Heap-based Buffer Overflow in radareorg/radare2
Valid
Reported on
Aug 11th 2023
Description
heap-buffer-overflow p/bf/plugin.c:176 in decode
Environment
radare2 5.8.9 31000 @ linux-x86-64
commit: 95b648f0907e91e10d55fc48147a7dae99029c5b
Build
export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
./configure && make && make install
Proof of Concept
radare2 -A ./heap-buffer-overflow-poc0x1
#Asan
==286237==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100015607f at pc 0x7f33249902bd bp 0x7fff636244a0 sp 0x7fff63624490
READ of size 1 at 0x61100015607f thread T0
#0 0x7f33249902bc in decode p/bf/plugin.c:176
#1 0x7f3324238256 in r_arch_decode /home/hack/fuzz/radare2/libr/arch/arch.c:292
#2 0x7f33222b4d29 in r_anal_op /home/hack/fuzz/radare2/libr/anal/op.c:186
#3 0x7f332596b909 in _anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8705
#4 0x7f332596c4df in cmd_anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8811
#5 0x7f33259892f3 in cmd_anal_all /home/hack/fuzz/radare2/libr/core/cmd_anal.c:12465
#6 0x7f332599120a in cmd_anal /home/hack/fuzz/radare2/libr/core/cmd_anal.c:13726
#7 0x7f3325b2dbe1 in r_cmd_call /home/hack/fuzz/radare2/libr/core/cmd_api.c:520
#8 0x7f3325a5e192 in r_core_cmd_call /home/hack/fuzz/radare2/libr/core/cmd.c:6266
#9 0x7f3321f74e46 in perform_analysis /home/hack/fuzz/radare2/libr/main/radare2.c:428
#10 0x7f3321f7ca28 in r_main_radare2 /home/hack/fuzz/radare2/libr/main/radare2.c:1633
#11 0x56371e08ad6b in main /home/hack/fuzz/radare2/binr/radare2/radare2.c:102
#12 0x7f3321d0a082 in __libc_start_main ../csu/libc-start.c:308
#13 0x56371df5e5fd in _start (/home/hack/fuzz_r2/asan_r2/bin/radare2+0x3e5fd)
0x61100015607f is located 0 bytes to the right of 255-byte region [0x611000155f80,0x61100015607f)
allocated by thread T0 here:
#0 0x56371e049288 in malloc (/home/hack/fuzz/asan_r2/bin/radare2+0x129288)
#1 0x7f3324990034 in decode p/bf/plugin.c:167
#2 0x7f3324238256 in r_arch_decode /home/hack/fuzz/radare2/libr/arch/arch.c:292
#3 0x7f33222b4d29 in r_anal_op /home/hack/fuzz/radare2/libr/anal/op.c:186
#4 0x7f332596b909 in _anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8705
#5 0x7f332596c4df in cmd_anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8811
#6 0x7f33259892f3 in cmd_anal_all /home/hack/fuzz/radare2/libr/core/cmd_anal.c:12465
#7 0x7f332599120a in cmd_anal /home/hack/fuzz/radare2/libr/core/cmd_anal.c:13726
#8 0x7f3325b2dbe1 in r_cmd_call /home/hack/fuzz/radare2/libr/core/cmd_api.c:520
#9 0x7f3325a5e192 in r_core_cmd_call /home/hack/fuzz/radare2/libr/core/cmd.c:6266
#10 0x7f3321f74e46 in perform_analysis /home/hack/fuzz/radare2/libr/main/radare2.c:428
#11 0x7f3321f7ca28 in r_main_radare2 /home/hack/fuzz/radare2/libr/main/radare2.c:1633
#12 0x56371e08ad6b in main /home/hack/fuzz/radare2/binr/radare2/radare2.c:102
#13 0x7f3321d0a082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow p/bf/plugin.c:176 in decode
==286237==ABORTING
Impact
The bug causes the program to read data past the end of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
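As an added illustration (not radare2's own code, and not the actual fix), a hypothetical brainfuck-style decoder whose run-counting loop checks the bound before reading the byte. The report does not show the plugin source, so the loop shape is an assumption about this bug class; what it does reproduce is the report's finding of a 1-byte READ at the very end of a 255-byte heap region.

```c
/* Added example, not radare2's code. The ASan report shows a 1-byte READ
 * exactly at the end of a 255-byte heap region, which is the shape a
 * run-counting loop produces when it reads buf[i] before testing i < len.
 * The functions below are hypothetical and show only the bounded form. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Length of the run of identical opcodes starting at buf[0], never reading
 * beyond len bytes. The bound is tested BEFORE the byte is read; writing the
 * test the other way round (buf[i] == op && i < len) reads buf[len], which
 * ASan reports as "0 bytes to the right of" the allocated region. */
static size_t count_run(const uint8_t *buf, size_t len) {
    if (!buf || len == 0) {
        return 0;
    }
    uint8_t op = buf[0];
    size_t i = 1;
    while (i < len && buf[i] == op) {
        i++;
    }
    return i;
}

/* Hypothetical decode of one instruction: stores the opcode and its repeat
 * count (e.g. "++++" -> op '+', count 4) and returns the bytes consumed.
 * Returns 0 on empty input so a caller's decode loop always terminates. */
static size_t decode_op(const uint8_t *buf, size_t len, char *op, size_t *count) {
    if (!buf || len == 0) {
        return 0;
    }
    *op = (char) buf[0];
    *count = count_run(buf, len);
    return *count;
}

int main(void) {
    /* Constructed input: a 255-byte heap buffer, sized like the region in
     * the report, whose run of '+' ends exactly at the last byte. */
    size_t n = 255;
    uint8_t *code = malloc(n);
    if (!code) {
        return 1;
    }
    memset(code, '+', n);
    char op;
    size_t count;
    size_t used = decode_op(code, n, &op, &count);
    printf("op=%c count=%zu consumed=%zu\n", op, count, used);
    free(code);
    return 0;
}
```

Built with the -fsanitize=address flags from the Build section, the bounded loop stays silent on this input, while a loop with the conditions swapped reproduces the report's heap-buffer-overflow READ of size 1.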
References
7resp4ss modified the report
a month ago