zydis: A stack-buffer-overflow in ZydisInputPeek.

Description

A stack-buffer-overflow was discovered in zydis. The issue is triggered in the function ZydisInputPeek at /root/zydis/asan_build/ZydisDisasm+0x613f4.

Version

https://github.com/zyantific/zydis/commit/4022f22f9280650082a9480519c86a6e2afde2f3

Environment

Ubuntu 18.04, 64-bit

Command

Compile test program:

$ cmake ..
$ make

Compile test program with address sanitizer:

Update CMakeLists.txt:

SET (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
SET (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fno-omit-frame-pointer ")
SET (CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -fsanitize=address  -lasan -lstdc++ ")
SET (CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=address  -lasan -lstdc++ ")

Compile program:

$ mkdir asan_build && cd asan_build
$ export CC=/usr/bin/gcc
$ export CXX=/usr/bin/g++
$ cmake ..
$ make

Result

The result of running without ASAN:

$ cd build
$ ./ZydisDisasm -real sync_out/fuzzer04/crashes/zydisinputpeek

sub ax, 0x3030
xor byte ptr ds:[bx+si*1], dh
xor byte ptr ds:[bx+si*1], dh
......
add byte ptr ds:[bx+si*1], al
add byte ptr ds:[bx+si*1], al
Segmentation fault (core dumped)

Information obtained by using ASAN:

$ cd asan_build
$ ./ZydisDisasm -real ../build/sync_out/fuzzer04/crashes/zydisinputpeek

sub ax, 0x3030
xor byte ptr ds:[bx+si*1], dh
xor byte ptr ds:[bx+si*1], dh
.......
xor byte ptr ds:[bx+si*1], dh
xor byte ptr ds:[bx+si*1], dh
xor byte ptr ds:[bx+si*1], dh
=================================================================
==22482==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffe410 at pc 0x5555555b53f5 bp 0x7fffffffd3b0 sp 0x7fffffffd3a0
READ of size 1 at 0x7fffffffe410 thread T0
    #0 0x5555555b53f4 in ZydisInputPeek (/root/zydis/asan_build/ZydisDisasm+0x613f4)
    #1 0x5555555c8db6 in ZydisCollectOptionalPrefixes (/root/zydis/asan_build/ZydisDisasm+0x74db6)
    #2 0x5555555d4197 in ZydisDecoderDecodeInstruction (/root/zydis/asan_build/ZydisDisasm+0x80197)
    #3 0x5555555d3c6f in ZydisDecoderDecodeFull (/root/zydis/asan_build/ZydisDisasm+0x7fc6f)
    #4 0x5555555b4f85 in main (/root/zydis/asan_build/ZydisDisasm+0x60f85)
    #5 0x7ffff71df0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x5555555b454d in _start (/root/zydis/asan_build/ZydisDisasm+0x6054d)

Address 0x7fffffffe410 is located in stack of thread T0 at offset 3264 in frame
    #0 0x5555555b4618 in main (/root/zydis/asan_build/ZydisDisasm+0x60618)

  This frame has 6 object(s):
    [48, 68) 'decoder' (line 61)
    [112, 472) 'instruction' (line 127)
    [544, 1064) 'operands' (line 128)
    [1200, 1784) 'formatter' (line 99)
    [1920, 2176) 'format_buffer' (line 131)
    [2240, 3264) 'buffer' (line 110) <== Memory access at offset 3264 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/root/zydis/asan_build/ZydisDisasm+0x613f4) in ZydisInputPeek
Shadow bytes around the buggy address:
  0x10007fff7c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7c80: 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x10007fff7c90: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==22482==ABORTING
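The frame listing above places the faulting 1-byte read at offset 3264, which is the first byte past the end of the 1024-byte `buffer` in main: the input routine peeked at a byte the caller never supplied. As an added example (not Zydis's code; the `input_t` layout, the status codes and the helper names are assumptions made here), the following C program shows a peek routine that checks both the caller's length and the 15-byte x86 instruction limit before every read, and a prefix-collection loop that stops cleanly on either condition instead of walking off the end of the buffer:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounded byte-stream reader. Illustrative code only, not
 * Zydis's ZydisInputPeek: field names, status codes and helpers are
 * assumptions made for this example. */
typedef struct {
    const uint8_t *data;   /* caller's buffer */
    size_t length;         /* number of valid bytes in data */
    size_t pos;            /* bytes consumed so far */
} input_t;

enum {
    INPUT_OK = 0,
    INPUT_ERR_NO_MORE_DATA = 1,   /* pos reached length: stop, do not read */
    INPUT_ERR_TOO_LONG = 2        /* instruction would exceed the x86 limit */
};

#define MAX_INSN_LENGTH 15u   /* architectural x86 instruction length limit */

/* Peek at the next byte without consuming it. Both limits are checked
 * before the read, so data[length] (or anything beyond) is never touched. */
static int input_peek(const input_t *in, uint8_t *out)
{
    if (in->pos >= in->length) {
        return INPUT_ERR_NO_MORE_DATA;
    }
    if (in->pos >= MAX_INSN_LENGTH) {
        return INPUT_ERR_TOO_LONG;
    }
    *out = in->data[in->pos];
    return INPUT_OK;
}

static void input_skip(input_t *in)
{
    in->pos++;
}

/* Legacy x86 prefix bytes: segment overrides, operand/address size, LOCK, REP. */
static bool is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2E: case 0x36: case 0x3E: case 0x64: case 0x65:
    case 0x66: case 0x67: case 0xF0: case 0xF2: case 0xF3:
        return true;
    default:
        return false;
    }
}

/* Consume a run of legacy prefixes. Returns INPUT_OK once a non-prefix byte
 * (the opcode) is visible, or the error that stopped the loop. *count holds
 * the number of prefix bytes consumed in either case. */
int collect_prefixes(input_t *in, size_t *count)
{
    *count = 0;
    for (;;) {
        uint8_t b;
        int rc = input_peek(in, &b);
        if (rc != INPUT_OK) {
            return rc;
        }
        if (!is_legacy_prefix(b)) {
            return INPUT_OK;
        }
        input_skip(in);
        (*count)++;
    }
}

/* Wrappers so each case is a single call. */
int prefix_run_status(const uint8_t *data, size_t length)
{
    input_t in = { data, length, 0 };
    size_t count;
    return collect_prefixes(&in, &count);
}

size_t prefix_run_count(const uint8_t *data, size_t length)
{
    input_t in = { data, length, 0 };
    size_t count;
    (void)collect_prefixes(&in, &count);
    return count;
}

/* Constructed sample inputs (not the PoC file from the report). */
const uint8_t SAMPLE_NORMAL[] = { 0x66, 0x66, 0x2B, 0xC0 };   /* 2 prefixes, then opcode */
const uint8_t SAMPLE_ALL_PREFIX[8] = { 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66 };
const uint8_t SAMPLE_OVERLONG[16] = { 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
                                      0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66 };

int main(void)
{
    printf("normal:     status %d, %zu prefixes\n",
           prefix_run_status(SAMPLE_NORMAL, sizeof SAMPLE_NORMAL),
           prefix_run_count(SAMPLE_NORMAL, sizeof SAMPLE_NORMAL));
    printf("all-prefix: status %d, %zu prefixes\n",
           prefix_run_status(SAMPLE_ALL_PREFIX, sizeof SAMPLE_ALL_PREFIX),
           prefix_run_count(SAMPLE_ALL_PREFIX, sizeof SAMPLE_ALL_PREFIX));
    printf("overlong:   status %d, %zu prefixes\n",
           prefix_run_status(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG),
           prefix_run_count(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    return 0;
}
```

The all-prefix case is the one that matters for the report: a buffer consisting entirely of prefix bytes never exposes an opcode, so a loop that keeps peeking must be told by the reader itself that the data has run out. Compiling this with the `-fsanitize=address` flags from the Command section and passing a length one larger than the real buffer is a quick way to confirm that the length check, not luck, is what keeps the read in bounds.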

PoC

The PoC file is available at https://github.com/standaside/stas/blob/main/zydis/zydisinputpeek.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

I’m very sorry for the wrong version cognition. I think I’ll look forward to the version in advance and won’t repeat this problem.