NULL pointer dereference in symbols() #19478

Closed
0xShad3 opened this issue Dec 7, 2021 · 1 comment

0xShad3 commented Dec 7, 2021

NULL pointer dereference in symbols()

I have discovered a NULL / invalid pointer dereference
bug that gets triggered while parsing the symbols of a binary.

Environment

shad3@ubuntu:~/Desktop/$ uname -ms
Linux x86_64

shad3@ubuntu:~/Desktop/$ r2 -v
radare2 5.5.2 27243 @ linux-x86-64 git.5.5.0
commit: 79effabdf5db431e40ea2aafc7f322ca32edb876 build: 2021-12-07__12:18:24

shad3@ubuntu:~/Desktop/$ date
Tue Dec  7 14:07:20 PST 2021

ASAN

Stack Trace from an ASAN build while triggering the bug

ASAN:DEADLYSIGNAL
=================================================================
==128487==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbb0d3f2db3 bp 0x7ffd0bd70d50 sp 0x7ffd0bd70cf0 T0)
==128487==The signal is caused by a READ memory access.
==128487==Hint: address points to the zero page.
    #0 0x7fbb0d3f2db2 in symbols /home/shad3/Desktop/radare2/libr/..//libr/bin/p/bin_symbols.c:372
    #1 0x7fbb0d2bc308 in r_bin_object_set_items /home/shad3/Desktop/radare2/libr/bin/bobj.c:325
    #2 0x7fbb0d2bb9c0 in r_bin_object_new /home/shad3/Desktop/radare2/libr/bin/bobj.c:168
    #3 0x7fbb0d2b9231 in r_bin_file_new_from_buffer /home/shad3/Desktop/radare2/libr/bin/bfile.c:560
    #4 0x7fbb0d2a9558 in r_bin_open_buf /home/shad3/Desktop/radare2/libr/bin/bin.c:286
    #5 0x7fbb0d2a9850 in r_bin_open_io /home/shad3/Desktop/radare2/libr/bin/bin.c:346
    #6 0x7fbb0dc5f0fc in r_core_file_do_load_for_io_plugin /home/shad3/Desktop/radare2/libr/core/cfile.c:434
    #7 0x7fbb0dc5faa8 in r_core_bin_load /home/shad3/Desktop/radare2/libr/core/cfile.c:635
    #8 0x7fbb1187f0b8 in r_main_radare2 /home/shad3/Desktop/radare2/libr/main/radare2.c:1176
    #9 0x561b2af7db4e in main /home/shad3/Desktop/radare2/binr/radare2/radare2.c:96
    #10 0x7fbb1076dbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x561b2af7d579 in _start (/home/shad3/Desktop/validcrashes/radare2-asan/binr/radare2/radare2+0x1579)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/shad3/Desktop/radare2/libr/..//libr/bin/p/bin_symbols.c:372 in symbols
==128487==ABORTING

Explanation of the vulnerability

The vulnerability lies in the symbols function that
is responsible for parsing the symbols of the binary file.

The function can be found out at:

/radare2/libr/bin/bin_symbols.c

Please consider the following code
below, which has been simplified for readability:

static RList *symbols(RBinFile *bf) {
	RCoreSymCacheElement *element = bf->o->bin_obj;
	...
	// Parse symbols to a hash table
	for (i = 0; i < element->hdr->n_symbols; i++) {
		RCoreSymCacheElementSymbol *sym = &element->symbols[i]; // 1
		ht_uu_find (hash, sym->paddr, &found);					// 2
		if (found) {
			continue;
		}
		RBinSymbol *s = bin_symbol_from_symbol (element, sym);
		if (s) {
			r_list_append (res, s);
		}
	}
	ht_uu_free (hash);
	return res;
}

The element->symbols array is an array of symbols for an object of the
file that is being loaded for analysis. In the case where the pointer element->symbols[0]
is empty, which is possible, since it is directly controlled through the binary
file (bf->o->bin_obj), at point 1 the sym variable will be set to 0. Thus,
at point 2 the program will crash with a NULL pointer dereference while
trying to dereference the paddr struct member of the RCoreSymCacheElementSymbol
structure at sym->paddr.
Please note that the bf reaches this function unsanitized (since it's the structure describing
a binary file). If we trace up the functions on the stack we can see that it doesn't
get sanitized anywhere above.

Proposed fixes

Add a check right after the value is retrieved (point 1) to sanitize invalid
values.

Notes

  • Please check the attached binary that crashes
    the radare2 binary and reproduces the vulnerability
    by running the following command, e.g. in an ASAN build:

    r2 -qq -AA crash

  • I would highly appreciate it if, in case this bug qualifies for a
    CVE, you could request it for me.

crash.zip
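The guard the report proposes, as an added stand-alone example that is not radare2's code: the struct names are constructed stand-ins for RCoreSymCacheElement and its symbol/header types, a linear scan stands in for ht_uu, and the NULL check sits before the loop rather than after point 1, because computing `&element->symbols[i]` from a NULL base is already undefined behaviour in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-ins for the radare2 structs named in the report. */
typedef struct { uint64_t paddr; const char *name; } SymCacheSymbol;
typedef struct { uint32_t n_symbols; } SymCacheHeader;
typedef struct { SymCacheHeader *hdr; SymCacheSymbol *symbols; } SymCacheElement;

/* Returns the number of symbols with a distinct paddr, or -1 when the element
 * cannot be parsed. Mirrors the loop in symbols(): the header and the symbol
 * table both come from the file, so neither is trusted to be present. */
int count_unique_symbols(const SymCacheElement *element) {
    if (!element || !element->hdr || !element->symbols) {
        return -1; /* missing table: refuse to parse instead of faulting on sym->paddr */
    }
    uint32_t n = element->hdr->n_symbols;
    uint64_t *seen = calloc(n ? n : 1, sizeof *seen); /* paddr values already emitted */
    if (!seen) {
        return -1;
    }
    int count = 0;
    for (uint32_t i = 0; i < n; i++) {
        const SymCacheSymbol *sym = &element->symbols[i]; /* point 1: never NULL now */
        bool found = false;
        for (int j = 0; j < count; j++) {              /* point 2: dedup by paddr */
            if (seen[j] == sym->paddr) { found = true; break; }
        }
        if (found) {
            continue;
        }
        seen[count++] = sym->paddr;
    }
    free(seen);
    return count;
}

/* Constructed input shaped like the crash: header claims symbols, table absent. */
int demo_missing_symbol_table(void) {
    SymCacheHeader hdr = { .n_symbols = 3 };
    SymCacheElement e = { .hdr = &hdr, .symbols = NULL };
    return count_unique_symbols(&e); /* -1 instead of SEGV on the zero page */
}

/* Constructed well-formed input with one duplicate paddr. */
int demo_valid_table(void) {
    static SymCacheSymbol syms[] = { {0x1000, "a"}, {0x1000, "b"}, {0x2000, "c"} };
    SymCacheHeader hdr = { .n_symbols = 3 };
    SymCacheElement e = { .hdr = &hdr, .symbols = syms };
    return count_unique_symbols(&e); /* 2: the duplicate paddr is skipped */
}
```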

@trufae trufae closed this as completed in 7b9ac97 Dec 9, 2021
aemmitt-ns pushed a commit to aemmitt-ns/radare2 that referenced this issue Jan 26, 2022
dglynos commented May 24, 2022
