huntr report 1F84E79D-70E7-4B29-8B48-A108F81C89AA
Reported by 0xshad3 in radareorg/radare2 on Jan 28, 2022, 19:34:07
Source: www.huntr.dev

Tags: radare2, null pointer dereference, load_buffer, bin_xnu_kernelcache, vulnerability, poc, bug bounty, asan, segfault, address sanitizer, linux

EPSS: 0.002 (percentile 51.8%)

NULL pointer dereference in load_buffer

radare2 suffers from a NULL pointer dereference
error in load_buffer of bin_xnu_kernelcache.c

Environment


date
Fri Jan 28 11:03:53 PST 2022


uname -ms
Linux x86_64


./radare2 -v
radare2 5.5.5 27531 @ linux-x86-64 git.5.5.4
commit: 715c4e0ff14aadd4026c182626502df3f3a620ab build: 2022-01-28__08:00:45

ASAN

AddressSanitizer output:

./radare2 -qq -AA nullpointerdereference
ASAN:DEADLYSIGNAL
=================================================================
==54209==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9148ecf486 bp 0x7ffce3d94620 sp 0x7ffce3d94530 T0)
==54209==The signal is caused by a WRITE memory access.
==54209==Hint: address points to the zero page.
    #0 0x7f9148ecf485 in load_buffer /home/shad3/Desktop/radare2-asan/libr/..//libr/bin/p/bin_xnu_kernelcache.c:245
    #1 0x7f9148c0fcee in r_bin_object_new /home/shad3/Desktop/radare2-asan/libr/bin/bobj.c:147
    #2 0x7f9148c0a779 in r_bin_file_new_from_buffer /home/shad3/Desktop/radare2-asan/libr/bin/bfile.c:560
    #3 0x7f9148be8bf3 in r_bin_open_buf /home/shad3/Desktop/radare2-asan/libr/bin/bin.c:279
    #4 0x7f9148be9279 in r_bin_open_io /home/shad3/Desktop/radare2-asan/libr/bin/bin.c:339
    #5 0x7f9149b79010 in r_core_file_do_load_for_io_plugin /home/shad3/Desktop/radare2-asan/libr/core/cfile.c:435
    #6 0x7f9149b7a8f6 in r_core_bin_load /home/shad3/Desktop/radare2-asan/libr/core/cfile.c:636
    #7 0x7f914df1fdc4 in r_main_radare2 /home/shad3/Desktop/radare2-asan/libr/main/radare2.c:1177
    #8 0x556796be6204 in main /home/shad3/Desktop/radare2-asan/binr/radare2/radare2.c:96
    #9 0x7f914db05bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #10 0x556796be5d79 in _start (/home/shad3/Desktop/radare2-asan/binr/radare2/radare2+0xd79)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/shad3/Desktop/radare2-asan/libr/..//libr/bin/p/bin_xnu_kernelcache.c:245 in load_buffer
==54209==ABORTING


Explanation of the vulnerability

The vulnerability lies in the file

radare2/libr/bin/p/bin_xnu_kernelcache.c

Please consider the following code (line numbers refer to the build listed above):

static bool load_buffer(RBinFile *bf, void **bin_obj, RBuffer *buf, ut64 loadaddr, Sdb *sdb) {
	...
189	RKernelCacheObj *obj = NULL; // 1

191	RPrelinkRange *prelink_range = get_prelink_info_range_from_mach0 (main_mach0);
192	if (!prelink_range) {
193		goto beach;              // 2
194	}

	...
243 beach:
244	r_buf_free (fbuf);
245	obj->cache_buf = NULL;       // 3
246	MACH0_(mach0_free) (main_mach0);
247	return false;
}

When get_prelink_info_range_from_mach0 returns NULL (2), for example because
the input Mach-O carries no prelink info, control jumps to the beach cleanup
label. At that point obj still holds the NULL it was initialised to on line
189 (1), so the assignment on line 245 (3) dereferences a NULL pointer: it
writes through obj to clear cache_buf, which is why AddressSanitizer reports
a WRITE to address 0x0 (the zero page) at line 245. The cleanup path assumes
obj has already been allocated, which is only true for the later failure
exits that follow a successful prelink lookup.
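As an added example (not code from the huntr report or from radare2), the following C program models the control flow above: a loader that initialises obj to NULL, bails out to a beach cleanup label when no prelink range is found, and in that cleanup touches only the state that actually exists. The Buf, PrelinkRange and KernelCacheObj structs, the __PRELINK_INFO substring scan standing in for get_prelink_info_range_from_mach0, and the two sample inputs are all constructed for this demo; the if (obj) guard in the cleanup is the hardening the report calls for and is an assumption here, not necessarily the project's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the radare2 structures involved; these are not
 * the project's real definitions, only enough to model the load path. */
typedef struct {
	const unsigned char *data;
	size_t len;
} Buf;

typedef struct {
	size_t off;
	size_t size;
} PrelinkRange;

typedef struct {
	Buf *cache_buf;      /* first member, as in the report's 0x0 write */
	PrelinkRange range;
} KernelCacheObj;

/* Assumed marker for the demo: a buffer "has prelink info" iff it contains
 * the string "__PRELINK_INFO". The real parser walks Mach-O load commands
 * for a prelink segment; a plain substring scan stands in for that here. */
static const char PRELINK_MARKER[] = "__PRELINK_INFO";

static PrelinkRange *get_prelink_range(const Buf *b) {
	size_t mlen = sizeof PRELINK_MARKER - 1;
	if (!b || !b->data || b->len < mlen) {
		return NULL;
	}
	for (size_t i = 0; i + mlen <= b->len; i++) {
		if (memcmp (b->data + i, PRELINK_MARKER, mlen) == 0) {
			PrelinkRange *r = calloc (1, sizeof *r);
			if (!r) {
				return NULL;
			}
			r->off = i;
			r->size = mlen;
			return r;
		}
	}
	return NULL;
}

/* Hardened loader. Same shape as the radare2 function (early exits jump to
 * the beach cleanup label), but each cleanup step is guarded by the state it
 * depends on, so the "no prelink info" exit never dereferences obj, which is
 * still NULL at that point. */
static bool load_buffer_fixed(Buf *buf, KernelCacheObj **bin_obj) {
	KernelCacheObj *obj = NULL;
	PrelinkRange *prelink_range = get_prelink_range (buf);
	if (!prelink_range) {
		goto beach;          /* obj is NULL here: must not be touched */
	}
	obj = calloc (1, sizeof *obj);
	if (!obj) {
		goto beach;
	}
	obj->cache_buf = buf;
	obj->range = *prelink_range;
	free (prelink_range);
	*bin_obj = obj;
	return true;
beach:
	free (prelink_range);    /* free(NULL) is a no-op */
	if (obj) {               /* the guard the original cleanup lacked */
		obj->cache_buf = NULL;
		free (obj);
	}
	return false;
}

/* Runs the hardened loader over a buffer and returns the prelink offset it
 * recorded, or -1 when the loader rejected the input (the PoC case). */
static long load_offset(const unsigned char *data, size_t len) {
	Buf b = { data, len };
	KernelCacheObj *obj = NULL;
	if (!load_buffer_fixed (&b, &obj)) {
		return -1;
	}
	long off = (long) obj->range.off;
	free (obj);
	return off;
}

/* Constructed sample inputs: the first mimics the PoC (a Mach-O-looking blob
 * with no prelink info), the second carries the marker at offset 12. */
static const unsigned char SAMPLE_NO_PRELINK[] = "\xcf\xfa\xed\xfe junk with no kext info";
static const unsigned char SAMPLE_WITH_PRELINK[] = "\xcf\xfa\xed\xfe __TEXT __PRELINK_INFO tail";

int main(void) {
	printf ("no prelink info:   %ld\n", load_offset (SAMPLE_NO_PRELINK, sizeof SAMPLE_NO_PRELINK - 1));
	printf ("with prelink info: %ld\n", load_offset (SAMPLE_WITH_PRELINK, sizeof SAMPLE_WITH_PRELINK - 1));
	return 0;
}
```

Feeding the no-prelink sample exercises exactly the path that crashed radare2: the original cleanup would execute obj->cache_buf = NULL with obj == NULL there, while the guarded version returns false without dereferencing anything. The same guard discipline applies to every goto-cleanup function: each line after the label must be valid for every jump that can reach it, not only for the last one.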

Attached POC

You can find the attached PoC file that triggers the vulnerability
at the following link

Password : A7htCTD6Oli6rf1Waoz1

nullpointerdereference

Run as:

./radare2 -qq -AA nullpointerdereference
