NULL Pointer Dereference in radareorg/radare2
Reported on
Dec 27th 2022
Environment
Distributor ID: Debian
Description: Debian GNU/Linux bookworm/sid
Release: n/a
Codename: bookworm
Version
Reproduced against the latest release as of 2022-12-27, version 5.8.0, and against the current master branch at commit 031da1be8f6c9aa55f6e4e76df962d2c85dc32e8.
Description
The sanitizer output below (a UBSan runtime error followed by the AddressSanitizer SEGV report) shows a NULL pointer dereference in r_io_bank_read_at at line 790 of libr/io/io_bank.c: a member of struct RIORelocMap is accessed through a null pointer. The faulting address 0x000000000008 is a small offset from NULL, consistent with reading a field of a RIORelocMap through a NULL pointer rather than a wild or attacker-controlled address. The stack trace shows the read is reached during startup from r_main_radare2 via r_core_seek and r_core_block_read, so simply opening the crafted file triggers it.
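As an added illustration of the bug class (this is not radare2's code and not the function at io_bank.c:790; all names here are hypothetical): a map lookup that legitimately returns NULL for an address no map covers, an unchecked reader that dereferences the result, which is what a sanitizer reports as "member access within null pointer" and a SEGV near address 0x8, and a checked reader that treats "no map" as a failed read.

```c
/* Added example, not radare2 code. A minimal model of a bank/map read path
 * where the lookup can return NULL and the reader must handle it. Names,
 * types and the fixture data are hypothetical and constructed for this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint64_t from;        /* first address covered by this map */
    uint64_t size;        /* bytes covered */
    const uint8_t *data;  /* backing bytes, `size` long */
} RelocMap;

typedef struct {
    const RelocMap *maps;
    size_t nmaps;
} Bank;

/* Returns the map covering addr, or NULL when no map does. NULL is a
 * normal outcome here, not an error: an unmapped address is valid input. */
static const RelocMap *bank_find_map(const Bank *b, uint64_t addr) {
    for (size_t i = 0; i < b->nmaps; i++) {
        const RelocMap *m = &b->maps[i];
        if (addr >= m->from && addr - m->from < m->size) return m;
    }
    return NULL;
}

/* Bug pattern: assumes the lookup always succeeds. For an address outside
 * every map, m is NULL and m->from / m->size are read through it; with
 * sanitizers this is the "member access within null pointer" report
 * followed by a SEGV at a small offset from address zero. */
static bool bank_read_at_unchecked(const Bank *b, uint64_t addr,
                                   uint8_t *out, size_t len) {
    const RelocMap *m = bank_find_map(b, addr);
    uint64_t off = addr - m->from;           /* NULL dereference if m == NULL */
    if (off + len > m->size) return false;
    memcpy(out, m->data + off, len);
    return true;
}

/* Hardened form: a missing map is reported as a failed read, and the
 * bounds check is written so that off + len cannot wrap. */
static bool bank_read_at_checked(const Bank *b, uint64_t addr,
                                 uint8_t *out, size_t len) {
    const RelocMap *m = bank_find_map(b, addr);
    if (!m) return false;                    /* the missing check */
    uint64_t off = addr - m->from;           /* off < m->size by construction */
    if (len > m->size - off) return false;
    memcpy(out, m->data + off, len);
    return true;
}

/* Constructed fixture: a single 8-byte map at 0x1000. */
static const uint8_t fixture_bytes[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
static const RelocMap fixture_maps[1] = {{0x1000, 8, fixture_bytes}};
static const Bank fixture_bank = {fixture_maps, 1};

/* Reads a little-endian 32-bit word through the checked reader.
 * Returns the word, or -1 when the read fails (no map, or out of bounds). */
static int64_t demo_read_u32(uint64_t addr) {
    uint8_t buf[4];
    if (!bank_read_at_checked(&fixture_bank, addr, buf, sizeof buf)) return -1;
    return (int64_t)buf[0] | ((int64_t)buf[1] << 8) |
           ((int64_t)buf[2] << 16) | ((int64_t)buf[3] << 24);
}

int main(void) {
    uint8_t buf[4];
    printf("checked   0x1000: %s\n",
           bank_read_at_checked(&fixture_bank, 0x1000, buf, 4) ? "ok" : "no map");
    printf("checked   0x2000: %s\n",
           bank_read_at_checked(&fixture_bank, 0x2000, buf, 4) ? "ok" : "no map");
    printf("unchecked 0x1000: %s\n",
           bank_read_at_unchecked(&fixture_bank, 0x1000, buf, 4) ? "ok" : "short");
    /* bank_read_at_unchecked(&fixture_bank, 0x2000, buf, 4) would crash:
     * bank_find_map returns NULL and m->from is read through it. */
    return 0;
}
```

Built with `-fsanitize=address,undefined`, the commented-out unchecked call on 0x2000 produces the same two-part report as the one in this issue: a UBSan member-access line naming the struct, then an ASan SEGV at a zero-page address.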
POC
radare2 -AA -qq ./poc
ASAN
io_bank.c:790:25: runtime error: member access within null pointer of type 'struct RIORelocMap'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==140168==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f622d30bb05 bp 0x7ffda44db6a0 sp 0x7ffda44db5a0 T0)
==140168==The signal is caused by a READ memory access.
==140168==Hint: address points to the zero page.
#0 0x7f622d30bb05 in r_io_bank_read_at /path/to/radare2/libr/io/io_bank.c:790
#1 0x7f622d2dc7dc in r_io_vread_at /path/to/radare2/libr/io/io.c:213
#2 0x7f622d2dca9d in internal_r_io_read_at /path/to/radare2/libr/io/io.c:234
#3 0x7f622d2dce54 in r_io_read_at /path/to/radare2/libr/io/io.c:269
#4 0x7f622b5b183d in r_core_block_read /path/to/radare2/libr/core/cio.c:538
#5 0x7f622b5b0027 in r_core_seek /path/to/radare2/libr/core/cio.c:402
#6 0x7f622ff8f917 in r_main_radare2 /path/to/radare2/libr/main/radare2.c:1515
#7 0x55dcbee61971 in main /path/to/radare2/binr/radare2/radare2.c:104
#8 0x7f622dc46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f622dc46244 in __libc_start_main_impl ../csu/libc-start.c:381
#10 0x55dcbee611d0 in _start (/path/to/radare2/binr/radare2/radare2+0x21d0)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/radare2/libr/io/io_bank.c:790 in r_io_bank_read_at
==140168==ABORTING
Impact
Opening a crafted file crashes radare2, so the impact is denial of service (availability) for the radare2 process and any workflow that loads untrusted binaries through it; it does not take down the host. The sanitizer report shows a READ through a NULL pointer at a fixed small offset, not a write or a controllable pointer, so no memory corruption or code execution is indicated by this report.
I did not; I'm fairly certain the pool of money for radare2 is expended. I'm unsure if fix bounties come from the same pool. It would have been cool to get a few bucks for it, but the CVE assigned to my profile is pretty cool too.