zydis: A stack-buffer-overflow in ZydisInputPeek.
Description
A stack-buffer-overflow was discovered in zydis. The issue is triggered in function ZydisInputPeek at /root/zydis/asan_build/ZydisDisasm+0x613f4.
Version
https://github.com/zyantific/zydis/commit/4022f22f9280650082a9480519c86a6e2afde2f3
Environment
Ubuntu 18.04, 64-bit
Command
Compile test program:
$cmake ..
$make
Compile test program with address sanitizer:
Update Makefile:
SET (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
SET (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fno-omit-frame-pointer ")
SET (CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -fsanitize=address -lasan -lstdc++ ")
SET (CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=address -lasan -lstdc++ ")
Compile program:
$mkdir asan_build && cd asan_build
$export CC=/usr/bin/gcc
$export CXX=/usr/bin/g++
$cmake ..
$make
Result
The result of running without ASAN:
$cd build
$./ZydisDisasm -real sync_out/fuzzer04/crashes/zydisinputpeek
sub ax, 0x3030
xor byte ptr ds:[bx+si*1], dh
xor byte ptr ds:[bx+si*1], dh
......
add byte ptr ds:[bx+si*1], al
add byte ptr ds:[bx+si*1], al
Segmentation fault (core dumped)
Information obtained by using ASAN:
$cd asan_build
$./ZydisDisasm -real ../build/sync_out/fuzzer04/crashes/zydisinputpeek
sub ax, 0x3030
xor byte ptr ds:[bx+si*1], dh
xor byte ptr ds:[bx+si*1], dh
.......
xor byte ptr ds:[bx+si*1], dh
xor byte ptr ds:[bx+si*1], dh
xor byte ptr ds:[bx+si*1], dh
=================================================================
==22482==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffe410 at pc 0x5555555b53f5 bp 0x7fffffffd3b0 sp 0x7fffffffd3a0
READ of size 1 at 0x7fffffffe410 thread T0
#0 0x5555555b53f4 in ZydisInputPeek (/root/zydis/asan_build/ZydisDisasm+0x613f4)
#1 0x5555555c8db6 in ZydisCollectOptionalPrefixes (/root/zydis/asan_build/ZydisDisasm+0x74db6)
#2 0x5555555d4197 in ZydisDecoderDecodeInstruction (/root/zydis/asan_build/ZydisDisasm+0x80197)
#3 0x5555555d3c6f in ZydisDecoderDecodeFull (/root/zydis/asan_build/ZydisDisasm+0x7fc6f)
#4 0x5555555b4f85 in main (/root/zydis/asan_build/ZydisDisasm+0x60f85)
#5 0x7ffff71df0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#6 0x5555555b454d in _start (/root/zydis/asan_build/ZydisDisasm+0x6054d)
Address 0x7fffffffe410 is located in stack of thread T0 at offset 3264 in frame
#0 0x5555555b4618 in main (/root/zydis/asan_build/ZydisDisasm+0x60618)
This frame has 6 object(s):
[48, 68) 'decoder' (line 61)
[112, 472) 'instruction' (line 127)
[544, 1064) 'operands' (line 128)
[1200, 1784) 'formatter' (line 99)
[1920, 2176) 'format_buffer' (line 131)
[2240, 3264) 'buffer' (line 110) <== Memory access at offset 3264 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/root/zydis/asan_build/ZydisDisasm+0x613f4) in ZydisInputPeek
Shadow bytes around the buggy address:
0x10007fff7c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7c80: 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x10007fff7c90: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==22482==ABORTING
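The report above is a READ of size 1 exactly one byte past the end of the fixed-size stack array `buffer` in `main`, reached from the decoder's input peek while collecting prefixes. As an added example (not zydis code, and not a statement of this issue's root cause), the following shows the defensive pattern that prevents this class of over-read: an input stage whose peek never touches `data[offset]` unless `offset < length`, and reports exhaustion as a distinct status code that the decode loop treats as a stop condition rather than as a decoded instruction. All names (`ExInput`, `ex_input_peek`, the `EX_STATUS_*` codes) are hypothetical, and the sample bytes are constructed.

```c
/*
 * Added example, not part of the zydis project: a bounded byte reader for a
 * decoder input stage. The peek refuses to read past the caller's declared
 * length and reports that as EX_STATUS_NO_MORE_DATA, so a decode loop over a
 * fixed-size stack buffer stops at the end instead of reading one byte past
 * it (the access ASan flags above). All identifiers are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    EX_STATUS_SUCCESS = 0,
    EX_STATUS_NO_MORE_DATA,      /* input exhausted: normal end of stream  */
    EX_STATUS_INVALID_ARGUMENT   /* NULL input or output pointer            */
} ExStatus;

typedef struct {
    const uint8_t *data;
    size_t length;   /* number of valid bytes in data */
    size_t offset;   /* bytes consumed so far          */
} ExInput;

/* Hardened peek: the bounds check comes before the read, never after. */
static ExStatus ex_input_peek(const ExInput *in, uint8_t *out)
{
    if (in == NULL || out == NULL) return EX_STATUS_INVALID_ARGUMENT;
    if (in->offset >= in->length) return EX_STATUS_NO_MORE_DATA;
    *out = in->data[in->offset];
    return EX_STATUS_SUCCESS;
}

/* Consume one byte; a no-op at end of input so offset never exceeds length. */
static void ex_input_skip(ExInput *in)
{
    if (in->offset < in->length) in->offset++;
}

/*
 * Toy decoder: 0x66/0x67 are treated as optional prefix bytes (consumed in a
 * loop, the way an x86 decoder collects prefixes) followed by one opcode
 * byte. A truncated instruction at the end of the buffer is reported via the
 * status code, not read past.
 */
static ExStatus ex_decode_one(ExInput *in, size_t *insn_len)
{
    uint8_t b;
    ExStatus st;
    size_t start = in->offset;

    for (;;) {
        st = ex_input_peek(in, &b);
        if (st != EX_STATUS_SUCCESS) return st;   /* includes NO_MORE_DATA */
        if (b != 0x66 && b != 0x67) break;        /* not a prefix: opcode   */
        ex_input_skip(in);
    }
    ex_input_skip(in);                            /* consume opcode byte    */
    *insn_len = in->offset - start;
    return EX_STATUS_SUCCESS;
}

/*
 * Decode everything in a caller-provided buffer and return the number of
 * complete instructions. NO_MORE_DATA ends the loop cleanly; it is never
 * mistaken for a successfully decoded instruction.
 */
size_t ex_decode_all(const uint8_t *buf, size_t len)
{
    ExInput in = { buf, len, 0 };
    size_t count = 0, ilen;
    while (ex_decode_one(&in, &ilen) == EX_STATUS_SUCCESS) count++;
    return count;
}

int main(void)
{
    /* Constructed sample: two complete instructions, then a dangling prefix. */
    const uint8_t sample[] = { 0x66, 0x66, 0x31, 0x00, 0x66 };
    printf("decoded %zu instruction(s)\n", ex_decode_all(sample, sizeof sample));
    return 0;
}
```

Built with the `-fsanitize=address -fno-omit-frame-pointer` flags from the Command section, the same loop with the length check removed from `ex_input_peek` reports a stack-buffer-overflow READ of size 1 on the trailing prefix byte, which is the shape of the failure shown above; with the check in place the dangling `0x66` simply ends decoding.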
Poc
Poc file is [this](https://github.com/standaside/stas/blob/main/zydis/zydisinputpeek).
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 15 (7 by maintainers)
Commits related to this issue
- Fixed error codes inside `ZydisDecoderDecodeFull` Fixes #315, Fixes #316, Fixes #317, Fixes #318 — committed to mappzor/zydis by mappzor 2 years ago
- Fixed error codes inside `ZydisDecoderDecodeFull` Fixes #315, Fixes #316, Fixes #317, Fixes #318 — committed to zyantific/zydis by mappzor 2 years ago
I’m very sorry for the wrong version cognition. I think I’ll look forward to the version in advance and won’t repeat this problem.