
Use-after-free in r_anal_bb_free() #10293

Closed
fumfel opened this issue Jun 8, 2018 · 0 comments

Comments


fumfel commented Jun 8, 2018

Work environment

| Questions | Answers |
|-----------|---------|
| OS/arch/bits (mandatory) | Ubuntu 18.04 x64 |
| File format of the file you reverse (mandatory) | Java Class |
| Architecture/bits of the file (mandatory) | N/A |
| r2 -v full output, not truncated (mandatory) | radare2 2.7.0-git 18328 @ linux-x86-64 git.2.6.0-153-g555e88a commit: 555e88a build: 2018-06-08__08:53:22 |

Expected behavior

Disassembly of file or error message.

Actual behavior

UAF in ASAN build.

Steps to reproduce the behavior

Additional Logs, screenshots, source-code, configuration dump, ...

```
==25197==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000040b8 at pc 0x7efe631cc8b9 bp 0x7ffe6f1b0740 sp 0x7ffe6f1b0730
READ of size 8 at 0x6110000040b8 thread T0
    #0 0x7efe631cc8b8 in r_anal_bb_free XYZ/radare2/libr/anal/bb.c:49
    #1 0x7efe5f69e152 in r_list_delete XYZ/radare2/libr/util/list.c:93
    #2 0x7efe5f69e2b2 in r_list_purge XYZ/radare2/libr/util/list.c:62
    #3 0x7efe5f69e375 in r_list_free XYZ/radare2/libr/util/list.c:72
    #4 0x7efe631b318b in r_anal_fcn_free XYZ/radare2/libr/anal/fcn.c:327
    #5 0x7efe5f69e152 in r_list_delete XYZ/radare2/libr/util/list.c:93
    #6 0x7efe5f69e2b2 in r_list_purge XYZ/radare2/libr/util/list.c:62
    #7 0x7efe5f69e375 in r_list_free XYZ/radare2/libr/util/list.c:72
    #8 0x7efe631ea451 in r_anal_free XYZ/radare2/libr/anal/anal.c:128
    #9 0x7efe656e8274 in r_core_fini XYZ/radare2/libr/core/core.c:1945
    #10 0x55e86f23ae97 in main XYZ/radare2/binr/radare2/radare2.c:1449
    #11 0x7efe5efd182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x55e86f2423f8 in _start (/usr/local/bin/radare2+0x113f8)

0x6110000040b8 is located 184 bytes inside of 216-byte region [0x611000004000,0x6110000040d8)
freed by thread T0 here:
    #0 0x7efe65f5f2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x7efe5f69e152 in r_list_delete XYZ/radare2/libr/util/list.c:93

previously allocated by thread T0 here:
    #0 0x7efe65f5f79a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x7efe631cc9c7 in r_anal_bb_new XYZ/radare2/libr/anal/bb.c:11

SUMMARY: AddressSanitizer: heap-use-after-free XYZ/radare2/libr/anal/bb.c:49 r_anal_bb_free
Shadow bytes around the buggy address:
  0x0c227fff87c0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c227fff87d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff87f0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c227fff8810: fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa
  0x0c227fff8820: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8840: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25197==ABORTING
```
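The report above is consistent with one basic block being owned by more than one list: an earlier `r_list_delete` already freed the 216-byte block allocated in `r_anal_bb_new`, and a later purge of a function's block list (`r_anal_fcn_free` → `r_list_free` → `r_list_delete`) calls `r_anal_bb_free` on it again, which reads an 8-byte field 184 bytes into the freed region. The C program below is an added illustration of that ownership pattern and of a reference-counting fix; it is not radare2's code and not the change in 90b71c0, and every type and function name in it (`List`, `BasicBlock`, `bb_free`, `bb_unref`, `release_shared_block`) is a hypothetical stand-in for the real structures. A list that owns its elements through an unconditional destructor callback double-releases a block shared by two lists; the same list with `bb_ref`/`bb_unref` releases it exactly once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a simplified model of a list that owns its elements through a
 * free callback, in the spirit of radare2's RList, and of a basic block that is
 * reachable from two such lists. Not radare2's code; all names are hypothetical. */

typedef void (*ListFree)(void *);
typedef struct ListNode { void *data; struct ListNode *next; } ListNode;
typedef struct { ListNode *head; ListFree free_fn; } List;

typedef struct {
    unsigned long long addr;
    int refcount;   /* used only by the hardened path */
    char *label;    /* heap-owned; reading it after free is the reported pattern */
} BasicBlock;

static int g_releases;  /* how many times a block was really released */

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

static BasicBlock *bb_new(unsigned long long addr, const char *label) {
    BasicBlock *bb = calloc(1, sizeof *bb);
    if (!bb) return NULL;
    bb->addr = addr;
    bb->refcount = 1;
    bb->label = dup_str(label);
    return bb;
}

/* Unconditional destructor. The read of bb->label is the kind of 8-byte READ
 * inside the block that ASan flags once the block was freed via another list. */
static void bb_free(void *p) {
    BasicBlock *bb = p;
    if (!bb) return;
    free(bb->label);
    free(bb);
    g_releases++;
}

/* Hardened path: every owning list holds a reference, and the block is released
 * only when the last owner lets go, so a second list_free never touches freed memory. */
static BasicBlock *bb_ref(BasicBlock *bb) { if (bb) bb->refcount++; return bb; }
static void bb_unref(void *p) {
    BasicBlock *bb = p;
    if (bb && --bb->refcount == 0) bb_free(bb);
}

static List *list_new(ListFree f) {
    List *l = calloc(1, sizeof *l);
    if (l) l->free_fn = f;
    return l;
}

static void list_append(List *l, void *data) {
    ListNode *n = calloc(1, sizeof *n);
    if (!n) return;
    n->data = data;
    n->next = l->head;
    l->head = n;
}

/* Frees every element through the callback, then the container itself
 * (the role r_list_free / r_list_purge / r_list_delete play in the trace). */
static void list_free(List *l) {
    for (ListNode *n = l->head, *next; n; n = next) {
        next = n->next;
        if (l->free_fn) l->free_fn(n->data);
        free(n);
    }
    free(l);
}

/* Two "functions" share one block. With bb_free as the callback, the second
 * list_free reads and frees the block again (heap-use-after-free under ASan);
 * with bb_ref/bb_unref it is released exactly once. Returns the release count. */
static int release_shared_block(int hardened) {
    g_releases = 0;
    List *fcn_a = list_new(hardened ? bb_unref : bb_free);
    List *fcn_b = list_new(hardened ? bb_unref : bb_free);
    BasicBlock *shared = bb_new(0x1000, "shared");          /* constructed sample */
    list_append(fcn_a, shared);
    list_append(fcn_b, hardened ? bb_ref(shared) : shared);
    list_append(fcn_a, bb_new(0x1010, "only-in-a"));        /* constructed sample */
    list_free(fcn_a);
    list_free(fcn_b);   /* unsafe mode: touches freed memory here */
    return g_releases;
}

int main(int argc, char **argv) {
    int hardened = !(argc > 1 && strcmp(argv[1], "--unsafe") == 0);
    printf("%s: %d block release(s)\n", hardened ? "hardened" : "unsafe",
           release_shared_block(hardened));
    return 0;
}
```

Built with `-fsanitize=address -g` and run with `--unsafe`, the program produces a heap-use-after-free report of the same shape as the one in this issue (a READ inside a freed region, freed by the list's free callback, allocated by the block constructor); run without the flag, the reference-counted path tears down both lists with exactly two releases, one per distinct block. The design point is that a list's free callback is only safe when the list is the block's sole owner; shared blocks need either a reference count or a clear rule that one owner frees and the others hold non-owning pointers.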
@radare radare closed this as completed in 90b71c0 Jun 11, 2018