NULL Pointer Dereference in radareorg/radare2

Valid

Reported on

Feb 20th 2022


Description

NULL pointer dereference in the `symbols` callback of libr/bin/p/bin_symbols.c (line 364 in the tested commit), reached while radare2 loads a crafted input file.

Environment

Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

radare2 5.6.3 27472 @ linux-x86-64 git.5.6.2
commit: d24dbb9fbb0b398a6a739847008ccef3ea7e687c 

POC

radare2 -AA -qq ./poc

Attachment: poc (the input file passed on the command line above)

ASAN

=================================================================
==2968491==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe53d2ad412 bp 0x000000000000 sp 0x7ffe218a5920 T0)
==2968491==The signal is caused by a READ memory access.
==2968491==Hint: address points to the zero page.
    #0 0x7fe53d2ad411 in symbols /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/bin_symbols.c:364
    #1 0x7fe53cd844ec in r_bin_object_set_items /home/ubuntu/fuzz/radare2/libr/bin/bobj.c:324
    #2 0x7fe53cd87d87 in r_bin_object_new /home/ubuntu/fuzz/radare2/libr/bin/bobj.c:168
    #3 0x7fe53cd78db0 in r_bin_file_new_from_buffer /home/ubuntu/fuzz/radare2/libr/bin/bfile.c:560
    #4 0x7fe53cd33b67 in r_bin_open_buf /home/ubuntu/fuzz/radare2/libr/bin/bin.c:279
    #5 0x7fe53cd35009 in r_bin_open_io /home/ubuntu/fuzz/radare2/libr/bin/bin.c:339
    #6 0x7fe53db772c8 in r_core_file_do_load_for_io_plugin /home/ubuntu/fuzz/radare2/libr/core/cfile.c:435
    #7 0x7fe53db772c8 in r_core_bin_load /home/ubuntu/fuzz/radare2/libr/core/cfile.c:636
    #8 0x7fe53db772c8 in r_core_bin_load /home/ubuntu/fuzz/radare2/libr/core/cfile.c:604
    #9 0x7fe540c852ba in r_main_radare2 /home/ubuntu/fuzz/radare2/libr/main/radare2.c:1179
    #10 0x7fe540a240b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x559b96c449fd in _start (/home/ubuntu/fuzz/radare2/binr/radare2/radare2+0x99fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/bin_symbols.c:364 in symbols
==2968491==ABORTING
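The trace above shows a READ from address 0 ("address points to the zero page") inside the plugin's `symbols` callback, called from `r_bin_object_set_items` during loading: a pointer that is NULL for this input is used without a check. The following is an added example, not radare2's code, that models that pattern in a toy symbol-table loader and places the hardened form beside it. The "SYM0" container format, the function names, the sample bytes and the `-fsanitize=address` build line are all invented for the demo.

```c
/* Added example (not radare2 code): a toy symbol-table loader showing the
 * NULL-pointer-dereference pattern behind a "SEGV on the zero page", beside
 * a hardened version. The "SYM0" format, names and sizes are made up here.
 * Build (assumption): cc -g -fsanitize=address demo.c -o demo */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct { const uint8_t *data; size_t len; } Buf;

/* Little-endian u32 decode; p must point at 4 readable bytes. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Toy header: "SYM0", u32 table offset, u32 entry count; each entry is
 * {u32 addr, u32 name_off}. Returns a pointer to the first entry, or NULL
 * when the header is short, the magic is wrong, or the table does not fit
 * in the file. *nsyms is filled from the header whenever it is readable, so
 * a caller that ignores a NULL return still sees a non-zero count.
 * noinline keeps an optimizing compiler from reasoning the NULL path away. */
__attribute__((noinline))
static const uint8_t *find_symtab(const Buf *b, uint32_t *nsyms) {
    *nsyms = 0;
    if (b->len < 12 || memcmp(b->data, "SYM0", 4) != 0) return NULL;
    uint32_t off = le32(b->data + 4);
    *nsyms = le32(b->data + 8);
    if (off > b->len || (b->len - off) / 8 < *nsyms) return NULL;
    return b->data + off;
}

/* Vulnerable callback: never checks find_symtab()'s result. For a file whose
 * table offset or count points outside the buffer, tab is NULL and the first
 * le32(tab) reads address 0: a READ on the zero page, as in the ASAN report. */
int count_symbols_unsafe(const Buf *b) {
    uint32_t n, i, count = 0;
    const uint8_t *tab = find_symtab(b, &n);
    for (i = 0; i < n; i++)
        if (le32(tab + (size_t)i * 8) != 0) count++;   /* BUG: tab may be NULL */
    return (int)count;
}

/* Hardened callback: a malformed table means "no symbols", not a crash. */
int count_symbols_safe(const Buf *b) {
    uint32_t n, i, count = 0;
    const uint8_t *tab = find_symtab(b, &n);
    if (!tab) return 0;
    for (i = 0; i < n; i++)
        if (le32(tab + (size_t)i * 8) != 0) count++;
    return (int)count;
}

/* Constructed inputs for the demo (not the reporter's poc file). */
const uint8_t GOOD[] = {
    'S','Y','M','0', 12,0,0,0, 2,0,0,0,        /* table at 12, 2 entries  */
    0x00,0x10,0x00,0x00, 0,0,0,0,              /* addr 0x1000, name_off 0 */
    0x00,0x00,0x00,0x00, 4,0,0,0 };            /* addr 0 (not counted)    */
const uint8_t BAD[] = {
    'S','Y','M','0', 0xff,0xff,0,0, 1,0,0,0 }; /* offset 0xffff: out of range */

/* Runs fn on BAD in a child process; returns 1 unless the child exits 0,
 * so both a raw SIGSEGV and an ASAN-reported crash count as a failure. */
int child_fails(int (*fn)(const Buf *)) {
    Buf b = { BAD, sizeof BAD };
    pid_t pid = fork();
    if (pid < 0) return 1;
    if (pid == 0) { fn(&b); _exit(0); }
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return 1;
    return !(WIFEXITED(st) && WEXITSTATUS(st) == 0);
}

int main(void) {
    Buf good = { GOOD, sizeof GOOD };
    printf("good file: unsafe=%d safe=%d\n",
           count_symbols_unsafe(&good), count_symbols_safe(&good));
    printf("bad file: unsafe %s, safe %s\n",
           child_fails(count_symbols_unsafe) ? "crashed" : "ok",
           child_fails(count_symbols_safe) ? "crashed" : "returned cleanly");
    return 0;
}
```

Both callbacks agree on a well-formed file; the difference is only what happens when the lookup fails. The fix pattern is the same one a loader plugin needs: treat every pointer that a parsing helper can return as NULL for malformed input and fail the load gracefully, since the file is untrusted by definition.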

Impact

A crafted input file crashes radare2 with a NULL pointer read. The crash happens in the loader (r_core_bin_load in the trace above) rather than in analysis, so simply opening the file is enough to trigger it, and any service or pipeline that opens untrusted files with radare2 is exposed to denial of service.

Timeline

We are processing your report and will contact the radareorg/radare2 team within 24 hours.
cnitlrt modified the report
cnitlrt modified the report
We have contacted a member of the radareorg/radare2 team and are waiting to hear back
pancake validated this vulnerability
cnitlrt has been awarded the disclosure bounty
The fix bounty is now up for grabs
pancake confirmed that a fix has been merged on 515e59
pancake has been awarded the fix bounty