Lucene search
Peacock-doris3B3B7F77-AB8D-4DE3-999B-EEEC0A3EEBE7HistoryMar 22, 2022 - 9:46 a.m.
Heap Buffer Overflow in iterate_chained_fixups
2022-03-2209:46:03
peacock-doris
www.huntr.dev
6
0.001 Low
EPSS
Percentile
25.7%
Description
heap buffer overflow in iterate_chained_fixups function.
ASAN report:
=================================================================
==2540511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065710 at pc 0x7f5b64ccb878 bp 0x7ffeab141380 sp 0x7ffeab141370
READ of size 8 at 0x602000065710 thread T0
#0 0x7f5b64ccb877 in iterate_chained_fixups /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4562
#1 0x7f5b64c77396 in rebase_buffer /root/radare2/libr/..//libr/bin/p/bin_mach0.c:807
#2 0x7f5b64c76cd2 in rebasing_and_stripping_io_read /root/radare2/libr/..//libr/bin/p/bin_mach0.c:768
#3 0x7f5b6e4aa493 in r_io_plugin_read /root/radare2/libr/io/io_plugin.c:161
#4 0x7f5b6e4b3d19 in r_io_desc_read /root/radare2/libr/io/io_desc.c:213
#5 0x7f5b6e4c708c in r_io_fd_read /root/radare2/libr/io/io_fd.c:24
#6 0x7f5b6ffa0369 in buf_io_read /root/radare2/libr/util/buf_io.c:72
#7 0x7f5b6ffa1fc2 in buf_read /root/radare2/libr/util/buf.c:46
#8 0x7f5b6ffa5ef3 in r_buf_read /root/radare2/libr/util/buf.c:452
#9 0x7f5b6ffa7259 in r_buf_read_at /root/radare2/libr/util/buf.c:600
#10 0x7f5b64ccafb8 in get_hdr /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4517
#11 0x7f5b64cca3dc in mach_fields /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4417
#12 0x7f5b64aa04a1 in r_bin_object_set_items /root/radare2/libr/bin/bobj.c:310
#13 0x7f5b64a9d2a6 in r_bin_object_new /root/radare2/libr/bin/bobj.c:168
#14 0x7f5b64a91db0 in r_bin_file_new_from_buffer /root/radare2/libr/bin/bfile.c:585
#15 0x7f5b64a4f9f9 in r_bin_open_buf /root/radare2/libr/bin/bin.c:279
#16 0x7f5b64a5082e in r_bin_open_io /root/radare2/libr/bin/bin.c:339
#17 0x7f5b66ecb223 in r_core_file_do_load_for_io_plugin /root/radare2/libr/core/cfile.c:435
#18 0x7f5b66ecdd77 in r_core_bin_load /root/radare2/libr/core/cfile.c:636
#19 0x7f5b6f96ab18 in r_main_radare2 /root/radare2/libr/main/radare2.c:1184
#20 0x564e0b55f937 in main /root/radare2/binr/radare2/radare2.c:96
#21 0x7f5b6ed6e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#22 0x564e0b55f30d in _start (/root/radare2/binr/radare2/radare2+0x230d)
0x602000065711 is located 0 bytes to the right of 1-byte region [0x602000065710,0x602000065711)
allocated by thread T0 here:
#0 0x7f5b70abba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x7f5b64c96f4b in parse_chained_fixups /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1517
#2 0x7f5b64ca2b6b in init_items /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:2069
#3 0x7f5b64ca2f29 in init /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:2092
#4 0x7f5b64ca55fa in new_buf /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:2207
#5 0x7f5b64c6a112 in load_buffer /root/radare2/libr/..//libr/bin/p/bin_mach0.c:57
#6 0x7f5b64a9cd3b in r_bin_object_new /root/radare2/libr/bin/bobj.c:147
#7 0x7f5b64a91db0 in r_bin_file_new_from_buffer /root/radare2/libr/bin/bfile.c:585
#8 0x7f5b64a4f9f9 in r_bin_open_buf /root/radare2/libr/bin/bin.c:279
#9 0x7f5b64a5082e in r_bin_open_io /root/radare2/libr/bin/bin.c:339
#10 0x7f5b66ecb223 in r_core_file_do_load_for_io_plugin /root/radare2/libr/core/cfile.c:435
#11 0x7f5b66ecdd77 in r_core_bin_load /root/radare2/libr/core/cfile.c:636
#12 0x7f5b6f96ab18 in r_main_radare2 /root/radare2/libr/main/radare2.c:1184
#13 0x564e0b55f937 in main /root/radare2/binr/radare2/radare2.c:96
#14 0x7f5b6ed6e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4562 in iterate_chained_fixups
Shadow bytes around the buggy address:
0x0c0480004a90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 02 fa
0x0c0480004aa0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 02
0x0c0480004ab0: fa fa 00 02 fa fa 02 fa fa fa 05 fa fa fa 05 fa
0x0c0480004ac0: fa fa 00 00 fa fa 00 02 fa fa 05 fa fa fa 00 06
0x0c0480004ad0: fa fa 00 00 fa fa 00 fa fa fa 05 fa fa fa 02 fa
=>0x0c0480004ae0: fa fa[01]fa fa fa 05 fa fa fa 07 fa fa fa 00 fa
0x0c0480004af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2540511==ABORTING
How can we reproduce the issue?
Compile command
./sys/sanitize.sh
reproduce command
unzip tests_65305.zip
./radare2 -qq -AA <poc_file>
Impact
latest commit and latest release
$ ./radare2 -v
radare2 5.6.5 27847 @ linux-x86-64 git.5.6.2
commit: 60182bb63a77282ae469654556b899dbe2a7674c build: 2022-03-22__09:29:41
$ cat /etc/issue
Ubuntu 20.04.3 LTS \n \l
Related
cve
cve
CVE-2022-1052
2022-03-24 13:15:07
ubuntucve
ubuntucve
CVE-2022-1052
2022-03-24 00:00:00
nvd
nvd
CVE-2022-1052
2022-03-24 13:15:07
alpinelinux
alpinelinux
CVE-2022-1052
2022-03-24 13:15:07
osv
osv
CVE-2022-1052
2022-03-24 13:15:07
debiancve
debiancve
CVE-2022-1052
2022-03-24 13:15:07
prion
prion
Heap overflow
2022-03-24 13:15:00
cvelist
cvelist
veracode
veracode
Out-of-bounds Read
2022-12-26 19:38:30