huntr | solid-snail | C6F8D3EF-5420-4EBA-9A5F-ABA5E2B5FEA2

History: Nov 26, 2022 - 9:19 p.m.

Integer overflow in realloc call

2022-11-26 21:19:31
solid-snail
www.huntr.dev

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

29.0%

Description

Integer overflow in the realloc and memcpy calls in core_anal_graph_label.
While concatenating source lines based on DWARF data, the running size (a 32-bit signed int) can overflow.
The sizes passed to realloc and memcpy then differ, which can lead to writes at an unintended location.
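The following is an added illustration of the arithmetic the description and the ASan log point to; it is constructed for this page and is not radare2's code. `int_size_overflows` mirrors a byte count accumulated in a 32-bit int (the log's `2147483646 + 8`), `as_alloc_size` shows what the allocator receives once that negative int is passed as `size_t`, and `append_checked` is a hardened shape that keeps sizes in `size_t`, checks every addition, and uses one size for both `realloc` and `memcpy`. Function names are hypothetical; the code relies on the GCC/Clang `__builtin_add_overflow` builtin.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo of the bug class described above (not radare2's code).
 * Mirror of the vulnerable arithmetic: the running length lives in an int.
 * Returns true when cur + add does not fit, the condition UBSan reported;
 * the wrapped value is stored in *wrapped via the builtin, so this demo
 * itself has no undefined behaviour. */
static bool int_size_overflows(int cur, int add, int *wrapped) {
    return __builtin_add_overflow(cur, add, wrapped);
}

/* What realloc() sees: the negative int is sign-extended to size_t,
 * turning a wrapped length into an enormous allocation request. */
static size_t as_alloc_size(int n) {
    return (size_t)n;
}

/* Hardened replacement: sizes stay in size_t, each step is overflow-checked,
 * and the same value bounds both the realloc() and the memcpy().
 * Returns the (possibly moved) buffer, or NULL on overflow / OOM, in which
 * case the caller's buffer and length are left untouched. */
static char *append_checked(char *buf, size_t *len, const char *src, size_t src_len) {
    size_t new_len, alloc;
    if (__builtin_add_overflow(*len, src_len, &new_len) ||
        __builtin_add_overflow(new_len, (size_t)1, &alloc)) {
        return NULL;                      /* refuse instead of wrapping */
    }
    char *tmp = realloc(buf, alloc);
    if (!tmp) {
        return NULL;
    }
    memcpy(tmp + *len, src, src_len);     /* bounded by the same size as the allocation */
    tmp[new_len] = '\0';
    *len = new_len;
    return tmp;
}
```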

Proof of Concept

poc

Build the PoC with make, or download it from releases.

Then run:

r2 -A intof_mod

and in the r2 shell:

s main
agl

Note: it is important to run intof_mod in the same directory as dummy.c, as the DWARF data relies on it.

ASan output

potato@dev-ubuntu22:~/projects/sec/poc/r2/r2_int_of$ r2 -A intof_mod
WARN: run r2 with -e bin.cache=true to fix relocations in disassembly
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Integrate dwarf function information
INFO: Use -AA or aaaa to perform additional experimental analysis
 -- Set 'e bin.dbginfo=true' to load debug information at startup.
[0x00001060]> s main
[0x00001149]> agl
canal.c:1393:43: runtime error: signed integer overflow: 2147483646 + 8 cannot be represented in type 'int'
=================================================================
==84280==ERROR: AddressSanitizer: requested allocation size 0xffffffff80000006 (0xffffffff80001008 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x7fed1f848c18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
    #1 0x7fed1b9cbbad in core_anal_graph_label /home/potato/stuff/repos/radare2/libr/core/canal.c:1393
    #2 0x7fed1b9d1153 in core_anal_graph_construct_nodes /home/potato/stuff/repos/radare2/libr/core/canal.c:1668
    #3 0x7fed1b9d443a in core_anal_graph_nodes /home/potato/stuff/repos/radare2/libr/core/canal.c:1873
    #4 0x7fed1b9ef175 in r_core_anal_graph /home/potato/stuff/repos/radare2/libr/core/canal.c:3796
    #5 0x7fed1b6868eb in cmd_anal_graph /home/potato/stuff/repos/radare2/libr/core/cmd_anal.c:10926
    #6 0x7fed1b69f966 in cmd_anal /home/potato/stuff/repos/radare2/libr/core/cmd_anal.c:12878
    #7 0x7fed1b9a716a in r_cmd_call /home/potato/stuff/repos/radare2/libr/core/cmd_api.c:519
    #8 0x7fed1b8077a8 in r_core_cmd_subst_i /home/potato/stuff/repos/radare2/libr/core/cmd.c:4722
    #9 0x7fed1b7f5ff6 in r_core_cmd_subst /home/potato/stuff/repos/radare2/libr/core/cmd.c:3558
    #10 0x7fed1b814844 in run_cmd_depth /home/potato/stuff/repos/radare2/libr/core/cmd.c:5621
    #11 0x7fed1b815a19 in r_core_cmd /home/potato/stuff/repos/radare2/libr/core/cmd.c:5705
    #12 0x7fed1b4c0b07 in r_core_prompt_exec /home/potato/stuff/repos/radare2/libr/core/core.c:3570
    #13 0x7fed1b4be0b8 in r_core_prompt_loop /home/potato/stuff/repos/radare2/libr/core/core.c:3388
    #14 0x7fed1e618e8a in r_main_radare2 /home/potato/stuff/repos/radare2/libr/main/radare2.c:1666
    #15 0x55bd629d5af2 in main /home/potato/stuff/repos/radare2/binr/radare2/radare2.c:104
    #16 0x7fed1dd04d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

==84280==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164 in __interceptor_realloc
==84280==ABORTING
