bug-grub

oob read(out-of-bound read) in dict_get()


From: sohu0106
Subject: oob read(out-of-bound read) in dict_get()
Date: Sat, 3 Sep 2022 14:34:34 +0800 (CST)

OOB read (out-of-bounds read) in dict_get(), grub-2.06/grub-core/lib/xzembed/xz_dec_lzma2.c:326. The version of gawk is grub-2.06. See the attachment for the POC; the ASan report is below.


    static inline uint32_t dict_get(
            const struct dictionary *dict, uint32_t dist)
    {
        size_t offset = dict->pos - dist - 1;

        if (dist >= dict->pos)
            offset += dict->end;

        // offset causes the OOB read
        return dict->full > 0 ? dict->buf[offset] : 0;
    }

grub2-master/grub-2.06/grub-file --is-x86-linux oob_read_in_grub2

AddressSanitizer:DEADLYSIGNAL
=================================================================
==133773==ERROR: AddressSanitizer: SEGV on unknown address 0x630fffffb464 (pc 0x00000085235c bp 0x62c0000002c0 sp 0x7ffe51caca00 T0)
==133773==The signal is caused by a READ memory access.
    #0 0x85235c in dict_get grub2/grub2-master/grub-2.06/grub-core/lib/xzembed/xz_dec_lzma2.c:326:26
    #1 0x85235c in lzma_literal grub2/grub2-master/grub-2.06/grub-core/lib/xzembed/xz_dec_lzma2.c:597:16
    #2 0x85235c in lzma_main grub2/grub2-master/grub-2.06/grub-core/lib/xzembed/xz_dec_lzma2.c:743:4
    #3 0x847d92 in lzma2_lzma grub2/grub2-master/grub-2.06/grub-core/lib/xzembed/xz_dec_lzma2.c:904:8
    #4 0x847d92 in xz_dec_lzma2_run grub2/grub2-master/grub-2.06/grub-core/lib/xzembed/xz_dec_lzma2.c:1074:9
    #5 0x7b604c in dec_block grub2/grub2-master/grub-2.06/grub-core/lib/xzembed/xz_dec_stream.c:252:9
    #6 0x7b604c in dec_main grub2/grub2-master/grub-2.06/grub-core/lib/xzembed/xz_dec_stream.c:790:10
    #7 0x7b604c in xz_dec_run grub2/grub2-master/grub-2.06/grub-core/lib/xzembed/xz_dec_stream.c:922:8
    #8 0x7a79be in grub_xzio_read grub2/grub2-master/grub-2.06/grub-core/io/xzio.c:269:15
    #9 0x8f1521 in grub_file_read grub2/grub2-master/grub-2.06/grub-core/kern/file.c:180:9
    #10 0x4d1324 in grub_cmd_file grub2/grub2-master/grub-2.06/grub-core/commands/file.c:507:6
    #11 0x97255e in grub_extcmd_dispatcher grub2/grub2-master/grub-2.06/grub-core/commands/extcmd.c:55:13
    #12 0x4c8fa1 in main grub2/grub2-master/grub-2.06/util/grub-file.c:102:9
    #13 0x7effb938a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #14 0x41c41d in _start (grub2/grub2-master/grub-2.06/grub-file+0x41c41d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV grub2/grub2-master/grub-2.06/grub-core/lib/xzembed/xz_dec_lzma2.c:326:26 in dict_get
==133773==ABORTING


Attachment: oob_read_in_grub2.zip
Description: Zip compressed data
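
The index arithmetic of the dict_get() quoted in the report, worked through as an added example (not part of the original message and not GRUB's code). The reduced struct, dict_offset(), dict_get_checked() and the sample values are assumptions made for illustration; the block shows when the computed offset leaves the buffer and does not analyse the attached POC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reduced model (assumption): only the fields dict_get() reads. */
struct dictionary {
    const uint8_t *buf;
    size_t pos;   /* next write position */
    size_t full;  /* bytes of valid history */
    size_t end;   /* usable size of buf */
};

/* Same index arithmetic as the dict_get() quoted in the report. */
static size_t dict_offset(const struct dictionary *dict, uint32_t dist)
{
    size_t offset = dict->pos - dist - 1;   /* wraps when dist >= pos */

    if (dist >= dict->pos)
        offset += dict->end;    /* lands in buf only if dist < pos + end */
    return offset;
}

/* Hypothetical checked read: 0 on success, -1 if the index leaves buf
 * or points at history that was never written. */
static int dict_get_checked(const struct dictionary *dict, uint32_t dist,
                            uint8_t *out)
{
    size_t offset = dict_offset(dict, dist);

    if (dict->buf == NULL || dist >= dict->full || offset >= dict->end)
        return -1;
    *out = dict->buf[offset];
    return 0;
}

int main(void)
{
    /* Constructed state: 16-byte window, write position 4, window full. */
    static const uint8_t hist[16] = { 0 };
    struct dictionary d = { .buf = hist, .pos = 4, .full = 16, .end = 16 };
    uint32_t dists[] = { 1, 4, 20 };
    uint8_t b;

    for (size_t i = 0; i < sizeof(dists) / sizeof(dists[0]); i++)
        printf("dist=%u offset=%zu checked=%d\n", (unsigned)dists[i],
               dict_offset(&d, dists[i]), dict_get_checked(&d, dists[i], &b));
    return 0;
}
```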

