Use After Free in r_reg_get_name_idx in radareorg/radare2
Valid
Reported on
Mar 3rd 2022
Description
Heap use-after-free in r_reg_get_name_idx.
ASAN report:
=================================================================
==1710816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001dff50 at pc 0x7fa7c085d87c bp 0x7ffc21731ac0 sp 0x7ffc21731ab0
READ of size 1 at 0x6020001dff50 thread T0
#0 0x7fa7c085d87b in r_reg_get_name_idx /root/radare2-5.6.4/libr/reg/reg.c:101
#1 0x7fa7c08610c7 in r_reg_get /root/radare2-5.6.4/libr/reg/reg.c:321
#2 0x7fa7c0860ed1 in r_reg_setv /root/radare2-5.6.4/libr/reg/reg.c:301
#3 0x7fa7cb191d52 in r_core_anal_esil /root/radare2-5.6.4/libr/core/canal.c:5377
#4 0x7fa7cae699b0 in cmd_anal_all /root/radare2-5.6.4/libr/core/cmd_anal.c:11048
#5 0x7fa7cae72d1d in cmd_anal /root/radare2-5.6.4/libr/core/cmd_anal.c:11957
#6 0x7fa7cb1321d7 in r_cmd_call /root/radare2-5.6.4/libr/core/cmd_api.c:537
#7 0x7fa7cafb1f28 in r_core_cmd_subst_i /root/radare2-5.6.4/libr/core/cmd.c:4443
#8 0x7fa7cafa1e07 in r_core_cmd_subst /root/radare2-5.6.4/libr/core/cmd.c:3329
#9 0x7fa7cafbe764 in run_cmd_depth /root/radare2-5.6.4/libr/core/cmd.c:5331
#10 0x7fa7cafbf7db in r_core_cmd /root/radare2-5.6.4/libr/core/cmd.c:5414
#11 0x7fa7cafc07d4 in r_core_cmd0 /root/radare2-5.6.4/libr/core/cmd.c:5571
#12 0x7fa7cae67039 in cmd_anal_all /root/radare2-5.6.4/libr/core/cmd_anal.c:10913
#13 0x7fa7cae72d1d in cmd_anal /root/radare2-5.6.4/libr/core/cmd_anal.c:11957
#14 0x7fa7cb1321d7 in r_cmd_call /root/radare2-5.6.4/libr/core/cmd_api.c:537
#15 0x7fa7cafb1f28 in r_core_cmd_subst_i /root/radare2-5.6.4/libr/core/cmd.c:4443
#16 0x7fa7cafa1e07 in r_core_cmd_subst /root/radare2-5.6.4/libr/core/cmd.c:3329
#17 0x7fa7cafbe764 in run_cmd_depth /root/radare2-5.6.4/libr/core/cmd.c:5331
#18 0x7fa7cafbf7db in r_core_cmd /root/radare2-5.6.4/libr/core/cmd.c:5414
#19 0x7fa7cafc07d4 in r_core_cmd0 /root/radare2-5.6.4/libr/core/cmd.c:5571
#20 0x7fa7d36ee1cd in r_main_radare2 /root/radare2-5.6.4/libr/main/radare2.c:1394
#21 0x557bc4deb937 in main /root/radare2/binr/radare2/radare2.c:96
#22 0x7fa7d2aee0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#23 0x557bc4deb30d in _start (/root/radare2/binr/radare2/radare2+0x230d)
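Added example, not part of the report or of radare2: a small triage helper that parses the ASan output above to pull out the bug class, the faulting access and the symbolised frames, then derives a crash-bucket key from the top three frames so duplicate reports of this UAF from different checkouts collide. The excerpt embedded below is the first frames of the trace above; the source prefix /root/radare2-5.6.4/ is taken from it, and the bucket depth of three is an assumption.

```python
import re

# Excerpt of the AddressSanitizer report from this ticket (first frames only),
# embedded as the sample input so the example runs offline.
ASAN_REPORT = """\
==1710816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001dff50 at pc 0x7fa7c085d87c bp 0x7ffc21731ac0 sp 0x7ffc21731ab0
READ of size 1 at 0x6020001dff50 thread T0
    #0 0x7fa7c085d87b in r_reg_get_name_idx /root/radare2-5.6.4/libr/reg/reg.c:101
    #1 0x7fa7c08610c7 in r_reg_get /root/radare2-5.6.4/libr/reg/reg.c:321
    #2 0x7fa7c0860ed1 in r_reg_setv /root/radare2-5.6.4/libr/reg/reg.c:301
    #3 0x7fa7cb191d52 in r_core_anal_esil /root/radare2-5.6.4/libr/core/canal.c:5377
    #4 0x7fa7cae699b0 in cmd_anal_all /root/radare2-5.6.4/libr/core/cmd_anal.c:11048
"""

# Header line: bug class and faulting address.
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
# Access line: READ/WRITE and the access width in bytes.
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
# Symbolised frame: "#N 0xADDR in func /path/file.c:LINE".
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>\S+?):(?P<line>\d+)", re.M)


def parse_asan(report):
    """Return the bug class, faulting access and the symbolised stack frames."""
    header = HEADER_RE.search(report)
    access = ACCESS_RE.search(report)
    if not header or not access:
        raise ValueError("not a recognised AddressSanitizer report")
    frames = [(m["func"], m["file"], int(m["line"])) for m in FRAME_RE.finditer(report)]
    return {"kind": header["kind"], "addr": header["addr"],
            "op": access["op"], "size": int(access["size"]), "frames": frames}


def crash_bucket(parsed, depth=3, src_root="/root/radare2-5.6.4/"):
    """Stable dedup key: bug class plus the top `depth` frames, with the
    build-specific checkout prefix stripped so different builds bucket together."""
    top = [f"{func}@{path.replace(src_root, '')}:{line}"
           for func, path, line in parsed["frames"][:depth]]
    return parsed["kind"] + "|" + "|".join(top)
```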
How can we reproduce the issue?
Compile command:
./sys/sanitize.sh
Reproduce command:
unzip poc_uaf_r_reg_get.zip
./radare2 -qq -AA <poc_file>
Impact
Affects the latest commit and the latest release:
$ ./radare2 -v
radare2 5.6.4 27751 @ linux-x86-64 git.5.6.2
commit: d1b1d52f695d287667690d130ad2569aed8aa2ff build: 2022-03-03__07:18:18
$ cat /etc/issue
Ubuntu 20.04.3 LTS \n \l