SEGV in LIEF::DEX::Field::set_static at DEX/Field.cpp:64
Describe the bug
A malformed DEX file can lead LIEF::DEX::Parser::parse() to a segmentation fault.
PoC here: dex_segv_1.zip
To Reproduce
- Build the whole project with ASAN
- Driver program (compile it with ASAN too):
// read_dex.c (compiled as C++ against LIEF)
#include <LIEF/LIEF.hpp>
#include <iostream>
#include <memory>

int main(int argc, char** argv) {
  if (argc != 2) return 0;
  // DEX: parse the file named on the command line and print it
  try {
    std::unique_ptr<LIEF::DEX::File> dex = LIEF::DEX::Parser::parse(argv[1]);
    if (dex) std::cout << *dex << std::endl;
  } catch (const LIEF::exception& err) {
    std::cerr << err.what() << std::endl;
  }
  return 0;
}
- Run the PoC:
$ ./read_dex ./dex_segv_1.bin
Expected behavior
The DEX file should be parsed without a segmentation fault, since a segmentation fault in the parser can cause a Denial of Service (DoS).
Environment (please complete the following information):
- System and Version : Ubuntu 20.04 + gcc 9.4.0
- Target format : DEX
- LIEF commit version: https://github.com/lief-project/LIEF/commit/ad811916670e83947560b6f3c45df6e71d3885af
Additional context
ASAN says:
$ /read_dex dex_segv_1.bin
Corrupted method index #76 for class: LTest1; (32 methods)
Corrupted field index #780 for class: Lorg/t0t0/androguard/test/R$attr; (7 fields)
Corrupted method index #769 for class: Lorg/t0t0/androguard/test/R$layout; (32 methods)
Corrupted method index #1188 for class: Lorg/t0t0/androguard/test/R$strin (23 methods)
Corrupted method index #32 for class: Lorg/t0t0/androguard/test/R$strin (32 methods)
Corrupted method index #42 for class: Lorg/t0t0/androguard/test/R; (23 methods)
Corrupted method index #25 for class: Lorg/t0t0/androguard/test/R; (32 methods)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31169==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557d2ceb2960 bp 0x0fffbbade038 sp 0x7ffddd6f0170 T0)
==31169==The signal is caused by a READ memory access.
==31169==Hint: address points to the zero page.
#0 0x557d2ceb295f in LIEF::DEX::Field::set_static(bool) /home/ubuntu/test/LIEF/src/DEX/Field.cpp:64
#1 0x557d2cdb807d in void LIEF::DEX::Parser::parse_field<LIEF::DEX::details::DEX35>(unsigned long, LIEF::DEX::Class&, bool) (/home/ubuntu/test/LIEF/fuzz/read_dex+0x52707d)
#2 0x557d2cd9e175 in void LIEF::DEX::Parser::parse_class_data<LIEF::DEX::details::DEX35>(unsigned int, LIEF::DEX::Class&) /home/ubuntu/test/LIEF/src/DEX/Parser.tcc:517
#3 0x557d2cd71721 in void LIEF::DEX::Parser::parse_classes<LIEF::DEX::details::DEX35>() /home/ubuntu/test/LIEF/src/DEX/Parser.tcc:463
#4 0x557d2cd627e1 in void LIEF::DEX::Parser::parse_file<LIEF::DEX::details::DEX35>() /home/ubuntu/test/LIEF/src/DEX/Parser.tcc:45
#5 0x557d2cd58dad in LIEF::DEX::Parser::init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int) /home/ubuntu/test/LIEF/src/DEX/Parser.cpp:78
#6 0x557d2cd58197 in LIEF::DEX::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/LIEF/src/DEX/Parser.cpp:40
#7 0x557d2cbc1856 in main /home/ubuntu/test/LIEF/fuzz/read_dex.c:9
#8 0x7fbd0c48c082 in __libc_start_main ../csu/libc-start.c:308
#9 0x557d2cbc155d in _start (/home/ubuntu/test/LIEF/fuzz/read_dex+0x33055d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/test/LIEF/src/DEX/Field.cpp:64 in LIEF::DEX::Field::set_static(bool)
==31169==ABORTING
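The trace shows the parser logging a corrupted field index and then reading the zero page inside Field::set_static, i.e. the lookup for that index yields no valid Field and the caller dereferences it anyway. The following is an added illustration of that failure shape and its checked counterpart; it is not LIEF's code, and Field, FieldTable and the parse_* helpers are hypothetical stand-ins that only mimic the log line from this report.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>
// Hypothetical stand-ins for LIEF::DEX::Field and the field_ids table.
struct Field {
  std::string name;
  bool is_static = false;
  void set_static(bool v) { is_static = v; }
};

struct FieldTable {
  std::vector<Field> fields;  // index space of the DEX field_ids section
  // Mirrors the report's log line: an out-of-range index is reported and
  // the lookup returns nullptr instead of a valid Field.
  Field* lookup(uint32_t idx, const std::string& cls) {
    if (idx >= fields.size()) {
      std::fprintf(stderr, "Corrupted field index #%u for class: %s (%zu fields)\n",
                   (unsigned)idx, cls.c_str(), fields.size());
      return nullptr;
    }
    return &fields[idx];
  }
};

// Vulnerable shape: trusts the lookup result, so a corrupted index makes
// set_static() run on nullptr (the zero-page READ in the ASAN trace).
bool parse_field_unchecked(FieldTable& t, uint32_t idx, const std::string& cls) {
  Field* f = t.lookup(idx, cls);
  f->set_static(true);
  return true;
}

// Hardened shape: a corrupted index skips the field and reports failure.
bool parse_field_checked(FieldTable& t, uint32_t idx, const std::string& cls) {
  Field* f = t.lookup(idx, cls);
  if (f == nullptr) return false;
  f->set_static(true);
  return true;
}

// Walks a class's field index list with the checked variant; returns how many
// fields were marked static, with corrupted entries skipped rather than fatal.
std::size_t parse_class_data_checked(FieldTable& t, const std::vector<uint32_t>& idxs,
                                     const std::string& cls) {
  std::size_t ok = 0;
  for (uint32_t idx : idxs) ok += parse_field_checked(t, idx, cls) ? 1 : 0;
  return ok;
}
```

With a constructed 7-entry table (matching the "(7 fields)" line above) an index of 780 is rejected by the checked path and only logged by the unchecked one before it dereferences nullptr.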