Cutter: Crash when pseudocode view is enabled

Created on 5 Oct 2018  路  3Comments  路  Source: rizinorg/cutter

Work environment

| Questions | Answers
|------------------------------------------------------|--------------------
| OS/arch/bits (mandatory) | Windows 7 x64
| File format of the file you reverse (mandatory) | PE
| Architecture/bits of the file (mandatory) | x86/64
| Cutter and r2 version, See About Cutter (mandatory) | Version 1.7.1 / Using r2 2.8.0
| Show version information full output (See About Cutter) in a pastebin document (mandatory) | I don't see what's there to say other than it's your default win64 1.7.1 release, let alone I'm not going to copy them by hand

Expected behavior

Scroll flawlessly disassembly

Actual behavior

Crash after some seconds

Steps to reproduce the behavior

Open the executable in cutter (default analysis is fine)
Enable "asm.pseudo" in preferences.
Scroll up and down a bit.

BUG rizin

Most helpful comment

Because of buffer overflow here
image

In case asmop.buf_asm has a small string (<32 characters) the string is being stored inside inline RStrBuf::buf array and r_asm_op_get_asm returns a pointer to it. After passing this pointer to the r_parse_parse func this RStrBuf will be overwritten by it in case there are some replacement which is not fits in buf. For example these ones:

image
(parse_x86_pseudo.c)

In case RStrBuf holds a string bigger that 32 characters, this overflow will spoil heap.
Current implementation of r_parse_parse isn't safe, and requires refactoring...

Thanks

All 3 comments

r2 issue, crashes at Linux as well. To reproduce:

  • e asm.pseudo = true
  • pdj 6@6442453038

Because of buffer overflow here
image

In case asmop.buf_asm has a small string (<32 characters) the string is being stored inside inline RStrBuf::buf array and r_asm_op_get_asm returns a pointer to it. After passing this pointer to the r_parse_parse func this RStrBuf will be overwritten by it in case there are some replacement which is not fits in buf. For example these ones:

image
(parse_x86_pseudo.c)

In case RStrBuf holds a string bigger that 32 characters, this overflow will spoil heap.
Current implementation of r_parse_parse isn't safe, and requires refactoring...

Thanks

Fixed partially in https://github.com/radare/radare2/issues/11751 so I'm closing the issue.
That said, r_parse_parse is still vulnerable to buffer overflow and probably need reimplemntation in the radare2 side.

I think @a1ext can share more details

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Maijin picture Maijin  路  4Comments

dukebarman picture dukebarman  路  4Comments

Maijin picture Maijin  路  5Comments

doublegrey picture doublegrey  路  4Comments

xarkes picture xarkes  路  4Comments