
CVE-2022-34612: An integer overflow is found in get_long_object() · Issue #2738 · rizinorg/rizin

Rizin v0.4.0 and below was discovered to contain an integer overflow via the function get_long_object(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted binary.


Crash

In the current version of Rizin, an integer overflow in get_long_object() leads to a heap buffer overflow. An attacker can trigger a DoS by supplying a malformed binary.

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Linux 5.18.6-arch1-1 |
| File format of the file you reverse (mandatory) | malformed |
| Architecture/bits of the file (mandatory) | malformed |
| rizin -v full output, not truncated (mandatory) | rizin 0.5.0 @ linux-x86-64 commit: 74e499a, build: 2022-06-25__09:14:00 |

Expected behavior

run normally

Actual behavior

crash

Steps to reproduce the behavior

Open the attached file (after unzip) with Rizin.

Additional Logs, screenshots, source code, configuration dump, …

input.zip

ERROR: Undefined type in free_object (0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x14)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x2)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x40)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x40)
ERROR: Undefined type in get_object (0x0)
ERROR: Undefined type in get_object (0x0)
ERROR: Copy not implemented for type 7b
…/librz/bin/format/pyc/marshal.c:202:18: runtime error: signed integer overflow: 1162871039 * 15 cannot be represented in type ‘int’
=================================================================
==2965413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa62f4647ff at pc 0x7fa63e73190d bp 0x7fffe4547ef0 sp 0x7fffe4547ee0
WRITE of size 1 at 0x7fa62f4647ff thread T0
    #0 0x7fa63e73190c in get_long_object …/librz/bin/format/pyc/marshal.c:219
    #1 0x7fa63e73190c in get_object …/librz/bin/format/pyc/marshal.c:1099
    #2 0x7fa63e7332e5 in get_code_object …/librz/bin/format/pyc/marshal.c:948
    #3 0x7fa63e7305a3 in get_object …/librz/bin/format/pyc/marshal.c:1054
    #4 0x7fa63e7342a6 in get_sections_symbols_from_code_objects …/librz/bin/format/pyc/marshal.c:1204
    #5 0x7fa63e439e26 in symbols …/librz/bin/p/bin_pyc.c:126
    #6 0x7fa63e30551b in rz_bin_object_set_items …/librz/bin/bobj.c:419
    #7 0x7fa63e30a21d in rz_bin_object_new …/librz/bin/bobj.c:282
    #8 0x7fa63e2e5ca4 in rz_bin_file_new_from_buffer …/librz/bin/bfile.c:277
    #9 0x7fa63e2f2675 in rz_bin_open_buf …/librz/bin/bin.c:283
    #10 0x7fa63e2f3f72 in rz_bin_open_io …/librz/bin/bin.c:341
    #11 0x7fa63c5fe1a3 in core_file_do_load_for_io_plugin …/librz/core/cfile.c:727
    #12 0x7fa63c5fe1a3 in rz_core_bin_load …/librz/core/cfile.c:974
    #13 0x7fa645326b1d in rz_main_rizin …/librz/main/rizin.c:1147
    #14 0x7fa64482928f (/usr/lib/libc.so.6+0x2928f)
    #15 0x7fa644829349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
    #16 0x55c82ec2f964 in _start (/usr/local/bin/rizin+0x2964)

0x7fa62f4647ff is located 1 bytes to the left of 65799105-byte region [0x7fa62f464800,0x7fa633324bc1)
allocated by thread T0 here:
    #0 0x7fa6460bfa89 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7fa63e72e907 in get_long_object …/librz/bin/format/pyc/marshal.c:205
    #2 0x7fa63e72e907 in get_object …/librz/bin/format/pyc/marshal.c:1099
    #3 0x7fa63e7332e5 in get_code_object …/librz/bin/format/pyc/marshal.c:948
    #4 0x7fa63e7305a3 in get_object …/librz/bin/format/pyc/marshal.c:1054
    #5 0x7fa63e7342a6 in get_sections_symbols_from_code_objects …/librz/bin/format/pyc/marshal.c:1204
    #6 0x7fa63e439e26 in symbols …/librz/bin/p/bin_pyc.c:126
    #7 0x7fa63e30551b in rz_bin_object_set_items …/librz/bin/bobj.c:419
    #8 0x7fa63e30a21d in rz_bin_object_new …/librz/bin/bobj.c:282
    #9 0x7fa63e2e5ca4 in rz_bin_file_new_from_buffer …/librz/bin/bfile.c:277
    #10 0x7fa63e2f2675 in rz_bin_open_buf …/librz/bin/bin.c:283
    #11 0x7fa63e2f3f72 in rz_bin_open_io …/librz/bin/bin.c:341
    #12 0x7fa63c5fe1a3 in core_file_do_load_for_io_plugin …/librz/core/cfile.c:727
    #13 0x7fa63c5fe1a3 in rz_core_bin_load …/librz/core/cfile.c:974
    #14 0x7fa645326b1d in rz_main_rizin …/librz/main/rizin.c:1147
    #15 0x7fa64482928f (/usr/lib/libc.so.6+0x2928f)

SUMMARY: AddressSanitizer: heap-buffer-overflow …/librz/bin/format/pyc/marshal.c:219 in get_long_object
Shadow bytes around the buggy address:
  0x0ff545e848a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff545e848f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0ff545e84900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2965413==ABORTING
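The log shows the chain behind this report: a digit count read from the file is multiplied by 15 at marshal.c:202, the signed product wraps, the buffer allocated at line 205 is therefore far too small for the digits, and the write at line 219 runs off its front. The following is an added example, not rizin's get_long_object() and not the project's fix: a constructed reader for the marshalled TYPE_LONG body (CPython's layout: an int32 digit count whose sign gives the number's sign, then one 15-bit digit per 16-bit little-endian word) that rejects a count not backed by data and a product that would overflow before allocating, together with the wrapped product from the UBSan line computed in unsigned arithmetic. The bounds check against the remaining bytes is an assumption about how such a check would be shaped.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PYC_DIGIT_BITS 15 /* each marshalled long digit carries 15 bits */

/* The product from the UBSan line, done in unsigned arithmetic so it wraps
 * instead of being undefined; the result is what the signed multiply yielded. */
uint32_t wrapped_bit_count(int32_t ndigits) {
    return (uint32_t)ndigits * PYC_DIGIT_BITS;
}
/* Hardened TYPE_LONG body reader (constructed, not rizin's get_long_object()).
 * buf: int32 LE digit count whose sign is the number's sign, then |count|
 * 16-bit LE words each holding one 15-bit digit, least significant first.
 * Returns a malloc'd "[-]0x..." string, or NULL if the body is malformed. */
char *pyc_long_to_hex(const uint8_t *buf, size_t len) {
    static const char hexd[] = "0123456789abcdef";
    if (len < 4) return NULL;
    int32_t ndigits = (int32_t)((uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                                (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24);
    if (ndigits == INT32_MIN) return NULL;              /* -ndigits would overflow */
    bool neg = ndigits < 0;
    uint64_t n = (uint64_t)(neg ? -(int64_t)ndigits : ndigits);
    if (n > (len - 4) / 2) return NULL;                 /* count not backed by data */
    uint64_t bits;
    if (__builtin_mul_overflow(n, (uint64_t)PYC_DIGIT_BITS, &bits)) return NULL;
    size_t nhex = (size_t)((bits + 3) / 4);             /* one hex char per 4 bits */
    if (nhex == 0) nhex = 1;                            /* "0x0" for a zero count */
    size_t total = nhex + 3 + (neg ? 1 : 0);            /* "-", "0x", NUL */
    char *out = malloc(total);
    if (!out) return NULL;
    size_t pos = total - 1;
    out[pos] = '\0';
    uint32_t acc = 0;
    int accbits = 0;
    for (uint64_t i = 0; i < n; i++) {                  /* write nibbles from the end */
        uint32_t d = (uint32_t)buf[4 + 2 * i] | (uint32_t)buf[5 + 2 * i] << 8;
        if (d & 0x8000) { free(out); return NULL; }     /* digit exceeds 15 bits */
        acc |= d << accbits;
        accbits += PYC_DIGIT_BITS;
        while (accbits >= 4) { out[--pos] = hexd[acc & 0xf]; acc >>= 4; accbits -= 4; }
    }
    if (accbits > 0 || n == 0) out[--pos] = hexd[acc & 0xf];
    out[--pos] = 'x';                                   /* pos is now exactly 2 + neg */
    out[--pos] = '0';
    if (neg) out[--pos] = '-';
    return out;
}
```

The wrapped value, 263196401 bits, is roughly four bits per byte of the 65799105-byte region ASan reports, which is how a 1162871039-digit count became a buffer far smaller than the digit loop expected.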
