[c166] Fix overflow#6599
Conversation
notxvilka
left a comment
There was a problem hiding this comment.
Please make PR description shorter
Also it breaks one of the tests:
[XX] 00h00m03s265ms db/analysis/c166 C166 measure binary file iA
RZ_COLOR=0 RZ_UTF8=0 RZ_NOPLUGINS=1 /usr/bin/rizin -escr.utf8=0 -escr.color=0 -escr.interactive=0 -eflirt.sigdb.load.system=false -esearch.show_progress=false -eflirt.sigdb.load.home=false -N -qc 'e asm.arch=c166
e asm.bytes=true
iA
echo
iS
echo
aaa
pd 150
echo
pd 21 @ 0x00c001e6
echo
pd @ 0x00c018da
echo
pdf @ 0x00c013b0
echo
pdf @ 0x00c0168a
' bins/omf/omf166/measure
-- stdout
--- expected
+++ actual
@@ -56,20 +56,20 @@
@| ;-- section.PR_GETKEY_FCODE:
@| ;-- _getkey:
/ _getkey();
-| @=-> 0x00c0001c 9ab7fe70 jnb 0xff6e, _getkey ; Getkey.c:22 ; 0xc0001c ; [09] -rw- section size 12 named PR_GETKEY_FCODE
+| @=-> 0x00c0001c 9ab7fe70 jnb S0RIC.7, _getkey ; Getkey.c:22 ; 0xc0001c ; [09] -rw- section size 12 named PR_GETKEY_FCODE
| | 0x00c00020 f2f4b2fe mov r4, 0xfe06:0x3eb2 ; Getkey.c:26
-| | 0x00c00024 7eb7 bclr 0xff6e ; Getkey.c:27
+| | 0x00c00024 7eb7 bclr S0RIC.7 ; Getkey.c:27
\ | 0x00c00026 db00 rets ; Getkey.c:28
/ sym.isr_vec_0x28();
\ ,==< 0x00c00028 fac07a00 jmps Class_B_trap ; 0xc0007a ; "\r\xff\xff\xff\xff\xff\xfa\xc0\x80\U00000012\xa5Z\xa5\xa5р\xe6\xea"
|| ;-- section.C_CLRMEMSEC_UNKNOWN:
- || 0x00c0002c 1a800400 bfldh 0xff00, #0x00, #0x04 ; [26] -r-- section size 24 named C_CLRMEMSEC_UNKNOWN
+ || 0x00c0002c 1a800400 bfldh P0L, #0x00, #0x04 ; [26] -r-- section size 24 named C_CLRMEMSEC_UNKNOWN
|| 0x00c00030 40c2 cmp r12, r2
- || 0x00c00032 0fa0 bset 0xff40.0
- || 0x00c00034 04005cc2 add 0xfe06:0x025c, 0xfe00
- || 0x00c00038 03000000 addb 0xfe00, 0xfe00:0x0000
+ || 0x00c00032 0fa0 bset T2CON.0
+ || 0x00c00034 04005cc2 add 0xfe06:0x025c, DPP0
+ || 0x00c00038 03000000 addb DPP0, 0xfe00:0x0000
|| 0x00c0003c 0080 add r8, r0
- || 0x00c0003e 04005bc2 add 0xfe06:0x025b, 0xfe00
+ || 0x00c0003e 04005bc2 add 0xfe06:0x025b, DPP0
|| 0x00c00042 0000 add r0, r0
|| ;-- section.C_LIB_NCONST_NCONST:
|| 0x00c00044 0000 add r0, r0 ; [19] -r-- section size 48 named C_LIB_NCONST_NCONST
@@ -83,13 +83,13 @@
|| 0x00c00056 1c46 rol r6, #0x04
|| 0x00c00058 0050 add r5, r0
|| 0x00c0005a c3470024 CoSTORE r4, 0xffde
- || 0x00c0005e 74498096 or 0xfe04:0x1680, 0xfe92
+ || 0x00c0005e 74498096 or 0xfe04:0x1680, CC9
|| 0x00c00062 184b addc r4, [r3]
|| 0x00c00064 20bc sub r11, r12
|| 0x00c00066 be4c bclr 0xfd98.11
|| 0x00c00068 ca1b0e5a calla- cc_NUSR1, 0xc05a0e ; 0x5a0e
|| 0x00c0006c 1cc2 rol r2, #0x0c
- || 0x00c0006e 5367aec5 xorb 0xfece, 0xfe06:0x05ae
+ || 0x00c0006e 5367aec5 xorb PECC7, 0xfe06:0x05ae
|| 0x00c00072 9d74 jmpr cc_NC/UGE, 0xc0015c ; sym.a166_NEAR.RepeatInit+0x2
@|| ; CODE XREF from sym.isr_vec_0x8 @ 0xc00008
@|| ;-- section.PR_TRAPS_FCODE:
1a52554 to
255007e
Compare
wargio
left a comment
There was a problem hiding this comment.
Did you use AI for this patch?
No, I only use AI (gemini) for information retrieval. I write the code myself, and last PR I answered a similar question from Rot127 about why the code sometimes looks a bit messy. Regarding the description, this text was sent as information about the leak, and I've attached it to the description. |
56c70e3 to
7bdeb9c
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files
... and 12 files with indirect coverage changes Continue to review full report in Codecov by Harness.
🚀 New features to boost your workflow:
|
93d269a to
c5b2832
Compare
c5b2832 to
adebc01
Compare
5b6dd64 to
d4173d9
Compare
cd7055d to
8fdc9c9
Compare
Your checklist for this pull request
RZ_APIfunction and struct this PR changes.RZ_API).Detailed description
START REPORT
Heap out-of-bounds read in Rizin OMF166 loader (load_omf166_global_sym_record)
Summary
The OMF166 object-file loader reads a symbol-name length byte from the file and
adds it to the record cursor without checking it against the buffer size. A
crafted .obj with a LOCSYM/PUBDEF/GLBDEF/DEBSYM record whose name
length is large drives the cursor past the end of the mapped file buffer; the
next fixed-field reads (rz_read_le16_offset / rz_read_le8_offset) then read
out of bounds on the heap.
The file is auto-detected as OMF166 by rz_bin (no plugin flag needed), so the
overflow is reached by simply opening a malicious file, e.g. rz-bin file.obj
or rizin file.obj. A 22-byte input is enough.
symbol fields, so adjacent heap memory can influence loader output
(information disclosure)
...
Test plan
...
Closing issues
...