NULL Pointer Dereference in r_bin_ne_get_entrypoints function in radareorg/radare2

Valid

Reported on

Apr 6th 2022


Description

A NULL pointer deference vulnerability in r_bin_ne_get_entrypoints function due to a missing check before using the pointer.

Version

radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6
commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-06__14:41:37

POC

radare2 -q -A poc

poc

Analysis

At /format/ne/ne.c:383, there's a deference of bin->entry_table without checking if it contains a valid pointer.

   383          ut8 bundle_length = *(ut8 *)(bin->entry_table + off);    << NULL pointer dereference
   384          if (!bundle_length) {
   385                  break;

ASAN

=================================================================
==2195761==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0ebaffa472 bp 0x7ffffc47f750 sp 0x7ffffc47f4a0 T0)
==2195761==The signal is caused by a READ memory access.                                                                                                           
==2195761==Hint: address points to the zero page.
    #0 0x7f0ebaffa472 in r_bin_ne_get_entrypoints /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/../format/ne/ne.c:383:23
    #1 0x7f0ebaff5938 in entries /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/bin_ne.c:90:9
    #2 0x7f0ebacd28e1 in r_bin_object_set_items /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bobj.c:306:17
    #3 0x7f0ebacd1553 in r_bin_object_new /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bobj.c:168:2
    #4 0x7f0ebacbde4c in r_bin_file_new_from_buffer /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bfile.c:585:19
    #5 0x7f0ebac7a4bc in r_bin_open_buf /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:279:8
    #6 0x7f0ebac78ec7 in r_bin_open_io /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:339:13
    #7 0x7f0ebbc04675 in r_core_file_do_load_for_io_plugin /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:435:7
    #8 0x7f0ebbbfc969 in r_core_bin_load /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:636:4
    #9 0x7f0ebecec2d2 in r_main_radare2 /root/fuzzing/radare2_fuzzing/radare2/libr/main/radare2.c:1188:15
    #10 0x55fe077ace4f in main /root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2.c:96:9
    #11 0x7f0ebea837fc in __libc_start_main csu/../csu/libc-start.c:332:16

Backtrace

pwndbg> bt
#0  0x00007ffff3a21472 in r_bin_ne_get_entrypoints (bin=0x608000020120) at /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/../format/ne/ne.c:383
#1  0x00007ffff3a1c939 in entries (bf=0x60d0000006c0) at /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/bin_ne.c:90
#2  0x00007ffff36f98e2 in r_bin_object_set_items (bf=0x60d0000006c0, bo=0x611000007340) at bobj.c:306
#3  0x00007ffff36f8554 in r_bin_object_new (bf=0x60d0000006c0, plugin=0x613000003140, baseaddr=18446744073709551615, loadaddr=0, offset=0, sz=81) at bobj.c:168
#4  0x00007ffff36e4e4d in r_bin_file_new_from_buffer (bin=0x616000000c80, file=0x60300008c770 "./crashes/Null/id_00", buf=0x60300008c800, rawstr=0, baseaddr=18446744073709551615, loadaddr=0, fd=3, pluginname=0x0) at bfile.c:585
#5  0x00007ffff36a14bd in r_bin_open_buf (bin=0x616000000c80, buf=0x60300008c800, opt=0x7fffffffc080) at bin.c:279
#6  0x00007ffff369fec8 in r_bin_open_io (bin=0x616000000c80, opt=0x7fffffffc080) at bin.c:339
#7  0x00007ffff462b676 in r_core_file_do_load_for_io_plugin (r=0x7fffee032800, baseaddr=18446744073709551615, loadaddr=0) at cfile.c:435
#8  0x00007ffff462396a in r_core_bin_load (r=0x7fffee032800, filenameuri=0x60300008c770 "./crashes/Null/id_00", baddr=18446744073709551615) at cfile.c:636
#9  0x00007ffff77132d3 in r_main_radare2 (argc=4, argv=0x7fffffffe498) at radare2.c:1188
#10 0x000055555561ee50 in main (argc=4, argv=0x7fffffffe498) at radare2.c:96
#11 0x00007ffff74aa7fd in __libc_start_main (main=0x55555561ecf0 <main>, argc=4, argv=0x7fffffffe498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe488) at ../csu/libc-start.c:332
#12 0x00005555555753ba in _start ()

Impact

This vulnerability allows attackers to cause a denial of service (application crash).

We are processing your report and will contact the radareorg/radare2 team within 24 hours. 2 months ago
hmsec modified the report
2 months ago
We have contacted a member of the radareorg/radare2 team and are waiting to hear back 2 months ago
hmsec modified the report
2 months ago
pancake validated this vulnerability 2 months ago
hmsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
pancake confirmed that a fix has been merged on 18d1d0 2 months ago
pancake has been awarded the fix bounty
to join this conversation