Out-of-bounds read in `r_bin_ne_get_relocs` function in radareorg/radare2

Valid

Reported on

Apr 6th 2022


Description

Out-of-bounds (OOB) read vulnerability exists in r_bin_ne_get_relocs function in Radare2 5.6.7 due to a missing check on the index value.

Version

radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6
commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-06__14:41:37

Proof of Concept

radare2 -q -A poc

poc

Analysis

The buffer is allocated at /format/ne/ne.c:442

ut16 *modref = calloc (bin->ne_header->ModRefs, sizeof (ut16));
    if (!modref) {
        return NULL;
    }

The out-of-boud read happens at /format/ne/ne.c:517 due to a missing check on rel.index

                if (rel.index > bin->ne_header->ModRefs) {
                    name = r_str_newf ("UnknownModule%d_%x", rel.index, off); // ????
                } else {
                    offset = modref[rel.index - 1] + bin->header_offset + bin->ne_header->ImportNameTable; // << OOB read
                    name = __read_nonnull_str_at (bin->buf, offset);
                }

ASAN

==2173198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200006938e at pc 0x7f394f24f0b1 bp 0x7ffdfec24a10 sp 0x7ffdfec24a08
READ of size 2 at 0x60200006938e thread T0
    #0 0x7f394f24f0b0 in r_bin_ne_get_relocs /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/../format/ne/ne.c:517
    #1 0x7f394f24c9d2 in relocs /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/bin_ne.c:106
    #2 0x7f394f0ec251 in r_bin_object_set_items /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bobj.c:349
    #3 0x7f394f0ed565 in r_bin_object_new /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bobj.c:168
    #4 0x7f394f0e6fe1 in r_bin_file_new_from_buffer /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bfile.c:585
    #5 0x7f394f0ca8ca in r_bin_open_buf /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:279
    #6 0x7f394f0cb1ff in r_bin_open_io /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:339
    #7 0x7f394f8b35d9 in r_core_file_do_load_for_io_plugin /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:435
    #8 0x7f394f8b35d9 in r_core_bin_load /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:636
    #9 0x7f3951c6167f in r_main_radare2 /root/fuzzing/radare2_fuzzing/radare2/libr/main/radare2.c:1188
    #10 0x562b58c2d27e in main /root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2.c:96
    #11 0x7f3951a717fc in __libc_start_main ../csu/libc-start.c:332
    #12 0x562b58c2d179 in _start (/root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2+0x1179)

0x60200006938e is located 2 bytes to the left of 1-byte region [0x602000069390,0x602000069391)
allocated by thread T0 here:
    #0 0x7f39520bc987 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f394f24e7c2 in r_bin_ne_get_relocs /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/../format/ne/ne.c:442

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/../format/ne/ne.c:517 in r_bin_ne_get_relocs
Shadow bytes around the buggy address:
  0x0c0480005220: fa fa 00 07 fa fa 00 fa fa fa 00 06 fa fa 00 07
  0x0c0480005230: fa fa 00 05 fa fa 00 06 fa fa 00 05 fa fa fd fd
  0x0c0480005240: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c0480005250: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480005260: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c0480005270: fa[fa]01 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480005280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480005290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800052a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800052b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800052c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

Backtrace

#0  r_bin_ne_get_relocs (bin=0x608000020120) at /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/../format/ne/ne.c:517
#1  0x00007ffff3a1cf29 in relocs (bf=0x60d0000006c0) at /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/bin_ne.c:106
#2  0x00007ffff36fb3de in r_bin_object_set_items (bf=0x60d0000006c0, bo=0x611000007340) at bobj.c:349
#3  0x00007ffff36f8554 in r_bin_object_new (bf=0x60d0000006c0, plugin=0x613000003140, baseaddr=18446744073709551615, loadaddr=0, offset=0, sz=81) at bobj.c:168
#4  0x00007ffff36e4e4d in r_bin_file_new_from_buffer (bin=0x616000000c80, file=0x60300008c770 "./crashes/heap/id_03", buf=0x60300008c800, rawstr=0, baseaddr=18446744073709551615, loadaddr=0, fd=3, pluginname=0x0) at bfile.c:585
#5  0x00007ffff36a14bd in r_bin_open_buf (bin=0x616000000c80, buf=0x60300008c800, opt=0x7fffffffc080) at bin.c:279
#6  0x00007ffff369fec8 in r_bin_open_io (bin=0x616000000c80, opt=0x7fffffffc080) at bin.c:339
#7  0x00007ffff462b676 in r_core_file_do_load_for_io_plugin (r=0x7fffee032800, baseaddr=18446744073709551615, loadaddr=0) at cfile.c:435
#8  0x00007ffff462396a in r_core_bin_load (r=0x7fffee032800, filenameuri=0x60300008c770 "./crashes/heap/id_03", baddr=18446744073709551615) at cfile.c:636
#9  0x00007ffff77132d3 in r_main_radare2 (argc=4, argv=0x7fffffffe498) at radare2.c:1188
#10 0x000055555561ee50 in main (argc=4, argv=0x7fffffffe498) at radare2.c:96
#11 0x00007ffff74aa7fd in __libc_start_main (main=0x55555561ecf0 <main>, argc=4, argv=0x7fffffffe498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe488) at ../csu/libc-start.c:332
#12 0x00005555555753ba in _start ()

Impact

This vulnerability may allow attackers to read sensitive information or cause a crash.

We are processing your report and will contact the radareorg/radare2 team within 24 hours. 2 months ago
We have contacted a member of the radareorg/radare2 team and are waiting to hear back 2 months ago
pancake has marked this vulnerability as informative 2 months ago

Can't reproduce on master

The disclosure bounty has been dropped
The fix bounty has been dropped
hmsec
2 months ago

Researcher


Please check if you used the correct POC.

I've tried it agian on the latest commit and it works without any problem

radare2 -v                                                                                                                          1 ↵
radare2 5.6.7 27748 @ linux-x86-64 git.5.6.6
commit: 18d1d064bf599a255d55f09fca3104776fc34a67 build: 2022-04-08__14:04:24
pancake
2 months ago

Maintainer


You are right, i tested it wrongly. i have fixed it but i see no way to reopen this ticket. maybe we should call support? https://github.com/radareorg/radare2/pull/19923

Sorry for that and thanks for reporting it! nice catch!

hmsec
2 months ago

Researcher


Thanks for responding

@admin can you please reclassify this issue?

pancake
2 months ago

Maintainer


Can you confirm now?

hmsec
2 months ago

Researcher


It's fixed now. Thanks

Jamie Slome
2 months ago

Admin


Sorted 🎉

@maintainer - feel free to use the dropdown below to close the report accordingly and to mark the report as fixed 👍

We have sent a follow up to the radareorg/radare2 team. We will try again in 7 days. 2 months ago
pancake validated this vulnerability 2 months ago
hmsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
pancake confirmed that a fix has been merged on 153bcd 2 months ago
pancake has been awarded the fix bounty
to join this conversation