NULL Pointer Dereference in r_bin_ne_get_entrypoints function in radareorg/radare2
Valid
Reported on
Apr 6th 2022
Description
A NULL pointer dereference vulnerability in the r_bin_ne_get_entrypoints function, caused by a missing check before the pointer is used.
Version
radare2 5.6.7 27746 @ linux-x86-64 git.5.6.6
commit: 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 build: 2022-04-06__14:41:37
POC
radare2 -q -A poc
Analysis
At /format/ne/ne.c:383, there is a dereference of bin->entry_table without checking whether it holds a valid pointer.
383 ut8 bundle_length = *(ut8 *)(bin->entry_table + off); << NULL pointer dereference
384 if (!bundle_length) {
385 break;
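To show what the missing check looks like in context, here is an added example (not radare2's own code) that walks an NE entry table the way the loop around ne.c:383 does, but refuses to touch a NULL table and also bounds-checks each bundle against the buffer it was read from. The ne_obj_t struct, the ne_count_entry_bundles function and the sample_table bytes are all assumptions constructed for this example; the bundle layout (count byte, segment-indicator byte, then 3-byte fixed or 6-byte movable entries) follows the documented NE format rather than anything on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t ut8;

/* Hypothetical stand-in for the two fields of radare2's NE object that the
   faulting line touches; not the project's real struct. */
typedef struct {
    const ut8 *entry_table;   /* NULL when the header's entry-table offset/size was bogus */
    size_t entry_table_size;  /* bytes available at entry_table */
} ne_obj_t;

/* Walks the entry table bundle by bundle. Returns the number of bundles seen,
   or -1 when the table pointer is NULL or a bundle would run past the buffer.
   NE layout: each bundle starts with a count byte and a segment-indicator byte;
   0x00 marks an unused bundle (no entries), 0xFF a bundle of 6-byte movable
   entries, anything else a bundle of 3-byte fixed entries. A count byte of 0
   terminates the table. */
int ne_count_entry_bundles(const ne_obj_t *bin) {
    if (!bin || !bin->entry_table) {
        return -1;   /* the check that is missing before ne.c:383 */
    }
    size_t off = 0;
    int bundles = 0;
    while (off < bin->entry_table_size) {
        ut8 bundle_length = bin->entry_table[off];   /* the read at ne.c:383 */
        if (!bundle_length) {
            break;
        }
        if (off + 1 >= bin->entry_table_size) {
            return -1;   /* segment indicator byte missing */
        }
        ut8 segment = bin->entry_table[off + 1];
        size_t entry_size = (segment == 0x00) ? 0 : (segment == 0xFF) ? 6 : 3;
        size_t bundle_bytes = 2 + (size_t)bundle_length * entry_size;
        if (bundle_bytes > bin->entry_table_size - off) {
            return -1;   /* truncated bundle: do not read past the buffer */
        }
        off += bundle_bytes;
        bundles++;
    }
    return bundles;
}

/* Constructed sample: one fixed bundle with two 3-byte entries, one movable
   bundle with a single 6-byte entry, then the 0x00 terminator. */
static const ut8 sample_table[] = {
    0x02, 0x01,  0x03, 0x10, 0x00,  0x03, 0x20, 0x00,
    0x01, 0xFF,  0x03, 0xCD, 0x3F, 0x02, 0x00, 0x01,
    0x00
};

int main(void) {
    ne_obj_t ok = { sample_table, sizeof sample_table };
    ne_obj_t null_table = { NULL, 0 };
    ne_obj_t truncated = { sample_table, 4 };   /* buffer ends mid-bundle */
    printf("valid table: %d bundles\n", ne_count_entry_bundles(&ok));
    printf("NULL table: %d\n", ne_count_entry_bundles(&null_table));
    printf("truncated table: %d\n", ne_count_entry_bundles(&truncated));
    return 0;
}
```

The NULL check alone is what stops the crash reported here; the size check is the companion a reviewer would ask for in the same loop, since a count byte from an untrusted file otherwise decides how far past the table the parser reads.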
ASAN
=================================================================
==2195761==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0ebaffa472 bp 0x7ffffc47f750 sp 0x7ffffc47f4a0 T0)
==2195761==The signal is caused by a READ memory access.
==2195761==Hint: address points to the zero page.
#0 0x7f0ebaffa472 in r_bin_ne_get_entrypoints /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/../format/ne/ne.c:383:23
#1 0x7f0ebaff5938 in entries /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/bin_ne.c:90:9
#2 0x7f0ebacd28e1 in r_bin_object_set_items /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bobj.c:306:17
#3 0x7f0ebacd1553 in r_bin_object_new /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bobj.c:168:2
#4 0x7f0ebacbde4c in r_bin_file_new_from_buffer /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bfile.c:585:19
#5 0x7f0ebac7a4bc in r_bin_open_buf /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:279:8
#6 0x7f0ebac78ec7 in r_bin_open_io /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:339:13
#7 0x7f0ebbc04675 in r_core_file_do_load_for_io_plugin /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:435:7
#8 0x7f0ebbbfc969 in r_core_bin_load /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:636:4
#9 0x7f0ebecec2d2 in r_main_radare2 /root/fuzzing/radare2_fuzzing/radare2/libr/main/radare2.c:1188:15
#10 0x55fe077ace4f in main /root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2.c:96:9
#11 0x7f0ebea837fc in __libc_start_main csu/../csu/libc-start.c:332:16
Backtrace
pwndbg> bt
#0 0x00007ffff3a21472 in r_bin_ne_get_entrypoints (bin=0x608000020120) at /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/../format/ne/ne.c:383
#1 0x00007ffff3a1c939 in entries (bf=0x60d0000006c0) at /root/fuzzing/radare2_fuzzing/radare2/libr/../libr/bin/p/bin_ne.c:90
#2 0x00007ffff36f98e2 in r_bin_object_set_items (bf=0x60d0000006c0, bo=0x611000007340) at bobj.c:306
#3 0x00007ffff36f8554 in r_bin_object_new (bf=0x60d0000006c0, plugin=0x613000003140, baseaddr=18446744073709551615, loadaddr=0, offset=0, sz=81) at bobj.c:168
#4 0x00007ffff36e4e4d in r_bin_file_new_from_buffer (bin=0x616000000c80, file=0x60300008c770 "./crashes/Null/id_00", buf=0x60300008c800, rawstr=0, baseaddr=18446744073709551615, loadaddr=0, fd=3, pluginname=0x0) at bfile.c:585
#5 0x00007ffff36a14bd in r_bin_open_buf (bin=0x616000000c80, buf=0x60300008c800, opt=0x7fffffffc080) at bin.c:279
#6 0x00007ffff369fec8 in r_bin_open_io (bin=0x616000000c80, opt=0x7fffffffc080) at bin.c:339
#7 0x00007ffff462b676 in r_core_file_do_load_for_io_plugin (r=0x7fffee032800, baseaddr=18446744073709551615, loadaddr=0) at cfile.c:435
#8 0x00007ffff462396a in r_core_bin_load (r=0x7fffee032800, filenameuri=0x60300008c770 "./crashes/Null/id_00", baddr=18446744073709551615) at cfile.c:636
#9 0x00007ffff77132d3 in r_main_radare2 (argc=4, argv=0x7fffffffe498) at radare2.c:1188
#10 0x000055555561ee50 in main (argc=4, argv=0x7fffffffe498) at radare2.c:96
#11 0x00007ffff74aa7fd in __libc_start_main (main=0x55555561ecf0 <main>, argc=4, argv=0x7fffffffe498, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe488) at ../csu/libc-start.c:332
#12 0x00005555555753ba in _start ()
Impact
This vulnerability allows attackers to cause a denial of service (application crash).
a year ago
hmthabit modified the report