

here is another example:

sysctl: permission denied on key 'kernel.core_uses_pid'
 -- Rename a function using the 'afr newname @ offset' command
[0x00403609]> ?????9?NFV"?V -- To debug a program you can do dbg://${path-to-program} or use -d ${path..}
Slurping file '??w?W?:?T???bG?&hI??M????_U/??????)`'
cannot open file
|ERROR| Invalid command '?ik?=W???'
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
parse: Missing backtick in expression.?S?XP?s%?9e?-7?g?H?N?J?h
|ERROR| Invalid command '.L/??7`?eI}????&pt??'??>?S?XP?s%?9e?-7?g?H?N?J?h'
[0x00403609]> .?'?SH?]??8?_o(B>??7??H%??V
|ERROR| Invalid command '?'?SH?]??8?_o('
m: line 9:  5101 Broken pipe             echo 'af;q'
      5102 Segmentation fault      (core dumped) | r2 -D -P /tmp/cp < /dev/urandom

@deeso maybe that is more a philosophical question: when it consumes, parses, and interprets data, why would consuming a character buffer or a byte stream result in a core dump?

radare commented 10 years ago

that ".?'?SH?]??8?_o(B>??7??H%??V" line is not segfaulting here. Can you please provide a proper test case in shellscript form or so?


zonkzonk commented 10 years ago

raw file removed, see uuencoded below

#!/bin/sh

sysctl kernel.core_uses_pid=0
ulimit -c 50000
cp /bin/cp /tmp && cd /tmp

while :
do
  sleep 0.2
  # append ten "lines" of random bytes to the candidate input (tee also echoes them)
  head </dev/urandom | tee -a /tmp/buf
  echo 'af;q' | r2 -D -P </tmp/buf /tmp/cp
  if test -f core
  then
    # keep the input that produced the core dump
    mv -v /tmp/buf /tmp/buf.core
    exit 0
  else
    rm -v /tmp/buf
  fi
done

uuencoded version:

uuencode buf.upload buf.upload.uu

@deeso my comment was somehow misleading, but there is a difference between the file to analyse and project files, which I think should not differ that much.

radare commented 10 years ago

Still not reproducible, can you reduce the problem to just a single statement to make it crash? Test with latest git again plz.

zonkzonk commented 10 years ago

Who flagged this as invalid ?

Well yes, just save the uuencoded payload as /tmp/buf, then,

echo 'af;q' | r2 -D -P </tmp/buf /tmp/cp

I don't know why you let me repeat this statement. :/ If you need help with uudecode, tell me.

radare commented 10 years ago

Oh, that was cool. Running lldb with that rarun2 script allowed me to get the affected line which was just a missing nullptr check.

$ cat crash.rarun2
program=/usr/bin/r2
arg1=-
stdin=/tmp/buf

$ lldb -- rarun2 crash.rarun2
(lldb) up
(lldb) list
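The NULL-pointer shape behind this backtrace, as an added illustration that is not radare2's cmd_interpret code: an unguarded strchr() beside a hardened dispatcher that rejects NULL, empty and non-printable project input and walks a length-bounded buffer so an embedded NUL cannot cut the scan short. All function names, the status codes and the sample bytes are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Outcome of interpreting one project-file line. */
enum cmd_status { CMD_NULL = -1, CMD_REJECTED = 0, CMD_OK = 1 };
/* Buggy shape: strchr() on a NULL pointer dies inside libc, which is the
 * __strchr_sse2 frame at the top of the reported backtrace. */
static int interpret_unchecked(const char *input)
{
    return strchr(input, ';') ? CMD_OK : CMD_REJECTED;   /* no NULL guard */
}
/* Hardened shape: refuse NULL and empty input, and any byte that cannot be
 * part of a command, before handing the string to libc. */
static int interpret_checked(const char *input)
{
    if (!input) return CMD_NULL;
    if (!*input) return CMD_REJECTED;
    for (const char *p = input; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isprint(c) && c != '\t') return CMD_REJECTED;  /* urandom bytes */
    }
    return strchr(input, ';') ? CMD_OK : CMD_REJECTED;
}
/* Walk a length-bounded project buffer line by line (it may contain NUL bytes,
 * so strlen() would cut it short). Returns the number of rejected lines and,
 * if ok != NULL, stores the number of accepted ones. */
static int run_project(const char *buf, size_t len, int *ok)
{
    char line[256]; size_t n = 0; int accepted = 0, rejected = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] != '\n') {
            if (n < sizeof line - 1) line[n++] = buf[i];
            continue;
        }
        if (i == len && n == 0) break;      /* no trailing partial line */
        line[n] = '\0';                      /* an embedded NUL truncates here */
        if (interpret_checked(line) == CMD_OK) accepted++; else rejected++;
        n = 0;
    }
    if (ok) *ok = accepted;
    return rejected;
}
/* Constructed sample (not radare2 data): one valid command line, one line
 * of random-looking bytes, one line with an embedded NUL. */
static const char sample_project[] = "af;q\n\xc9\xa9\x8f\x96+j67\nx\0y;z\n";
#define SAMPLE_LEN (sizeof sample_project - 1)
static int sample_ok(void) { int ok = 0; run_project(sample_project, SAMPLE_LEN, &ok); return ok; }
static int sample_rejected(void) { return run_project(sample_project, SAMPLE_LEN, NULL); }
```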

zonkzonk commented 10 years ago

nice :) also, didn't know about lldb.