NULL Pointer Dereference in radareorg/radare2
Reported on Jan 28th 2022
NULL pointer dereference in load_buffer
radare2 suffers from a NULL pointer dereference error in load_buffer of bin_xnu_kernelcache.c.
Environment
date
Fri Jan 28 11:03:53 PST 2022
uname -ms
Linux x86_64
./radare2 -v
radare2 5.5.5 27531 @ linux-x86-64 git.5.5.4
commit: 715c4e0ff14aadd4026c182626502df3f3a620ab build: 2022-01-28__08:00:45
ASAN
Address sanitizer output:
./radare2 -qq -AA nullpointerdereference
ASAN:DEADLYSIGNAL
=================================================================
==54209==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9148ecf486 bp 0x7ffce3d94620 sp 0x7ffce3d94530 T0)
==54209==The signal is caused by a WRITE memory access.
==54209==Hint: address points to the zero page.
#0 0x7f9148ecf485 in load_buffer /home/shad3/Desktop/radare2-asan/libr/..//libr/bin/p/bin_xnu_kernelcache.c:245
#1 0x7f9148c0fcee in r_bin_object_new /home/shad3/Desktop/radare2-asan/libr/bin/bobj.c:147
#2 0x7f9148c0a779 in r_bin_file_new_from_buffer /home/shad3/Desktop/radare2-asan/libr/bin/bfile.c:560
#3 0x7f9148be8bf3 in r_bin_open_buf /home/shad3/Desktop/radare2-asan/libr/bin/bin.c:279
#4 0x7f9148be9279 in r_bin_open_io /home/shad3/Desktop/radare2-asan/libr/bin/bin.c:339
#5 0x7f9149b79010 in r_core_file_do_load_for_io_plugin /home/shad3/Desktop/radare2-asan/libr/core/cfile.c:435
#6 0x7f9149b7a8f6 in r_core_bin_load /home/shad3/Desktop/radare2-asan/libr/core/cfile.c:636
#7 0x7f914df1fdc4 in r_main_radare2 /home/shad3/Desktop/radare2-asan/libr/main/radare2.c:1177
#8 0x556796be6204 in main /home/shad3/Desktop/radare2-asan/binr/radare2/radare2.c:96
#9 0x7f914db05bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#10 0x556796be5d79 in _start (/home/shad3/Desktop/radare2-asan/binr/radare2/radare2+0xd79)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/shad3/Desktop/radare2-asan/libr/..//libr/bin/p/bin_xnu_kernelcache.c:245 in load_buffer
==54209==ABORTING
Explanation of the vulnerability
The vulnerability lies in the file radare2/libr/bin/p/bin_xnu_kernelcache.c. Please consider the following code:
static bool load_buffer(RBinFile *bf, void **bin_obj, RBuffer *buf, ut64 loadaddr, Sdb *sdb) {
...
189 RKernelCacheObj *obj = NULL; // 1
...
191 RPrelinkRange *prelink_range = get_prelink_info_range_from_mach0 (main_mach0);
192 if (!prelink_range) {
193 goto beach; // 2
194 }
...
243 beach:
244 r_buf_free (fbuf);
245 obj->cache_buf = NULL; // 3
246 MACH0_(mach0_free) (main_mach0);
247 return false;
When get_prelink_info_range_from_mach0 fails (2) and returns NULL, control jumps to the beach label while obj is still NULL, as initialised on line 189 (1). Line 245 (3) then dereferences obj to write obj->cache_buf, so the program crashes with a segfault: a write to address 0x0.
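To show the cleanup-label pattern behind this bug and the guard that closes it, here is an added C example; it is neither radare2's code nor its actual fix. The Buf and KernelCacheObj types, the find_prelink_range stub and the has_prelink flag are constructed stand-ins for the real Mach-O parsing, and the failure path mirrors the report's early goto (obj still NULL) so the unguarded write on line 245 becomes a guarded one.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-ins for the radare2 types involved (not the project's code). */
typedef struct { unsigned char *data; size_t len; } Buf;
typedef struct { Buf *cache_buf; } KernelCacheObj;

/* Hypothetical stand-in for get_prelink_info_range_from_mach0: NULL means the
 * input carries no usable prelink info, simulated here by a flag. */
static Buf *find_prelink_range(int has_prelink) {
    return has_prelink ? calloc(1, sizeof(Buf)) : NULL;
}

/* Same shape as the report's load_buffer: obj starts NULL (1) and a failed
 * prelink lookup jumps to the cleanup label (2) before obj is ever allocated.
 * The hardened label guards the write (3) so that early path cannot touch 0x0. */
static bool load_buffer_hardened(int has_prelink, KernelCacheObj **out) {
    KernelCacheObj *obj = NULL;                       /* (1) */
    Buf *fbuf = calloc(1, sizeof(Buf));
    Buf *prelink_range = find_prelink_range(has_prelink);
    if (!fbuf || !prelink_range) {
        goto beach;                                   /* (2) obj is still NULL */
    }
    obj = calloc(1, sizeof(KernelCacheObj));
    if (!obj) goto beach;
    obj->cache_buf = fbuf;                            /* obj owns fbuf from here */
    free(prelink_range);
    *out = obj;
    return true;
beach:
    free(fbuf);
    if (obj) {                                        /* (3) guard, not a blind write */
        obj->cache_buf = NULL;
        free(obj);
    }
    free(prelink_range);
    *out = NULL;
    return false;
}

/* Exercise both paths; the failure path returns cleanly instead of crashing. */
static int early_failure_is_clean(void) {
    KernelCacheObj *o = (KernelCacheObj *)&o;         /* non-NULL sentinel; must come back NULL */
    return !load_buffer_hardened(0, &o) && o == NULL;
}
static int success_path_populates(void) {
    KernelCacheObj *o = NULL;
    if (!load_buffer_hardened(1, &o) || !o || !o->cache_buf) return 0;
    free(o->cache_buf); free(o);
    return 1;
}
```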
Attached POC
You can find the attached PoC that triggers the vulnerability at the following link
Password: A7htCTD6Oli6rf1Waoz1
Run as:
./radare2 -qq -AA nullpointerdereference
@admin the description on the published CVE seems to be wrong; can you please change that? Thank you.
Updating it here: https://github.com/CVEProject/cvelist/pull/4292
Once this has been merged the CVE should be populated and corrected. Not sure what happened here, apologies!
The correct version is 5.6.0, sorry for my mistake here. Could you make another PR to address that? Should I?
@truefae - resolved here. Once this has been merged the CVE will be updated to reflect 5.6.0.
Thanks! 🎊