Use After Free in r_reg_get_name_idx in radareorg/radare2

Valid

Reported on

Mar 3rd 2022


Description

heap use after free in r_reg_get_name_idx.

ASAN report:

=================================================================
==1710816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001dff50 at pc 0x7fa7c085d87c bp 0x7ffc21731ac0 sp 0x7ffc21731ab0
READ of size 1 at 0x6020001dff50 thread T0
    #0 0x7fa7c085d87b in r_reg_get_name_idx /root/radare2-5.6.4/libr/reg/reg.c:101
    #1 0x7fa7c08610c7 in r_reg_get /root/radare2-5.6.4/libr/reg/reg.c:321
    #2 0x7fa7c0860ed1 in r_reg_setv /root/radare2-5.6.4/libr/reg/reg.c:301
    #3 0x7fa7cb191d52 in r_core_anal_esil /root/radare2-5.6.4/libr/core/canal.c:5377
    #4 0x7fa7cae699b0 in cmd_anal_all /root/radare2-5.6.4/libr/core/cmd_anal.c:11048
    #5 0x7fa7cae72d1d in cmd_anal /root/radare2-5.6.4/libr/core/cmd_anal.c:11957
    #6 0x7fa7cb1321d7 in r_cmd_call /root/radare2-5.6.4/libr/core/cmd_api.c:537
    #7 0x7fa7cafb1f28 in r_core_cmd_subst_i /root/radare2-5.6.4/libr/core/cmd.c:4443
    #8 0x7fa7cafa1e07 in r_core_cmd_subst /root/radare2-5.6.4/libr/core/cmd.c:3329
    #9 0x7fa7cafbe764 in run_cmd_depth /root/radare2-5.6.4/libr/core/cmd.c:5331
    #10 0x7fa7cafbf7db in r_core_cmd /root/radare2-5.6.4/libr/core/cmd.c:5414
    #11 0x7fa7cafc07d4 in r_core_cmd0 /root/radare2-5.6.4/libr/core/cmd.c:5571
    #12 0x7fa7cae67039 in cmd_anal_all /root/radare2-5.6.4/libr/core/cmd_anal.c:10913
    #13 0x7fa7cae72d1d in cmd_anal /root/radare2-5.6.4/libr/core/cmd_anal.c:11957
    #14 0x7fa7cb1321d7 in r_cmd_call /root/radare2-5.6.4/libr/core/cmd_api.c:537
    #15 0x7fa7cafb1f28 in r_core_cmd_subst_i /root/radare2-5.6.4/libr/core/cmd.c:4443
    #16 0x7fa7cafa1e07 in r_core_cmd_subst /root/radare2-5.6.4/libr/core/cmd.c:3329
    #17 0x7fa7cafbe764 in run_cmd_depth /root/radare2-5.6.4/libr/core/cmd.c:5331
    #18 0x7fa7cafbf7db in r_core_cmd /root/radare2-5.6.4/libr/core/cmd.c:5414
    #19 0x7fa7cafc07d4 in r_core_cmd0 /root/radare2-5.6.4/libr/core/cmd.c:5571
    #20 0x7fa7d36ee1cd in r_main_radare2 /root/radare2-5.6.4/libr/main/radare2.c:1394
    #21 0x557bc4deb937 in main /root/radare2/binr/radare2/radare2.c:96
    #22 0x7fa7d2aee0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #23 0x557bc4deb30d in _start (/root/radare2/binr/radare2/radare2+0x230d)

How can we reproduce the issue?

Compile command

./sys/sanitize.sh

reproduce command

poc_uaf_r_reg_get.zip

unzip poc_uaf_r_reg_get.zip
./radare2 -qq -AA <poc_file>

Impact

latest commit and latest release

$ ./radare2 -v
radare2 5.6.4 27751 @ linux-x86-64 git.5.6.2
commit: d1b1d52f695d287667690d130ad2569aed8aa2ff build: 2022-03-03__07:18:18
$ cat /etc/issue
Ubuntu 20.04.3 LTS \n \l
We are processing your report and will contact the radareorg/radare2 team within 24 hours. 3 months ago
We have contacted a member of the radareorg/radare2 team and are waiting to hear back 3 months ago
pancake validated this vulnerability 3 months ago
peacock-doris has been awarded the disclosure bounty
The fix bounty is now up for grabs
pancake confirmed that a fix has been merged on 10517e 3 months ago
pancake has been awarded the fix bounty
to join this conversation