[bug #51189] Stack buffer underflow in grub_memmove()
From: Kamil Frankowicz
Subject: [bug #51189] Stack buffer underflow in grub_memmove()
Date: Tue, 6 Jun 2017 07:13:16 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
URL:
<http://savannah.gnu.org/bugs/?51189>
Summary: Stack buffer underflow in grub_memmove()
Project: GNU GRUB
Submitted by: fumfel
Submitted on: Tue 06 Jun 2017 11:13:15 AM UTC
Category: Security
Severity: Major
Priority: 5 - Normal
Item Group: Software Error
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release:
Release: other
Reproducibility: Every Time
Planned Release: None
_______________________________________________________
Details:
While fuzzing radare2 I found a stack buffer underflow in the function
grub_memmove().
Original issue with repro: https://github.com/radare/radare2/issues/7683
ASAN from r2:
==32384==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffd57d028f8 at pc 0x7fc9c5b6ac47 bp 0x7ffd57d01c40 sp 0x7ffd57d01c38
WRITE of size 16 at 0x7ffd57d028f8 thread T0
    #0 0x7fc9c5b6ac46 in grub_memmove XYZ/radare2/shlr/grub/kern/misc.c:98:7
    #1 0x7fc9c5b67800 in grub_disk_read XYZ/radare2/shlr/grub/kern/disk.c:488:3
    #2 0x7fc9c5b68268 in grub_disk_read_ex XYZ/radare2/shlr/grub/kern/disk.c:563:12
    #3 0x7fc9c5b0754d in grub_fshelp_read_file XYZ/radare2/shlr/grub/fs/fshelp.c:333:4
    #4 0x7fc9c5b1134d in grub_ext2_read_file XYZ/radare2/shlr/grub/fs/ext2.c:504:9
    #5 0x7fc9c5b1134d in grub_ext2_iterate_dir XYZ/radare2/shlr/grub/fs/ext2.c:690
    #6 0x7fc9c5b0faf2 in grub_ext2_dir XYZ/radare2/shlr/grub/fs/ext2.c:876:3
    #7 0x7fc9c5af0c58 in ext2__mount XYZ/radare2/libr/fs/p/fs_grub_base.c:74:8
    #8 0x7fc9c5afbeaa in r_fs_mount XYZ/radare2/libr/fs/fs.c:151:7
    #9 0x7fc9c8f20dfb in cmd_mount XYZ/radare2/libr/core/./cmd_mount.c:49:9
    #10 0x7fc9c90e76af in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:226:10
    #11 0x7fc9c8fd5811 in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:2191:12
    #12 0x7fc9c8f1d5b7 in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:1395:9
    #13 0x7fc9c8f16d24 in r_core_cmd XYZ/radare2/libr/core/cmd.c:2799:9
    #14 0x7fc9c8f0183f in r_core_cmdf XYZ/radare2/libr/core/cmd.c:2957:8
    #15 0x7fc9c90c1752 in bin_info XYZ/radare2/libr/core/cbin.c:621:4
    #16 0x7fc9c90c1752 in r_core_bin_info XYZ/radare2/libr/core/cbin.c:2870
    #17 0x7fc9c90b1e41 in r_core_bin_set_env XYZ/radare2/libr/core/cbin.c:115:3
    #18 0x7fc9c903d974 in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:434:2
    #19 0x7fc9c903d974 in r_core_bin_load XYZ/radare2/libr/core/file.c:567
    #20 0x555f8a113f6b in main XYZ/radare2/binr/radare2/radare2.c:952:14
    #21 0x7fc9c1bc782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #22 0x555f8a043f38 in _start (/usr/local/bin/radare2+0x20f38)
ASAN:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?51189>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/