NULL Pointer Dereference in radareorg/radare2

Valid

Reported on

Apr 13th 2022


Description

NULL pointer dereference in r_bin_ne_get_segments

Environment

Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

radare2 5.6.7 0 @ linux-x86-64 git.
commit: 5.6.7

Build

export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
./configure && make

POC

radare2 -AA -qq ./poc

poc

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==945410==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7f38cb2b3dc4 bp 0x607000012000 sp 0x7ffcbe6db590 T0)
==945410==The signal is caused by a READ memory access.
==945410==Hint: address points to the zero page.
    #0 0x7f38cb2b3dc3 in r_bin_ne_get_segments /home/ubuntu/radare2-master/libr/..//libr/bin/p/../format/ne/ne.c:90
    #1 0x7f38caed7304 in r_bin_object_set_items /home/ubuntu/radare2-master/libr/bin/bobj.c:340
    #2 0x7f38caed90ca in r_bin_object_new /home/ubuntu/radare2-master/libr/bin/bobj.c:168
    #3 0x7f38caeca6f3 in r_bin_file_new_from_buffer /home/ubuntu/radare2-master/libr/bin/bfile.c:585
    #4 0x7f38cae85697 in r_bin_open_buf /home/ubuntu/radare2-master/libr/bin/bin.c:279
    #5 0x7f38cae86a6f in r_bin_open_io /home/ubuntu/radare2-master/libr/bin/bin.c:339
    #6 0x7f38cbcd2d2f in r_core_file_do_load_for_io_plugin /home/ubuntu/radare2-master/libr/core/cfile.c:435
    #7 0x7f38cbcd2d2f in r_core_bin_load /home/ubuntu/radare2-master/libr/core/cfile.c:636
    #8 0x7f38cbcd2d2f in r_core_bin_load /home/ubuntu/radare2-master/libr/core/cfile.c:604
    #9 0x7f38ce9f89d2 in r_main_radare2 /home/ubuntu/radare2-master/libr/main/radare2.c:1188
    #10 0x7f38ce7940b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x55957465dabd in _start (/home/ubuntu/radare2-master/binr/radare2/radare2+0x9abd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/radare2-master/libr/..//libr/bin/p/../format/ne/ne.c:90 in r_bin_ne_get_segments
==945410==ABORTING

Impact

This vulnerability is capable of making the radare2 crash, thus affecting the availability of the system.

We are processing your report and will contact the radareorg/radare2 team within 24 hours. a month ago
We have contacted a member of the radareorg/radare2 team and are waiting to hear back a month ago
cnitlrt modified the report
a month ago
pancake validated this vulnerability a month ago
cnitlrt has been awarded the disclosure bounty
The fix bounty is now up for grabs
pancake confirmed that a fix has been merged on 48f0ea a month ago
pancake has been awarded the fix bounty
to join this conversation