Out of Bounds Read in string_scan_range in radareorg/radare2
Valid
Reported on
May 25th 2022
Description
When providing crafted input, an attacker can cause r_read_32 within string_scan_range to do an out of bounds read. This causes a segmentation fault, but could also potentially enable information disclosure.
What's interesting is there is already a comment stating "may oobread" near this call. I noticed other oob reads occurring that did not cause a segmentation fault.
// may oobread
while (needle < to) {
if (is_breaked && is_breaked ()) {
break;
}
// smol optimization
if (needle + 4 < to) {
ut32 n1 = r_read_le32 (buf + needle - from); //crash
if (!n1) {
needle += 4;
continue;
}
}
ASAN
Warning: oobread in LE header parsing relocs
AddressSanitizer:DEADLYSIGNAL
=================================================================
==78927==ERROR: AddressSanitizer: SEGV on unknown address 0x627000040000 (pc 0x7f025f2dd5ec bp 0x000000000056 sp 0x7fffc2222b20 T0)
==78927==The signal is caused by a READ memory access.
#0 0x7f025f2dd5eb in r_read_le32 /home/rgood/Projects/radare2/libr/include/r_endian.h:172
#1 0x7f025f2dd5eb in string_scan_range /home/rgood/Projects/radare2/libr/bin/bfile.c:187
#2 0x7f025f2e469e in get_strings_range /home/rgood/Projects/radare2/libr/bin/bfile.c:488
#3 0x7f025f2e50a4 in r_bin_file_get_strings /home/rgood/Projects/radare2/libr/bin/bfile.c:852
#4 0x7f025f2eb669 in r_bin_object_set_items /home/rgood/Projects/radare2/libr/bin/bobj.c:363
#5 0x7f025f2ec0bf in r_bin_object_new /home/rgood/Projects/radare2/libr/bin/bobj.c:170
#6 0x7f025f2e175a in r_bin_file_new_from_buffer /home/rgood/Projects/radare2/libr/bin/bfile.c:592
#7 0x7f025f2b6b27 in r_bin_open_buf /home/rgood/Projects/radare2/libr/bin/bin.c:285
#8 0x7f025f2b7873 in r_bin_open_io /home/rgood/Projects/radare2/libr/bin/bin.c:345
#9 0x7f025f925237 in r_core_file_do_load_for_io_plugin /home/rgood/Projects/radare2/libr/core/cfile.c:436
#10 0x7f025f925237 in r_core_bin_load /home/rgood/Projects/radare2/libr/core/cfile.c:637
#11 0x7f025db3be73 in r_main_radare2 /home/rgood/Projects/radare2/libr/main/radare2.c:1257
#12 0x7f025d95809a in __libc_start_main ../csu/libc-start.c:308
#13 0x55f2cd30ef49 in _start (/home/rgood/Projects/ASAN-radare2/binr/radare2/radare2+0x3f49)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/rgood/Projects/radare2/libr/include/r_endian.h:172 in r_read_le32
==78927==ABORTING
Backtrace
#0 string_scan_range (list=list@entry=0x6030000573d0, bf=bf@entry=0x60d000000ba0, min=<optimized out>,
from=from@entry=18446744073709539278, to=to@entry=18446744073709551614, type=<optimized out>, raw=<optimized out>,
section=<optimized out>) at bfile.c:188
#1 0x00007ffff525469f in get_strings_range (bf=0x60d000000ba0, list=<optimized out>, min=<optimized out>, raw=0,
from=18446744073709539278, to=18446744073709551614, section=<optimized out>) at bfile.c:488
#2 0x00007ffff52550a5 in r_bin_file_get_strings (bf=bf@entry=0x60d000000ba0, min=min@entry=4, dump=dump@entry=0, raw=<optimized out>)
at bfile.c:852
#3 0x00007ffff525b66a in r_bin_object_set_items (bf=bf@entry=0x60d000000ba0, bo=bo@entry=0x611000154a40) at bobj.c:229
#4 0x00007ffff525c0c0 in r_bin_object_new (bf=bf@entry=0x60d000000ba0, plugin=plugin@entry=0x613000002500,
baseaddr=baseaddr@entry=18446744073709551615, loadaddr=loadaddr@entry=0, offset=offset@entry=0, sz=<optimized out>) at bobj.c:170
#5 0x00007ffff525175b in r_bin_file_new_from_buffer (bin=bin@entry=0x616000000c80, file=<optimized out>,
buf=buf@entry=0x6030000552d0, rawstr=<optimized out>, baseaddr=18446744073709551615, loadaddr=<optimized out>,
fd=<optimized out>, pluginname=<optimized out>) at bfile.c:592
#6 0x00007ffff5226b28 in r_bin_open_buf (bin=bin@entry=0x616000000c80, buf=buf@entry=0x6030000552d0, opt=opt@entry=0x7fffffffdc00)
at bin.c:285
#7 0x00007ffff5227874 in r_bin_open_io (bin=0x616000000c80, opt=opt@entry=0x7fffffffdc00) at bin.c:345
#8 0x00007ffff5895238 in r_core_file_do_load_for_io_plugin (loadaddr=0, baseaddr=18446744073709551615, r=0x7ffff119d800)
at cfile.c:436
#9 r_core_bin_load (r=r@entry=0x7ffff119d800, filenameuri=<optimized out>, baddr=baddr@entry=18446744073709551615) at cfile.c:637
#10 0x00007ffff3aabe74 in r_main_radare2 (argc=<optimized out>, argv=<optimized out>) at radare2.c:1257
#11 0x00007ffff38c809b in __libc_start_main (main=0x555555557370 <main>, argc=4, argv=0x7fffffffdeb8, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdea8) at ../csu/libc-start.c:308
#12 0x0000555555557f4a in _start ()
Proof of Concept
radare2 -AA -q oob_read_min_crash_input
https://github.com/GreaterGoodest/pocs/blob/master/oob_read_min_crash_input
Impact
Causing DoS and potentially information disclosure.
Occurrences
bfile.c L187
Call to r_read_le32 results in segfault due to OOB read.
References
We are processing your report and will contact the
radareorg/radare2
team within 24 hours.
a year ago
We have contacted a member of the
radareorg/radare2
team and are waiting to hear back
a year ago
The researcher's credibility has increased: +7
bfile.c#L187
has been validated
to join this conversation