Heap-based Buffer Overflow in radareorg/radare2

Valid

Reported on

Apr 20th 2022

Description

Heap-based buffer overflow in coresymbolication:272

Environment

radare2 5.6.9 0 @ linux-x86-64 git.
commit: 5.6.9 build: 2022-04-19__23:49:49

Build

export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
./configure && make

POC

radare2 -q -A ./poc

poc

Asan

=================================================================
==140626==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400012dd37 at pc 0x7ffff41a892b bp 0x7fffffffd160 sp 0x7fffffffd150
READ of size 1 at 0x62400012dd37 thread T0
    #0 0x7ffff41a892a in r_read_le32 /home/ubuntu/radare2-master/libr/include/r_endian.h:176
    #1 0x7ffff41a892a in r_read_at_le32 /home/ubuntu/radare2-master/libr/include/r_endian.h:185
    #2 0x7ffff41a892a in r_read_le64 /home/ubuntu/radare2-master/libr/include/r_endian.h:199
    #3 0x7ffff41a892a in r_read_ble64 /home/ubuntu/radare2-master/libr/include/r_endian.h:322
    #4 0x7ffff41a892a in r_read_ble /home/ubuntu/radare2-master/libr/include/r_endian.h:346
    #5 0x7ffff41a892a in r_coresym_cache_element_new /home/ubuntu/radare2-master/libr/..//libr/bin/p/../format/mach0/coresymbolication.c:272
    #6 0x7ffff419ec0d in parseDragons /home/ubuntu/radare2-master/libr/..//libr/bin/p/bin_symbols.c:253
    #7 0x7ffff419ec0d in load_buffer /home/ubuntu/radare2-master/libr/..//libr/bin/p/bin_symbols.c:292
    #8 0x7ffff419ec0d in load_buffer /home/ubuntu/radare2-master/libr/..//libr/bin/p/bin_symbols.c:256
    #9 0x7ffff3c849fd in r_bin_object_new /home/ubuntu/radare2-master/libr/bin/bobj.c:149
    #10 0x7ffff3c76714 in r_bin_file_new_from_buffer /home/ubuntu/radare2-master/libr/bin/bfile.c:585
    #11 0x7ffff3c30a27 in r_bin_open_buf /home/ubuntu/radare2-master/libr/bin/bin.c:281
    #12 0x7ffff3c31f06 in r_bin_open_io /home/ubuntu/radare2-master/libr/bin/bin.c:341
    #13 0x7ffff4a747e8 in r_core_file_do_load_for_io_plugin /home/ubuntu/radare2-master/libr/core/cfile.c:436
    #14 0x7ffff4a747e8 in r_core_bin_load /home/ubuntu/radare2-master/libr/core/cfile.c:637
    #15 0x7ffff4a747e8 in r_core_bin_load /home/ubuntu/radare2-master/libr/core/cfile.c:605
    #16 0x7ffff779763f in r_main_radare2 /home/ubuntu/radare2-master/libr/main/radare2.c:1206
    #17 0x7ffff75340b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #18 0x55555555d9bd in _start (/home/ubuntu/radare2-master/binr/radare2/radare2+0x99bd)

0x62400012dd37 is located 0 bytes to the right of 7223-byte region [0x62400012c100,0x62400012dd37)
allocated by thread T0 here:
    #0 0x555555648a08 in __interceptor_malloc (/home/ubuntu/radare2-master/binr/radare2/radare2+0xf4a08)
    #1 0x7ffff41a1c51 in r_coresym_cache_element_new /home/ubuntu/radare2-master/libr/..//libr/bin/p/../format/mach0/coresymbolication.c:180

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/radare2-master/libr/include/r_endian.h:176 in r_read_le32
Shadow bytes around the buggy address:
  0x0c488001db50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c488001db60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c488001db70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c488001db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c488001db90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c488001dba0: 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa
  0x0c488001dbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c488001dbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c488001dbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c488001dbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c488001dbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==140626==ABORTING

Impact

The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

We are processing your report and will contact the radareorg/radare2 team within 24 hours. a year ago

We have contacted a member of the radareorg/radare2 team and are waiting to hear back a year ago

pancake validated this vulnerability a year ago

cnitlrt has been awarded the disclosure bounty

The fix bounty is now up for grabs

pancake marked this as fixed in 5.7.0 with commit 669a40 a year ago

pancake has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation