NULL Pointer Dereference in radareorg/radare2

Valid

Reported on

Jan 28th 2022


NULL pointer dereference in load_buffer

radare2 suffers from a NULL pointer dereference error in load_buffer of bin_xnu_kernelcache.c

Environment


date
Fri Jan 28 11:03:53 PST 2022


uname -ms
Linux x86_64


./radare2 -v
radare2 5.5.5 27531 @ linux-x86-64 git.5.5.4
commit: 715c4e0ff14aadd4026c182626502df3f3a620ab build: 2022-01-28__08:00:45

ASAN

Address sanitizer output :

./radare2 -qq -AA nullpointerdereference
ASAN:DEADLYSIGNAL
=================================================================
==54209==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9148ecf486 bp 0x7ffce3d94620 sp 0x7ffce3d94530 T0)
==54209==The signal is caused by a WRITE memory access.
==54209==Hint: address points to the zero page.
    #0 0x7f9148ecf485 in load_buffer /home/shad3/Desktop/radare2-asan/libr/..//libr/bin/p/bin_xnu_kernelcache.c:245
    #1 0x7f9148c0fcee in r_bin_object_new /home/shad3/Desktop/radare2-asan/libr/bin/bobj.c:147
    #2 0x7f9148c0a779 in r_bin_file_new_from_buffer /home/shad3/Desktop/radare2-asan/libr/bin/bfile.c:560
    #3 0x7f9148be8bf3 in r_bin_open_buf /home/shad3/Desktop/radare2-asan/libr/bin/bin.c:279
    #4 0x7f9148be9279 in r_bin_open_io /home/shad3/Desktop/radare2-asan/libr/bin/bin.c:339
    #5 0x7f9149b79010 in r_core_file_do_load_for_io_plugin /home/shad3/Desktop/radare2-asan/libr/core/cfile.c:435
    #6 0x7f9149b7a8f6 in r_core_bin_load /home/shad3/Desktop/radare2-asan/libr/core/cfile.c:636
    #7 0x7f914df1fdc4 in r_main_radare2 /home/shad3/Desktop/radare2-asan/libr/main/radare2.c:1177
    #8 0x556796be6204 in main /home/shad3/Desktop/radare2-asan/binr/radare2/radare2.c:96
    #9 0x7f914db05bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #10 0x556796be5d79 in _start (/home/shad3/Desktop/radare2-asan/binr/radare2/radare2+0xd79)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/shad3/Desktop/radare2-asan/libr/..//libr/bin/p/bin_xnu_kernelcache.c:245 in load_buffer
==54209==ABORTING


Explanation of the vulnerability

The vulnerability lies in the file

radare2/libr/bin/p/bin_xnu_kernelcache.c

Please consider the following code:

static bool load_buffer(RBinFile *bf, void **bin_obj, RBuffer *buf, ut64 loadaddr, Sdb *sdb) {
    ...
189 RKernelCacheObj *obj = NULL; // 1

191 RPrelinkRange *prelink_range = get_prelink_info_range_from_mach0 (main_mach0);
192 if (!prelink_range) {
193     goto beach;              // 2
194 }

....
243 beach:
244 r_buf_free (fbuf);
245 obj->cache_buf = NULL;       // 3
244 MACH0_(mach0_free) (main_mach0);
245 return false;
    

In case where the get_prelink_info_range_from_mach0 fails (2) and the returned value is zero the programm will crash with a segfault at line 245 (3) since the obj pointer is being dereferenced, while being set as NULL on line 189 (1). (Write on address 0x0)

Attached POC

You can find the attached poc that triggers the vulnerability in the following link

Password : A7htCTD6Oli6rf1Waoz1

nullpointerdereference

Run as:

./radare2 -qq -AA nullpointerdereference
We are processing your report and will contact the radareorg/radare2 team within 24 hours. 4 months ago
We have contacted a member of the radareorg/radare2 team and are waiting to hear back 4 months ago
pancake validated this vulnerability 4 months ago
Angelos T. Kalaitzidis has been awarded the disclosure bounty
The fix bounty is now up for grabs
pancake confirmed that a fix has been merged on feaa4e 4 months ago
The fix bounty has been dropped
Angelos
4 months ago

Researcher


@admin the description on the published CVE, seems to be wrong, can you please change that, thank you.

Jamie Slome
4 months ago

Admin


Updating it here: https://github.com/CVEProject/cvelist/pull/4292

Once this has been merged the CVE should be populated and corrected. Not sure what happened here, apologies!

pancake
3 months ago

Maintainer


The correct version is 5.6.0, sorry for my mistake here. Could you make another PR to address that? Should I?

Jamie Slome
3 months ago

Admin


@truefae - resolved here. Once this has been merged the CVE will be updated to reflect 5.6.0.

Thanks! 🎊

to join this conversation