Heap-based Buffer Overflow in radareorg/radare2

Valid

Reported on

May 11th 2022


Description

Heap-based Buffer Overflow in msp430_op

Environment

radare2 5.6.9 0 @ linux-x86-64 git.
commit: 5.6.9 build: 2022-05-01__12:17:49

Build

export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
./configure && make

POC

radare2 -q -A ./poc6

poc6

Asan

=================================================================
==4030479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000595d3 at pc 0x7f2b12c8cfa6 bp 0x7ffdf5b699b0 sp 0x7ffdf5b699a0
READ of size 1 at 0x6020000595d3 thread T0
    #0 0x7f2b12c8cfa5 in r_read_le16 /home/ubuntu/radare2-master/libr/include/r_endian.h:143
    #1 0x7f2b12c8cfa5 in r_read_at_le16 /home/ubuntu/radare2-master/libr/include/r_endian.h:151
    #2 0x7f2b12c8cfa5 in msp430_op /home/ubuntu/radare2-master/libr/..//libr/anal/p/anal_msp430.c:60
    #3 0x7f2b12de2d19 in r_anal_op /home/ubuntu/radare2-master/libr/anal/op.c:121
    #4 0x7f2b14f241df in anal_block_cb /home/ubuntu/radare2-master/libr/core/canal.c:3497
    #5 0x7f2b12e267e8 in r_anal_block_recurse_depth_first /home/ubuntu/radare2-master/libr/anal/block.c:562
    #6 0x7f2b14f565fd in r_core_recover_vars /home/ubuntu/radare2-master/libr/core/canal.c:3548
    #7 0x7f2b14bcd43f in r_core_af /home/ubuntu/radare2-master/libr/core/cmd_anal.c:3926
    #8 0x7f2b14f5e320 in r_core_anal_all /home/ubuntu/radare2-master/libr/core/canal.c:4247
    #9 0x7f2b14cac9e6 in cmd_anal_all /home/ubuntu/radare2-master/libr/core/cmd_anal.c:11219
    #10 0x7f2b14d1aadc in cmd_anal /home/ubuntu/radare2-master/libr/core/cmd_anal.c:12436
    #11 0x7f2b14c08d2c in r_core_cmd_subst_i /home/ubuntu/radare2-master/libr/core/cmd.c:4490
    #12 0x7f2b14c08d2c in r_core_cmd_subst /home/ubuntu/radare2-master/libr/core/cmd.c:3363
    #13 0x7f2b14c1682a in run_cmd_depth /home/ubuntu/radare2-master/libr/core/cmd.c:5384
    #14 0x7f2b14c1682a in r_core_cmd /home/ubuntu/radare2-master/libr/core/cmd.c:5467
    #15 0x7f2b14c1682a in r_core_cmd /home/ubuntu/radare2-master/libr/core/cmd.c:5398
    #16 0x7f2b17aee546 in r_main_radare2 /home/ubuntu/radare2-master/libr/main/radare2.c:1419
    #17 0x7f2b178900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #18 0x564ce9a25b6d in _start (/home/ubuntu/radare2-master/binr/radare2/radare2+0x9b6d)

0x6020000595d3 is located 1 bytes to the right of 2-byte region [0x6020000595d0,0x6020000595d2)
allocated by thread T0 here:
    #0 0x564ce9b10bb8 in __interceptor_malloc (/home/ubuntu/radare2-master/binr/radare2/radare2+0xf4bb8)
    #1 0x7f2b14f23c9b in anal_block_cb /home/ubuntu/radare2-master/libr/core/canal.c:3447

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/radare2-master/libr/include/r_endian.h:143 in r_read_le16
Shadow bytes around the buggy address:
  0x0c0480003260: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480003270: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480003280: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480003290: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800032a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c04800032b0: fa fa fd fa fa fa fd fa fa fa[02]fa fa fa fa fa
  0x0c04800032c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800032d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800032e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800032f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4030479==ABORTING

Impact

The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

We are processing your report and will contact the radareorg/radare2 team within 24 hours. 13 days ago
We have contacted a member of the radareorg/radare2 team and are waiting to hear back 12 days ago
pancake validated this vulnerability 11 days ago
cnitlrt has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pancake confirmed that a fix has been merged on 3ecdbf 11 days ago
pancake has been awarded the fix bounty
to join this conversation