Heap-based Buffer Overflow in radareorg/radare2

Valid

Reported on

Aug 11th 2023


Description

heap-buffer-overflow p/bf/plugin.c:176 in decode

Environment

radare2 5.8.9 31000 @ linux-x86-64
commit: 95b648f0907e91e10d55fc48147a7dae99029c5b

Build

export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"

./configure && make && make install

Proof of Concept

radare2 -A ./heap-buffer-overflow-poc0x1

poc

AddressSanitizer report

==286237==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100015607f at pc 0x7f33249902bd bp 0x7fff636244a0 sp 0x7fff63624490
READ of size 1 at 0x61100015607f thread T0
    #0 0x7f33249902bc in decode p/bf/plugin.c:176
    #1 0x7f3324238256 in r_arch_decode /home/hack/fuzz/radare2/libr/arch/arch.c:292
    #2 0x7f33222b4d29 in r_anal_op /home/hack/fuzz/radare2/libr/anal/op.c:186
    #3 0x7f332596b909 in _anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8705
    #4 0x7f332596c4df in cmd_anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8811
    #5 0x7f33259892f3 in cmd_anal_all /home/hack/fuzz/radare2/libr/core/cmd_anal.c:12465
    #6 0x7f332599120a in cmd_anal /home/hack/fuzz/radare2/libr/core/cmd_anal.c:13726
    #7 0x7f3325b2dbe1 in r_cmd_call /home/hack/fuzz/radare2/libr/core/cmd_api.c:520
    #8 0x7f3325a5e192 in r_core_cmd_call /home/hack/fuzz/radare2/libr/core/cmd.c:6266
    #9 0x7f3321f74e46 in perform_analysis /home/hack/fuzz/radare2/libr/main/radare2.c:428
    #10 0x7f3321f7ca28 in r_main_radare2 /home/hack/fuzz/radare2/libr/main/radare2.c:1633
    #11 0x56371e08ad6b in main /home/hack/fuzz/radare2/binr/radare2/radare2.c:102
    #12 0x7f3321d0a082 in __libc_start_main ../csu/libc-start.c:308
    #13 0x56371df5e5fd in _start (/home/hack/fuzz_r2/asan_r2/bin/radare2+0x3e5fd)

0x61100015607f is located 0 bytes to the right of 255-byte region [0x611000155f80,0x61100015607f)
allocated by thread T0 here:
    #0 0x56371e049288 in malloc (/home/hack/fuzz/asan_r2/bin/radare2+0x129288)
    #1 0x7f3324990034 in decode p/bf/plugin.c:167
    #2 0x7f3324238256 in r_arch_decode /home/hack/fuzz/radare2/libr/arch/arch.c:292
    #3 0x7f33222b4d29 in r_anal_op /home/hack/fuzz/radare2/libr/anal/op.c:186
    #4 0x7f332596b909 in _anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8705
    #5 0x7f332596c4df in cmd_anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8811
    #6 0x7f33259892f3 in cmd_anal_all /home/hack/fuzz/radare2/libr/core/cmd_anal.c:12465
    #7 0x7f332599120a in cmd_anal /home/hack/fuzz/radare2/libr/core/cmd_anal.c:13726
    #8 0x7f3325b2dbe1 in r_cmd_call /home/hack/fuzz/radare2/libr/core/cmd_api.c:520
    #9 0x7f3325a5e192 in r_core_cmd_call /home/hack/fuzz/radare2/libr/core/cmd.c:6266
    #10 0x7f3321f74e46 in perform_analysis /home/hack/fuzz/radare2/libr/main/radare2.c:428
    #11 0x7f3321f7ca28 in r_main_radare2 /home/hack/fuzz/radare2/libr/main/radare2.c:1633
    #12 0x56371e08ad6b in main /home/hack/fuzz/radare2/binr/radare2/radare2.c:102
    #13 0x7f3321d0a082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow p/bf/plugin.c:176 in decode
Shadow bytes around the buggy address:
  0x0c2280022bb0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c2280022bc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280022bd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280022be0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c2280022bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2280022c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
  0x0c2280022c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280022c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280022c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280022c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280022c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==286237==ABORTING

Impact

The bug causes the program to read data past the end of the intended heap buffer (a 1-byte read immediately after a 255-byte region, as the ASan report shows). Typically an out-of-bounds read of this kind can let an attacker disclose sensitive information from adjacent memory or crash the process while it analyzes a crafted input file.
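The report does not include the plugin source, so the following is an added, hypothetical model of the bug class (not radare2's bf plugin code): a decoder copies input into a fixed 255-byte heap region, the same size as the region in the ASan output, and walks it with a loop whose only stop condition is the content of the bytes. An input that fills the region with no terminator makes the loop read one byte past the allocation, which is exactly the "0 bytes to the right of 255-byte region" READ that ASan reports. The hardened version beside it bounds the loop by the number of bytes actually copied. Function names, the terminator convention and the sample input are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REGION_LEN 255  /* same size as the heap region in the ASan report (hypothetical code otherwise) */

/* Vulnerable pattern: copy up to REGION_LEN bytes into a heap buffer and
 * walk it until a zero byte is found. When the input fills the region
 * exactly and contains no zero byte, the walk reads buf[REGION_LEN], one
 * byte past the allocation: a 1-byte out-of-bounds READ. */
size_t scan_unbounded(const uint8_t *in, size_t in_len) {
    uint8_t *buf = calloc(REGION_LEN, 1);   /* zero-filled, so short inputs end in a terminator */
    if (!buf) {
        return 0;
    }
    size_t n = in_len < REGION_LEN ? in_len : REGION_LEN;
    memcpy(buf, in, n);
    size_t i = 0;
    while (buf[i] != 0) {                   /* BUG: nothing bounds i by the allocation size */
        i++;
    }
    free(buf);
    return i;
}

/* Hardened pattern: carry the number of bytes actually copied and bound the
 * loop by it, so the scan cannot leave the allocation whatever the input is. */
size_t scan_bounded(const uint8_t *in, size_t in_len) {
    uint8_t *buf = calloc(REGION_LEN, 1);
    if (!buf) {
        return 0;
    }
    size_t n = in_len < REGION_LEN ? in_len : REGION_LEN;
    memcpy(buf, in, n);
    size_t i = 0;
    while (i < n && buf[i] != 0) {          /* FIX: explicit length check before the read */
        i++;
    }
    free(buf);
    return i;
}

/* Constructed input: REGION_LEN bytes of '+' with no terminator anywhere.
 * Under ASan, scan_unbounded() on this input reproduces the report's
 * heap-buffer-overflow; scan_bounded() handles it and returns REGION_LEN. */
size_t filled_region_len(void) {
    uint8_t in[REGION_LEN];
    memset(in, '+', sizeof in);
    return scan_bounded(in, sizeof in);
}

/* A short, terminated input is within bounds for both versions. */
size_t short_input_len(void) {
    const uint8_t in[] = "+-<>";
    return scan_unbounded(in, sizeof in - 1);
}

int main(void) {
    printf("bounded scan of a filled region: %zu\n", filled_region_len());
    printf("unbounded scan of a short input: %zu\n", short_input_len());
    return 0;
}
```

Building this file with the same `-fsanitize=address` flags as the Build section and calling `scan_unbounded()` on the filled region is the quickest way to see the report's signature locally; the bounded version is the shape of check a reviewer should expect in the fix.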

References

Fixed in https://github.com/radareorg/radare2/commit/ba919adb74ac368bf76b150a00347ded78b572dd

Timeline

Reported by 7resp4ss on Aug 11th 2023; huntr contacted the radareorg/radare2 team.

pancake (maintainer): i can confirm the bug. fixing now

pancake validated this vulnerability and marked it as fixed in 5.9.0 with commit ba919a.

This vulnerability has been assigned a CVE and was scheduled to go public on Sep 11th 2023; pancake published it.