When loading the poc file with gdb, I found that it calls the jitana::axml_parser::parse_start_namespace function, and that function accesses memory using rax's value:
jitana::axml_parser::parse_start_namespace
mov dword ptr [rax], edx
but rax=0xfffffffffffffff8, so this write leads to a crash (the backtrace below shows it is the `std::vector::emplace_back` at axml_parser.cpp:380 constructing a `std::pair` at an invalid element address):
rax=0xfffffffffffffff8
Program received signal SIGSEGV, Segmentation fault. 0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145 145 : first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { } LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA ─────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────── *RAX 0xfffffffffffffff8 *RBX 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ *RCX 0x7fffffffd9c0 ◂— 0xd0000001e *RDX 0xd *RDI 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ *RSI 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ *R8 0x6bc250 ◂— 0x0 R9 0x0 *R10 0x6bee40 ◂— 0x74c00080003 *R11 0x246 *R12 0x7fffffffd9c0 ◂— 0xd0000001e *R13 0x1 R14 0x0 *R15 0x1 *RBP 0x7fffffffd8e0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffd9a0 —▸ 0x7fffffffd9d0 ◂— ... 
*RSP 0x7fffffffd8c0 —▸ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e *RIP 0x480234 ◂— mov dword ptr [rax], edx ───────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────── ► 0x480234 mov dword ptr [rax], edx 0x480236 mov rax, qword ptr [rbp - 0x18] 0x48023a mov rdi, rax 0x48023d call 0x47d668 0x480242 mov edx, dword ptr [rax] 0x480244 mov rax, qword ptr [rbp - 8] 0x480248 mov dword ptr [rax + 4], edx 0x48024b nop 0x48024c leave 0x48024d ret 0x48024e push rbp ───────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────── 140 141 template<class _U1, class _U2, class = typename 142 enable_if<__and_<is_convertible<_U1, _T1>, 143 is_convertible<_U2, _T2>>::value>::type> 144 constexpr pair(_U1&& __x, _U2&& __y) ► 145 : first(std::forward<_U1>(__x)), second(std::forward<_U2>(__y)) { } 146 147 template<class _U1, class _U2, class = typename 148 enable_if<__and_<is_convertible<_U1, _T1>, 149 is_convertible<_U2, _T2>>::value>::type> 150 constexpr pair(pair<_U1, _U2>&& __p) ───────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffd8c0 —▸ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e 01:0008│ 0x7fffffffd8c8 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e 02:0010│ 0x7fffffffd8d0 —▸ 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ 03:0018│ 0x7fffffffd8d8 ◂— 0xfffffffffffffff8 04:0020│ rbp 0x7fffffffd8e0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffd9a0 —▸ 0x7fffffffd9d0 ◂— ... 
05:0028│ 0x7fffffffd8e8 —▸ 0x4802ab ◂— nop 06:0030│ 0x7fffffffd8f0 —▸ 0x7fffffffd9c0 ◂— 0xd0000001e 07:0038│ 0x7fffffffd8f8 —▸ 0x7fffffffd9c4 ◂— 0x262880000000000d /* '\r' */ ─────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────── ► f 0 480234 f 1 4802ab f 2 47efa7 f 3 47d6d5 f 4 47c184 jitana::axml_parser::parse_start_namespace()+156 f 5 47b9a9 jitana::axml_parser::parse()+519 f 6 47abd7 f 7 45cefc f 8 45d6a6 main+1753 f 9 7ffff6de4830 __libc_start_main+240 Program received signal SIGSEGV (fault address -0x8) pwndbg> bt #0 0x0000000000480234 in std::pair<unsigned int, unsigned int>::pair<unsigned int&, unsigned int&, void> (this=0xfffffffffffffff8, __x=@0x7fffffffd9c4: 13, __y=@0x7fffffffd9c0: 30) at /usr/include/c++/5/bits/stl_pair.h:145 #1 0x00000000004802ab in __gnu_cxx::new_allocator<std::pair<unsigned int, unsigned int> >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (this=0x6bbff8, __p=0xfffffffffffffff8) at /usr/include/c++/5/ext/new_allocator.h:120 #2 0x000000000047efa7 in std::allocator_traits<std::allocator<std::pair<unsigned int, unsigned int> > >::construct<std::pair<unsigned int, unsigned int>, unsigned int&, unsigned int&> (__a=..., __p=0xfffffffffffffff8) at /usr/include/c++/5/bits/alloc_traits.h:530 #3 0x000000000047d6d5 in std::vector<std::pair<unsigned int, unsigned int>, std::allocator<std::pair<unsigned int, unsigned int> > >::emplace_back<unsigned int&, unsigned int&> (this=0x6bbff8) at /usr/include/c++/5/bits/vector.tcc:96 #4 0x000000000047c184 in jitana::axml_parser::parse_start_namespace (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:380 #5 0x000000000047b9a9 in jitana::axml_parser::parse (this=0x7fffffffdc40) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:275 #6 0x000000000047abd7 in 
jitana::read_axml (stream=..., pt=...) at /home/haclh/vmdk/fuzz_workplace/axmldec/lib/jitana/util/axml_parser.cpp:1881 #7 0x000000000045cefc in process_file (input_filename="poc", output_filename="") at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:130 #8 0x000000000045d6a6 in main (argc=2, argv=0x7fffffffe508) at /home/haclh/vmdk/fuzz_workplace/axmldec/main.cpp:188 #9 0x00007ffff6de4830 in __libc_start_main (main=0x45cfcd <main(int, char**)>, argc=2, argv=0x7fffffffe508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4f8) at ../csu/libc-start.c:291 #10 0x000000000045c839 in _start () pwndbg>
The binary and poc
https://gitee.com/hac425/fuzz_data/blob/master/axmldec_bin_poc.zip
When loading the poc file with gdb, I found that it calls the
jitana::axml_parser::parse_start_namespace
function, and that function accesses memory using rax's value, but
rax=0xfffffffffffffff8
, which leads to a crash. The binary and poc