LIEF icon indicating copy to clipboard operation
LIEF copied to clipboard

Published 20 hours ago verified publisher icon lief-project

SEGV in LIEF::DEX::Field::set_static at DEX/Field.cpp:64

Open bladchan opened this issue 1 year ago • 0 comments

Describe the bug A bad DEX file which can lead LIEF::DEX::Parser::parse() to segmentation fault.

Poc here : dex_segv_1.zip

To Reproduce

  1. Build the whole project with ASAN
  2. Drive program (compile it with ASAN too):
// read_dex.c
// read_dex.c
#include <LIEF/LIEF.hpp>

int main(int argc, char** argv){
	
	if(argc != 2) return 0;
	
	// DEX
	try {
	    std::unique_ptr<LIEF::DEX::File> dex = LIEF::DEX::Parser::parse(argv[1]);
	    if(dex) std::cout << *dex << std::endl;
	} catch (const LIEF::exception& err) {
	    std::cerr << err.what() << std::endl;
	}

	return 0;
}
  1. Run Poc:
$ ./read_dex ./dex_segv_1.bin

Expected behavior Parse the DEX file without segmentation fault because segmentation fault can cause a Denial of Service (Dos).

Environment (please complete the following information):

  • System and Version : Ubuntu 20.04 + gcc 9.4.0
  • Target format : DEX
  • LIEF commit version: https://github.com/lief-project/LIEF/commit/ad811916670e83947560b6f3c45df6e71d3885af

Additional context ASAN says:

$ /read_dex dex_segv_1.bin 
Corrupted method index #76 for class: LTest1; (32 methods)
Corrupted field index #780 for class: Lorg/t0t0/androguard/test/R$attr; (7 fields)
Corrupted method index #769 for class: Lorg/t0t0/androguard/test/R$layout; (32 methods)
Corrupted method index #1188 for class: Lorg/t0t0/androguard/test/R$strin (23 methods)
Corrupted method index #32 for class: Lorg/t0t0/androguard/test/R$strin (32 methods)
Corrupted method index #42 for class: Lorg/t0t0/androguard/test/R; (23 methods)
Corrupted method index #25 for class: Lorg/t0t0/androguard/test/R; (32 methods)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31169==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557d2ceb2960 bp 0x0fffbbade038 sp 0x7ffddd6f0170 T0)
==31169==The signal is caused by a READ memory access.
==31169==Hint: address points to the zero page.
    #0 0x557d2ceb295f in LIEF::DEX::Field::set_static(bool) /home/ubuntu/test/LIEF/src/DEX/Field.cpp:64
    #1 0x557d2cdb807d in void LIEF::DEX::Parser::parse_field<LIEF::DEX::details::DEX35>(unsigned long, LIEF::DEX::Class&, bool) (/home/ubuntu/test/LIEF/fuzz/read_dex+0x52707d)
    #2 0x557d2cd9e175 in void LIEF::DEX::Parser::parse_class_data<LIEF::DEX::details::DEX35>(unsigned int, LIEF::DEX::Class&) /home/ubuntu/test/LIEF/src/DEX/Parser.tcc:517
    #3 0x557d2cd71721 in void LIEF::DEX::Parser::parse_classes<LIEF::DEX::details::DEX35>() /home/ubuntu/test/LIEF/src/DEX/Parser.tcc:463
    #4 0x557d2cd627e1 in void LIEF::DEX::Parser::parse_file<LIEF::DEX::details::DEX35>() /home/ubuntu/test/LIEF/src/DEX/Parser.tcc:45
    #5 0x557d2cd58dad in LIEF::DEX::Parser::init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int) /home/ubuntu/test/LIEF/src/DEX/Parser.cpp:78
    #6 0x557d2cd58197 in LIEF::DEX::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/LIEF/src/DEX/Parser.cpp:40
    #7 0x557d2cbc1856 in main /home/ubuntu/test/LIEF/fuzz/read_dex.c:9
    #8 0x7fbd0c48c082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x557d2cbc155d in _start (/home/ubuntu/test/LIEF/fuzz/read_dex+0x33055d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/test/LIEF/src/DEX/Field.cpp:64 in LIEF::DEX::Field::set_static(bool)
==31169==ABORTING

bladchan avatar Sep 16 '22 15:09 bladchan