Use-after-free in r_config_set() #7698

Closed
fumfel opened this issue Jun 7, 2017 · 0 comments

@fumfel

commented Jun 7, 2017

Use-after-free in r_config_set()

HEAD: e1cfd1c

Payload (bins/fuzzed/r2_uaf_r_config_set) in radare/radare2-regressions#876

To reproduce: r2 -A r2_uaf_r_config_set

ASAN:

==17157==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000025d70 at pc 0x5585dd1788c1 bp 0x7ffed0f6ebe0 sp 0x7ffed0f6e390
READ of size 2 at 0x602000025d70 thread T0
    #0 0x5585dd1788c0 in __strdup (/usr/local/bin/radare2+0x658c0)
    #1 0x7fd3652be6df in r_config_set XYZ/radare2/libr/config/config.c:392:19
    #2 0x7fd365fff8cd in r_core_bin_set_env XYZ/radare2/libr/core/cbin.c:106:3
    #3 0x7fd365f89873 in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:434:2
    #4 0x7fd365f89873 in r_core_bin_load XYZ/radare2/libr/core/file.c:567
    #5 0x5585dd22713a in main XYZ/radare2/binr/radare2/radare2.c:952:14
    #6 0x7fd35e770510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #7 0x5585dd133e29 in _start (/usr/local/bin/radare2+0x20e29)

0x602000025d70 is located 0 bytes inside of 7-byte region [0x602000025d70,0x602000025d77)
freed by thread T0 here:
    #0 0x5585dd1e9650 in __interceptor_cfree.localalias.1 (/usr/local/bin/radare2+0xd6650)
    #1 0x7fd364c68a09 in r_bin_info_free XYZ/radare2/libr/bin/bin.c:573:2

previously allocated by thread T0 here:
    #0 0x5585dd1e9808 in malloc (/usr/local/bin/radare2+0xd6808)
    #1 0x7fd364d0c3b6 in info XYZ/radare2/libr/..//libr/bin/p/bin_dex.c:773:14

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/bin/radare2+0x658c0) in __strdup
Shadow bytes around the buggy address:
  0x0c047fffcb50: fa fa 05 fa fa fa 06 fa fa fa 00 03 fa fa 00 01
  0x0c047fffcb60: fa fa 00 01 fa fa 04 fa fa fa 01 fa fa fa 01 fa
  0x0c047fffcb70: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 05 fa
  0x0c047fffcb80: fa fa 06 fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fffcb90: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
=>0x0c047fffcba0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa[fd]fa
  0x0c047fffcbb0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fffcbc0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fffcbd0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fffcbe0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fffcbf0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17157==ABORTING

@radare radare closed this in f85bc67 Jun 7, 2017

leberus added a commit to leberus/radare2 that referenced this issue Jul 26, 2017
