Lucene search
CnitlrtD35B3DFF-768D-4A09-A742-C18CA8F56D3CHistoryFeb 20, 2022 - 10:14 a.m.
Heap-based Buffer Overflow
2022-02-2010:14:56
cnitlrt
www.huntr.dev
15
0.001 Low
EPSS
Percentile
43.9%
Description
heap-buffer-overflow /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:176 in r_read_le32
Environment
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
radare2 5.6.3 27472 @ linux-x86-64 git.5.6.2
commit: d24dbb9fbb0b398a6a739847008ccef3ea7e687c
ASAN
=================================================================
==3022342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400012dd3f at pc 0x7f1a2103bced bp 0x7ffdadb6e090 sp 0x7ffdadb6e080
READ of size 1 at 0x62400012dd3f thread T0
#0 0x7f1a2103bcec in r_read_le32 /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:176
#1 0x7f1a2103bcec in r_read_at_le32 /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:185
#2 0x7f1a2103bcec in r_read_le64 /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:199
#3 0x7f1a2103bcec in r_coresym_cache_element_new /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/../format/mach0/coresymbolication.c:227
#4 0x7f1a210323ea in parseDragons /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/bin_symbols.c:250
#5 0x7f1a210323ea in load_buffer /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/bin_symbols.c:289
#6 0x7f1a210323ea in load_buffer /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/bin_symbols.c:253
#7 0x7f1a20b08d17 in r_bin_object_new /home/ubuntu/fuzz/radare2/libr/bin/bobj.c:147
#8 0x7f1a20af9db0 in r_bin_file_new_from_buffer /home/ubuntu/fuzz/radare2/libr/bin/bfile.c:560
#9 0x7f1a20ab4b67 in r_bin_open_buf /home/ubuntu/fuzz/radare2/libr/bin/bin.c:279
#10 0x7f1a20ab6009 in r_bin_open_io /home/ubuntu/fuzz/radare2/libr/bin/bin.c:339
#11 0x7f1a218f82c8 in r_core_file_do_load_for_io_plugin /home/ubuntu/fuzz/radare2/libr/core/cfile.c:435
#12 0x7f1a218f82c8 in r_core_bin_load /home/ubuntu/fuzz/radare2/libr/core/cfile.c:636
#13 0x7f1a218f82c8 in r_core_bin_load /home/ubuntu/fuzz/radare2/libr/core/cfile.c:604
#14 0x7f1a24a062ba in r_main_radare2 /home/ubuntu/fuzz/radare2/libr/main/radare2.c:1179
#15 0x7f1a247a50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#16 0x560f17c179fd in _start (/home/ubuntu/fuzz/radare2/binr/radare2/radare2+0x99fd)
0x62400012dd3f is located 0 bytes to the right of 7231-byte region [0x62400012c100,0x62400012dd3f)
allocated by thread T0 here:
#0 0x560f17d02a48 in __interceptor_malloc (/home/ubuntu/fuzz/radare2/binr/radare2/radare2+0xf4a48)
#1 0x7f1a210355c1 in r_coresym_cache_element_new /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/../format/mach0/coresymbolication.c:180
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:176 in r_read_le32
Shadow bytes around the buggy address:
0x0c488001db50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488001db60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488001db70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488001db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c488001db90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c488001dba0: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
0x0c488001dbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c488001dbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c488001dbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c488001dbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c488001dbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3022342==ABORTING
POC
./radare2 -qq -AA ./heap_overflow_poc
Impact
The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
Related
alpinelinux
alpinelinux
CVE-2022-0713
2022-02-22 19:15:07
nvd
nvd
CVE-2022-0713
2022-02-22 19:15:07
cve
cve
CVE-2022-0713
2022-02-22 19:15:07
debiancve
debiancve
CVE-2022-0713
2022-02-22 19:15:07
prion
prion
Heap overflow
2022-02-22 19:15:00
veracode
veracode
Denial Of Service (DoS)
2022-12-25 08:58:37
ubuntucve
ubuntucve
CVE-2022-0713
2022-02-22 00:00:00
cvelist
cvelist
CVE-2022-0713 Heap-based Buffer Overflow in radareorg/radare2
2022-02-22 18:30:11
osv
osv
CVE-2022-0713
2022-02-22 19:15:07
openvas
openvas
Fedora: Security Advisory for radare2 (FEDORA-2022-7db9e7bb5b)
2022-03-23 00:00:00
Fedora: Security Advisory for radare2 (FEDORA-2022-85b277e748)
2022-03-27 00:00:00
Mageia: Security Advisory (MGASA-2022-0440)
2022-11-28 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: radare2-5.6.4-1.fc35
2022-03-11 14:47:54
[SECURITY] Fedora 36 Update: radare2-5.6.4-1.fc36
2022-03-26 15:39:36
mageia
mageia
Updated radare2/rizin packages fix security vulnerability
2022-11-27 23:51:49