Environment
Sat Jun 25 11:13:09 AM CST 2022
radare2 5.7.3 28346 @ linux-x86-64 git.5.6.6-689-gf369ff2de
commit: f369ff2de3c807681ec76df450ee6d4af5e04ce0 build: 2022-06-24__10:39:32
Description
NULL pointer dereference in function r_bin_file_xtr_load_buffer in bin/bfile.c in Radare2 5.7.2 could crash the application when opening a crafted binary file with r2. Typically, attackers can leverage this vulnerability to perform a denial-of-service attack in the context of the current user.
Test
1. Build Radare2 normally or with UBSAN enabled
2. Make a PoC file with size of just 32 bytes. Save the content below as hex.txt
   xxd -r hex.txt > PoCfile to create the PoC file
3. r2 PoCfile, the program will crash immediately
When built normally:
When UBSAN and ASAN enabled:
ERROR: LZ4 decompression failed
../libr/bin/bfile.c:817:7: runtime error: member access within null pointer of type 'RBinXtrData' (aka 'struct r_bin_xtr_data_t')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../libr/bin/bfile.c:817:7 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3515943==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x56147ed500b0 bp 0x7ffe95e3a3a0 sp 0x7ffe95e3a0a0 T0)
==3515943==The signal is caused by a WRITE memory access.
==3515943==Hint: address points to the zero page.
#0 0x56147ed500b0 in r_bin_file_xtr_load_buffer /data/Repo/radare2/build/../libr/bin/bfile.c:817:13
#1 0x56147ec16be6 in r_bin_open_buf /data/Repo/radare2/build/../libr/bin/bin.c:275:11
#2 0x56147ec1157d in r_bin_open_io /data/Repo/radare2/build/../libr/bin/bin.c:345:13
#3 0x56147c1b6a99 in r_core_file_do_load_for_io_plugin /data/Repo/radare2/build/../libr/core/cfile.c:436:7
#4 0x56147c195842 in r_core_bin_load /data/Repo/radare2/build/../libr/core/cfile.c:637:4
#5 0x561477ea9ef1 in r_main_radare2 /data/Repo/radare2/build/../libr/main/radare2.c:1258:15
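A small triage helper for the sanitizer output in this report, as an added example that is not part of the original report or of radare2: it pulls out the fault address, access type and top frame, and buckets the crash so duplicates collapse together. The function name `triage`, the 4 KiB near-NULL threshold and the bucket format are assumptions made for this example.

```python
import re

# Sanitizer lines copied from the report above (stack trimmed to two frames).
REPORT = """\
../libr/bin/bfile.c:817:7: runtime error: member access within null pointer of type 'RBinXtrData' (aka 'struct r_bin_xtr_data_t')
==3515943==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x56147ed500b0 bp 0x7ffe95e3a3a0 sp 0x7ffe95e3a0a0 T0)
==3515943==The signal is caused by a WRITE memory access.
#0 0x56147ed500b0 in r_bin_file_xtr_load_buffer /data/Repo/radare2/build/../libr/bin/bfile.c:817:13
#1 0x56147ec16be6 in r_bin_open_buf /data/Repo/radare2/build/../libr/bin/bin.c:275:11
"""

PAGE_SIZE = 0x1000  # assumption: a fault below one page is NULL plus a member offset

SEGV_RE = re.compile(r"AddressSanitizer: SEGV on unknown address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
UBSAN_RE = re.compile(r"runtime error: member access within null pointer of type '([^']+)'")
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)(?::\d+)?$")


def triage(report):
    """Summarise an ASan/UBSan crash report for deduplication."""
    result = {"fault_addr": None, "access": None, "null_type": None, "frames": []}
    for line in report.splitlines():
        line = line.strip()
        if m := SEGV_RE.search(line):
            result["fault_addr"] = int(m.group(1), 16)
        elif m := ACCESS_RE.search(line):
            result["access"] = m.group(1)
        elif m := UBSAN_RE.search(line):
            result["null_type"] = m.group(1)
        elif m := FRAME_RE.match(line):
            # Keep function, file basename and line; drop build-specific paths.
            path = m.group(3).rsplit("/", 1)[-1]
            result["frames"].append((m.group(2), path, int(m.group(4))))
    addr = result["fault_addr"]
    near_null = addr is not None and addr < PAGE_SIZE
    is_null = near_null or result["null_type"] is not None
    result["class"] = "null-deref" if is_null else "other-segv"
    # With a NULL base pointer, the fault address equals the member's offset.
    result["member_offset"] = addr if near_null else None
    top = result["frames"][0] if result["frames"] else ("?", "?", 0)
    result["bucket"] = f"{result['class']}:{top[0]}:{top[1]}:{top[2]}"
    return result


if __name__ == "__main__":
    print(triage(REPORT))
```
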