From: Michael M. <ma...@ho...> - 2005-02-27 20:26:08
take it easy with the CCs there fella ;) haven't had time to reply to your earlier email, but here's the story:

* bastard code is no longer being maintained.
* libdisasm .21 [pre or something] is the latest, HOWEVER the CVS version has some bug fixes.
* there is also a new version [rewrite of the decoding algo, and support for the SSE2/3 crap] in a different dir in CVS, but it has not been finished -- r/l concerns and all that.

what's up with the mpatrol log? wouldn't valgrind be a better way of finding where the bug is?

anyways, in the middle of something ... will get to your original email later.

_m

>From: Kristis Makris <kri...@as...>
>To: bas...@li..., bas...@li...
>Subject: overflow buffer bug
>Date: Sun, 27 Feb 2005 12:21:06 -0700
>
>Hello,
>
>It appears that there is a buffer overflow problem in libdisasm. This
>was discovered using mpatrol and a random .bin file (attached). mpatrol
>reports (at the end of this email) that a memory allocation was given a
>pointer to a buffer that is corrupted before any data were written to
>it.
>
>This was produced using bastard_src-0.17.
>
>Is there a fix? Is this project active or should I stop bothering?
>
>Thanks,
>Kristis
>
>
>$ dd if=/dev/random of=test.bin bs=1 count=100
>100+0 records in
>100+0 records out
>100 bytes transferred in 0.000747 seconds (133890 bytes/sec)
>
>
>$ mpatrol -g -i -C --dynamic --leak-table --alloc-byte=0x66 --oflow-byte=0x79 --oflow-size=64 ./testdis test.bin
>File name: test.bin
>0 1C 14 ;invariant bytes (signature)
>0 1C 14 sbb %(null), $0x14
>2 31 A4 57 5B D7 18 E7 ;invariant bytes (signature)
>2 31 A4 57 5B D7 18 E7 xor -18E728A5(%edi, %edx,02), %(null)
>9 2B 72 5A ;invariant bytes (signature)
>9 2B 72 5A sub %(null), 5A(%edx)
>C 94 ;invariant bytes (signature)
>C 94 xchg %(null), %(null)
>D 3F ;invariant bytes (signature)
>D 3F aas
>E 66 EA F4 F4 F4 F4 ;invariant bytes (signature)
>E 66 EA 9D 7D DF A5 jmp *0xA5DF7D9D
>14 28 71 1E ;invariant bytes (signature)
>14 28 71 1E sub 1E(%ecx), %(null)
>17 DB 87 95 83 6B F5 ;invariant bytes (signature)
>17 DB 87 95 83 6B F5 fild -0A947C6B(%edi)
>1D 63 E8 ;invariant bytes (signature)
>1D 63 E8 arpl %(null), %(null)
>1F D9 ;invariant bytes (signature)
>1F invalid opcode D9
>20 D9 93 58 0E 24 B7 ;invariant bytes (signature)
>20 D9 93 58 0E 24 B7 fst -48DBF1A8(%ebx)
>26 44 ;invariant bytes (signature)
>26 44 inc %(null)
>27 DF ;invariant bytes (signature)
>27 invalid opcode DF
>28 08 71 FF ;invariant bytes (signature)
>28 08 71 FF or -01(%ecx), %(null)
>2B 89 4B 90 ;invariant bytes (signature)
>2B 89 4B 90 mov -70(%ebx), %(null)
>2E 7A 18 ;invariant bytes (signature)
>2E 7A 18 jpe +0x18
>30 15 F4 F4 F4 F4 ;invariant bytes (signature)
>30 15 4C 14 9A 96 adc %(null), $-0x969A144C
>35 A7 ;invariant bytes (signature)
>35 A7 cmpsd %(null), %(null)
>36 7C E4 ;invariant bytes (signature)
>36 7C E4 jl +0xE4
>38 71 88 ;invariant bytes (signature)
>38 71 88 jno +0x88
>3A FB ;invariant bytes (signature)
>3A FB sti
>3B 6B B0 83 A0 7D 20 90 ;invariant bytes (signature)
>3B 6B B0 83 A0 7D 20 90 imul %(null), 207DA083(%eax), $-0xFFFFFF90
>42 50 ;invariant bytes (signature)
>42 50 push %(null)
>43 E9 F4 F4 F4 F4 ;invariant bytes (signature)
>43 E9 D6 77 A4 9B jmp +0x9BA477D6
>48 F9 ;invariant bytes (signature)
>48 F9 stc
>49 5B ;invariant bytes (signature)
>49 5B pop %(null)
>4A AA ;invariant bytes (signature)
>4A AA stosb %(null), %(null)
>4B 32 FF ;invariant bytes (signature)
>4B 32 FF xor %(null), %(null)
>4D C9 ;invariant bytes (signature)
>4D C9 leave
>4E 51 ;invariant bytes (signature)
>4E 51 push %(null)
>4F 49 ;invariant bytes (signature)
>4F 49 dec %(null)
>50 10 7A 0E ;invariant bytes (signature)
>50 10 7A 0E adc 0E(%edx), %(null)
>53 66 3F ;invariant bytes (signature)
>53 66 3F aas
>55 2C 64 ;invariant bytes (signature)
>55 2C 64 sub %(null), $0x64
>57 E4 36 ;invariant bytes (signature)
>57 E4 36 in %(null), $0x36
>59 04 68 ;invariant bytes (signature)
>59 04 68 add %(null), $0x68
>5B 25 F4 F4 F4 F4 ;invariant bytes (signature)
>5B 25 05 4B B1 A2 and %(null), $-0xA2B14B05
>60 A9 F4 F4 F4 F4 ;invariant bytes (signature)
>60 A9 48 A4 5F 00 test %(null), $0x5FA448
>
>(2148)12:11:46[mkgnu@syd:~/incoming/bastard_src-0.17/src/arch/i386/libdisasm]$ more mpatrol.21399.log
>@(#) mpatrol 1.4.8 (02/01/08)
>Copyright (C) 1997-2002 Graeme S. Roy
>
>This is free software, and you are welcome to redistribute it under certain
>conditions; see the GNU Library General Public License for details.
>
>For the latest mpatrol release and documentation,
>visit http://www.cbmamiga.demon.co.uk/mpatrol.
>
>operating system: UNIX
>system variant: Linux
>processor architecture: Intel 80x86
>processor word size: 32-bit
>object file format: ELF32
>dynamic linker type: SVR4
>
>Log file generated on Sun Feb 27 12:11:46 2005
>
>read 77 symbols from ./testdis
>
>LOG: check () [-|-|-]
>        0x400457FE ???
>        0x4000C4F6 ???
>        0x40095A52 ???
>        0x4007FDCE ???
>        0x08048661 _start+33
>
>system page size: 4096 bytes
>default alignment: 4 bytes
>overflow size: 64 bytes
>overflow byte: 0x79
>allocation byte: 0x66
>free byte: 0x55
>allocation stop: 0
>reallocation stop: 0
>free stop: 0
>unfreed abort: 0
>small boundary: 32 bytes
>medium boundary: 256 bytes
>large boundary: 2048 bytes
>lower check range: 0
>upper check range: 0
>check frequency: 1
>failure frequency: 0
>failure seed: 1109531506
>prologue function: <unset>
>epilogue function: <unset>
>handler function: <unset>
>log file: mpatrol.21399.log
>profiling file: mpatrol.21399.out
>tracing file: mpatrol.21399.trace
>program filename: ./testdis
>symbols read: 77
>autosave count: 0
>freed queue size: 0
>allocation count: 29
>allocation peak: 18 (6371 bytes)
>allocation limit: 0 bytes
>allocated blocks: 15 (755 bytes)
>marked blocks: 0 (0 bytes)
>freed blocks: 0 (0 bytes)
>free blocks: 9 (9613 bytes)
>internal blocks: 8 (131072 bytes)
>total heap usage: 143360 bytes
>total compared: 0 bytes
>total located: 0 bytes
>total copied: 1547 bytes
>total set: 6860 bytes
>total warnings: 0
>total errors: 0
>
>ERROR: [ALLOVF]: allocation 0x08061080 has a corrupted overflow buffer at 0x080610A4
>        0x0806109C  79797979 79797979 00000000 79797979  yyyyyyyy....yyyy
>        0x080610AC  79797979 79797979 79797979 79797979  yyyyyyyyyyyyyyyy
>        0x080610BC  79797979 79797979 79797979 79797979  yyyyyyyyyyyyyyyy
>        0x080610CC  79797979 79797979 79797979 79797979  yyyyyyyyyyyyyyyy
>
>        0x08061080 (28 bytes) {calloc:15:0} [-|-|-]
>                0x08049C1C x86_old_disasm_addr+496
>                0x080488A0 main+400
>                0x4007FDC6 ???
>                0x08048661 _start+33
>
>
><< test.bin >>
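The [ALLOVF] report quoted above comes from mpatrol's "overflow buffer" mechanism: each allocation is padded with 64 bytes of 0x79 ('y') on either side (--oflow-size=64, --oflow-byte=0x79) and the padding is re-examined on later calls. In the log, the allocation starts at 0x08061080 and is 28 bytes long, so its upper guard begins at 0x0806109C; the dump shows a single 32-bit word zeroed at 0x080610A4, i.e. 36 bytes from the start of the block and 8 bytes past its end. The following is an added example, not libdisasm or mpatrol code, that implements the same guard-band check in plain C and reproduces the shape of that report with a constructed out-of-bounds write. All names (guarded_alloc, guarded_check, demo_overflow, ...) are this example's own; it makes no claim about what x86_old_disasm_addr actually wrote.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of an "overflow buffer" (guard band) allocator in the
 * style of mpatrol's --alloc-byte/--oflow-byte/--oflow-size options. This is
 * not libdisasm or mpatrol code; every name here is this example's own. */

#define GUARD_SIZE 64           /* mpatrol: --oflow-size=64 */
#define GUARD_BYTE 0x79u        /* mpatrol: --oflow-byte=0x79, prints as 'y' */
#define ALLOC_BYTE 0x66u        /* mpatrol: --alloc-byte=0x66, fills fresh blocks */

struct guarded {
    unsigned char *base;        /* raw block: [guard][user bytes][guard] */
    size_t size;                /* size the caller asked for */
};

/* Allocate `size` user bytes with a filled guard band on either side. */
static int guarded_alloc(struct guarded *g, size_t size)
{
    g->size = size;
    g->base = malloc(size + 2 * GUARD_SIZE);
    if (g->base == NULL)
        return -1;
    memset(g->base, GUARD_BYTE, GUARD_SIZE);                     /* lower guard */
    memset(g->base + GUARD_SIZE, ALLOC_BYTE, size);              /* user region */
    memset(g->base + GUARD_SIZE + size, GUARD_BYTE, GUARD_SIZE); /* upper guard */
    return 0;
}

/* The pointer the instrumented program actually gets to use. */
static unsigned char *guarded_ptr(const struct guarded *g)
{
    return g->base + GUARD_SIZE;
}

/* Check both guard bands. Returns 0 if intact, 1 if corrupted; on corruption
 * *first_bad is the offset, relative to the user pointer (negative for an
 * underflow), of the first changed guard byte. mpatrol's [ALLOVF] error
 * reports the same location as an absolute address. */
static int guarded_check(const struct guarded *g, ptrdiff_t *first_bad)
{
    for (size_t i = 0; i < GUARD_SIZE; i++) {
        if (g->base[i] != GUARD_BYTE) {
            *first_bad = (ptrdiff_t)i - (ptrdiff_t)GUARD_SIZE;
            return 1;
        }
    }
    for (size_t i = 0; i < GUARD_SIZE; i++) {
        if (g->base[GUARD_SIZE + g->size + i] != GUARD_BYTE) {
            *first_bad = (ptrdiff_t)(g->size + i);
            return 1;
        }
    }
    return 0;
}

/* Run `writer` against a 28-byte block (the size in the quoted report) and
 * return the offset the checker flags, or -1 if the guards survived. */
static ptrdiff_t run_case(void (*writer)(unsigned char *p))
{
    struct guarded g;
    ptrdiff_t off = -1;
    if (guarded_alloc(&g, 28) != 0)
        return -2;
    writer(guarded_ptr(&g));
    if (!guarded_check(&g, &off))
        off = -1;
    free(g.base);
    return off;
}

/* Constructed writer mimicking the shape of the quoted dump: a 32-bit zero
 * lands at user offset 36, 8 bytes past the end of the 28-byte block
 * (0x080610A4 - 0x08061080 = 0x24). Deliberately out of bounds. */
static void write_past_end(unsigned char *p)
{
    uint32_t zero = 0;
    memcpy(p + 36, &zero, sizeof zero);
}

/* Well-behaved writer: fills exactly the 28 bytes it was given. */
static void write_in_bounds(unsigned char *p)
{
    memset(p, 0, 28);
}

ptrdiff_t demo_overflow(void) { return run_case(write_past_end); }
ptrdiff_t demo_clean(void)    { return run_case(write_in_bounds); }

int main(void)
{
    printf("overflowing writer flagged at user offset %td\n", demo_overflow());
    printf("in-bounds writer flagged at %td (-1 = guards intact)\n", demo_clean());
    return 0;
}
```

The limitation this illustrates is the one behind the "wouldn't valgrind be a better way" question in the reply: a guard-band check only fires when the checker next runs, so the report names the allocation that was clobbered (here the 28-byte block allocated from x86_old_disasm_addr+496) rather than the instruction that did the writing. Tools that instrument every access, such as valgrind's memcheck or a build with -fsanitize=address, stop at the offending write itself.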