Description
In the provided PoC `pyvex.lift` does not seem to take the provided `bytes_offset` into account but still sets `max_bytes` to the length of the whole buffer. This leads to the lifter reading past the provided buffer.
Steps to reproduce the bug
Code to reproduce the issue:

```python
import logging

import archinfo
import pyvex

# Enable debug logging so the lifter front-end (FE) trace is printed
logger = logging.getLogger()
handler = logging.StreamHandler()
formatter = logging.Formatter(
    '%(asctime)s %(name)-12s %(levelname)-8s %(message)s')
handler.setFormatter(formatter)
logger.addHandler(handler)
logger.setLevel(logging.DEBUG)

# 48 bytes of amd64 code; lifting starts 36 bytes in, so only 12 bytes remain
code = bytes.fromhex('31c0e8a932f9ff488b0d22a0060089df4489fe4489f2e825aff5ff89c531c0e8dc32f9ffc7442408b55f5999896c2404')
arch = archinfo.arch_amd64.ArchAMD64(endness='Iend_LE')
addr = 0xbb1c0
offset = 36
# max_bytes is deliberately left at its default
irsb = pyvex.lift(arch=arch, data=code, addr=addr+offset, bytes_offset=offset, opt_level=1, traceflags=10000000)
```
FE logging shows the lifter is working on 44 bytes, reading past the end of the buffer:
GuestBytes BB1E4 44 C7 44 24 08 B5 5F 59 99 89 6C 24 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000000
The expected output can be had by setting `max_bytes` to 12 manually:

```python
irsb = pyvex.lift(arch=arch, data=code, addr=addr+offset, bytes_offset=offset, opt_level=1, max_bytes=12, traceflags=10000000)
```
This produces the expected output from the FE logging of 12 bytes being lifted:
GuestBytes BB1E4 12 C7 44 24 08 B5 5F 59 99 89 6C 24 04 00072244
By looping the PoC one can see that the output does change, further indicating an OOB read of random memory:

```sh
while true; do python poc.py; done
```
Environment
(venv) ~/code/vexbug >>> pip freeze
archinfo==9.2.165
bitarray==3.5.0
bitstring==4.3.1
cffi==1.17.1
pycparser==2.22
pyvex==9.2.165
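As an added example (not code from this issue or from pyvex itself), the following helper computes the bound that `pyvex.lift` should be given so that `bytes_offset` and `max_bytes` agree, and checks a lifted block's size against the bytes that really remain in the buffer. The helper names `remaining_bytes`, `safe_lift_kwargs` and `check_in_bounds` are hypothetical; the buffer and addresses are the PoC's own 48-byte buffer at 0xbb1c0, and the assumption that the `addr` passed to the lifter is the guest address of `data[bytes_offset]` follows the PoC's `addr=addr+offset`. pyvex is only imported in the guarded main, so the helpers run without it.

```python
# Added example, not code from the issue or from pyvex: clamp max_bytes to the
# bytes remaining after bytes_offset and verify a lifted block against that
# bound. Helper names are hypothetical, not pyvex API.
from typing import Optional

# The PoC's 48-byte amd64 buffer (constructed sample input from the report).
CODE = bytes.fromhex(
    '31c0e8a932f9ff488b0d22a0060089df4489fe4489f2e825aff5ff'
    '89c531c0e8dc32f9ffc7442408b55f5999896c2404'
)
BASE_ADDR = 0xbb1c0  # guest address of CODE[0], as in the PoC


def remaining_bytes(data: bytes, bytes_offset: int) -> int:
    """Number of bytes available in data at and after bytes_offset."""
    if not 0 <= bytes_offset <= len(data):
        raise ValueError(
            f"bytes_offset {bytes_offset} outside buffer of {len(data)} bytes")
    return len(data) - bytes_offset


def safe_lift_kwargs(data: bytes, base_addr: int, bytes_offset: int = 0,
                     max_bytes: Optional[int] = None, **extra) -> dict:
    """Build keyword arguments for pyvex.lift with max_bytes clamped to the
    bytes that actually remain after bytes_offset.

    Assumption (matches the PoC): base_addr is the guest address of data[0],
    so the lifted block starts at base_addr + bytes_offset.
    """
    remaining = remaining_bytes(data, bytes_offset)
    if max_bytes is None or max_bytes > remaining:
        max_bytes = remaining
    return dict(data=data, addr=base_addr + bytes_offset,
                bytes_offset=bytes_offset, max_bytes=max_bytes, **extra)


def check_in_bounds(lifted_size: int, data: bytes, bytes_offset: int) -> bool:
    """True if a block of lifted_size bytes starting at bytes_offset fits
    inside data. The 44-byte block from the report fails this check, the
    12-byte block passes it."""
    return lifted_size <= remaining_bytes(data, bytes_offset)


if __name__ == "__main__":
    kwargs = safe_lift_kwargs(CODE, BASE_ADDR, bytes_offset=36, opt_level=1)
    print(f"addr={kwargs['addr']:#x} max_bytes={kwargs['max_bytes']}")
    try:
        import archinfo
        import pyvex
    except ImportError:
        print("pyvex/archinfo not installed; skipping the lift")
    else:
        arch = archinfo.arch_amd64.ArchAMD64(endness='Iend_LE')
        irsb = pyvex.lift(arch=arch, **kwargs)
        # irsb.size is the number of guest bytes the block covers
        print("lifted", irsb.size, "bytes; in bounds:",
              check_in_bounds(irsb.size, CODE, 36))
```

Passing the returned dict straight to `pyvex.lift` removes the dependence on the default `max_bytes`; the `check_in_bounds` call afterwards is the assertion a harness can keep even once the default is fixed upstream.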