CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
  Percentile: 45.8%
Heap buffer overflow in the parseDragons function.
ASAN report:
=================================================================
==2541037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065578 at pc 0x7f45488bde0d bp 0x7ffc08551b50 sp 0x7ffc085512f8
READ of size 4 at 0x602000065578 thread T0
#0 0x7f45488bde0c in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:826
#1 0x7f453cce46b7 in parseDragons /root/radare2/libr/..//libr/bin/p/bin_symbols.c:228
#2 0x7f453cce4d6e in load_buffer /root/radare2/libr/..//libr/bin/p/bin_symbols.c:289
#3 0x7f453c8d1d3b in r_bin_object_new /root/radare2/libr/bin/bobj.c:147
#4 0x7f453c8c6db0 in r_bin_file_new_from_buffer /root/radare2/libr/bin/bfile.c:585
#5 0x7f453c8849f9 in r_bin_open_buf /root/radare2/libr/bin/bin.c:279
#6 0x7f453c88582e in r_bin_open_io /root/radare2/libr/bin/bin.c:339
#7 0x7f453ed00223 in r_core_file_do_load_for_io_plugin /root/radare2/libr/core/cfile.c:435
#8 0x7f453ed02d77 in r_core_bin_load /root/radare2/libr/core/cfile.c:636
#9 0x7f454779fb18 in r_main_radare2 /root/radare2/libr/main/radare2.c:1184
#10 0x55eda11bb937 in main /root/radare2/binr/radare2/radare2.c:96
#11 0x7f4546ba30b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#12 0x55eda11bb30d in _start (/root/radare2/binr/radare2/radare2+0x230d)
0x602000065578 is located 1 bytes to the right of 7-byte region [0x602000065570,0x602000065577)
allocated by thread T0 here:
#0 0x7f45488f0808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f453cce456e in parseDragons /root/radare2/libr/..//libr/bin/p/bin_symbols.c:192
#2 0x7f453cce4d6e in load_buffer /root/radare2/libr/..//libr/bin/p/bin_symbols.c:289
#3 0x7f453c8d1d3b in r_bin_object_new /root/radare2/libr/bin/bobj.c:147
#4 0x7f453c8c6db0 in r_bin_file_new_from_buffer /root/radare2/libr/bin/bfile.c:585
#5 0x7f453c8849f9 in r_bin_open_buf /root/radare2/libr/bin/bin.c:279
#6 0x7f453c88582e in r_bin_open_io /root/radare2/libr/bin/bin.c:339
#7 0x7f453ed00223 in r_core_file_do_load_for_io_plugin /root/radare2/libr/core/cfile.c:435
#8 0x7f453ed02d77 in r_core_bin_load /root/radare2/libr/core/cfile.c:636
#9 0x7f454779fb18 in r_main_radare2 /root/radare2/libr/main/radare2.c:1184
#10 0x55eda11bb937 in main /root/radare2/binr/radare2/radare2.c:96
#11 0x7f4546ba30b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:826 in __interceptor_memcmp
Shadow bytes around the buggy address:
0x0c0480004a50: fa fa fd fa fa fa 07 fa fa fa fd fa fa fa fd fa
0x0c0480004a60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480004a70: fa fa fd fa fa fa 06 fa fa fa fd fa fa fa 06 fa
0x0c0480004a80: fa fa fd fa fa fa 06 fa fa fa fd fa fa fa fd fa
0x0c0480004a90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 02 fa
=>0x0c0480004aa0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 07[fa]
0x0c0480004ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480004af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2541037==ABORTING
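As an added triage example (not part of the original report or the radare2 project), the following Python reduces an AddressSanitizer report like the one above to the facts a crash record needs: bug class, access kind and size, how far past the allocation the access lands, and the first application frames of the faulting and allocating stacks. The embedded sample is an abbreviated copy of the report above.

```python
import re

# Abbreviated copy of the AddressSanitizer report above; sample input for this parser.
ASAN_REPORT = """\
==2541037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065578 at pc 0x7f45488bde0d bp 0x7ffc08551b50 sp 0x7ffc085512f8
READ of size 4 at 0x602000065578 thread T0
    #0 0x7f45488bde0c in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:826
    #1 0x7f453cce46b7 in parseDragons /root/radare2/libr/..//libr/bin/p/bin_symbols.c:228
0x602000065578 is located 1 bytes to the right of 7-byte region [0x602000065570,0x602000065577)
allocated by thread T0 here:
    #0 0x7f45488f0808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f453cce456e in parseDragons /root/radare2/libr/..//libr/bin/p/bin_symbols.c:192
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:826 in __interceptor_memcmp
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at")
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$")

def first_app_frame(frames):
    # Skip sanitizer interceptor frames; return (function, file:line) of the caller.
    for func, loc in frames:
        if not (func.startswith("__interceptor_") or "/libsanitizer/" in loc):
            return func, loc
    return None

def triage(report):
    info, stacks, frames = {}, [], None
    for line in report.splitlines():
        if m := HEADER.search(line):
            info["bug"], info["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
            frames = []                  # frames that follow form the faulting stack
            stacks.append(frames)
        elif line.startswith("allocated by"):
            frames = []                  # frames that follow form the allocation stack
            stacks.append(frames)
        elif m := REGION.search(line):
            info["distance"], info["side"], info["region"] = int(m.group(1)), m.group(2), int(m.group(3))
        elif (m := FRAME.match(line)) and frames is not None:
            frames.append((m.group(1), m.group(2)))
    info["fault_frame"] = first_app_frame(stacks[0]) if stacks else None
    info["alloc_frame"] = first_app_frame(stacks[1]) if len(stacks) > 1 else None
    if info.get("side") == "right":
        # Offset of the access into the allocation, and the smallest allocation that keeps it in bounds.
        info["offset"] = info["region"] + info["distance"]
        info["needed"] = info["offset"] + info["size"]
    return info
```

For this report the parser yields a 4-byte READ at offset 8 of a 7-byte allocation, i.e. parseDragons would need at least 12 bytes available before the memcmp at bin_symbols.c:228 is safe, which is the length check a fix has to add.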
Compile command
./sys/sanitize.sh
Reproduce command
unzip tests_65306.zip
./radare2 -qq -AA <poc_file>
Latest commit and latest release
$ ./radare2 -v
radare2 5.6.6 27858 @ linux-x86-64 git.5.6.2
commit: 50b8813f1df7fbae3bbcb0e8d04397cd353d4759 build: 2022-03-23__02:15:26
$ cat /etc/issue
Ubuntu 20.04.3 LTS \n \l