Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrHmnthabit7B979E76-AE54-4132-B455-0833E45195EB
HistoryApr 01, 2022 - 1:11 p.m.

Out-of-bounds read

2022-04-0113:11:06
hmnthabit
www.huntr.dev
10

6.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

31.5%

JSON

Description

Out-of-bounds (OOB) read vulnerability exists in analop function in Radare2 5.6.7

Version

radare2 5.6.7 27722 @ linux-x86-64 git.5.6.6
commit: e876eef2a2f758157dd6028fb01809bcedacf00f build: 2022-04-01__07:03:35

Proof of Concept

radare2 -q -A poc

poc

ASAN

==2143069==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000a2a17 at pc 0x7fabd14c6e67 bp 0x7ffcf252a750 sp 0x7ffcf252a748
READ of size 1 at 0x6020000a2a17 thread T0                                                                                                                                                                                                  
    #0 0x7fabd14c6e66 in analop /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/anal/p/anal_cris.c:65
    #1 0x7fabd15ee0b7 in r_anal_op /root/fuzzing/radare2_fuzzing/radare2/libr/anal/op.c:120
    #2 0x7fabd2edd954 in anal_block_cb /root/fuzzing/radare2_fuzzing/radare2/libr/core/canal.c:3502
    #3 0x7fabd1618bab in r_anal_block_recurse_depth_first /root/fuzzing/radare2_fuzzing/radare2/libr/anal/block.c:531
    #4 0x7fabd2ede480 in r_core_recover_vars /root/fuzzing/radare2_fuzzing/radare2/libr/core/canal.c:3553
    #5 0x7fabd2cf8d40 in r_core_af /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_anal.c:3894
    #6 0x7fabd2ee2f29 in r_core_anal_all /root/fuzzing/radare2_fuzzing/radare2/libr/core/canal.c:4251
    #7 0x7fabd2d33ac1 in cmd_anal_all /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_anal.c:11125
    #8 0x7fabd2d3bc5b in cmd_anal /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_anal.c:12330
    #9 0x7fabd2eb7d8a in r_cmd_call /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_api.c:531
    #10 0x7fabd2dece8c in r_core_cmd_subst_i /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:4478
    #11 0x7fabd2de4103 in r_core_cmd_subst /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:3364
    #12 0x7fabd2df3792 in run_cmd_depth /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:5366
    #13 0x7fabd2df4002 in r_core_cmd /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:5449
    #14 0x7fabd2df4b2c in r_core_cmd0 /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:5606
    #15 0x7fabd54f93ca in r_main_radare2 /root/fuzzing/radare2_fuzzing/radare2/libr/main/radare2.c:1397
    #16 0x5652f8dde5f8 in main /root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2.c:96
    #17 0x7fabd52f97fc in __libc_start_main ../csu/libc-start.c:332
    #18 0x5652f8dde179 in _start (/root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2+0x1179)

0x6020000a2a17 is located 0 bytes to the right of 7-byte region [0x6020000a2a10,0x6020000a2a17)
allocated by thread T0 here:                                                                                                                                                                                                                
    #0 0x7fabd59fe7cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fabd2edd2ef in anal_block_cb /root/fuzzing/radare2_fuzzing/radare2/libr/core/canal.c:3452
    #2 0x7fabd1618bab in r_anal_block_recurse_depth_first /root/fuzzing/radare2_fuzzing/radare2/libr/anal/block.c:531
    #3 0x7fabd2ede480 in r_core_recover_vars /root/fuzzing/radare2_fuzzing/radare2/libr/core/canal.c:3553
    #4 0x7fabd2cf8d40 in r_core_af /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_anal.c:3894
    #5 0x7fabd2ee2f29 in r_core_anal_all /root/fuzzing/radare2_fuzzing/radare2/libr/core/canal.c:4251
    #6 0x7fabd2d33ac1 in cmd_anal_all /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_anal.c:11125
    #7 0x7fabd2d3bc5b in cmd_anal /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_anal.c:12330
    #8 0x7fabd2eb7d8a in r_cmd_call /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_api.c:531
    #9 0x7fabd2dece8c in r_core_cmd_subst_i /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:4478
    #10 0x7fabd2de4103 in r_core_cmd_subst /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:3364
    #11 0x7fabd2df3792 in run_cmd_depth /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:5366
    #12 0x7fabd2df4002 in r_core_cmd /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:5449
    #13 0x7fabd2df4b2c in r_core_cmd0 /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd.c:5606
    #14 0x7fabd54f93ca in r_main_radare2 /root/fuzzing/radare2_fuzzing/radare2/libr/main/radare2.c:1397
    #15 0x5652f8dde5f8 in main /root/fuzzing/radare2_fuzzing/radare2/binr/radare2/radare2.c:96
    #16 0x7fabd52f97fc in __libc_start_main ../csu/libc-start.c:332

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/anal/p/anal_cris.c:65 in analop
Shadow bytes around the buggy address:
  0x0c048000c4f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c048000c500: fa fa fd fa fa fa fd fa fa fa 06 fa fa fa fd fa
  0x0c048000c510: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 05
  0x0c048000c520: fa fa 00 fa fa fa 00 02 fa fa fd fd fa fa 00 05
  0x0c048000c530: fa fa 00 05 fa fa 00 05 fa fa fd fd fa fa fd fd
=>0x0c048000c540: fa fa[07]fa fa fa 04 fa fa fa 03 fa fa fa 03 fa
  0x0c048000c550: fa fa 03 fa fa fa 03 fa fa fa fa fa fa fa fa fa
  0x0c048000c560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048000c570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048000c580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048000c590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2143069==ABORTING

Backtrace

#7  0x00007ffff3149e67 in analop (a=0x61a000000680, op=0x7fffffffd170, addr=65542, buf=0x6020000a2a96 "\001", len=1, mask=7) at /root/fuzzing/radare2_fuzzing/radare2/libr/..//libr/anal/p/anal_cris.c:65
#8  0x00007ffff32710b8 in r_anal_op (anal=0x61a000000680, op=0x7fffffffd170, addr=65542, data=0x6020000a2a96 "\001", len=1, mask=7) at op.c:120
#9  0x00007ffff4b60955 in anal_block_cb (bb=0x611000014e00, ctx=0x7fffffffd580) at canal.c:3502
#10 0x00007ffff329bbac in r_anal_block_recurse_depth_first (block=0x611000014e00, cb=0x7ffff4b600da <anal_block_cb>, on_exit=0x7ffff4b5ff63 <anal_block_on_exit>, user=0x7fffffffd580) at block.c:531
#11 0x00007ffff4b61481 in r_core_recover_vars (core=0x7fffef60f800, fcn=0x611000014cc0, argonly=true) at canal.c:3553
#12 0x00007ffff497bd41 in r_core_af (core=0x7fffef60f800, addr=65536, name=0x0, anal_calls=false) at /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_anal.c:3894
#13 0x00007ffff4b65f2a in r_core_anal_all (core=0x7fffef60f800) at canal.c:4251
#14 0x00007ffff49b6ac2 in cmd_anal_all (core=0x7fffef60f800, input=0x6020000a26d2 "aa") at /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_anal.c:11125
#15 0x00007ffff49bec5c in cmd_anal (data=0x7fffef60f800, input=0x6020000a26d1 "aaa") at /root/fuzzing/radare2_fuzzing/radare2/libr/core/cmd_anal.c:12330
#16 0x00007ffff4b3ad8b in r_cmd_call (cmd=0x620000000080, input=0x6020000a26d0 "aaaa") at cmd_api.c:531
#17 0x00007ffff4a6fe8d in r_core_cmd_subst_i (core=0x7fffef60f800, cmd=0x6020000a26d0 "aaaa", colon=0x0, tmpseek=0x7fffffffdea0) at cmd.c:4478
#18 0x00007ffff4a67104 in r_core_cmd_subst (core=0x7fffef60f800, cmd=0x6020000a26d0 "aaaa") at cmd.c:3364
#19 0x00007ffff4a76793 in run_cmd_depth (core=0x7fffef60f800, cmd=0x6210000ec500 "aaaa") at cmd.c:5366
#20 0x00007ffff4a77003 in r_core_cmd (core=0x7fffef60f800, cstr=0x7ffff7196a80 "aaaa", log=false) at cmd.c:5449
#21 0x00007ffff4a77b2d in r_core_cmd0 (core=0x7fffef60f800, cmd=0x7ffff7196a80 "aaaa") at cmd.c:5606
#22 0x00007ffff717c3cb in r_main_radare2 (argc=4, argv=0x7fffffffe468) at radare2.c:1397
#23 0x00005555555555f9 in main (argc=4, argv=0x7fffffffe468) at radare2.c:96
#24 0x00007ffff6f7c7fd in __libc_start_main (main=0x555555555581 <main>, argc=4, argv=0x7fffffffe468, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe458) at ../csu/libc-start.c:332
#25 0x000055555555517a in _start ()

Analysis

The buffer is allocated at /libr/core/canal.c:3452 with bb->size

static bool anal_block_cb(RAnalBlock *bb, BlockRecurseCtx *ctx) {
	if (r_cons_is_breaked ()) {
		return false;
	}
	if (bb->size < 1) {
		return true;
	}
	if (bb->size > ctx->core->anal->opt.bb_max_size) {
		return true;
	}
	ut8 *buf = malloc (bb->size);
	if (!buf) {
		return false;
	}
    (void) r_io_read_at (ctx->core->io, bb->addr, buf, bb->size);

Then at /libr/core/canal.c:3502, pos value is added to the pointer buf before being passed to r_anal_op function

#else
		pos = (opaddr - bb->addr);
		if (r_anal_op (core->anal, &op, opaddr, buf + pos, bb->size - pos, mask) < 1) {
			break;
		}

r_anal_op function passes the arguments to op function without any validiation on data

ret = anal->cur->op (anal, op, addr, data, len, mask);

The OOB read happens at /libr/anal/p/anal_cris.c:65 when it tries to read buf[1]

static int analop(RAnal *a, RAnalOp *op, ut64 addr, const ut8 *buf, int len, RAnalOpMask mask) {
	default:
		switch (buf[1]) {               // <<<<< OOB read
		case 0x00:
			op->type = R_ANAL_OP_TYPE_CJMP; // BCC
			break;

Suggested Fix

Validate buf size after adding posat /libr/core/canal.c:3502

Related

veracode 1
alpinelinux 1
osv 1
debiancve 1
nvd 1
prion 1
ubuntucve 1
cvelist 1
cve 1
veracode
veracode
Denial Of Service (DoS)
2022-12-25 13:30:52
alpinelinux
alpinelinux
CVE-2022-1207
2022-04-01 19:15:07
osv
osv
CVE-2022-1207
2022-04-01 19:15:07
debiancve
debiancve
CVE-2022-1207
2022-04-01 19:15:07
nvd
nvd
CVE-2022-1207
2022-04-01 19:15:07
prion
prion
Design/Logic Flaw
2022-04-01 19:15:00
ubuntucve
ubuntucve
CVE-2022-1207
2022-04-01 00:00:00
cvelist
cvelist
CVE-2022-1207 Out-of-bounds read in radareorg/radare2
2022-04-01 19:10:10
cve
cve
CVE-2022-1207
2022-04-01 19:15:07

6.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

31.5%

JSON
Related for 7B979E76-AE54-4132-B455-0833E45195EB
veracode1alpinelinux1osv1debiancve1nvd1prion1ubuntucve1cvelist1cve1