Out-of-bounds Read in r_bin_ne_get_entrypoints function in radareorg/radare2
Valid
Reported on
Apr 10th 2022
Description
An out-of-bounds (OOB) read vulnerability exists in the r_bin_ne_get_entrypoints function in radare2 5.6.7.
Version
radare2 5.6.7 27777 @ linux-x86-64 git.5.6.6
commit: 0c4af43def68ce29f7a74847bb1b7286da155200 build: 2022-04-10__08:53:32
Analysis
The vulnerability exists due to invalid type casting and dereferencing of bin struct members (bin->segment_entries, bin->entry_table).
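The analysis above points at dereferencing bin->segment_entries and bin->entry_table through casts without checking that the offsets and counts they hold lie inside the loaded file; the ASAN report shows the resulting read landing just outside a neighbouring heap allocation. The following is an added illustration, not radare2's code and not the fix that was applied to the project: a hypothetical ne_read_u16 helper that bounds-checks every 16-bit read against the buffer length, applied to a constructed NE-style header whose entry count claims more records than the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helper (not radare2's API): read a little-endian u16 at
 * `off` from `buf` of `len` bytes. Returns false instead of reading
 * past the end, which is the kind of read ASAN reports at ne.c:413
 * when a table offset or count taken from the file is trusted blindly. */
static bool ne_read_u16(const uint8_t *buf, size_t len, size_t off, uint16_t *out) {
    if (!buf || !out || off > len || len - off < 2) {
        return false;
    }
    *out = (uint16_t)(buf[off] | (buf[off + 1] << 8));
    return true;
}

/* Walk an entry table described by (offset, count) taken from the
 * file. Each entry here is a constructed 2-byte record; `count`
 * comes from the file too, so every step is checked against the
 * buffer rather than trusted. Returns the number of entries that
 * are really present, or -1 if the table starts outside the buffer. */
static int ne_count_entries(const uint8_t *buf, size_t len, uint16_t table_off, uint16_t count) {
    if (table_off >= len) {
        return -1;
    }
    int n = 0;
    for (uint16_t i = 0; i < count; i++) {
        uint16_t v;
        size_t off = (size_t)table_off + (size_t)i * 2;
        if (!ne_read_u16(buf, len, off, &v)) {
            break; /* stop at the buffer end instead of reading past it */
        }
        n++;
    }
    return n;
}

/* Constructed sample (not a real NE file): a 4-byte header holding the
 * entry-table offset and entry count, followed by only three complete
 * entries even though the header claims eight. */
static const uint8_t sample_ne[] = {
    0x04, 0x00,                              /* entry table offset = 4 */
    0x08, 0x00,                              /* claimed entry count = 8 */
    0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04 /* 3 entries + 1 stray byte */
};

/* Parse the header, then count the entries that can be read safely. */
int parse_sample(void) {
    uint16_t off, count;
    if (!ne_read_u16(sample_ne, sizeof sample_ne, 0, &off)) {
        return -1;
    }
    if (!ne_read_u16(sample_ne, sizeof sample_ne, 2, &count)) {
        return -1;
    }
    return ne_count_entries(sample_ne, sizeof sample_ne, off, count);
}

/* Same sample, but with a table offset that points past the buffer. */
int parse_bad_offset(void) {
    return ne_count_entries(sample_ne, sizeof sample_ne, 20, 1);
}

int main(void) {
    printf("entries readable: %d (header claimed 8)\n", parse_sample());
    printf("table offset past buffer: %d\n", parse_bad_offset());
    return 0;
}
```

The point of the helper is that the length check happens at the read, not once up front: a count or offset parsed from the file is only ever used to compute an offset that is then validated against the real buffer size, so a crafted header can make the parser stop early but not read outside the allocation.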
POC
poc 1 (crash site /format/ne/ne.c:413): radare2 -q -A poc_06
poc 2 (crash site /format/ne/ne.c:418): radare2 -q -A poc_09
poc 3 (crash site /format/ne/ne.c:411): radare2 -q -A poc_17
ASAN
==2274169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000066048 at pc 0x7f3a58920613 bp 0x7fff4fc5ea60 sp 0x7fff4fc5ea58
READ of size 2 at 0x602000066048 thread T0
#0 0x7f3a58920612 in r_bin_ne_get_entrypoints /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/../format/ne/ne.c:413
#1 0x7f3a5891dd43 in entries /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/bin_ne.c:90
#2 0x7f3a58790b23 in r_bin_object_set_items /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bobj.c:306
#3 0x7f3a5878f818 in r_bin_object_new /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bobj.c:168
#4 0x7f3a58789f44 in r_bin_file_new_from_buffer /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bfile.c:585
#5 0x7f3a58767d0b in r_bin_open_buf /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:279
#6 0x7f3a5876838f in r_bin_open_io /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:339
#7 0x7f3a5909356c in r_core_file_do_load_for_io_plugin /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:435
#8 0x7f3a59094e3d in r_core_bin_load /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:636
#9 0x7f3a5bb8d676 in r_main_radare2 /root/fuzzing/radare2_fuzzing/radare2/libr/main/radare2.c:1188
#10 0x555b9a2695f8 in main /root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2.c:96
#11 0x7f3a5b98f7fc in __libc_start_main ../csu/libc-start.c:332
#12 0x555b9a269179 in _start (/root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2+0x1179)
0x602000066048 is located 8 bytes to the left of 8-byte region [0x602000066050,0x602000066058)
allocated by thread T0 here:
#0 0x7f3a5c0947cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f3a5891e23a in __read_nonnull_str_at /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/../format/ne/ne.c:42
#2 0x7f3a5891fa44 in __ne_get_resources /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/../format/ne/ne.c:310
#3 0x7f3a58922ad8 in __init /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/../format/ne/ne.c:636
#4 0x7f3a58922c4b in r_bin_ne_new_buf /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/../format/ne/ne.c:654
#5 0x7f3a5891c4e4 in load_buffer /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/bin_ne.c:28
#6 0x7f3a5878f52c in r_bin_object_new /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bobj.c:147
#7 0x7f3a58789f44 in r_bin_file_new_from_buffer /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bfile.c:585
#8 0x7f3a58767d0b in r_bin_open_buf /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:279
#9 0x7f3a5876838f in r_bin_open_io /root/fuzzing/radare2_fuzzing/radare2/libr/bin/bin.c:339
#10 0x7f3a5909356c in r_core_file_do_load_for_io_plugin /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:435
#11 0x7f3a59094e3d in r_core_bin_load /root/fuzzing/radare2_fuzzing/radare2/libr/core/cfile.c:636
#12 0x7f3a5bb8d676 in r_main_radare2 /root/fuzzing/radare2_fuzzing/radare2/libr/main/radare2.c:1188
#13 0x555b9a2695f8 in main /root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2.c:96
#14 0x7f3a5b98f7fc in __libc_start_main ../csu/libc-start.c:332
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/bin/p/../format/ne/ne.c:413 in r_bin_ne_get_entrypoints
Shadow bytes around the buggy address:
0x0c0480004bb0: fa fa 00 03 fa fa 00 03 fa fa 00 03 fa fa 07 fa
0x0c0480004bc0: fa fa fd fa fa fa 06 fa fa fa fd fa fa fa 06 fa
0x0c0480004bd0: fa fa fd fa fa fa 06 fa fa fa fd fa fa fa fd fa
0x0c0480004be0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 02 fa
0x0c0480004bf0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 01 fa
=>0x0c0480004c00: fa fa 00 00 fa fa 00 00 fa[fa]00 fa fa fa 00 00
0x0c0480004c10: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 00
0x0c0480004c20: fa fa 06 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c0480004c30: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c0480004c40: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
0x0c0480004c50: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Impact
This vulnerability may allow attackers to read sensitive information or cause a crash.