URL: <http://savannah.gnu.org/bugs/?51189>
Summary: Stack buffer underflow in grub_memmove()
Project: GNU GRUB
Submitted by: fumfel
Submitted on: Tue 06 Jun 2017 11:13:15 AM UTC
Category: Security
Severity: Major
Priority: 5 - Normal
Item Group: Software Error
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: other
Reproducibility: Every Time
Planned Release: None

_______________________________________________________

Details:

While fuzzing radare2 I found a stack buffer underflow in the function grub_memmove().

Original issue with repro: https://github.com/radare/radare2/issues/7683

ASAN from r2:

==32384==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffd57d028f8 at pc 0x7fc9c5b6ac47 bp 0x7ffd57d01c40 sp 0x7ffd57d01c38
WRITE of size 16 at 0x7ffd57d028f8 thread T0
    #0 0x7fc9c5b6ac46 in grub_memmove XYZ/radare2/shlr/grub/kern/misc.c:98:7
    #1 0x7fc9c5b67800 in grub_disk_read XYZ/radare2/shlr/grub/kern/disk.c:488:3
    #2 0x7fc9c5b68268 in grub_disk_read_ex XYZ/radare2/shlr/grub/kern/disk.c:563:12
    #3 0x7fc9c5b0754d in grub_fshelp_read_file XYZ/radare2/shlr/grub/fs/fshelp.c:333:4
    #4 0x7fc9c5b1134d in grub_ext2_read_file XYZ/radare2/shlr/grub/fs/ext2.c:504:9
    #5 0x7fc9c5b1134d in grub_ext2_iterate_dir XYZ/radare2/shlr/grub/fs/ext2.c:690
    #6 0x7fc9c5b0faf2 in grub_ext2_dir XYZ/radare2/shlr/grub/fs/ext2.c:876:3
    #7 0x7fc9c5af0c58 in ext2__mount XYZ/radare2/libr/fs/p/fs_grub_base.c:74:8
    #8 0x7fc9c5afbeaa in r_fs_mount XYZ/radare2/libr/fs/fs.c:151:7
    #9 0x7fc9c8f20dfb in cmd_mount XYZ/radare2/libr/core/./cmd_mount.c:49:9
    #10 0x7fc9c90e76af in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:226:10
    #11 0x7fc9c8fd5811 in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:2191:12
    #12 0x7fc9c8f1d5b7 in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:1395:9
    #13 0x7fc9c8f16d24 in r_core_cmd XYZ/radare2/libr/core/cmd.c:2799:9
    #14 0x7fc9c8f0183f in r_core_cmdf XYZ/radare2/libr/core/cmd.c:2957:8
    #15 0x7fc9c90c1752 in bin_info XYZ/radare2/libr/core/cbin.c:621:4
    #16 0x7fc9c90c1752 in r_core_bin_info XYZ/radare2/libr/core/cbin.c:2870
    #17 0x7fc9c90b1e41 in r_core_bin_set_env XYZ/radare2/libr/core/cbin.c:115:3
    #18 0x7fc9c903d974 in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:434:2
    #19 0x7fc9c903d974 in r_core_bin_load XYZ/radare2/libr/core/file.c:567
    #20 0x555f8a113f6b in main XYZ/radare2/binr/radare2/radare2.c:952:14
    #21 0x7fc9c1bc782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #22 0x555f8a043f38 in _start (/usr/local/bin/radare2+0x20f38)

ASAN:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?51189>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

_______________________________________________
Bug-grub mailing list
Bug-grub@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-grub
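The trace above shows a write landing below the start of a stack buffer inside a memmove reached from a sector-granular disk read; the report itself gives no mechanism beyond that. The block below is an added illustration of that bug class and the check a caller would want, not GRUB's or radare2's code: it does not reproduce the reported bug. The names (checked_move, read_bytes), the two-sector in-memory image and the sector size are assumptions constructed for the example. checked_move refuses any copy whose destination range is not wholly inside the caller's buffer, including a negative offset, which is exactly the case a raw grub_memmove-style call cannot detect on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR 512

/* Constructed two-sector disk image (not real data); byte i holds (i & 0xff). */
static unsigned char disk[2 * SECTOR];

static void init_disk(void)
{
    for (size_t i = 0; i < sizeof disk; i++)
        disk[i] = (unsigned char)i;
}

/* Copy len bytes from src into dst_buf at byte offset off, but only if the
 * whole destination range [off, off+len) lies inside dst_buf[0..dst_size).
 * A negative offset is the stack-buffer-underflow case: a plain memmove would
 * happily write below the buffer. Returns 0 on success, -1 if rejected. */
int checked_move(void *dst_buf, size_t dst_size, ptrdiff_t off,
                 const void *src, size_t len)
{
    if (off < 0)
        return -1;                          /* would write before buffer start */
    if ((size_t)off > dst_size)
        return -1;                          /* starts past the end */
    if (len > dst_size - (size_t)off)
        return -1;                          /* would run past the end (no wrap) */
    memmove((unsigned char *)dst_buf + off, src, len);
    return 0;
}

/* Read len bytes starting at byte position pos of the image into out, copying
 * sector by sector the way a sector-granular read loop does: the first chunk
 * starts at an in-sector skip and the destination offset advances per chunk.
 * Every chunk goes through checked_move, so a miscomputed destination offset
 * is rejected instead of corrupting the caller's stack. */
int read_bytes(uint64_t pos, size_t len, unsigned char *out, size_t out_size)
{
    if (pos > sizeof disk || len > sizeof disk - pos)
        return -1;                          /* request outside the image */
    size_t skip = (size_t)(pos % SECTOR);
    uint64_t sector = pos / SECTOR;
    size_t done = 0;
    while (done < len) {
        size_t chunk = SECTOR - skip;
        if (chunk > len - done)
            chunk = len - done;
        if (checked_move(out, out_size, (ptrdiff_t)done,
                         disk + sector * SECTOR + skip, chunk) != 0)
            return -1;                      /* caller's buffer too small */
        done += chunk;
        skip = 0;                           /* later sectors start at byte 0 */
        sector++;
    }
    return 0;
}

int main(void)
{
    unsigned char buf[100];
    init_disk();
    /* Spans the sector boundary: bytes 500..599 of the image. */
    printf("read 500..599: %d (buf[0]=%u buf[12]=%u)\n",
           read_bytes(500, sizeof buf, buf, sizeof buf), buf[0], buf[12]);
    /* Same span into a buffer that is too small is refused, not overflowed. */
    printf("read into 50-byte buffer: %d\n", read_bytes(500, 100, buf, 50));
    /* A negative destination offset (the underflow case) is refused outright. */
    printf("negative offset: %d\n", checked_move(buf, sizeof buf, -8, disk, 16));
    return 0;
}
```

The value of routing every copy through checked_move is that the bounds decision is made against the destination buffer's real size, not against the source's sector geometry; that is the information a disk-read helper does not have unless the caller passes it down.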