Peacock-doris29C5F76E-5F1F-43AB-A0C8-E31951E407B6Use After Free in r_reg_get_name_idx
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
23.8%
Description
heap use after free in r_reg_get_name_idx.
ASAN report:
=================================================================
==1710816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001dff50 at pc 0x7fa7c085d87c bp 0x7ffc21731ac0 sp 0x7ffc21731ab0
READ of size 1 at 0x6020001dff50 thread T0
#0 0x7fa7c085d87b in r_reg_get_name_idx /root/radare2-5.6.4/libr/reg/reg.c:101
#1 0x7fa7c08610c7 in r_reg_get /root/radare2-5.6.4/libr/reg/reg.c:321
#2 0x7fa7c0860ed1 in r_reg_setv /root/radare2-5.6.4/libr/reg/reg.c:301
#3 0x7fa7cb191d52 in r_core_anal_esil /root/radare2-5.6.4/libr/core/canal.c:5377
#4 0x7fa7cae699b0 in cmd_anal_all /root/radare2-5.6.4/libr/core/cmd_anal.c:11048
#5 0x7fa7cae72d1d in cmd_anal /root/radare2-5.6.4/libr/core/cmd_anal.c:11957
#6 0x7fa7cb1321d7 in r_cmd_call /root/radare2-5.6.4/libr/core/cmd_api.c:537
#7 0x7fa7cafb1f28 in r_core_cmd_subst_i /root/radare2-5.6.4/libr/core/cmd.c:4443
#8 0x7fa7cafa1e07 in r_core_cmd_subst /root/radare2-5.6.4/libr/core/cmd.c:3329
#9 0x7fa7cafbe764 in run_cmd_depth /root/radare2-5.6.4/libr/core/cmd.c:5331
#10 0x7fa7cafbf7db in r_core_cmd /root/radare2-5.6.4/libr/core/cmd.c:5414
#11 0x7fa7cafc07d4 in r_core_cmd0 /root/radare2-5.6.4/libr/core/cmd.c:5571
#12 0x7fa7cae67039 in cmd_anal_all /root/radare2-5.6.4/libr/core/cmd_anal.c:10913
#13 0x7fa7cae72d1d in cmd_anal /root/radare2-5.6.4/libr/core/cmd_anal.c:11957
#14 0x7fa7cb1321d7 in r_cmd_call /root/radare2-5.6.4/libr/core/cmd_api.c:537
#15 0x7fa7cafb1f28 in r_core_cmd_subst_i /root/radare2-5.6.4/libr/core/cmd.c:4443
#16 0x7fa7cafa1e07 in r_core_cmd_subst /root/radare2-5.6.4/libr/core/cmd.c:3329
#17 0x7fa7cafbe764 in run_cmd_depth /root/radare2-5.6.4/libr/core/cmd.c:5331
#18 0x7fa7cafbf7db in r_core_cmd /root/radare2-5.6.4/libr/core/cmd.c:5414
#19 0x7fa7cafc07d4 in r_core_cmd0 /root/radare2-5.6.4/libr/core/cmd.c:5571
#20 0x7fa7d36ee1cd in r_main_radare2 /root/radare2-5.6.4/libr/main/radare2.c:1394
#21 0x557bc4deb937 in main /root/radare2/binr/radare2/radare2.c:96
#22 0x7fa7d2aee0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#23 0x557bc4deb30d in _start (/root/radare2/binr/radare2/radare2+0x230d)
How can we reproduce the issue?
Compile command
./sys/sanitize.sh
reproduce command
unzip poc_uaf_r_reg_get.zip
./radare2 -qq -AA <poc_file>
Impact
latest commit and latest release
$ ./radare2 -v
radare2 5.6.4 27751 @ linux-x86-64 git.5.6.2
commit: d1b1d52f695d287667690d130ad2569aed8aa2ff build: 2022-03-03__07:18:18
$ cat /etc/issue
Ubuntu 20.04.3 LTS \n \l
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
23.8%